How to protect your business against the new failure to prevent fraud corporate offence

The core of the offence

Under the legislation, an organisation such as a company or limited liability partnership commits the offence if a person associated with it, such as an employee, agent, subsidiary or contractor, commits fraud intending to benefit the organisation or any customer for which the associated person provides services on the organisation’s behalf and the organisation did not have reasonable fraud prevention procedures in place. It does not need to be shown that the directors or senior management knew about or authorised the fraud.

The range of conduct covered is extensive, encompassing offences under the Fraud Act 2006 such as fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, false accounting, cheating the public revenue, fraudulent trading and obtaining services dishonestly. It also includes aiding, abetting or procuring a fraud offence.

The offence carries significant penalties, with companies facing unlimited fines. While a company will not be guilty of this offence if it was itself a victim of fraud, the scale of potential liability as well as reputational damage makes compliance an urgent priority.

The offence applies to large organisations, defined as those meeting at least two of the following thresholds:

• turnover exceeding £36 million;
• total assets above £18 million; or
• more than 250 employees.

These thresholds are assessed across the corporate group, so subsidiaries can be caught if their parent company meets the criteria, regardless of where it is based. Companies incorporated outside of the UK may be prosecuted if there is sufficient UK connection, for example, if a UK-based employee commits fraud for their benefit or is targeting victims in the UK.

The defence: “Reasonable Prevention Procedures”

A defence available to an organisation is demonstrating that it had put in place reasonable procedures designed to prevent fraud. In limited circumstances an alternative defence that it was unreasonable to expect the organisation to have put in place any such procedures may be available. However, it will rarely be considered reasonable not to have even conducted a risk assessment and documented steps to mitigate identified risks.

The UK government has identified six areas of reasonable prevention procedures that organisations are encouraged to review and implement:

• 1. Top level commitment

Top level commitment requires senior management clearly to endorse the organisation’s intolerance of fraud, for example a clear statement on its website, and commit to reasonable staffing and implementation of fraud prevention procedures including training and appropriate due diligence, and whistleblowing procedures.

• 2. Risk assessment 

Organisations should review potential areas where fraud could take place within the business, assessing level of risk according to opportunity, motive and rationalisation and putting in place appropriate mitigating steps and policies.

• 3. Proportionate risk-based prevention procedures 

An example of a risk-based prevention procedure is a fraud prevention plan having regard to the risk assessment and potential emergencies, and sanctions/disciplinary measures for individuals or entities which commit fraud. It may consider risk factors such as reducing the opportunities for fraud, reducing the motive for fraud, putting in consequences for committing fraud, reducing the rationalisation of fraudulent behaviour such as “other businesses do it”, emergency scenarios, and testing the fraud prevention procedures

• 4. Due diligence

If an organisation engages a new employee or supplier, it should do appropriate due diligence on them, using screening and vetting techniques. This can be done in-house or by external providers. Also, employee wellbeing should be monitored. Contracts with service providers such as agents and sub-contractors should be reviewed to include relevant obligations requiring compliance and the ability to terminate in the event of a breach.

• 5. Communication

Organisations should provide appropriate fraud prevention specific training to employees, agents and other potential associated persons, including requiring compliance with appropriate policies and ensuring awareness and understanding of the policies and whistleblowing procedures.

• 6. Monitoring and review

Monitoring should include detection of fraud and attempted fraud (for example on invoicing), investigations, monitoring the effectiveness of fraud prevention measures, such as financial controls, collecting data on how many staff have attended fraud prevention training courses and any test results, ensuring that teams responsible for investigating fraud are appropriately resourced, and assessing the effectiveness of whistleblowing procedures.

In addition, best practice also includes testing a fraud prevention plan by staff not involved in writing it and considering the fraud prevention measures that might need to be taken in emergency situations identified in the risk assessment.

Investigation process

If organisations find themselves under investigation, it is important to maintain a strong audit trail and clearly document what information has been provided, when and by whom. This transparency is crucial not only for compliance but also for demonstrating cooperation during regulatory scrutiny.

Readiness and compliance expectations

Businesses are expected to act now to understand and implement the necessary measures. Regulators will expect tangible evidence of fraud prevention procedures. Failure to act exposes businesses to the risk of severe financial penalties and reputational harm. As emphasised in the webinar, fraudulent business is bad business. It is bad for the organisation and its reputation, bad for staff and their morale, and bad for victims.

Live polls: gauging business preparedness

During the webinar, a live poll invited attendees to share how their organisations are preparing for the new offence. The results provided a useful insight into the current market readiness.

Has your organisation already implemented fraud prevention procedures?

When asked whether their organisations had already implemented fraud prevention procedures, over 44% of participants indicated that frameworks were in development but not yet complete, while over 11% reported that no procedures were in place. This reflects growing awareness of the issue, but also highlights that many businesses are still at the early stages of formalising their response.

A second live poll asked participants to identify their greatest challenge in preparing for the new offence, with the largest share of participants voting that monitoring and reviewing controls were the greatest challenge, followed by preparing a fraud prevention plan/other prevention procedure, and training and awareness across teams. This identifies that many organisations require assistance and guidance on these areas in particular, such as detection, investigations and monitoring the effectiveness of fraud prevention measures, including whistleblowing procedures.

What area do you see as your organisation’s biggest challenge?

Finally, when asked about next steps, over half of the respondents stated that they first plan to update and review their existing risk-based prevention procedures. This provided a positive indication that many organisations understand that proactive steps towards compliance are required.

What’s your organisation’s next step in response to the new offence?

Conclusion

The failure to prevent fraud corporate offence represents one of the most significant corporate compliance developments in recent years. Its introduction reflects the UK government’s determination to make organisations accountable for fraudulent behaviour committed for their benefit or the benefit of their customers, regardless of whether senior management was aware.

Organisations have a crucial window to act by putting in place reasonable procedures to prevent fraud, in particular as summarised above: top level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication and monitoring and review.

For more information, please contact Anthony Woolich, Partner or Claire Rawle, Partner.

Counsel+

If you are an in-house lawyer, sign up to our Counsel+ Forum to benefit from the learning resources and networking opportunities. Blake Morgan run a series of webinars and exclusive events, which you can find out more about here.