HR ‘central’ to fraud prevention compliance in UK workplaces

From 1 September a new corporate criminal offence has been in force – ‘failure to prevent fraud’. It’s part of the government’s Economic Crime and Corporate Transparency Act and it makes large organisations criminally liable for frauds committed by employees, contractors and other ‘associated persons’ if the fraud is intended to benefit the business. It is one of the most important reforms of corporate criminal law in over a decade, putting fraud prevention on the same footing as bribery. The Serious Fraud Office has already warned it is ‘very keen’ to prosecute cases under the new law.

The legislation does provide a defence, but only if the organisation can show it had ‘reasonable procedures’ in place to prevent fraud. That’s a high bar. The government’s guidance makes clear that procedures need to be proportionate, risk-based and effective in practice. So what does that mean for HR? We’ll ask an expert in corporate crime and fraud.

The critical point is that fraud prevention goes well beyond finance controls. Investigators will expect to see how people systems support the defence, whether recruitment checks are robust, whether onboarding and training address fraud risks, and whether staff feel confident to raise concerns through whistleblowing channels.

It’s also important to recognise that ‘reasonable procedures’ aren’t static. They must be reviewed and adapted over time as risks change – for example, when the workforce expands, when new technology is introduced, or when staff turnover increases. That means HR has an ongoing role in shaping culture and ensuring that policies are lived day-to-day.

So let’s hear more on that. Neil McInnes is a criminal defence and corporate crime specialist and earlier he joined me by phone to discuss it. So what steps should HR be taking to ensure compliance?

Neil McInnes: “Well, the starting point is understanding what you have already done, and if you haven't already done so, doing some form of current state assessment of your compliance programme in respect of this Act. Then building out from that is to conduct a risk assessment to understand where your vulnerabilities to fraud may be - and all organisations will have these vulnerabilities - and working out where's the gaps are. What do I need to do as an organisation to plug that? What additional enhancements to the compliance programme might I need to be considering? For an HR professional, they will have an invaluable input in that risk assessment process for the people -issues that the risk assessment process should inevitably touch. It's not just going to be about, well, what are our systems and controls in our finance team? It's going to be people-related and, again, going back to this fraud triangle, the opportunities for fraud within an organisation, that could be something that the HR team in particular will be able to feed into. But it will also go to other steps that need to be rolled out or enhanced, so recruitment checks and the diligence around that, thinking about what higher risk roles might be, and monitoring and having oversight of those roles and decisions that post holders might have, through to ensuring speak up mechanisms are effective. So many cases can be spotted early if you have a really effective whistleblowing system in place and HR are often responsible for the implementation of that system or at least are party to the team that is responding. Then there may also be other training modules that need to be refreshed or implemented where the delivery of that across an organisation will often have an HR input. Where do you need to do face to face training? Where can you do online training and how do you keep it refreshed? Do you do a toolbox talk on site? How do you roll it out to everyone? Those are experiences HR will have within their function and they should be lending that experience to compliance and legal professionals who need it in an organisation too.”

Joe Glavina: “What are the practical steps should HR be leading on right now? You’ve mentioned audits and training but is there anything else HR can be doing?”

Neil McInnes: “It’s worth an HR professional spending a bit of time in the government guidance. There are some really significant step changes between this government guidance and previous similar guidance for earlier types of failure to prevent offence. There is reference, for example, to the use of appropriate technology tools which HR may well be familiar with in other in other contexts, to screening tools, to other sorts of checks and vetting that might be appropriate. You will also find expectations set in the guidance around how to integrate anti-fraud messaging into existing into existing policies and procedures. There are also expectations set about how training programmes should be monitored for their effectiveness, particularly if there's a churn, or workforce changes, over periods of time. How far are you keeping on top of that with your training?”

Joe Glavina: “If an investigation needs to take place, what would HR need to show to help to prove compliance with these new laws?”

Neil McInnes: “The issue around investigating fraud, this corporate criminal liability, needs great care and thought within an organisation as to who should be involved and it may well be that HR are part of a team that needs to escalate serious cases to others within an organisation who will have responsibility for investigating the most serious cases. What this guidance does for the failure to prevent fall defence, which is novel, is have an expectation around the effectiveness of an internal investigation which hasn't been stated previously in other guidance. So, investigations have to be fair, have to be well resourced, and various other statements are made about internal investigations which reflect, I think, a change of approach from law enforcement over the years that part of an effective compliance programme should have effective internal investigations baked into it, and HR will have a role to play there. Whether they're leading these sorts of investigations will vary from organisation to organisation, however, it's certainly the case that investigations need to be appropriately triaged between HR professionals, legal professionals, others in the compliance team, so that the right resourcing is put towards an investigation that falls under ECCTA and under this new failure to prevent offence.”

Joe Glavina: “This offence has just come into force, on 1 September, and not every organisation will have got their ducks in a row yet. What’s your message to them?”

Neil McInnes: “Well, I think the message, really, for those involved in an organisation responding to this legislation is even if you don't feel you've achieved everything you wanted to do already, to be ready for the offence now in force, this is about continuous improvement of a compliance programme and what prosecutors, investigators, and law enforcement agencies will look for is whether there is a genuine intent to embed an effective compliance programme. It may be that not everything has been achieved so far, and the offence is now in force, but having a programme in place, a plan, over the next few months to continue to build out the different aspects of the compliance programme and feed in, if you're an HR professional, to that is a really good next step.”

If you would like help with reviewing your organisation’s fraud prevention procedures please do get in touch with Neil – his details are on the screen for you. Alternatively, you can contact your usual Pinsent Masons adviser.

- Link to government guidance on the offence of failure to prevent fraud

- Link to Out-Law article: ‘ECCTA: one month to go as businesses urged to review fraud prevention procedures’