Failure to prevent fraud under the UK's Economic Crime and Corporate Transparency Act

A new "reasonable procedures" defence is applicable to the failure to prevent fraud offences.

The UK government has now prepared the draft guidance required under section 204 of the Act to set out the procedures that organisations should put in place to prevent persons associated with them from committing fraud offences. This guide summarises the law and the draft reasonable procedures statutory guidance, which has been consulted on and may be subject to change.

Corporate criminal failure to prevent fraud offences

The new UK corporate criminal offence of failure to prevent fraud offences and other economic crimes will make “large” body corporates and partnerships criminally liable for the acts of a person associated with them who commits an economic crime for the organisation’s benefit or for the benefit of any person to whom the associated person provides services on behalf of the organisation – for example, a customer.

Associated persons include employees, agents, subsidiaries, or any other person performing services "for or on behalf" of the organisation. This definition could extend to suppliers when they provide ancillary services, agents, distributors, advisers, brokers, contractors, consultants, and joint venture partners.

The associated person must intend to benefit either:

• the organisation for which they are working or providing services for and on behalf of; or
• another group company, a customer or client of the organisation who the associated person provides services to on behalf of their employing organisation.

In addition, a parent company is criminally liable for failing to prevent an economic crime by an employee of a subsidiary company where the fraudulent act was intended to benefit the parent company or its client. However, liability is not triggered where the organisation is the intended victim of the associated person’s conduct.

The failure to prevent fraud offences apply to all UK and foreign organisations that carry on a business or part of a business in the UK, subject to them meeting two or more of the following thresholds either individually or, with respect to parent companies, where the subsidiaries in aggregate meet the statutory thresholds: a turnover of more than £36m; a balance sheet total of more than £18m; and/or more than 250 employees.

The failure to prevent offences apply to the following economic crimes: 

• Fraud Act 2006: fraud by false representation; fraud by failing to disclose information; fraud by abuse of position; participating in a fraudulent business; obtaining services dishonestly;
• Theft Act 1968 / Theft Act (Northern Ireland) 1969: misappropriating property (including electricity, gas, and water); false accounting/misleading underlying records; false statements by company directors to deceive members or creditors;
• Companies Act 2006: fraudulent trading, meaning to carry out business for any fraudulent purpose;
• cheating the public revenue; and
• Scots common law fraud, uttering – presenting a misleading document – and embezzlement.

Intended beneficiary

The issue of who is intended to benefit from the underlying fraud is key to determining whether a business can be held criminally liable for the offence of failure to prevent fraud.

The intention to benefit the business does not have to be the sole or dominant motivation for the fraud. The new offence applies where a fraudster's primary motivation was to benefit themselves but where their actions were also intended to benefit the organisation. For example, a salesperson who is on a commission may engage in mis-selling to increase their own commission but, in doing so, they also increase the company's sales. Even though this is not the fraudster's primary motivation, the intention to benefit the company can be inferred in this case because the benefit to the salesperson is contingent on the benefit to the company. The organisation is not liable if it is the victim of the fraud.

Application outside of the UK

The 1993 Criminal Justice Act extended UK jurisdiction for fraud and other economic crimes to where a "relevant event" occurred in the UK – including, for example, causing gain or a loss to another in the UK. This means:

• if a UK-based employee commits fraud, the employing organisation could be prosecuted wherever it is based;
• if an employee or associated person of an organisation based overseas commits fraud in the UK, or targets victims in the UK, the overseas organisation could be prosecuted;
• the offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus. This would be a matter for law enforcement in the country concerned.

Fraud scenarios: examples in the draft guidance

Draft guidance issued by the UK government about the new offence gives examples of failure to prevent fraud scenarios, including:

• payroll – employees of the payroll team arranging for some pension payments to be diverted for other projects within the company;
• accounts – the accounting department getting involved in fraudulently misrepresenting the value of the company;
• investment – an investment fund provider promoting an investment in a "sustainable" timber company knowing that, in fact, the company's environmental credentials are fabricated;
• testing results – the laboratory manager of an international testing company falsifying data from tests, aiming to benefit the client (which is in the UK);
• permits/licences – the head of a technical department of a company deliberately falsifying the company's discharge monitoring system and providing false data to the Environment Agency;
• sales – a salesperson engaging in mis-selling for the purpose of securing a commission but also to benefit the organisation.

These scenarios are illustrative, and serve to demonstrate the breadth of this new offence.

Reasonable procedures defence

It will be a defence to the failure to prevent economic crimes offence if the organisation can prove that it had reasonable prevention procedures in place, or that it was not reasonable in all the circumstances to expect it to have had any procedures in place. The new offence will come into force six months after the government publishes statutory guidance on the reasonable procedures organisations should consider putting in place.

Draft statutory guidance has now been prepared and issued for consultation. The draft guidance anticipates that parent companies will take steps to prevent fraud by subsidiaries, including by implementing group level policies and training and by ensuring that there is a nominated person responsible for fraud prevention in each subsidiary.

The reasonable procedures guidance follows six principles of compliance. The six principles are similar to those applicable to the Bribery Act and "adequate procedures" but there are differences in emphasis, particularly relating to the risk assessment methodology and the importance of financial controls.

The six principles are:

• top-level commitment;
• risk assessment, documented;
• robust but proportionate procedures;
• due diligence;
• communication (including whistleblowing) and training;
• monitoring and review.

Risk assessment

Having a documented risk assessment is a key pillar of the reasonable procedures defence. The focus of the risk assessment is the risk of associated persons of the organisation engaging in the prescribed economic crimes to benefit the organisation, the group or its customers, rather than the risk of internal fraud against the organisation.

The draft statutory guidance notes: "In some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment."

Organisations are directed to consider "the opportunity, the motive and the means by which associated persons could commit fraud that benefits the organisation".

A starting point for a risk assessment may be to map out existing fraud prevention measures and to consider what other relevant risk assessments are already in place for the failure to prevent the anti-facilitation of tax evasion, failure to prevent bribery offences, money laundering and modern slavery. These risk assessments are likely to contain useful content for informing a broader economic crime risk assessment. Businesses may also have reports and data on other reviews relating to tendering, contracting, and the effectiveness of financial controls which are likely to be informative.

Workshops with relevant personnel to identify how economic crimes to benefit the business, the group or its customers could materialise are recommended.

Preventative procedures and controls

The risk assessment will inform the procedures that are reasonable for the business to put in place. Many organisations will already have procedures in place for risk areas which are likely to be capable of being extended to address wider economic crime risks. The draft statutory guidance states: "It is not necessary for organisations to duplicate existing work. Equally, it would not be a suitable defence to state that because the organisation is regulated its compliance process under existing regulations would automatically qualify as "reasonable procedures".

A reasonable procedures framework may include:

• a documented risk assessment which is reviewed and updated;
• a code of ethics or conduct to cover the new failure to prevent economic crimes offence, or a group-wide financial crime policy statement and guidance;
• compliance procedures covering fraud prevention and economic crimes;
• delegations of authority, divisions of responsibility and dual authorisations;
• tender and bid content assurance;
• accuracy assurance of sales materials;
• employee recruitment checks;
• bonuses and incentives scheme to reflect the importance of integrity and ethics;
• third party due diligence to address broader financial crime risks through, for example, increased adverse media screening;
• monitoring adherence with contractual terms, particularly open book/good faith terms;
• assurance and monitoring of time recording, accounting for materials, billing and invoice verification practices;
• assurance of statements to regulators, auditors, insurers, banks, creditors and shareholders;
• financial controls and data analytics tools adapted to implement the reasonable procedures programme and to improve the detection of discrepancies in procurement, invoicing and payments;
• guidance and measures to prevent fraud in emergency situations identified in the risk assessment;
• 'speak up'/whistleblowing procedures – this is a specific area of focus in the draft statutory guidance, which notes that ISO 37002 (Whistleblowing management systems) provides examples of good practice;
• communications and training to employees and higher risk associated persons about the new economic crime offence and policy adaptations;
• monitoring and reviews of the fraud prevention procedures.