The Economic Crime and Corporate Transparency Act 2023 was passed in October 2023 and introduced a new corporate criminal offence of "failure to prevent fraud". However, the offence is not yet live and we have been waiting for the Home Office to publish guidance on the new offence and confirm when it will come into force.
There is a defence to the offence if an organisation can show that it had in place reasonable procedures to prevent fraud. The notice period is designed to give impacted organisations time to review and implement appropriate prevention procedures to address their organisation's fraud risk. The guidance came out last week (at the start of November 2024 – see here) and confirms that the new offence will come into force on 1 September 2025.
The offence
Our previous article here provides a summary of the new offence and to whom it applies. To recap, a relevant body is guilty of an offence if a person associated with the body commits a fraud offence intending to benefit, directly or indirectly, the relevant body or any person to whom the associate provides services on behalf of the relevant body.
Large organisations are "relevant bodies", and this covers corporations and partnerships which have two out of three of (1) over 250 employees; (2) turnover of £36 million or more; (3) assets of £18 million or more.
The defence – reasonable procedures to prevent fraud
There is a defence if the organisation can show that it has reasonable procedures in place to prevent fraud. The newly published guidance sets out the key principles which organisations should be informed by when putting those procedures in place. They are:
- top level commitment
- risk assessment
- proportionate risk-based prevention procedures
- due diligence
- communication (including training)
- monitoring and review.
Key points from the guidance
The guidance bears many similarities to the guidance issued in relation to the Bribery Act 2010's "failure to prevent bribery" offence and the Criminal Finances Act 2017's "failure to prevent the facilitation of tax evasion" offence, making the new offence the third corporate "failure to prevent" offence in the UK.
The guidance encourages organisations to consider the three elements of the fraud triangle in assessing risk: opportunity, motive and rationalisation, eg an associated person might commit fraud if there are weak controls/inadequate oversight (opportunity), they have financial stress and pressure to meet targets (motive) and they consider that no real harm is caused by committing the fraud (rationalisation). It also notes that emerging technologies such as AI might open new opportunities for fraud. It is vital that relevant organisations are alive to this and keep such possibilities under review, but equally such technologies may be employed to assist with the implementation and monitoring of fraud risks.
Key points to note:
- the board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud and fostering a culture which makes it clear that fraud will not be tolerated
- that position should be clearly communicated and articulated, and the organisation should identify the key individuals and departments with responsibility for the development and implementation of fraud prevention procedures
- relevant organisations should have a fraud prevention plan in place which should be supported by a risk assessment
- the risk assessment should assess and document the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud - this should be kept under regular review
- the fraud prevention plan should be proportionate to the risks faced by the organisation and the potential impact. In some limited circumstances it may be reasonable not to introduce measures in relation to a particular risk but that should be carefully documented
- relevant bodies should clearly set out the consequences for those associated with the relevant body for breaching the policy on fraud and this may include contractual clauses where appropriate (so out of scope organisations that provide services for or on behalf of organisations who are in scope may be required to give contractual commitments to observe/implement suitable procedures)
- relevant bodies should commit to allocating a reasonable and proportionate budget for the leadership, staffing and implementation of a fraud prevention plan and training and should ensure those practices are sustained if/when key members of staff are on annual leave, off work or when they leave the organisation
- due diligence should be undertaken in relation to persons who perform or will perform services for or on behalf of the organisation in order to mitigate identified fraud risks which might include appropriate use of third-party risk management tools/screening tools and including appropriate obligations in contracts to require compliance
- organisations should monitor and review their fraud detection and prevention procedures and make improvements where necessary.
Other points to note
The guidance provides some broader commentary on how the offence will operate in practice including:
- Application of "large organisation criteria":
(i) The guidance makes it clear that the large organisation criteria apply to the whole organisation, so subsidiaries will be considered when counting number of employees, turnover and assets, regardless of where the organisation is headquartered or where the subsidiaries are located.
(ii) It also notes that the subsidiary of a large organisation, which is not itself a large organisation, would be caught and can be prosecuted (rather than the parent co) if an employee of the subsidiary commits a fraud intending to benefit the subsidiary. The parent co which is a large organisation could be prosecuted if an employee of a subsidiary commits a fraud that is intended to benefit the parent co. The parent is not responsible for frauds not intended to benefit the parent organisation.
- Territorial scope: it was already clear that the offence would have extra-territorial scope. The guidance gives additional clarity - there has to be a UK nexus, meaning that one of the acts that was part of the underlying fraud has to take place in the UK or the gain/loss has to occur in the UK, but that could cover overseas organisations where an employee or associated person commits a relevant fraud offence in the UK or targets UK-based victims. It would not apply where a UK organisation has an overseas employee or subsidiary which commits fraud abroad with no UK nexus.
- Scope of the "intention to benefit":
(i) the offence can apply where the primary motivation was self-benefit but it will also benefit the organisation (eg where a commission will be earned)
(ii) the benefit can be financial or non-financial – disadvantaging a competitor would be in scope
(iii) it is irrelevant that the intended benefit was not actually secured – it is enough that there was an intention to benefit the organisation.
- Overlap with other offences: the failure to prevent fraud offence includes cheating the public revenue – the base offence overlaps with the failure to prevent the facilitation of tax evasion offence. Note, however, that the failure to prevent fraud offence is wider in scope in terms of who can commit the offence, so the procedures in place for preventing the criminal facilitation of tax evasion may not be sufficient on their own for that offence. Organisations need to review this.
- Overlap with existing regulation: there may be overlap with other regulations eg financial reporting, environmental, health and safety or competition but organisations should be very careful about relying on any procedures in place to comply with other regulations as a defence to a failure to prevent fraud offence – a careful assessment has to be done regarding any such measures to determine whether they would be sufficient to prevent the fraud risks identified in the organisation's risk assessment.
It is helpful to now have clarity regarding the time frame for the offence going live, so large organisations should make sure they prepare and review/adopt suitable fraud prevention procedures ahead of 1 September 2025. Please get in touch if you would like assistance.