
Failure to prevent fraud: UK Finance Guidance for the financial services sector

Services | 28/02/2025

UK Finance is the leading industry body for financial services in the UK, representing more than 300 firms providing finance, banking, markets and payments-related services in or from the UK. Its members include major domestic and international banks and other international, domestic and regional banks and non-banks, including retail and wholesale firms.

It has recently published guidance (the "UKF Guidance") for the financial services sector in relation to the "Failure to Prevent Fraud" offence (the "FTP fraud offence").

The UKF Guidance aims to set out non-statutory, sector-specific guidance for the purposes of interpretation of the FTP fraud offence and sets out examples of: (i) reasonable prevention procedures; and (ii) circumstances in which it would not be reasonable for a firm to have prevention procedures in place.

The UKF Guidance is distinct from the statutory Guidance issued by the UK Government in November 2024 (the "Government Guidance") under section 204 of the Economic Crime and Corporate Transparency Act 2023 ("ECCTA").

The Failure to Prevent Fraud Offence

By way of reminder, the FTP fraud offence under Sections 199 to 206 of ECCTA makes an in-scope firm potentially criminally liable if it fails to prevent a "fraud offence" committed by a person associated with that firm (an "associate" as defined). It is irrelevant whether or not the firm was aware of the misconduct.

Our prior e-alert on the scope and elements of the FTP fraud offence can be found here.

Our e-alert from January 2025 on the Government Guidance can be found here.

What does the UKF Guidance say?

Associates – which third-parties are not associates?

Persons who are providing services to the firm (e.g. stationery suppliers or external lawyers, valuers or accountants) are not acting “for or on behalf” of the firm and are therefore not associates. However, care should be taken with relationships that a firm records as “suppliers” on its internal systems, but which in fact provide services for or on behalf of the firm.

To illustrate this, the UKF Guidance refers to a situation where a firm uses a third party to perform customer onboarding, vetting and due diligence services on behalf of the firm. The firm onboards the third party through its supplier procurement processes and manages the relationship as a supplier relationship. However, it might be determined that the third party is in fact providing services on behalf of the firm for the purposes of the FTP fraud offence.

Appendix C to the UKF Guidance identifies a list of what it calls Non-Associated Person Roles, which includes:

  • Third parties recommended by the firm but appointed by an investor – where an investor asks for a recommendation for a third party to act on their behalf and the firm provides them with a referral, any party who the investor appoints will be an associated person of the investor;
  • The firm’s co-advisors on an M&A deal – the client is given advice by the co-advisors, but the co-advisors do not and cannot act or provide services on behalf of the firm;
  • The firm’s co-lead managers, bookrunners, global co-ordinators, underwriters on an equities capital markets or debt capital markets transaction – where their duties and obligations are owed to the client and not to the firm;
  • The firm’s co-lead arrangers or underwriters/ original lenders on a loan financing – they are not providing services on behalf of the firm, even if the firm enters into a contractual arrangement with them;
  • Service providers critical to deal mechanics, including but not limited to registrars, receiving agents, depositaries, listing agents, calculation agents and/or conversion agents – they provide services to the firm or to the customer on their own account;
  • The facility agent and/or security agent appointed on a loan transaction when the firm is a lead arranger/underwriter – they take instructions from the lenders but do not act on behalf of the firm;
  • Any third parties who have been appointed by the client to provide due diligence reports in the context of an M&A or financing transaction (whether or not the firm can rely on that report);
  • Any auditors/accountants appointed by the client who issue comfort letters in the context of a capital markets transaction – they owe their primary obligation to the client and do not take instructions from or act on behalf of the firm;
  • External counsel appointed by the firm (incl. legal counsel and tax advisors) – external counsel provide a service/advice to the firm and are not providing services on behalf of the firm, even if they hold the firm’s power of attorney to finalise the documentation;
  • A receiver appointed by the firm – a receiver owes a duty of good faith to the entity that is insolvent separate to any obligation to the firm, but they do not act on behalf of the firm;
  • Others e.g., PR agents, data room providers, printers, roadshow coordinators – all are providing services to the firm or to the customer on their own account.

Associates – which third parties may be associates?

In contrast, the UKF Guidance notes that third parties can be an associated person while they are providing services or products on behalf of the firm. In the context of the financial services sector, a service could include:

  • Customer relationship management;
  • Payment services;
  • Sales and distribution services;
  • Advisory services;
  • Fund management services;
  • Discretionary or execution-only investment services;
  • Custody services;
  • Arranging, agent/trustee, underwriting and/or placing services;
  • Brokerage services; and
  • Trust and fiduciary services.

Providing a product (i.e. the financial services equivalent of ‘goods’) could include:

  • Bilateral counterparty arrangements (such as for wholesale or treasury management purposes);
  • OTC (over the counter) transactions;
  • Providing lending facilities/loans to borrowers;
  • Providing receivables financing;
  • Taking security over the assets of a debtor;
  • Providing letters of credit or other forms of trade finance;
  • Providing access for customers to the firm’s own technology products or platforms;
  • Providing and/or underwriting an insurance policy or investment product; and
  • Operating a pension scheme.

Employees

The UKF Guidance indicates that even if a fraud offence is committed by an employee of the firm, a Court may hold that they are not “an employee” for the purposes of creating corporate criminal liability for their employer if the acts are undertaken outside of the scope of their employment. The question is whether or not the employee is carrying out acts of the same kind as those that are within their authority. However, an employer's sanction could be implied by action or inaction, e.g. turning a blind eye to known activities.

Territorial reach

Can fraud offences committed outside the UK trigger the FTP fraud offence?

The UKF Guidance indicates that if there is jurisdiction to prosecute the underlying fraud offence, there will be jurisdiction to prosecute the FTP fraud offence.

This means that, in respect of in-scope firms, the FTP fraud offence only applies where the fraud has a UK nexus, meaning, for example: where the fraud offence is committed in whole or in part in the UK (such as where the fraud offence is committed by a UK-based person, is intentionally targeted at a victim in the UK or relates to providing false information to a UK market), or where actual gain or loss occurred in the UK. As the Government Guidance notes, if no part of the base fraud took place in the UK, then there is only a UK nexus if actual gain or loss occurs in the UK, not just intended gain or loss.

The Government Guidance also indicates: “the [FTP fraud] offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus. This would be a matter for law enforcement in the country concerned.”

The UKF Guidance indicates that, in the context of financial services sector groups, this means:

Non-UK firms – a non-UK firm may be liable under the FTP fraud offence if the fraud offence has a UK nexus, regardless of whether or not that non-UK firm has a UK branch or subsidiary.

UK branches – a UK branch would be considered to be part of the legal entity as a whole for the purposes of the assessment as to whether or not it is an in-scope firm. A fraud offence committed by or intended to benefit the branch would be potentially in-scope of the FTP fraud offence. However, an underlying fraud offence committed entirely outside the UK by another part of its non-UK legal entity (and which is not intended to benefit the branch) would not have a UK nexus for the purposes of assessing the application of the FTP fraud offence.

UK headquartered international groups – UK headquartered firms will not generally be liable for their overseas employees or subsidiaries in relation to fraud that takes place entirely abroad (i.e. where there is no UK nexus).

Intention to benefit

Generally speaking, for the FTP fraud offence to apply, a firm's employee, agent or other associate must have committed a fraud with the intention to benefit either the firm or customers of the firm (including where the associate provides services to those customers through a subsidiary on behalf of the firm).

Where an employee of a subsidiary of a large parent organisation commits a fraud intending to benefit the parent company, the parent can be prosecuted.

The onus of proving both intention and benefit lies on the prosecution beyond reasonable doubt. In ordinary language, a person ‘intends’ to cause a result if they act in order to bring it about. It is immaterial that the chances of success are small.

The UKF Guidance states that "intention" may be inferred when the associated person foresaw that it was a virtually certain consequence of their actions that the firm or its customer would benefit from their actions, even if it was not their purpose to cause that result.

The UKF Guidance also indicates that, although the Government Guidance states that intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud[1], benefit that was not deliberate and that was an uncertain, or unknown, consequence of the act would not be sufficient to create liability for the firm under the FTP fraud offence. It adds that although ECCTA refers to indirect benefit, "this does not mean that an incidental or accidental benefit is brought into scope – there must be an actual or inferred intent to indirectly benefit".

In a financial services context, the UKF Guidance states that it may not be apparent for many years following a fraudulent act whether the firm has or has not benefitted; so in deciding whether there has been a business advantage, it would be necessary to consider whether the associated person foresaw that loss or harm would arise in the future.

The UKF Guidance indicates, in particular, that there may be reasonable doubt that an intention to benefit existed where the firm can show that the associated person knew or suspected that the firm would in fact suffer negative consequences such as where, for example, the firm is likely to be required by law or regulation to reimburse an impacted customer, or where the firm is likely to suffer reputational damage that adversely impacts on the value of the firm. It is suggested that depositing proceeds of any such activity into an account held by the associated person with the firm is unlikely to be sufficient to imply an intent to benefit the firm.

Exceptions and defences

A firm will not be guilty of the FTP fraud offence if the firm itself either: (i) was; or (ii) was intended to be, the victim of a fraud. Where an employee conspires with the customer to defraud their employer, the firm is not liable. This is referred to as the "victim exemption" in the UKF Guidance.

It is a defence if, at the time the fraud offence was committed, either the firm: (i) had in place reasonable prevention procedures; or (ii) it was not reasonable in all the circumstances to expect the firm to have any prevention procedures in place. Here, the burden of proof shifts to the firm, but the standard of proof is only on the balance of probabilities. What is "reasonable" depends on the knowledge and understanding that it was reasonable to expect the firm to have at the relevant time, and not on the basis of hindsight.

Overlap with other regulatory requirements

The UKF Guidance indicates that activities undertaken by firms to meet the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("ML Regs") (including as clarified in the Joint Money Laundering Steering Group ("JMLSG") guidance) will form part of the reasonable prevention procedures for firms in respect of the FTP fraud offence. There is no expectation that activities under each regime be performed twice or differently for the purposes of reasonable prevention procedures. This includes the elements of activities such as customer due diligence, ongoing monitoring and terminating business relationships which the firm has identified as being met by its money laundering prevention procedures.

Reasonable prevention procedures

The UKF Guidance indicates that there are six core principles, in line with Financial Conduct Authority's ("FCA") expectations for effective control frameworks, that ought to inform a firm's reasonable prevention procedures:

1. Risk assessment, that in turn informs:

2. Proportionate policies and procedures commensurate to the risk;

3. Due diligence;

4. Communication (training);

5. Monitoring and review.

Each of which is supported by:

6. Top level commitment ("tone from the top").

Risk prevention procedures must be reasonable and proportionate in all the circumstances, having regard to that firm’s risk exposures.

1. Risk assessment – this must be specific to the firm’s perceived risks of associated persons committing a fraud offence; the risk assessment should be proportionate to the organisation’s size, nature and complexity, and it should be documented and kept up to date. A risk assessment that has the following features would be reasonable:

  • Areas of risk – identifying and assessing the risk of activities, departments, and/or roles held by associated persons, to identify which pose a higher (and lower) risk of committing fraud with intention of benefitting the firm or a customer of the firm through the service they perform on behalf of the firm.
  • Territorial scope – consideration of the territorial scope of the FTP fraud offence, with respect to the FTP fraud offence only triggering when there is a UK nexus to the underlying fraud offence.
  • Levels of risk – a determination of the level of risk exposure across those activities, departments, and/or roles, informed by the effectiveness of the control environment and prevention procedures in place to prevent fraud (e.g. staff vetting and screening, clear anti-fraud messaging from top-level management).
  • Ownership – a clear assignment of ownership and responsibility for the risk assessment framework, the performance of the risk assessments and the delivery of any resulting actions.
  • Documentation and integration – the risk assessment process, conclusions and any resulting actions, should be clearly documented.
  • Review – the risk assessment should be reviewed on a periodic basis. As for other risk-based controls, ad hoc reviews of the risk assessment (outside of the normal periodic basis) should be performed where new information is discovered which might reasonably be considered material.

2. Proportionate prevention procedures – reasonable prevention procedures will be proportionate to the risk identified in the risk assessment. The FTP fraud offence does not require firms to undertake excessively burdensome procedures in order to eradicate all risk or necessarily to do more than they already do under existing legal or regulatory requirements. Leveraging existing regulatory requirements might also be reasonable for the purposes of the FTP fraud offence. Firms will likely have proactively sought to address the risk of fraud to them or their customers under existing FCA principles and rules.

The UKF Guidance specifically points to examples of reasonable prevention procedures for:

  • Managing associated persons who provide distribution services;
  • Fund management – reasonable prevention procedures for managing transfer agent relationships;
  • Reports to the market and reports to regulatory authorities;
  • Reasonable prevention procedures for employees or agents e.g., Code of Conduct, screening and vetting;
  • Conflicts of interest – managing the risks arising through conflicts of interest;
  • Mandatory leave;
  • Market abuse controls;
  • MiFID and UK MiFIR – false misstatement and dishonesty controls that are implemented in accordance with the requirements of MiFID or MiFIR;
  • Whistleblowing – whistleblowing procedures established in line with the expectations of the FCA set out in SYSC 18;
  • SM&CR, remuneration code and conduct rules; and
  • Three lines of defence – the three lines of defence model provides a basis for implementing reasonable, risk-based, periodic testing and review of the effectiveness of the firm’s prevention procedures.

For groups based or headquartered in the UK, the Government Guidance notes that steps a firm might take to prevent fraud by subsidiaries might include group level policies or training and ensuring that there is a nominated person responsible for fraud prevention in each subsidiary.

The UKF Guidance itself indicates that where a firm is a subsidiary of another in-scope firm (an in-scope parent) and the in-scope parent has implemented reasonable prevention procedures by way of a group control framework, the subsidiary may not need to establish its own, separate prevention procedure.

3. Due diligence – due diligence procedures are both a form of fraud risk assessment and a means of mitigating risk. Due diligence should be applied on a risk-sensitive basis. Due diligence related to fraud prevention will often form part of a wider due diligence framework. In the context of third party associated persons, firms should apply risk-based due diligence when establishing and reviewing third party relationships.

4. Communication (training) – this includes training being risk-based, such as general training on the code of conduct and the firm's fraud prevention policies, supplemented by role-based, tailored training and enhanced/supplemental training for higher risk roles, departments and/or activities. Training on the FTP fraud offence does not need to be a separate training course. Firms may consider it appropriate to leverage existing training. Firms may include a review of their existing fraud facilitation training and awareness programmes of higher risk third party associated persons as part of their prevention procedures.

5. Monitoring and review – the FCA expects firms to operate a cycle of continuous review and enhancement of their compliance programmes, and this will include in respect of the FTP fraud offence. Firms may use their existing oversight structures, including committees and audit functions, to drive forward their programmes via appropriate, regular review. In identifying emerging risks, existing measures in place (e.g. those for detecting fraud or attempted fraud) may be focussed on fraud against the firm, and so firms should consider how these might be extended to frauds that might be intended to benefit the firm or its customers.

6. Top level commitment – senior (executive) managers may wish to issue a statement of commitment to the prevention of associated persons of the firm committing a fraud offence. This may form part of the general senior commitment to preventing financial crime and other wrongdoing as part of the corporate culture. For financial services firms, an expectation for documentation of accountability will likely mean making specific reference to failure to prevent fraud in the accountabilities mapping for relevant holders of senior management functions under the FCA’s senior managers regime.

Circumstances where it is not reasonable to expect firms to have prevention procedures in place

The UKF Guidance also sets out risks for which it would not be reasonable in all the circumstances for financial services firms to have prevention procedures in place. These include:

  • In-scope firms providing services entirely outside the UK;
  • Certain associated persons. The following types of relationship likely represent no or almost no risk to the firm in the context of the failure to prevent fraud offence:
    • Distributors who are subject to MiFID II requirements, or equivalent regulatory controls. This is because MiFID II directly imposes a control framework on the distributor which represents a reasonable prevention procedure for the purposes of the FTP fraud offence;
    • Persons who perform services for the firm on an execution-only basis at the instruction of the firm. This is because the execution-only nature of these roles means that the service provider is only entitled to follow the express instruction of the firm and cannot apply any element of discretion on its own account;
    • Single-purpose relationships, such as syndicated agents or account banks appointed by lenders. This is because these relationships (and the terms and conditions between the parties) are determined by the customer, and not by the firm; and
    • Providers of markets and exchanges. This is because the services provided by these providers are for the benefit of the market as a whole so that individual firms can execute trades directly with each other. As a result, any fraud activity that is undertaken by firms using the market or exchange in question would be execution-only in nature, so any such activity performed by the provider of the market or exchange itself would be for its own account. Other more specific examples are also given.

Commentary

The UKF Guidance is non-binding and non-statutory. It does, however, provide helpful, sector-specific guidance for FCA/PRA authorised firms operating in the financial services markets. One might wonder how much weight would be given to it if reliance were to be placed on it in proceedings. The UKF Guidance itself notes that, "If there is a conflict between this sector-specific guidance and the Home Office guidance, the [Government] guidance will take priority".

It will be a significant task to digest and take account of the underlying legal provisions and two sets of detailed guidance. It is also necessary to start to take steps towards implementation, to be completed by 1 September 2025 when the FTP fraud offence comes into effect.

[1] The Government Guidance asserts that the FTP fraud offence can apply where the fraudster's primary motive was to benefit themselves, but where their actions will also primarily benefit the organisation. A footnote adds "In the event that the benefits of the fraud accrue to both the individual fraudster and the organisation, there is no threshold in the legislation below which the organisation is deemed not to have benefitted from the fraud. However, prosecutors will apply a public interest case before proceeding with prosecution."
