Failure to prevent fraud: New Year’s resolutions for corporates

In 2023, Parliament introduced a new corporate criminal offence of “failure to prevent fraud” under section 199 of the Economic Crime and Corporate Transparency Act 2023.  That legislation was followed by Government guidance, published at the end of last year, as to the measures that organisations will be expected to take if they want to avail themselves of the “reasonable prevention procedures” defence (the “Guidance”).

The Offence: failure to prevent fraud 

We reviewed the scope and detail of the new offence, as well as a change in the approach to attributing criminal liability to corporates for economic crimes, in our update here: Burges Salmon - Corporate Crime & Investigations - New Approach to Corporate Criminal Liability & New Offence of Failure to Prevent Fraud (burges-salmon.com). 

In short, a “Large Organisation” can be guilty of an offence if an “Associate” commits a “Fraud Offence” intending to benefit that organisation or its clients. As to the key elements of the offence:

• A “Large Organisation” is a partnership or corporate which satisfies two or more of the following: (i) more than 250 employees, (ii) more than £36 million turnover, (iii) more than £18 million total assets.  In some circumstances, members of corporate groups which satisfy two or more of those conditions can also commit the offence.
• An “Associate” will include employees, agents, subsidiaries and their employees and anyone else who performs services for or on behalf of the organisation.
• “Fraud Offences” include cheating the public revenue, false accounting, false statements by directors, fraudulent trading, fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, participating in fraudulent business carried on by a sole trader and obtaining services dishonestly.[1]

The offence can be committed by non-UK organisations if the underlying fraud involved a UK nexus.[2]

An organisation convicted of the failure to prevent fraud offence faces an unlimited fine.  Note that a relevant body will not be guilty of the offence if it was (or was intended to be) a victim of the underlying fraud offence and where it was not intended to benefit from that offence.

The new offence is due to come into force on 1 September 2025 and will present brand new risk areas for organisations, big and small.  See further below.

The Defence: “reasonable prevention procedures”

Where a relevant fraud has been committed, an organisation will have a complete defence if it can prove that, at the time the fraud offence was committed, (i) it had in place procedures to prevent associates from committing fraud offences as it was reasonable in all the circumstances to expect (“reasonable prevention procedures”) or (ii) it was not reasonable in the circumstances to expect it to have any prevention procedures in place.  The Guidance outlines six guiding principles which will be familiar to those already managing anti-bribery and anti-tax evasion compliance programmes:

1. Top level commitment.  It is vital that senior management takes a role in fraud prevention and fosters a culture within the organisation in which fraud is never acceptable; that is likely to involve communication of anti-fraud policies, ensuring clear governance of a fraud prevention framework across the organisation, commitment to training and resourcing, and leading by example.
2. Risk assessment.  The expectation is that organisations will conduct assessments to identify their specific fraud risks.  The scope of an assessment will vary but the Guidance suggests that a starting point may be to identify persons who may be an “Associate” of the organisation (for the purposes of the offence) and the circumstances under which those Associates could attempt a fraud.  The risk assessment should be documented and kept under regular review.
3. Proportionate risk-based prevention procedures.  Organisations should draw up a fraud prevention plan, the scope of which should be proportionate to the level of risk identified in their risk assessment.  The Guidance specifically recommends that organisations should have appropriate whistleblowing programmes.  To avoid duplication of work, organisations are advised to assess whether their existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified. Our expectation is that that will rarely be the case.
4. Due diligence.  Linked to the above, organisations will need to consider and apply due diligence processes on persons who perform or will perform services for or on their behalf (i.e. their Associates).
5. Communication, including training.  Organisations will be expected to ensure a clear articulation and endorsement of their anti-fraud policies, with appropriate communication from all levels within the organisation.  It will often be appropriate to require employees (and, perhaps, other Associates) to undergo regular training so that those policies are well understood and embedded in the organisation’s culture.
6. Monitoring and review.  Organisations must monitor and review their fraud detection and prevention procedures on an ongoing basis and update them where necessary.  This includes learning from investigations and whistleblowing incidents and reviewing information from their own sector.

The Guidance is very clear that “reasonable prevention procedures” will need to be bespoke to each organisation.  Even strict compliance with the Guidance will not necessarily amount to having reasonable prevention procedures where the relevant organisation faces particular risks arising from the unique facts of its own business that have not been addressed. Conversely, departure from the Guidance will not necessarily mean that the defence is not available.  Whether procedures are “reasonable” or not will be determined by the courts by reference to the specific facts of each case.

What should organisations do now?

Organisations have until 1 September 2025 to get their houses in order.

While the offence currently only applies to “Large Organisations”, it is highly likely all those within the scope of the offence will expect business partners to have their own “reasonable prevention procedures” in place, not least as small organisations may be “associates” while they provide services for or on behalf of Large Organisations.  Businesses of all sizes are therefore getting themselves set for the new offence. 

While organisations will need to consider each of the six principles above, it seems to us that the priority must be to conduct a thorough risk assessment.  The MOJ Guidance notes: “In some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment.”  Risk areas for businesses which we have been discussing with clients include:

• Sales & Marketing functions: Risk of untrue (or misleading) statements to customers, particularly in the context of competitive negotiations or tenders.
• Investor Relations and fund-raising: Risk of allegations by investors of untrue (or misleading) statements to market, even if no investments are secured by those statements. 
• Procurement functions: Risk of untrue (or misleading) statements to suppliers, particularly in the context of competitive negotiations or tenders.
• Supply chains: Risk of suppliers or distributors making untrue or misleading statements on your behalf upstream or downstream in your supply chain.
• Geographies: Some overseas markets will carry higher fraud risks than others.

Organisations will need to work with their internal and/or external legal and compliance teams to update their existing compliance procedures (or implement new compliance procedures) to mitigate those risks identified, in accordance with the principles explained above.  Actions are likely to include:

1. Reviewing and updating policies, guidance and training materials – particularly those dealing with bribery, corruption, fraud and any other form of economic crime – to ensure that they flag clear prohibitions on fraudulent conduct.
2. In relation to third parties identified as potentially being “Associates” (who will include employees, agents and subsidiaries):
   1. Considering whether to update due diligence checks on those parties (the Guidance suggests using appropriate technology including, for example, third-party risk management tools and screening tools); and
   2. Reviewing contracts with those providing services, to include appropriate obligations requiring compliance and ability to terminate in the event of a breach where appropriate. 
3. Reviewing approaches to investigation of and reporting of corporate/employee wrongdoing, both:
   1. Internally – Ensuring an effective whistleblowing facility for reports of allegations or suspicions of fraud.  Responsibility for whistleblowing arrangements should be designated to board level management.  Organisations will also consider their processes for triggering and conducting internal investigations (and related internal reporting).
   2. Externally – Reviewing processes for assessment and reporting of wrongdoing to criminal, regulatory and other external authorities.

If you would like to discuss the implications of these developments and the steps your business might take to mitigate the consequent risks, please contact Guy Bastable, Andrew Matheson or Sam Aldous in Burges Salmon’s Corporate Crime & Investigations team.

[1] Relevant offences include aiding, abetting, counselling or procuring the commission of the listed offences.  The Secretary of State has the power to add further offences to the list, including money laundering offences.

[2] i.e. where one of the acts which was part of the underlying fraud took place in the UK, or the gain or loss occurred in the UK.

"Organisations have until 1 September 2025 to get their houses in order."