The government has published official guidance on reasonable fraud prevention procedures, setting the deadline of 1 September 2025 for large organisations to make sure they are compliant.
The concept of holding corporate entities accountable for their failure to prevent fraud has been debated for some time. We previously wrote in detail about the process which ultimately led to the introduction into law last autumn of a new corporate criminal offence. Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) sits alongside the UK’s existing laws on fraud and corruption and is intended to make it easier to hold organisations to account by creating an offence of failing to prevent fraud committed by employees, or other ‘associated persons’, which may benefit the organisation.
The defence to a failure to prevent offence is for an organisation to prove that, at the time the fraud offence was committed, it had ‘reasonable procedures’ in place to prevent fraud. It is for the organisation to establish the defence and it is worth pointing out that this defence does not prevent the authorities prosecuting individuals for the underlying fraud.
Guidance on what may amount to a proportionate approach to preventing fraud has now been published, but the offence will not come into force until 1 September 2025.
ECCTA also brought about a significant change in the corporate criminal liability test, extending the number of senior managers whose conduct may make the corporate criminally liable, although this change is not relevant for the failure to prevent fraud offence.
The core objective is to drive a shift in corporate culture to ensure companies do more to assist in the fight against fraud. Inevitably this creates an added burden on the private sector; however, the extent to which companies will be held to account and the amount of resource enforcement agencies will devote to this area remain unclear.
Nine months but no further grace
The Guidance is core to the underlying intention of encouraging more organisations to implement or improve their compliance procedures – the hope being that this will further instil a corporate culture of prevention.
The Guidance is, of course, particularly directed at ‘large organisations’ to which the new failure to prevent fraud offence applies and should enable them to review and get their systems, policies and procedures in place to avoid falling foul of the new legislation.
In theory, the implementation date of 1 September 2025 gives companies plenty of time to prepare. However, as no “grace period” has been provided for once the relevant provisions are legally in force, this timetable remains very challenging for the types of entities that fall under the legislation – large global businesses which are likely to have offices and/or subsidiaries in multiple jurisdictions, staff operating in a number of languages and where the concept of economic crime and the pre-existing national and international compliance requirements may be very different.
The Guidance is a Home Office publication but has been developed with input from the Crown Prosecution Service (CPS), Serious Fraud Office (SFO), HM Treasury, HMRC, Ministry of Justice, Cabinet Office, Attorney General’s Office and Financial Conduct Authority (FCA).
The SFO is the natural prosecutor for these types of companies and has indicated its enthusiasm to prosecute the new offence – in his inaugural speech, the SFO’s Director Nick Ephgrave said that he wanted to be the first to prosecute an organisation under the new provisions of ECCTA and he has repeated this ambition more recently saying that “time is running short for corporations to get their house in order or face criminal investigation.”
Providing (some) clarity
The Guidance includes an overview of the offence including the types of organisations in scope, types of fraud covered, and aspects such as who commits the base fraud and in what circumstances; for example, there is an examination of who may be considered a ‘person associated with an organisation’. This concept of associated person has long been a difficult area for organisations to interpret when considering the equivalent failure to prevent bribery and facilitation of tax evasion offences, and since the new legislation was published, it has been seen as a core area for future litigation. The Guidance provides some clarification in relation to subsidiaries, franchises and companies within an organisation’s supply chain – but the extent to which the Guidance helps will only be seen once it is applied to real life situations, which are likely to be complex.
The Guidance rightly flags that “The issue of who is intended to benefit from the underlying fraud is key to determining whether a relevant organisation can be held accountable for the offence of failure to prevent fraud”, but it confirms that the organisation does not need to actually receive any benefit and the intention to benefit the organisation does not have to be the sole or dominant reason for the fraud.
Territoriality is another key aspect of the offence. Some form of UK nexus is required, but this does mean that overseas entities are caught by the legislation; for example, where an act that was part of the fraud took place in the UK or where the gain or loss occurred in the UK.
Turning to the reasonable fraud prevention procedures, as expected, the Guidance adopts the now familiar approach of six principles: top level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training), and monitoring and review. This will assist organisations who have already adopted this framework following earlier legislation (in particular, the Bribery Act 2010).
The guidance on the principle of ‘top-level commitment’ is detailed and emphasises the leadership role of senior management in relation to fraud prevention and the responsibility and accountability that lies with those individuals. A welcome level of detail is also provided on ‘monitoring and review’.
There is a section devoted to whistleblowing within the guidance on ‘Communication’, which adopts Transparency International’s position that whistleblowing is one of the most effective ways to uncover fraud and other wrongdoing. Although it is acknowledged in the Guidance that not all large organisations are required to have whistleblowing procedures, no doubt the pressure to do so will increase for the few that have not adopted one already as a matter of best practice.
The section of the Guidance devoted to ‘Interaction and overlaps between legislative and regulatory regimes’ is relatively limited, covering the overlap with the (currently un-prosecuted) offence of failure to prevent the facilitation of tax evasion, and the interaction with auditing requirements and the UK Corporate Governance Code. However, there is also advice under ‘proportionate risk-based fraud prevention procedures’, where the Guidance notes that organisations may be subject to other regulations such as financial reporting, environmental, health and safety, or competition matters. It confirms that while it is not necessary to duplicate work, organisations are advised to assess whether their current measures are suitable to prevent the frauds identified in the new legislation in their risk assessments.
A step forward, but no guarantees – and clarity will take (court) time
Publication of the Guidance is a welcome step for all those in scope of the new legislation as they prepare for the new regime, but, of course, it does not cover every eventuality and does not come with a checklist guarantee. Prosecutors, when deciding to charge, will be the ones to make the initial judgement as to whether a company had in place, at the relevant time, reasonable procedures in all the circumstances. This is a point which, no doubt, will be tested in the courts in due course.
What is missing is guidance on how fraud can be committed and what conduct falls within the scope of the new failure to prevent offence. Potentially the reason for this is core to the challenge for companies in trying to implement reasonable procedures as fraud can take many forms, and the risk profile of each organisation and sector is very different. That makes it impossible to provide any sort of overarching guide. As a result, organisations will need to conduct risk assessments on the full range of fraud risk that they face and will need to systematically reassess as their business changes and methods of fraud evolve.
Organisations will doubtless have further questions for their legal advisers as to whether and how ECCTA and the Guidance applies to them, how to conduct effective risk assessments, what amendments should be made to their current compliance policies and procedures, and how to train their senior managers and workforce on identifying fraud risk and implementing prevention measures in their particular company or sector.
A greater understanding of whether particular steps taken by a company are “reasonable” or not will only develop after 1 September 2025. Similarly, only then will it become clear whether failure to prevent fraud becomes the prosecutor’s charge of choice or whether this new legislation is an anti-climax, as with the facilitation of tax evasion legislation under the Criminal Finances Act 2017, which was launched with great fanfare but six years later has not yet been prosecuted.
Further information
If you have any questions or concerns about the topics raised in this blog, please contact Louise Hodges or any member of our Criminal Litigation team.
About the Authors
Louise Hodges represents individuals and companies embroiled in criminal and regulatory proceedings whether in the UK or internationally. She has acted in relation to high-profile Serious Fraud Office (SFO) investigations and Deferred Prosecution Agreement (DPA) negotiations.