The Clock is Ticking on the UK’s New ‘Failure to Prevent Fraud’ Offence: We Now Have Guidance and a Deadline

Viewpoints
November 7, 2024

On 6 November 2024, the UK Government published the long-awaited guidance on the new corporate criminal ‘failure to prevent fraud’ (FTPF) offence (the “Guidance”). The FTPF offence was introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) in October 2023, but is not yet in force – firms have been waiting for the publication of guidance, which has now kicked off a transition period before the offence takes effect on 1 September 2025.

In a nutshell

The publication of the Guidance means that the FTPF offence will take effect from 1 September 2025, giving organisations just ten months to assess, enhance, and/or implement reasonable and proportionate policies, procedures, and systems and controls to detect and prevent a wide range of fraud offences.  

The basics of the FTPF offence

  • Offence: Organisations will be liable for failing to prevent the commission of a range of specified fraud offences by their employees, agents, subsidiaries or other “associated persons” who provide services for or on behalf of the organisation, where the fraud was committed with the intention of benefiting the organisation or their clients (i.e. a person to whom services are provided on behalf of the organisation). There is no need for prosecutors to prove that the organisation’s senior managers or directors ordered or knew about the fraud.
  • Parallel/related offending: While the FTPF offence is a corporate one and does not entail individual liability for persons who may have failed to prevent the fraudulent behaviour, the employee/agent who committed the specified fraud, and/or anyone who encouraged or assisted them, may be prosecuted for those acts, in addition to the corporate’s prosecution for the FTPF offence. 
  • Application: Unlike the UK Bribery Act’s ‘failure to prevent bribery’ offence, the FTPF is limited in application to ‘large’ organisations (including partnerships, NGOs, charities, and public bodies), which satisfy two of the following three conditions in the financial year preceding the fraud offence:
    • Turnover above £36 million;
    • Total assets (balance sheet total) above £18m; or
    • More than 250 employees (i.e. employed under contracts of service).

These thresholds apply to the organisation as a whole, including subsidiaries, and regardless of where its headquarters or subsidiaries are located. 

  • Extra-territorial scope: The FTPF offence will catch UK and non-UK organisations, and much will turn on the specific facts of a case. The FTPF offence bites where part of the offence takes place in the UK (e.g. meetings, communications), where there has been a gain in the UK, or there are victims in the UK (e.g. investors or counterparties). The Guidance is clear that:
    • non-UK organisations could be prosecuted if an employee/associated person commits fraud in the UK; and
    • UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus will not be caught by the FTPF offence – that would be a matter for law enforcement authorities abroad.
  • Defence (reasonable procedures): Organisations will have a defence if they can demonstrate that they had ‘reasonable fraud prevention procedures’ in place at the time the fraud was committed.

Overview of the guidance

The Guidance is high-level and non-prescriptive, and highlights the need for organisations to tailor their fraud prevention framework to the particular risks in their operations. The Guidance sets out six principles, which are intended to be flexible and outcome-focused, to cater for the wide range of risks and circumstances that may exist for different organisations. To be reasonable, procedures should always be proportionate to the risk.

Snapshot of the six principles

1. Top level commitment

  • Senior management has a leadership role in fraud prevention. The Guidance notes that this would likely include:
    • maintaining clear governance and reporting structures in relation to the fraud prevention framework
    • allocating reasonable and proportionate budget for leadership, staffing and implementation of the fraud prevention plan, including training
    • communicating and endorsing its fraud prevention commitments, with clear consequences for non-compliance
    • fostering an open and ethics-focused culture where staff ‘speak up’ on fraud concerns

2. Risk assessment

  • The organisation assesses the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud. This can be an extension of existing economic crime risk assessments.
  • The risk assessment is dynamic, documented and regularly reviewed and updated.
  • The Guidance proposes that organisations start by identifying the typologies of the particular associated persons they encounter, taking into account the ‘fraud triangle’ in respect of each:
    • Opportunity: areas of weak controls, or inadequate oversight
    • Motivation: financial stress, unreasonable targets, misaligned incentives
    • Rationalisation: perception of fraud as victimless, culture of resentment

3. Proportionate risk-based prevention procedures

  • The organisation’s fraud prevention framework is proportionate to the fraud risks it faces, the associated potential impact, and to the nature, scale and complexity of the organisation’s activities
  • The framework of procedures must be clear, practical, accessible, effectively implemented, and enforced.
  • The Guidance warns regulated organisations that they cannot assume that any existing processes and procedures in place to ensure compliance with other regulations will automatically qualify as ‘reasonable procedures’ for the FTPF offence: organisations must assess whether existing regulatory compliance mechanisms, financial reporting controls, and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment, and take steps to enhance, change, or supplement them.

4. Due diligence 

  • The organisation applies due diligence (DD) procedures (taking a proportionate and risk-based approach) in respect of persons who perform, or will perform, services for or on behalf of the organisation, in order to mitigate identified fraud risks. The DD procedures should be proportionate to the identified risk, and regularly reviewed and updated.
  • The Guidance warns that merely applying existing DD procedures (tailored to a different type of risk) will not necessarily be an adequate response to the risk of fraud.
  • Best practice is stated to include using appropriate technology (e.g. third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status, vetting checks, etc.) and carrying out culture checks, by monitoring the well-being of staff and agents to identify indicators of stress, target-related or workload pressure, etc., which may increase fraud risk.

5. Communication (including training and whistleblowing) 

  • The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication.  
  • Training is key: it should be proportionate to the risk faced, regularly updated and refreshed. 
  • Some organisations may wish to incorporate training into their existing financial crime prevention training, while other organisations may wish to introduce bespoke training to address specific fraud risks, with tailored or additional training for persons considered to be in positions at high risk for fraud prevention purposes.
  • Training should include ensuring that staff and other associated persons are familiar with whistleblowing policy and procedures, which should be suitably robust for the risks identified in its risk assessments.
  • The Guidance notes that it is good practice to monitor the effectiveness of training programmes and to ensure that they are kept up to date, particularly as staff move

6. Monitoring and review

  • The fraud prevention framework must be dynamic and evolve in line with the risks faced. The organisation must monitor and review its fraud detection and prevention procedures and make improvements where necessary.
  • This includes learning from and acting to enhance procedures based on lessons from investigations and whistleblowing incidents, and from reviewing information from its own sector.
  • The Guidance notes that monitoring of fraud prevention measures might include: 
    • monitoring financial controls; updates to procedures (e.g. DD procedures); updates to contractual clauses for associated persons; 
    • collecting data on fraud prevention training attendance and testing; and
    • using data analytics tools or even AI to identify potential frauds, where appropriate. 
  • The Guidance highlights the need for:
    • Investigations into suspected fraud to be independent, appropriately scoped, and properly resourced (in skills and budget)
    • Robust whistleblowing frameworks and a culture of openness
    • Collation and verification of management information on the effectiveness of the fraud prevention measures for consideration by the board

Next steps

  • Enlist top level commitment and focus to ensure that commitment to fraud prevention is prioritised and that appropriate budget and resources are allocated to implementing the changes needed to create a fraud prevention framework that is reasonable and proportionate to the organisation’s risk. 
  • Conduct a comprehensive risk assessment, which focuses on the fraud risk faced by the organisation as a whole, and assesses whether and how any existing fraud risk management framework may need to be changed or supplemented. 
  • Create a fraud prevention plan that is reasonable and proportionate to the risks identified in the risk assessment. This plan should:
    • Outline a clear timeline for changes to policies, procedures, training, communications, and the various systems and controls necessary for monitoring, detecting, and preventing fraud and the risk of fraud by employees or associated persons; and
    • Involve appropriate multi-functional consultation and collaboration – fraud has touchpoints in many functions (e.g. finance, compliance, HR, data/IT, legal etc.) and all of these teams will need to have involvement in the changes to policies, procedures, controls, training, etc. 
  • Assess (and update) the organisation’s whistleblowing framework, and update communications and training to ensure that staff and other stakeholders are aware of how to report concerns related to fraud.
  • Assess (and update) the organisation’s internal investigations procedures to ensure that there is adequate provision for, and competence in, investigating the wide range of fraud offences specified in ECCTA.

A final thought – the FTPF offence in context

It is important to see the FTPF offence as part of:

  • A broader reform of the UK’s corporate criminal liability regime, including, most notably, ECCTA’s overhaul of the ‘identification doctrine’ (whereby prosecutors no longer need to prove involvement by persons representing the ‘directing mind and will’ of the corporate, but by a broader population of ‘senior managers’), which is expected to render corporate prosecutions more likely and more effective than has historically been the case; and
  • Increasing focus on corporate culture by UK regulators and authorities. The primacy of corporate culture was stressed in the Guidance, and the UK Government has repeatedly stated that it intends the FTPF offence to drive a major shift in corporate culture as a means of reducing fraud. Assessing culture and culture-related data is a complex and specialised area, but it is one in which our R&G Insights Lab (a multidisciplinary team of data experts and behavioural scientists) excels! To learn more about how we help clients with culture reviews and related procedural changes, click here.

R&G Insights Lab's culture assessments allow you to systematically measure organisational culture and drive change by drawing on the latest developments in scientific research. The Lab's multidisciplinary team of behavioural scientists, regulatory specialists, and data experts work with clients to develop impactful, quantitative, and qualitative assessments and change-initiatives. Get in touch with us to find out more. 
