
New Year resolution: double check existing anti-fraud policies and training

Briefing
13 December 2024
3 AUTHORS

Executive Summary

The new failure to prevent fraud offence will enter into force in September 2025.

Nick Ephgrave QPM, the director of the Serious Fraud Office, has said that this guidance means that “time is running short for corporations to get their house in order or face criminal investigation.”

The reality is less stark. 

Most firms are not in the business of fraud and are likely to have had a focus on anti-fraud measures before the new legislation. Changes in the law, starting with anti-bribery legislation over a decade ago and, more recently, the failure to prevent tax evasion legislation and the lowering of the bar to corporate liability at the end of 2023, mean that much of the anti-fraud work required is likely to have been done by firms already, and a framework of risk assessments, risk registers etc. already exists for most.

However, at a minimum, firms should look to the new anti-fraud guidance and expectations and ensure that existing measures cover them, take steps if gaps are identified, update risk assessments and provide updated training.

There is plenty of time given the September 2025 implementation date, so this is a task for the compliance team to add to its 2025 half-year objectives.

If you’d like some help, please let us know. We are presently providing training and advising various clients on compliance with the new law.

In the meantime, in the new year, we shall run a seminar on the things firms should be doing in the run-up to the entry into force of the new law.

The new law

On 6 November 2024, the UK Home Office published long-awaited guidance (the ‘Guidance’) on the “failure to prevent fraud” offence (“FTPF offence”), introduced by the Economic Crime and Corporate Transparency Act 2023. The Guidance sets the clock ticking for organisations to take steps to get ready for the new offence, which will come into force as of 1 September 2025.

The FTPF offence is a strict liability offence and will apply to large organisations, incorporated in the UK or which have a UK nexus[1], where “a person associated” with the organisation commits fraud intending to benefit the organisation or, in some circumstances, a client of the organisation. It does not matter whether the directors or senior managers of the organisation were aware of the conduct for the offence to apply.

Similarly to the failure to prevent offences for bribery and the facilitation of tax evasion, there is a defence for the organisation if it had “reasonable procedures” to prevent fraud by its associated persons. The government guidance sets out what organisations need to consider when implementing reasonable procedures. As with the previous failure to prevent offences, these consist of the following six principles (set out in detail in chapter 3 of the guidance):

  1. Top level commitment;
  2. Risk assessment;
  3. Proportionate risk-based prevention procedures;
  4. Due diligence;
  5. Communication (including training); and
  6. Monitoring and review.

The Guidance provides further insights into the scope and application of the new Offence, along with clarification on what constitutes reasonable fraud-prevention procedures. Below, we outline how the new offence will work and what affected companies can do in the next 10 months to get ready.

What is a large organisation?

A ‘large organisation’ is one where two or more of the following conditions are satisfied in the financial year that precedes the year in which the fraud offence was committed:

  • The turnover is more than £36 million;
  • The balance sheet total is more than £18 million; and
  • There are over 250 employees.

These criteria apply to the whole organisation – including subsidiaries – regardless of where the organisational headquarters or subsidiaries are located or incorporated.

Parent companies that may not themselves meet the criteria set out above can nevertheless be caught by the offence if two or more of the following conditions are satisfied by the group headed by the parent in the financial year that precedes the year of the fraud offence:

  • The aggregate turnover is more than £36 million net (or £43.2 million gross);
  • The aggregate balance sheet total is more than £18 million net (or £21.6 million gross); or
  • The aggregate number of employees is more than 250.

A subsidiary which meets the above criteria would also be considered a large organisation in its own right and can be prosecuted for the FTPF offence. In addition, a subsidiary which isn’t a large organisation but where its parent is can be prosecuted instead of the parent if an employee of the subsidiary commits a fraud intending to benefit the subsidiary.

Who is an associated person?

An employee, an agent, a subsidiary or other persons providing services for or on behalf of the relevant body is an associated person.

What constitutes an intention of benefitting the organisation?

For the purposes of the Act, it is sufficient for there to merely be an intention to benefit the organisation in some way, whether directly or indirectly. Therefore, the offence will apply even in circumstances where the organisation did not actually receive the benefit. The offence will also be triggered where the associated person committed fraud with the intention to benefit himself but the company received an ancillary benefit as a result of the fraud.

The Guidance gives the following example – a salesperson who is on commission may induce sales by fraud to increase their own commission. As a result of this, they also increase the company’s sales. Despite this not being the fraudster’s primary incentive, the intention to benefit the company can still be found.

The benefit may be financial or non-financial. For example, a fraud intended to confer an unfair business advantage would be caught under the Offence as would a fraud that disadvantaged a competitor.

Where does the fraud need to have taken place?

The offence has extraterritoriality, meaning that it can catch both UK and non-UK organisations. However, the Guidance confirms that the Act will only apply where there is a UK nexus. This means that the offence must include at least one of the following: all or part of the fraudulent conduct occurred in the UK, the gain or loss was realised in the UK or there are victims in the UK. The effect is that the Offence has an extremely wide jurisdiction.   

What fraud is covered?

The FTPF offence covers a smaller number of offences than are covered by the extension of corporate liability for economic crimes by senior managers, which was introduced at the end of 2023 and applies to all companies regardless of size. Under the FTPF offence, the fraud offences contained in the Fraud Act 2006 are covered, as are false accounting and false statements by directors (Theft Act 1968) and fraudulent trading (Companies Act 2006). In addition, the common law offence of cheating the public revenue is included. These types of fraud in a corporate context can be complex; the guidance sets out at 2.8 some illustrative examples of conduct that may amount to a FTPF offence.

How can the defence be engaged?

Pursuant to sections 199(4) and (5) of the Act, it is a defence to the Offence where the organisation can evidence to the satisfaction of the court that:

  1. It had in place prevention procedures that were reasonable in all the circumstances to expect the organisation to have in place; or
  2. It was not reasonable in all the circumstances to expect the organisation to have such prevention procedures in place. Any decision not to implement procedures to mitigate a specific risk should be documented, including the name and position of the person who authorised the decision. This should be reviewed as appropriate.

Footnote

  1. It also applies to partnerships (including Scottish partnerships and Limited Partnerships formed under the Limited Partnerships Act 1907).