The new corporate criminal offence of failure to prevent fraud, in the Economic Crime and Corporate Transparency Act 2023 ("ECCTA"), will come into force on 1 September 2025.
By that date, in-scope organisations will need to have considered, designed and adopted reasonable procedures to prevent their associated persons (employees; agents; subsidiaries) committing acts of fraud intended to benefit the organisation, its parent company or its clients / customers.
The Government Guidance (the "Guidance") issued on 6 November 2024 provides several helpful clarifications and interpretative aids in relation to the offence and its scope. This article highlights and explores some of the most important points in the Guidance, which will be helpful to organisations as the new offence is assessed and prevention procedures are considered and designed.
Our earlier article, available here, sets out the elements of the offence, including the question of which organisations are in scope.
The Guidance makes its status (and limitations) clear in several places:
"While legislation is binding, this guidance is advisory. Moreover, the guidance is not a substitute for reading the legislation or obtaining professional legal advice."
"this guidance is not intended to provide a safe harbour: even strict compliance with the guidance will not necessarily amount to having reasonable procedures where the relevant body faces particular risks arising from the unique facts of its own business that have not been addressed."
"organisations cannot rely on this [overview of the offence] alone and should take legal advice on how the offence affects them."
"Given the large range of legal structures for organisations, this guidance cannot provide details on exactly how the criteria apply to each case. Organisations should take professional legal advice to determine whether they fall into the definition of “large organisation” set out in sections 201-202 of the Act."
Organisations therefore cannot rely on strict compliance with the letter of the Guidance as amounting to a defence to the new corporate criminal offence. Consideration will need to be given to the particular circumstances and risks to which an organisation is subject, with advice being taken where necessary.
The Guidance therefore has a different status to other regulatory or Government-issued guidance. Under the Money Laundering Regulations, for example, an organisation's compliance with FCA and/or Treasury-approved Guidance must be considered by a supervisory authority, in determining whether the organisation has breached a relevant requirement (Regulation 76(6) MLRs 2017).
The Guidance, therefore, while clear and helpful in several ways, cannot be treated by organisations as the singular, or even the most important, input into the process leading to the design and implementation of reasonable fraud prevention procedures.
While most large organisations, particularly regulated financial services firms, will already have sophisticated anti-fraud policies and processes in place, the clear steer in the Guidance is that doing nothing, or relying exclusively on existing procedures or processes, will not generally allow an organisation to avail itself of the “reasonable prevention procedures” defence.
“In some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment”
“Any decision not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who made that decision”
“it should be noted that merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud.”
“It is not necessary or desirable for organisations to duplicate existing work. Equally, it would not be a suitable defence to state that because the organisation is regulated its compliance processes under existing regulations would automatically qualify as ‘reasonable procedures’ under the Economic Crime and Corporate Transparency Act.”
The indication that the duplication of work should not be required is important. However, this must be read in context; it is very difficult to imagine an organisation that has done nothing in response to the new offence being able to satisfy a prosecutor that it has in place reasonable prevention procedures within the meaning of the ECCTA.
As a minimum, the entry into force of the new offence in September 2025 should prompt organisations to conduct a thorough review of their fraud risk assessment(s), the categories and numbers of their associated persons, and the existing procedures that are in place to prevent fraud, and to record (if this is the case) why these are considered to be reasonable for the purposes of the new offence.
The same point – in relation to existing work – is reiterated in the Guidance in the context of what is said about the Corporate Governance Code:
"Where the principal risks and controls reported on under the Code concern fraud risks identified in the risk assessment for the offence of failure to prevent fraud, there is no need to duplicate that work.
However, in practice, they may not cover all the fraud prevention measures that should be considered for the purposes of the offence. In short, compliance with the Code may contribute to an organisation’s defence of “reasonable procedures” in the context of the offence, but is not sufficient, on its own, to constitute that defence."
And in relation to audit:
"an audit alone cannot constitute sufficient defence against an accusation of failure to prevent fraud."
The definition of "associated person" for the purposes of the failure to prevent fraud offence is set out at s.199(7) ECCTA (summarised in our earlier article, here). The Guidance provides a number of helpful, additional aids to interpreting that definition:
An organisation will be liable under the new criminal offence where one of its associated persons commits an offence intending to benefit (whether directly or indirectly) the relevant body, any parent organisation, or the organisation's client or customers.
The Guidance provides helpful clarification on the nature of the required intention to benefit:
Section 199(3) of ECCTA provides that the relevant organisation is not liable if it is a victim or intended victim of a fraud.
"Victim" is not defined in ECCTA. However, the Guidance notes that the concept would apply, "if the loss caused, or intended to be caused, by the fraud would be borne by the organisation, or the fraud was committed with intent to harm the organisation."
The Guidance also restricts the notion of "victim" and the circumstances in which an organisation can claim to be a "victim" of a fraud, to avoid prosecution for failure to prevent the fraud:
"an organisation would not be a “victim” only because it suffered indirect harm as a result of the fraud by an associated person (for instance, because revelation of the fraud damaged the organisation’s reputation).
For the avoidance of doubt, an organisation cannot claim that the consequences of being charged with the offence of failure to prevent fraud constitute being a victim of the fraud."
In our earlier article (here) we considered how the new offence can be committed by overseas companies (i.e. those incorporated and/or headquartered outside of the UK). We also considered how liability can attach within a group of companies: to whichever individual legal entity was responsible for failing to prevent a fraud, or to a parent company where a fraud was committed by the associated person of a subsidiary with the intention of benefiting the parent, if the parent did not take reasonable steps to prevent it.
The Guidance adds the following important points of clarification in relation to groups of companies:
Internal investigations are conducted increasingly frequently by organisations in response to (inter alia) evolving regulatory expectations, an increase in the breadth of matters which the regulator might require be investigated, the increasing prevalence and diversity of fraud, increases in whistleblowing and reporting of suspected wrongdoing, investor expectations, and ESG imperatives.
There is also a widespread understanding, based on publications such as the Deferred Prosecution Agreements Code of Practice, the FCA's Enforcement Guide, and regular speeches given by regulators and prosecutors, that the commission of a prompt and independent investigation and report of the outcomes can lead to better regulatory and/or criminal law outcomes for corporates. Conversely, a failure to investigate, or a failure to investigate independently or thoroughly, can lead to negative regulatory outcomes. It is harder to justify a decision to let matters lie than ever before.
The significance of internal investigations is noted in the Guidance, in the section "Monitoring and Review", which contains a short but potentially significant sentence, that appears to define what a "reasonable" investigation of fraud would entail:
"Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice), and legally compliant. Investigations should strive to be fair to all parties."
The same section sets out a number of what might be termed "self-assessment questions" for organisations to ask in respect of their approach to investigations. These include:
"Who authorises the investigations? Are decisions to investigate documented?
What factors determine whether the investigation is internal or whether an external investigator is appointed?
What arrangements are in place to ensure that internal investigations are independent?"
Although the notion of investigating fraud may be assumed to be reactive as opposed to preventative, the Guidance helpfully highlights that investigations can be an important means of detecting frauds (and thus stopping them and preventing their recurrence), of learning lessons to prevent frauds in the future, and of testing the efficacy of existing risk assessments and anti-fraud processes and procedures.
The Guidance sets out six principles that are intended to help organisations work towards the creation of reasonable prevention procedures before 1 September 2025.
The principles, and practical steps that can be taken now to work towards that necessary end, will be the subject of a second article in this series, to follow later this month.
If you would like to discuss your project to adopt reasonable fraud prevention procedures, please get in touch.