2 December 2024

Publication Of UK Government Guidance On Failure To Prevent Fraud Offence – The Countdown Begins To The Implementation Of The Offence

Steptoe LLP

The U.K.'s new "Failure to Prevent Fraud" offence, effective September 2025, holds organizations liable for fraud committed by associated persons unless they have "reasonable procedures" to prevent it. New guidance outlines steps for compliance, including risk assessments and fraud prevention plans.

In our previous blog called "The Introduction of the U.K. "Failure to Prevent Fraud" into Law" dated October 31, 2023, we discussed the coming into U.K. law of a new "failure to prevent fraud" criminal offence pursuant to which an organization may be liable where (i) a specified fraud offence is committed by an associated person (defined as an employee, agent or subsidiary of the relevant organization, an employee of a subsidiary, or a person who otherwise performs services for or on behalf of the organization), (ii) for the organization's benefit, and (iii) the organization did not have reasonable procedures in place. The law was not then in effect, whilst we waited for the U.K. government to produce guidance detailing what "reasonable procedures" look like, to assist organizations in assessing, and where necessary, improving their own compliance frameworks.

On November 6, 2024, the much-anticipated guidance was published (the "Guidance"),1 starting the clock ticking to the offence coming into force on September 1, 2025.

A reminder of the scope of the offence

To whom will the new "failure to prevent fraud" offence apply?

The new offence applies to larger companies and partnerships which meet at least two out of three of the following criteria (during the financial year of the organization that precedes the year of the base fraud offence):

  • more than 250 employees
  • more than £36 million in turnover2
  • more than £18m in total assets

These criteria apply to the whole organization, including subsidiaries, regardless of where the organization is headquartered or where its subsidiaries are located.

Is the offence extraterritorial?

Yes. The offence is intended to have extraterritorial effect; namely, if an employee commits fraud under U.K. law, or targeting U.K. victims, their employer could be prosecuted, even if the organization (and the employee) are based, formed or incorporated overseas and the fraud offence took place outside of the U.K. All that is required is a U.K. nexus, namely that "one of the acts which was part of the underlying fraud took place in the UK or that the gain or loss occurred in the UK".

What offences are caught by the new "failure to prevent fraud" offence?

The offences covered by the "failure to prevent fraud" offence are:

  • Fraud by false representation (section 2, Fraud Act 2006)
  • Fraud by failing to disclose information (section 3, Fraud Act 2006)
  • Fraud by abuse of position (section 4, Fraud Act 2006)
  • Obtaining services dishonestly (section 11, Fraud Act 2006)
  • Participation in a fraudulent business (section 9, Fraud Act 2006)
  • False accounting (section 17, Theft Act 1968)
  • False statements by company directors (section 19, Theft Act 1968)
  • Fraudulent trading (section 993, Companies Act 2006)
  • Common law offence of cheating the public revenue

Possible Defenses

The only defense available to an organization caught by the offence is that it had reasonable procedures in place to prevent fraud or that it was reasonable not to have such procedures in place.

What does the Guidance say about "reasonable procedures"?

Similar to the guidance that was published in relation to the U.K. Bribery Act 2010, the Guidance does not provide an exhaustive list of what might constitute "reasonable procedures", noting that "...it is expected that organisations will choose the approach most suited to their needs. Relevant organisations may change their review process in light of developments. For example, an organisation may need to take a more formalised and detailed approach to reviewing its fraud detection and prevention procedures following criminal activity by persons associated with it."

Again, similar to the guidance accompanying the introduction of the U.K. Bribery Act 2010, the Guidance provides six broad "principles" intended "to be flexible and outcome-focussed, allowing for the huge variety of circumstances that relevant bodies find themselves in".

The six principles are:

  • Top Level Commitment

The Guidance stresses the role of the board of directors, partners and senior management in being committed to preventing associated persons from committing fraud, including by fostering a culture within the organization in which fraud is never acceptable. Depending on the size and structure of the relevant organization, the role of senior management may include:

    • communication and endorsement of the organization's stance on preventing fraud
    • ensuring that there is clear governance across the organization in respect of the fraud prevention framework
    • commitment to training and resourcing
    • leading by example and fostering an open culture

  • Risk Assessment

The Guidance notes that an organization should assess "the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence" and suggests that such a risk assessment be "dynamic, documented and kept under regular review".

The Guidance goes on to suggest how effective risk assessments may be designed, for example by first "identifying typologies of associated persons. For example: agents, contractors providing a particular service for or on behalf of the organisation, or staff in specific sensitive roles" and then considering the range of circumstances under which associated persons could attempt a fraud in scope of the offence.

The Guidance makes clear that risk assessments should be kept under regular review.

  • Proportionate Risk-based Prevention Procedures

The Guidance states that an "organisation's procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation's activities. They are also clear, practical, accessible, effectively implemented and enforced." It also provides that "the relevant body should draw up a fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment."

The Guidance goes on to list a number of risk factors that organizations should consider (for example, reducing the motive for fraud, putting in place consequences for committing fraud, etc.).

Organizations are also advised to test their fraud prevention measures to ensure that they are effective; the Guidance notes that "best practice is for the prevention plan to be tested by members of the organisation who were not involved in writing it".

  • Due Diligence

An organization is advised to apply risk-based due diligence procedures in respect of persons who perform or will perform services for or on behalf of the organization, in order to mitigate identified fraud risks. That due diligence should, as relevant, be kept under review.

The Guidance goes on to provide examples of best practice in relation to due diligence on associated persons (including new partners) and due diligence in relation to mergers or acquisitions, including:

    • using appropriate screening and vetting technology
    • reviewing contracts with those providing services, to include appropriate obligations requiring compliance and ability to terminate in the event of a breach where appropriate
    • reviewing contracts for agents
    • monitoring of well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress, targets or workload
    • assessment of any relevant criminal or regulatory charges
    • assessment of tax documentation

  • Communication (including Training)

The Guidance provides that an organization should seek "to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key."

The Guidance includes a specific section on whistleblowing, noting that organizations may wish to consider measures such as: having board level accountability to oversee whistleblowing, overseeing a culture where employees feel able to raise concerns, ensuring that reporting channels for whistleblowers are independent, investigating and responding to internal concerns appropriately and in a timely manner, and conducting victimization risk assessments and protecting whistleblowers from potential victimization.

  • Monitoring and Review

Finally, the Guidance recommends that organizations consider monitoring to include the detection of fraud and attempted fraud, investigations and monitoring the effectiveness of fraud prevention measures. It also recommends that organizations review their procedures to respond to any changes in the risks that they face.

What do you need to do now?

The new offence will come into effect on September 1, 2025. This gives relevant organizations a period of nine months to conduct any relevant risk assessments, develop a plan, and, as relevant, begin to implement any new fraud prevention policies and procedures.

Footnotes

1 https://www.gov.uk/government/news/new-failure-to-prevent-fraud-guidance-published

2 Defined as "the amount derived from the provision of goods and services falling within the ordinary activities of the commercial organisation or subsidiary undertaking, after deduction of a) trade discounts b) value added tax and c) any other taxes based on the amounts so derived".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
