Failing to Prevent Fraud

Overview

The Economic Crime and Corporate Transparency Act (ECCTA) 2023 introduced criminal liability for 'large organisations' whose associated persons (e.g., employees, agents or subsidiaries) commit fraud, intending to benefit (whether directly or indirectly) the large organisation.

  • A new ‘failure to prevent fraud’ offence will enter into force on 1 September 2025.
  • The delay in implementation allows large organisations to review and/or refresh their fraud prevention procedures.

Large Organisation

A large organisation is an organisation which satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees; (ii) more than £36 million turnover; and/or (iii) total assets of more than £18 million.

The subsidiary of a large organisation, which is not itself a large organisation, can be prosecuted rather than the parent organisation if an employee of the subsidiary commits a fraud intending to benefit the subsidiary.

Associated Person

Example persons who could be considered associated with a relevant body/large organisation include:

  • An employee, agent or subsidiary undertaking of the relevant body, or
  • A person who otherwise performs services for or on behalf of the body.

Whether or not a particular person performs services for or on behalf of a relevant body will be determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship between the person and the body.


Strict Liability

A large organisation could be strictly liable if:

  • a specified offence is committed by an employee, agent or other associated person;
  • the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation; and
  • reasonable prevention procedures were not in place when a specified offence was committed.

The offence will apply to:

  • all large incorporated bodies, subsidiaries and partnerships;
  • large not-for-profit organisations such as charities if they are incorporated;
  • incorporated public bodies.

Company Managers

The offence will make it easier to hold organisations to account for fraud committed by associated persons which benefits the organisation or, in certain circumstances, its clients.

There will be no need to demonstrate that a large organisation's directors or senior managers knew about the fraud.

Culture Considerations

The ‘failure to prevent’ fraud offence is intended to encourage large organisations to build an anti-fraud culture.

Such an organisation would benefit from completing a risk assessment (e.g., of where or how 'associated persons' might have the opportunity to commit fraud due to weak internal controls or inadequate management oversight).

Control Risk

Without compliance policies and procedures in place that reflect an informed assessment of fraud risk (i.e., relevant to the organisation and/or its peer-group risks), a court may determine, in the event of criminal proceedings against a large organisation, that 'reasonable procedures' were not in place at the time of a particular fraud.

Reasonable Fraud Prevention Procedures

A large organisation will be responsible for proving that it had reasonable fraud prevention procedures in place (i.e., proportionate to the risk). 'Reasonableness' should take account of the level of control, proximity and supervision the organisation is able to exercise over a particular person acting on its behalf.


What are the risks?

Prosecution Risk

A large organisation could be liable where an associated person (e.g., employee, agent, etc.) commits a specified offence for the organisation's benefit and reasonable procedures were not in place to prevent involvement in a specified offence:

  • There will be no requirement to demonstrate senior management knowledge of an employee or agent committing a specified offence.
  • Criminal liability could apply to organisations which fail to assess and respond to the risk of fraud involving employees or agents.

If an employee or associated person of an overseas-based organisation commits fraud in the UK, or targets victims in the UK, the organisation could be prosecuted.

Whether or not a person performs services for or on behalf of an organisation will be determined by the relevant circumstances and not merely by reference to the nature of the relationship between that person and the organisation.

Regulatory Risk

Firms supervised by the Financial Conduct Authority ('FCA') are already subject to regulatory requirements set out in the FCA Handbook, which include: "A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime." [SYSC 3.2.6]

To avoid duplication, relevant firms should consider whether their existing regulatory compliance mechanisms and fraud prevention measures are sufficient to prevent the assessed fraud risk.

A large organisation supervised by the FCA could be subject to regulatory intervention or enforcement activity where fraud-related systems and controls fail to meet regulatory requirements.

Internal Control Risk

The failure to prevent fraud offence under criminal law will apply to all 'large organisations'. The ECCTA is designed to: 

  1. Discourage organisations from turning a blind eye to fraud risk. 
  2. Encourage implementation and maintenance of reasonable fraud prevention procedures (e.g., using a risk-based approach).
  3. Make it easier to prosecute non-compliant organisations in the criminal court.

Senior management of large organisations need to ensure that fraud risk is considered within their organisation's control environment.

Is there a defence?

Reasonable Prevention Procedures

Home Office Guidance indicates a fraud prevention framework should be informed by six principles:

  • top level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review

A defence to the ‘failure to prevent fraud’ offence is available, where an organisation can prove that, at the time the fraud offence was committed:

  • the body had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or
  • it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place (e.g., where the assessed risk is extremely low and the rationale is sufficiently documented).

Risk Assessment

Assessing whether existing fraud prevention arrangements are reasonable requires consideration of the organisation's fraud-risk nexus:

  • Rarely will it be considered reasonable not to have even conducted a risk assessment.
  • Risk assessment should be kept under review, with the frequency of review being a matter for the relevant organisation.

Example areas to review/assess include:

  • Tone from the top (e.g., policy content and fraud risk ownership).
  • Management information (e.g., key risk indicators).
  • Understanding of the risks (e.g., relevant fraud typologies).
  • Internal controls (e.g., effectiveness of fraud prevention measures).
  • Transaction risk (e.g., in supply and distribution activity).
  • Funds flow (e.g., transparency and legitimacy).
  • Use of agents or intermediaries (e.g., contract terms and conditions).
  • Staff awareness of fraud (e.g., training content and completion rates).
  • Whistle-blowing (e.g., suspicion and incident-reporting arrangements).

Risk Response

Proportionate risk-based fraud prevention procedures should reduce exposure to fraud risk involving 'associated persons'. This might incorporate:

  • A fraud prevention plan proportionate to the risk and the potential impact.
  • Board or senior management team engagement. 
  • Risk-based procedures to reduce the opportunity for misconduct.
  • Clarity of responsibility for fraud risk-ownership.
  • Raising staff awareness of fraud typologies and risk.
  • Introducing a Code of Conduct for dealing with suppliers/vendors, etc.
  • A 'whistle-blowing' mechanism for staff to report suspected misconduct.
  • Clarity of responsibility for testing the application of policy and procedure.
  • Reporting to senior management on key risk indicators and control testing.
  • Escalation and reporting of notifiable events.
  • Routine review/refresh of applicable policy and procedure.
  • Obtaining specialist support/assistance where necessary.

Official Guidance

SYSC326

SYSC326 supports organisations in identifying and responding to fraud risk or fraud events, and in preparing for the new failing to prevent fraud offence, by:

  • Supporting stakeholder planning for the new failure to prevent fraud offence.
  • Advising on fraud control framework design and implementation.
  • Facilitating fraud risk-assessments.
  • Supporting development of policy and risk-based operating procedure.
  • Supporting Compliance monitoring and assurance testing arrangements.

Useful links

  • ECCT Act 2023: Factsheets
  • Fraud - FCA Handbook
  • FCA - Fraud Reporting
  • Fraud Advisory Panel
  • SYSC326 Fraud FAQ
  • SYSC326 Fraud Services