Mountford Chambers delivers a nationwide and international service to clients, who are assured quality advice, advocacy and representation at all levels.
Fatima Jama explores the Home Office’s new guidance for large organisations on the offence of failure to prevent fraud created by the Economic Crime and Corporate Transparency Act 2023.
The Economic Crime and Corporate Transparency Act 2023 (the “Act”) created a new corporate offence wherein organisations may be held criminally liable when an employee, agent or subsidiary commits fraud with the intention of benefiting the organisation. This legislation applies to large organisations across the UK and aims to improve corporate accountability whilst encouraging the implementation of robust fraud prevention measures. The offence is designed to make it easier to hold organisations accountable for fraud committed by their associated persons and drive a significant shift in corporate culture towards fraud prevention.
This new guidance (“the guidance”) serves as an advisory document under section 204 of the Act, providing organisations with an overview and principles for developing effective fraud prevention procedures. Due to the wide range of organisations covered, the guidance cannot be prescriptive about all possible scenarios. It is important to note that this guidance is not a substitute for obtaining professional legal advice, and organisations should consult legal professionals for specific applications of the law. Organisations will have a nine-month implementation period following the publication of this guidance to develop and implement their fraud prevention procedures.
Individual sectors may develop their own specific guidance to address unique industry risks and requirements. However, any sector-specific guidance must align with the guidance and receive endorsement from appropriate industry bodies. In cases where conflicts arise between sector-specific guidance and this document, the guidance will take precedence.
Section 199 of the Act introduced the offence of failure to prevent fraud, which applies to large, incorporated bodies and partnerships that meet at least two of three specific criteria. These criteria include having more than 250 employees, achieving more than £36 million in turnover, or holding more than £18 million in total assets. The requirements apply to the whole organisation, including subsidiaries, regardless of their geographical location.
The offence encompasses specific fraud offences listed in Schedule 13 of the Act, with variations across jurisdictions in England and Wales, Scotland, and Northern Ireland. These include various types of fraud, false accounting and fraudulent trading, amongst others. The base fraud must be committed by a “person associated with the relevant body”, which includes employees, agents and subsidiaries of the organisation. The fraud must be committed whilst the person is acting in their capacity as an associated person, not in their private capacity. The concept of “intending to benefit” means that the fraud was committed with the intention of benefiting either the organisation or its clients. Importantly, actual benefit does not need to materialise for the offence to apply. The benefit can be either financial or non-financial in nature, including gaining unfair business advantages or disadvantaging competitors. The offence requires a nexus with the UK, meaning it applies to frauds “committed within the UK or those targeting UK victims.”
Organisations can be held liable for frauds committed by UK-based employees “regardless of where the organisation is headquartered”. Organisations must implement reasonable procedures to prevent fraud, with these procedures being proportionate to the risks faced by the organisation. The courts will ultimately determine whether the procedures in place were reasonable based on the specific circumstances of each case.
Various authorities have the power to prosecute this offence, including the Crown Prosecution Service and Serious Fraud Office. Penalties primarily consist of fines, with courts considering all relevant circumstances when determining the appropriate level of financial penalty.
The responsibility for preventing and detecting fraud lies with those charged with organisational governance. “The board of directors, partners and senior management must demonstrate clear commitment to preventing associated persons from committing fraud. They should foster a culture where fraud is never acceptable and reject profit based on, or assisted by, fraud.” Senior management must take an active leadership role in fraud prevention, which includes communicating the organisation’s stance, ensuring clear governance, committing to training and resources, and fostering an open culture where staff feel empowered to speak up about concerns.
Organisations must assess the nature and extent of their exposure to the risk of fraud by “employees, agents and other associated persons”. This assessment needs to be dynamic, thoroughly documented and regularly reviewed. The risk assessment should consider various typologies of associated persons and examine potential fraud risks through the lens of the fraud triangle: opportunity, motivation and rationalisation. Organisations should utilise multiple sources of information about potential risks, including data analytics, previous audits, sector-specific information and regulatory enforcement actions. These are onerous requirements.
Organisations must implement fraud prevention procedures that are proportionate to the fraud risks they face and appropriate to their nature, scale and complexity. “These procedures should be clear, practical, accessible and effectively implemented and enforced”. The fraud prevention plan should be developed based on the risk assessment and regularly tested for effectiveness. Organisations may build upon existing regulatory compliance mechanisms but should ensure these are sufficient to address all identified fraud risks.
Organisations should apply due diligence procedures using a proportionate and risk-based approach when dealing with persons who perform or will perform services on their behalf. This includes conducting appropriate background checks, reviewing contracts, monitoring wellbeing of staff and agents, and implementing specific procedures for mergers and acquisitions. The level of due diligence should match the level of risk identified and be regularly reviewed.
Organisations must ensure their prevention policies and procedures are effectively communicated throughout the organisation through comprehensive internal and external communication strategies. This includes implementing appropriate training programs, maintaining clear policies and establishing robust whistleblowing arrangements. Training should be proportionate to the risk faced and specifically tailored for those in high-risk positions. Organisations should also ensure that whistleblowing procedures are well-communicated and accessible to all staff members.
Organisations need to maintain vigilant oversight of their anti-fraud systems and adapt them as needed. The core components encompass spotting actual and attempted fraud, conducting comprehensive enquiries into suspicious activities, and assessing how well preventive controls perform. Regular evaluation of protocols, insights gained from past cases and whistleblower reports, and awareness of industry trends all contribute to a robust fraud management strategy.
Whilst there is some overlap with the Criminal Finances Act 2017, particularly regarding cheating the public revenue, the scope and requirements of the failure to prevent fraud offence are distinct. Organisations should ensure their procedures address both sets of requirements independently, as compliance with one regime may not satisfy the requirements of the other.
Most organisations within scope of this offence will require auditing under the Companies Act 2006. “An audit alone cannot constitute sufficient defence against an accusation of failure to prevent fraud”; however, the auditing process can be valuable in identifying certain potential fraud risks and should be considered as part of a comprehensive fraud prevention strategy.
For organisations subject to the UK Corporate Governance Code, whilst “compliance with the Code’s requirements regarding risk assessment and control monitoring contributes to a defence of reasonable procedures, it is not sufficient on its own”. Organisations need to ensure their fraud prevention measures extend beyond Code compliance to address all relevant risks identified in their fraud risk assessment.
The offence of failure to prevent fraud represents a significant development in corporate criminal liability within the United Kingdom. The newly published guidance has outlined the fundamental elements that organisations must consider when developing and implementing their fraud prevention procedures. The successful implementation of fraud prevention measures requires organisations to develop and maintain reasonable procedures that are proportionate to their size, complexity and risk profile. These procedures must be supported by genuine commitment from top-level management and underpinned by thorough, regular risk assessments. Organisations must also ensure appropriate due diligence measures are in place, whilst maintaining effective communication and training throughout all levels of the organisation.
It is important to understand that this guidance provides a framework rather than prescriptive rules, allowing organisations to develop their own bespoke approaches to fraud prevention. Fraud prevention must be viewed as a dynamic process that requires continuous attention and improvement. As business practices evolve and new risks emerge, particularly through technological advancement, organisations must regularly review and update their fraud prevention procedures. This includes staying informed about sector-specific developments and emerging best practices in fraud prevention.
While existing compliance programs related to tax evasion prevention, auditing requirements or corporate governance may provide valuable foundations, organisations must ensure their fraud prevention procedures specifically address the requirements of this new legislation. The nine-month implementation period offers organisations a crucial opportunity to assess their current position thoroughly and enhance their fraud prevention framework as needed.
Professional advice should be sought when developing these procedures, particularly given the serious consequences of failing to prevent fraud. Through careful application of the principles outlined in this guidance, organisations can work towards creating robust defences against fraud whilst contributing to the broader aim of reducing economic crime within the United Kingdom. This collaborative effort between government and business will help create a more resilient corporate environment that better protects against fraudulent activities.