New Guidance issued on the Corporate Offence of Failure to Prevent Fraud

New Guidance issued on the Corporate Offence of Failure to Prevent Fraud

On 6 November, UK Government published guidance that will provide organisations with important advice on the new corporate criminal offence of failing to prevent fraud. The guidance advises organisations on the requirement to develop and implement reasonable fraud prevention measures.

Partner and economic crime lead, Michael Balmer, sets out the elements of the corporate fraud offence and summarises the guidance and the 6 principles around which all reasonable measures should focus.

What is the new offence of failure to prevent fraud?

Under the Economic Crime and Corporate Transparency Act (ECCTA), an organisation may be criminally liable where an employee, agent, or other ‘associated person’, commits fraud intending to benefit the organisation and the organisation does not have reasonable fraud prevention procedures in place. It does not matter whether directors or senior managers ordered or knew about the fraud.

The offence will make it easier to hold organisations accountable for fraud committed by employees, or other associated persons, which may benefit the organisation. The offence should also encourage organisations to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud.

What types of fraud are covered by the offence?

The offence of failure to prevent fraud applies to several specific “base fraud” offences committed by a ‘person associated with the relevant body’. They include:

• Fraud by false representation (section 2 Fraud Act 2006)
• Fraud by failing to disclose information (section 3 Fraud Act 2006)
• Fraud by abuse of position (section 4 Fraud Act 2006)
• Participation in a fraudulent business (section 9, Fraud Act 2006)
• Obtaining services dishonestly (section 11 Fraud Act 2006)
• Cheating the public revenue (common law) 
• Fraudulent trading (section 993 Companies Act 2006

What is an “associated person”?

An employee, an agent or a subsidiary of the relevant body is automatically an ‘associated person’ for the purposes of the ECCTA. A person who provides services for, or on behalf, of the relevant body is also an associated person while they are providing those services.  

Are all organisations liable?

No. The offence applies to large incorporated bodies and partnerships across all sectors that meet two of the following:

• Have more than 250 employees
• Have more than £36 million turnover
• Have more than £18 million in total assets

These criteria will apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.

What are the penalties?

An organisation convicted of an offence of failure to prevent fraud may be liable to an unlimited financial penalty. The actual level of fine imposed will depend upon the circumstances of the case, having reference to any appropriate sentencing guidelines available to the court.

Can organisations be prosecuted now?

No. The offence will come into effect nine months after the publication of this guidance, to allow organisations to develop and implement their fraud prevention procedures.

Is there a defence?

Yes. Organisations will have a defence if they can establish that they have reasonable procedures in place to prevent fraud, or can demonstrate that it was not reasonable for the organisation to have any prevention procedures in place. The onus will be on the organisation to prove that it had reasonable procedures in place to prevent fraud at the time the fraud was committed.

What do reasonable anti-fraud measures look like?

The Government issued guidance sets out procedures that relevant bodies can put in place to prevent persons associated with them from committing fraud offences. The fraud prevention framework put in place by relevant organisations should be informed by the following six principles:

• Top level commitment

Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation. The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud by:

• communication and endorsement of the organisation’s stance on preventing fraud, including mission statements
• ensuring that there is clear governance across the organisation in respect of the fraud prevention framework
• commitment to training and resourcing
• leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices

Risk assessment

The organisation should assess the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud within scope of the offence. The risk assessment ought to be dynamic, documented and kept under regular review.

Proportionate risk-based prevention procedures

An organisation’s procedures to prevent fraud by persons associated with it will need to be proportionate to the fraud risks it faces and to the nature, and scale of the organisation’s activities. The procedures should also be clear, practical, effectively implemented and enforced.

The organisation should draw up a fraud prevention plan, including procedures to prevent fraud which are proportionate to the risk identified in the risk assessment.

Due diligence

Organisations should conduct due diligence on associated persons, including new employees. Examples of best practice include:

• using appropriate technology, e.g., third-party risk management tools, screening tools, internet searches, trading history, professional or regulated statusand vetting checks.
• reviewing contracts with those providing services, to include appropriate obligations requiring compliance and the ability to terminate in the event of a breach
• reviewing contracts for agents
• monitoring the well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress or workload.

Communication (including training)

The organisation should ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key. 

Monitoring and review

The nature of the risks faced by an organisation will change and evolve over time. This may be as a natural result of external developments, or changes in the organisation’s activities. The organisation should adapt its fraud detection and prevention procedures in response to the changes in the risks that it faces. Risk assessments should be conducted at consistent intervals. Relevant organisations should also consider whether external factors should trigger an earlier review. An organisation may have its review conducted by an external party or may choose to conduct an internal review.

Monitoring fraud prevention measures might include:

• monitoring of financial controls
• collecting data on how many staff have attended fraud prevention training courses and any test results, if applicable
• monitoring updates to procedures (for example, due diligence procedures)
• monitoring updates to contractual clauses for associated persons

Our economic and business crime lawyers are experts in acting for both businesses and individuals on matters involving  fraud and corporate crime, bribery and corruption, money laundering, and data protection breaches.

We provide preventative compliance advice to businesses which helps limit the risk and exposure to criminal and regulatory sanctions. Our training and e-learning packages augment our services.