Independent internal investigations central to UK’s ‘failure to prevent fraud’ offence

On 1 September, the new corporate offence of failure to prevent fraud came into force. It means large organisations can now be prosecuted, and face unlimited fines, if they fail to prevent fraud by staff, agents or others linked to the business, unless they can show they had reasonable procedures in place. That makes internal investigations critical, because if fraud is suspected, the way the employer investigates will be scrutinised. So how should that internal investigation be handled? We’ll ask a white-collar crime expert that question.

This matters to HR because HR is on the frontline of those prevention measures. Recruitment checks and vetting at the onboarding stage, ongoing monitoring of staff, fraud awareness training, and whistleblowing channels all sit squarely in HR’s remit. Yet a survey by VinciWorks reported by Personnel Today has found that fewer than a third of employers have started training staff on the new law, showing just how much catching up there is to do. These are exactly the kind of steps prosecutors will look at when judging whether an organisation took fraud prevention seriously.

But prevention is not the whole story. If concerns are raised, the employer has to launch an internal investigation and the Home Office guidance, published in November last year, is clear about what that should look like. It says: ‘Investigations must be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped – including through legal advice – and legally compliant.’ That’s a step up from routine HR disciplinaries. It raises tough questions about who should lead, how much HR should be involved, and when outside expertise is needed.

So let’s hear more on this. Neil McInnes is a criminal defence and corporate crime specialist and earlier he joined me by video-link from the London office to discuss HR’s role in fraud prevention and those internal investigations.

Neil McInnes: “From an HR perspective, there are particular touch points that HR directors and HR teams should be thinking about, offering up their experience to help the organisation support reasonable prevention procedures. So the first area that I would highlight is when you're thinking about fraud prevention procedures, one area is your people coming into an organisation. Are there suitable pre-employment checks and vetting procedures that are risk based, that are adequate to meet the risks of a threat that someone comes into the organisation who's a bad apple? That will be a fundamental part of the proportionate procedures principle where, I expect, the knowledge and insight of HR teams will be invaluable to enrich that compliance response. The second area is around monitoring and review and making sure that fraud prevention procedures are kept under review and are working effectively. I think this is one of the first types of compliance guidance of its kind that the UK government has released that has talked about effective investigations in quite high-level terms, but with some really important key notes. For example, the guidance talks about investigations being independent, being clear about their internal client and purpose, being appropriately resourced, being empowered and scoped, including through legal advice, and being legally compliant and fair to all parties. In this context, unpacking some of that, and bearing in mind the corporate criminal risks that could arise from a fraud that affects an organisation, it's rarely going to be the case that an HR professional on their own should be conducting an investigation into a fraud that has a wider impact. It’s going to have to be a triage process that involves other stakeholders to make sure that that investigation is suitably independent and the right people are involved in conducting it. So this is the first time, really, we've seen guidance of this kind, relating to this type of compliance legislation, talking about investigations and what the hallmarks of an effective investigation are.”

Joe Glavina: “The new offence of failure to prevent fraud is often compared to the offence of failure to prevent bribery which has been around a long time, since 2011. Is this taking a different approach to a bribery investigation?”

Neil McInnes: “I don't think it's taking a different approach to how a bribery investigation should occur. I think it's bringing fraud investigations up to the level that people have been adopting for bribery investigations. So you would not be conducting a bribery investigation, typically, just as a business unit or an HR function within that business unit, it would be escalated because of the corporate criminal risk that can arise from bribery. Now we have that corporate criminal risk arising from, perhaps, an employee fraud and so it needs to be planned using an investigation protocol that has components that are legal, compliant, HR, internal audit, to make sure that investigation isn't part of the problem, essentially.”

Joe Glavina: “When the guidance talks about independent investigations what does that mean exactly? Typically you’d have HR involved along with a line manager, but they're obviously not as independent as if you bring in external lawyers, for example. So what’s the right approach?” 

Neil McInnes: “Independence in the context of investigations is always going to be fact specific. It's perhaps easiest to give examples of problems that can arise in investigations that aren't sufficiently independent. So, let's take an investigation into a suspected fraud of a senior manager in a regional business unit. If it's the regional business unit’ s HR, or legal, function that is tasked with conducting that investigation, where they might be wearing a number of different hats because they're looking after that business unit, that might not be sufficiently independent and some other part of the organisation might need to respond instead, making sure that investigation is independent. In other cases, it might need to be an external firm, whether a lawyer or non-lawyer, involved in making sure the fact finding is sufficiently independent, but it's not in every case. I think it depends on the facts, and it's incredibly fact sensitive.”

Joe Glavina: “Your final thoughts, Neil?” 

Neil McInnes: “Well I think clients are now needing to grapple with a range of different factors to make sure investigations are going to meet the standards that will be expected if anything ever got looked at by law enforcement if there was a substantiated problem. That means that there's more pressure to make sure those who conduct investigations are adequately trained in how to do them. There are also regulatory obligations that have come into force, or have come into play, including on in-house lawyers to make sure that they are complying with their regulatory obligations by the SRA, with new guidance there. So I think there's just a lot more focus on what an investigation, a good internal investigation, looks like with the understanding that if there is a problem for an organisation later, their response, their investigation of the problem, will be part of the piece that is looked at by law enforcement to assess whether, overall, an organisation had reasonable prevention procedures and therefore a defence, or not, to a corporate criminal liability that arises under ECCTA..”

If you would like help with reviewing your organisation’s fraud prevention procedures please do get in touch with Neil – his details are on the screen for you. Alternatively, you can contact your usual Pinsent Masons adviser.

- Link to: government guidance on the offence of failure to prevent fraud