On 6 November 2024, the government released its much-anticipated guidance on the offence of failure to prevent fraud (the Guidance), as introduced by the Economic Crime and Corporate Transparency Act 2023 (the Act).
Under the offence, corporates may be criminally liable where a person associated with the body corporate commits a fraud offence with the intention of directly or indirectly benefitting the company.
Corporates will have a defence if they can demonstrate that they have reasonable procedures in place to prevent fraud, or that in the circumstances it was not reasonable to expect the organisation to have prevention procedures in place.
The offence aims to make it easier for organisations to be held accountable for fraud committed for their benefit. It is intended to encourage stronger prevention procedures and inspire a change in corporate culture that collectively aims to prevent fraud.
This alert provides an overview of what might be considered “reasonable fraud prevention procedures”, as outlined by the recently published Guidance.
Reasonable Fraud Prevention Procedures
Organisations are advised to adhere to six principles when developing their fraud prevention framework. These are as follows:
Top Level Commitment
Responsibility for the prevention of fraud lies with those in charge of the governance of the organisation. This includes directors, partners, or senior managers. As part of their duty to prevent fraud, their role is likely to include:
- Advocacy of the company’s commitment to preventing fraud.
- Ensuring that there is a clear governance structure to prevent fraud.
- Dedication to training and resourcing.
- Creating a culture whereby employees feel confident to report suspected fraud.
Risk Assessment
The Guidance provides a “fraud triangle” to assist organisations in developing their fraud prevention procedures:
Opportunity
Is there an opportunity to commit fraud? Which departments have the greatest opportunity to commit fraud? How likely is detection of fraud? Is there anyone within the company who does not have appropriate oversight?
Motive
Has the organisation created a reward system that incentivises fraud? Do financial targets or time pressures encourage employees to cut corners? Does the corporate culture discourage whistleblowing?
Rationalisation
Does the organisation subtly tolerate fraud? Is it a sector in which fraud is prevalent? Has there been an “emergency” scenario that might be perceived as justifying fraud? Are there adverse consequences if individuals speak up?
Organisations should continuously assess the extent and nature of the risk of fraud. Importantly, if an appropriate risk assessment has not been conducted, the courts may consider that “reasonable procedures” were not in place at the time the fraud was committed.
Proportionate Risk-based Prevention Procedures
An organisation’s fraud prevention procedures should be proportionate to the nature, complexity, and scale of its activities. When considering what constitutes a “proportionate” risk-based prevention procedure, organisations can consider the following:
Reducing Opportunities for Fraud
Does the company conduct pre-employment and vetting checks? Is anti-fraud training provided for high-risk roles? How is access to sensitive information monitored or restricted? Have any audits highlighted areas of particular concern that have not been addressed?
Reducing Motive
Can changes be made to internal reward structures? Can improvements be made to reduce pressures that encourage cutting corners? Does the organisation continually monitor potential conflicts of interest? Is it made clear that rationalisation of fraud or “ethical fading” is unacceptable?
Consequences
Are there clear reporting and disciplinary procedures? Are outcomes of investigations and enforcements communicated and understood?
In some instances, it might not be appropriate to introduce measures in response to a risk. However, it is advised that this decision be documented and justified. It is also important to review such decisions and implement procedures if, and when, necessary.
The Guidance also accepts that organisations are likely to be regulated under other regimes that require fraud prevention policies. Whilst it is not intended for organisations to duplicate existing work, corporates should be aware that it would not be an acceptable defence to argue that compliance under other regulations means the organisation automatically has “reasonable procedures” as required by the Act.
Due Diligence
When conducting due diligence, companies should take a proportionate and tailored risk-based approach.
For associated persons, this could include using technology to conduct checks into prior professional history, reviewing service contracts to ensure they contain compliance clauses, or monitoring the wellbeing of staff to ensure workload does not incentivise the commission of fraud.
With regard to mergers and acquisitions, it might involve using third-party tools, investigating any regulatory or criminal charges, reviewing tax documentation, identifying the firm’s risk exposure, and assessing its fraud prevention measures.
Communication (Including Training)
Clear communication should ensure that fraud prevention policies are embedded and understood throughout the organisation. This should be enforced across all levels of the organisation, not just by senior management.
It might be necessary for representatives of the organisation to undergo fraud prevention training. Such training should cover the nature of the offences most likely to be committed and should be reviewed and updated as necessary, especially when there are movements by staff.
Organisations should also have suitable whistleblowing procedures. Procedures might include implementing independent whistleblowing reporting channels, signposting whistleblowing arrangements, creating a culture in which people feel confident to raise concerns, and training staff so that they are aware of and understand the processes.
Monitoring and Review
Organisations should monitor and review their fraud prevention procedures and update them if, and when, necessary.
Monitoring includes the detection of fraud, the investigation of suspected fraud, and monitoring of fraud prevention measures.
The nature of the risks that organisations face will likely evolve over time. Organisations will need to respond to such changes by adapting their fraud detection and prevention procedures. The frequency of such reviews will be dependent on the organisation, but they should be conducted at regular intervals and with flexibility to conduct an earlier review if necessary.
What Does This Mean for Businesses?
Failure to prevent fraud will come into force as an offence on 1 September 2025. This gives organisations an opportunity to utilise the practical steps outlined by the Guidance to develop and implement reasonable fraud prevention procedures before the offence comes into effect.
However, the Guidance is not designed to act as a fully comprehensive checklist. Departure from the Guidance does not necessarily mean that reasonable fraud prevention procedures are not in place. Conversely, strict compliance does not in itself guarantee that reasonable procedures have been implemented. Everything will be considered on a case-by-case basis, and those with higher risks for fraud will be expected to address certain issues that others might not be.
Organisations should review, update, and monitor any existing and future fraud prevention procedures. The onus will be on organisations to demonstrate that on the balance of probabilities they have reasonable procedures in place.