Failure to prevent fraud: key guidance released

08 November 2024. Published by Sam Tate, Partner and Thomas Jenkins, Senior Associate and Robert Semp, Associate

Important new guidance released

On 6 November 2024, the Home Office released its much-anticipated guidance on the new failure to prevent fraud offence and the procedures that organisations can implement to prevent associated persons from committing fraud offences. Running to 44 pages, this guidance is crucial as it provides a framework for large organisations to establish effective fraud prevention measures.

In-scope companies now have nine months to ensure their fraud prevention procedures meet these standards. In this article we consider some of the key issues arising from the guidance and look at practical considerations for companies that our multi-disciplinary team has identified in its work advising several companies as they prepare for the new offence.

Overview 

The Economic Crime and Corporate Transparency Act (ECCTA), which passed into law in October 2023, introduced the offence of failure to prevent fraud. This corporate criminal offence applies to large organisations that fail to prevent their “associated persons” – which includes employees, subsidiaries, agents, and other third parties providing services on their behalf – from committing fraud offences that benefit the organisation. Consequences can be severe, with organisations facing potentially unlimited fines if convicted. 

The new offence marks a sea change in the way large companies should consider fraud risk. At present, the vast majority of companies' fraud policies focus on the risk of the company losing money to fraud. The new offence requires a company to consider the risk of it, or its associated persons, perpetrating fraud for the company's benefit.

The offence

The offence targets "large organisations", that is, organisations that meet at least two of the following criteria: more than 250 employees, turnover of more than £36m, and/or a balance sheet total of more than £18m.

Key fraud offences in scope include those specified in the Fraud Act 2006, such as fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position, as well as offences under the Theft Act 1968 such as false accounting and false statements by company directors. Additionally, the Act covers fraudulent trading under the Companies Act 2006 and the common law offence of cheating the public revenue.

Under the ECCTA, the offence targets frauds committed by "associated persons" intending to benefit the organisation, whether directly or indirectly (it also covers frauds intended to benefit a person to whom the associated person provides services on the organisation's behalf). This could include, for instance, greenwashing or misleading environmental claims, misselling of products or services, and other misrepresentations made by "associated persons" for the benefit of the organisation with the intention of making a gain for that organisation, causing a loss to another, or exposing another to a risk of loss.

The reasonable procedures defence and guidance

An organisation can establish a defence by demonstrating that, at the time its "associated person" committed an underlying fraud offence on its behalf, it had reasonable fraud prevention procedures in place (or that it was not reasonable in all the circumstances to expect it to have any such procedures). The newly released guidance outlines what is expected of organisations to meet this standard and includes wide-ranging expectations, including regular risk assessments, adequate resourcing and appropriate use of data analytics and AI.

During the process of drafting the guidance, the Home Office sought input from numerous industry sectors and bodies, including from the legal profession. Sam Tate, Head of White-Collar Crime and Compliance at RPC, was a contributing member of the City of London Law Society group that provided input on, reviewed and commented on the guidance before publication.

The offence will come into effect on 1 September 2025. This means organisations now have nine months to ensure their procedures align with the standards set out in the guidance. Although this sounds like a fairly long period, many companies will have a good deal of work to do to meet those standards, and those that have not already begun to develop their fraud prevention procedures should start now. The importance of taking prompt action has been emphasised by Nick Ephgrave, the Director of the SFO, who stated on the release of the guidance that "time is running short for corporations to get their house in order or face criminal investigation."

Key practical considerations from the guidance and steps to take for companies 

Timing – the offence will come into force on 1 September 2025. This gives companies nine months to develop their fraud prevention plans.

Principles-based guidance – the guidance is structured around six risk-based principles of compliance; these principles essentially mirror those that were the basis of the guidance issued in support of the Bribery Act 2010, for establishing "adequate procedures" to prevent bribery. Therefore, many compliance professionals will be well acquainted with this principles-based approach to establish effective controls. 

These principles, which are intended to be outcome-focused and proportionate to the risks a business faces, are: 

  • top-level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review.

The guidance contains detailed recommendations and suggestions across all six of these principles. Below we set out some key elements of the guidance that highlight the steps companies should consider as they prepare for the offence to come into force.

Conducting risk assessments – the guidance places particular importance on conducting thorough risk assessments. For most companies, a fraud risk assessment will be the first step in their fraud prevention plan, with the outcome indicating what areas of their organisation might require additional resourcing and focus and what steps might need to be taken next. Risk assessments are not static documents and should be reviewed at regular intervals. The guidance suggests this might be annually or biannually, depending on the risks faced by the business. Failure to review the risk assessment regularly may bring the reasonableness of the organisation's fraud prevention programme into question. RPC's team has extensive experience advising companies in conducting risk assessments across a wide range of financial crime areas and is now advising numerous companies in conducting their fraud risk assessments. 

Jurisdiction and territoriality – the offence has potentially very broad extra-territorial application, and the guidance provides important context on this point. The offence applies to organisations established anywhere in the world, but only where the associated person commits an underlying UK fraud offence. This means that, in general, the fraud must involve one or more acts taking place in the UK or result in a gain or loss occurring in the UK. If there are UK-based victims of the fraud, this would likely meet the territoriality threshold. Accordingly, when conducting their fraud risk assessments, companies (including those operating mainly outside the UK) should consider whether there is any UK nexus across their business and their wider group.

The "fraud triangle" and risk typologies – under the new guidance, companies are encouraged to approach risk assessment proportionately, focusing on how “associated persons” may pose fraud risks. This begins with an understanding of the “fraud triangle” – motives, opportunities, and rationalisations that might drive individuals to commit fraud. By evaluating these drivers, organisations can create typologies, or risk profiles, tailored to their operations, helping to spot vulnerabilities more proactively. The guidance indicates that this may include assessing the typologies of associated persons an organisation engages as a starting point and considering the circumstances under which each of these groups might attempt to commit fraud. Risk assessments are expected to be dynamic; a tailored, evolving process that combines data analysis, industry trends, and past cases to stay resilient against emerging fraud threats.

Emergency scenarios – the guidance indicates that it may be reasonable to expect an organisation to consider the types of fraud prevention measures that might need to be taken in emergency scenarios, as well as how it may transition back to business as usual once the emergency has passed. Therefore, some organisations may need to develop contingency plans that ensure they can swiftly implement and roll back emergency fraud prevention measures where necessary.

Resourcing and training – the guidance places emphasis on the importance of organisations providing sufficient resources and budget to address fraud risks. This includes:

(i) ensuring adequate leadership and staffing to implement and manage the organisation's fraud prevention framework
(ii) ensuring that staff receive training tailored to their roles, helping them understand both specific fraud risks and reporting procedures 
(iii) potentially providing funding for technology such as third party due diligence platforms and tools.

Use of data, technology, and AI – there are several references in the guidance to the use of data analytics, technology, and artificial intelligence (AI) as tools that might be deployed in an organisation's fraud detection and prevention programme. This might include using these tools to assist with ongoing monitoring and review through the detection of anomalous or high-risk behaviours. Having advised multiple companies on the development and implementation of technology platforms as part of their compliance framework, RPC has found that investing in these tools not only enhances oversight but introduces real benefits in identifying and mitigating fraud risk. The use of such tools also demonstrates a robust commitment to fraud prevention. 

Management information – relatedly, the guidance states companies should establish systems to collect management information on fraud-related activities, which may include tracking incident trends, compliance metrics, and risk assessments. Regular reporting enables leadership to assess the effectiveness of anti-fraud measures and adjust strategies as necessary to address vulnerabilities.

Learning from past incidents – organisations are expected to learn lessons from internal data in the form of previous audits, investigations, and issues that have arisen as well as external data such as industry trends and, once they occur, prosecutions or deferred prosecution agreements related to the offence. These lessons should be factored into fraud prevention procedures, risk assessments, communications to employees, and the way fraud risk is monitored and reviewed. 

Policy and code of conduct – while the guidance does not specifically require an organisation to create a standalone fraud policy, it does indicate that companies are expected to at least include fraud prevention principles within existing policies or codes of conduct. Such policies should articulate the organisation’s commitment to preventing fraud, outline key anti-fraud procedures, and clarify consequences for non-compliance.

Fraud prevention procedures – with respect to policy and procedure, the guidance states that reasonable procedures may include steps such as:

  • employee vetting: conduct thorough vetting, particularly for high-risk positions, to ensure integrity and prevent fraud
  • financial controls: implement best practices for financial reporting, emphasising transparency and accountability
  • conflict of interest management: assess the adequacy of existing conflict of interest procedures and, if necessary, strengthen them
  • third-party contract review: ensure contracts with third parties include anti-fraud clauses, with regular reviews to adapt to evolving risks and changing relationships
  • clear disciplinary measures: establish, and communicate, clear consequences for employees who commit fraud.

Investigations – companies should consider how they will investigate incidents of potential fraud committed for their benefit. This may involve reviewing existing procedures relating to internal investigations, including oversight of those processes and when it will be appropriate to appoint an external, independent investigator. Companies should also consider how the outcomes of fraud investigations are communicated within the organisation, including to management, and how any lessons learned will be integrated into the fraud prevention procedures.

Fraud risk impact assessment – the guidance recommends conducting fraud risk impact assessments to address the unique and novel risks that may arise in relation to new services or the engagement of new associated persons. This is to ensure that existing controls are sufficient to address new risks presented, and where they are not, to ensure countermeasures are deployed.

Differentiated procedures – it may be acceptable for an organisation to apply different fraud prevention procedures to different categories of associated persons, such as employees and overseas agents, especially where overseas law limits the controls that can be implemented.

Developments since the Bribery Act

The guidance for ECCTA builds on the foundation laid by the guidance to the Bribery Act 2010. Overall, the ECCTA guidance provides a more detailed and structured set of procedural recommendations, giving companies a more comprehensive guide to developing their fraud prevention framework. This is likely due, at least in part, to the maturation of the sector as a whole since the introduction of the Bribery Act. Examples include references to the use of management information and the conduct of internal investigations as key components of an effective compliance framework.

Within the guidance, this is effectively acknowledged by the Home Office which advises organisations to leverage their existing compliance mechanisms and processes. This should help to enable organisations to develop a cohesive approach to financial crime, streamlining their compliance efforts and avoiding duplication of work.

Finally, in the time since the Bribery Act, the financial crime compliance sector has seen many technological developments, and this guidance seeks to take advantage of them. The guidance emphasises the use of advanced technology and data analytics to detect and prevent fraud, including leveraging AI and other technological tools to enhance fraud detection and monitoring processes. Furthermore, the guidance envisages that the data captured through these tools will be integrated into management information systems, ensuring that organisations, and in particular their senior managers, can effectively track and respond to fraud risks.

Conclusion

The ECCTA guidance sets out clear, actionable expectations for organisations to prevent fraud. It emphasises the need for effective, risk-based procedures that address both internal and third-party risks, tailored to different roles and regional contexts. This guidance underscores the importance of financial controls, due diligence, and accountability, offering practical steps to help organisations meet legal obligations. The approach taken in the guidance not only reinforces corporate transparency but also promotes a culture of ethical integrity, which should hopefully help to deter fraud effectively.
