Published on 18.11.2024

Failure to Prevent Fraud Guidance

Financial Crime

On 6th November 2024, the Home Office released guidance on the Failure to Prevent Fraud Offence as part of the Economic Crime and Corporate Transparency Act (“ECCTA”), which will come fully into force on 1st September 2025.

The guidance sets out the circumstances in which a company can be held liable for failing to prevent fraud and what the Home Office deem likely to be considered as ‘reasonable procedures’ in defence. However, it should be noted that the Home Office’s guidance explicitly states that the standards set out should be considered as ‘best practice’ for all firms, regardless of whether they are in-scope of the offence. Companies should consider how they will reflect this as part of an existing fraud/financial crime framework.

 

Failure to Prevent Fraud Guidance Summary

Under the Failure to Prevent Fraud Offence, an organisation may be considered liable where an “associated person” commits fraud intending to benefit the organisation or any party they provide services to on the organisation’s behalf. The defence available to organisations in any legal proceedings is the reasonable procedures they have in place to prevent fraud. It is therefore critical that a firm’s control framework meets this minimum standard.

The offence applies only to ‘large’ organisations, meaning firms that meet at least two of the following three criteria:

• Over 250 employees.

• Greater than £18 million in total assets.

• More than £36 million in annual turnover.

There is zero tolerance for fraud activity, and a very dim view is taken of firms that do not have sufficient controls. Based on the Bribery Act 2010, which imposes similar requirements on companies to prevent criminal activities of associated persons, fines are estimated to range from £500,000 to hundreds of millions.

 

Three critical steps firms should take in response to the Failure to Prevent Fraud Guidance:

1. Begin the process of mapping out your associated persons

Firms should be aware of the extension of liability which in-scope organisations face for fraudulent activity undertaken by associated persons.

What is an associated person?

The guidance defines associated persons as both natural and legal persons who have the authority to enter contracts for or on behalf of the in-scope organisation.

How does it apply to Group structures?

These criteria apply to the entire organisation, including its subsidiaries, in cases where a base fraud is committed at the corporate level, and the beneficiary is either the parent organisation or one of its clients. The in-scope parent organisation can be liable for failure to prevent fraud regardless of where the organisation is headquartered or where its subsidiaries are located. There need only be a “UK Nexus” to the fraud, whereby one of the acts which was part of the underlying fraud was committed in the UK.

Due to the broad net cast for associated persons, it is vital that in-scope organisations identify their associated persons (including those operating on a non-contractual basis) and the ways in which their business may be exposed to fraud risk as a result. Without understanding your associated persons, any future risk assessments will be incomplete. For larger firms, mapping all associated persons will be a significant undertaking.

 

 

 

In Scope (examples)

• Employees
• Subsidiaries
• Agents
• Introducers
• Other contractors providing services to the organisation

NB: Individual does not have to be in a contractual relationship with the in-scope organisation

Out of Scope (examples)

Provision of goods nor the provision of services to the in-scope organisation, including:

• Lawyers
• Accountants
• Engineers

2. Assess fraud risks posed by internal and associated persons

To identify, mitigate and prevent the risk of fraud, in-scope organisations should look to assess the typologies of their associated persons and the risk to which they expose the organisation in line with the new offence. Where firms already have fraud/financial crime risk assessments in place, they should look to extend them to include fraudulent activities covered by the failure to prevent fraud offence. This will differ from previous fraud assessments due to the need for a broad scope and comprehensive analysis of external parties.

Firms should identify scenarios where fraudulent activity might occur, along with the types of fraud most likely to arise for each typology. For example, fraud by false representation may be a greater risk at the hands of contracted third-party agents, while fraud by abuse of position may be a greater risk from internal sources. The Guidance provides that typologies of risk should be developed by considering the three elements of the fraud triangle:

• Opportunity
• Motive
• Rationalisation

It is important to note that the guidance explicitly states that ‘it will rarely be considered reasonable not to have even conducted a risk assessment’. As such, it is necessary that in-scope organisations undertake a risk assessment that properly accounts for fraud committed by internal and associated persons, as well as territoriality and business size.

 

 

3. Begin developing reasonable procedures to prevent fraud

The guidance is clear in stating that the reasonability of procedures will be assessed by courts on the balance of probabilities, and that firms may comply with parts of the guidance and still be deemed to not have reasonable procedures in place. However, the guidance offers a good indication of what courts will be looking for.

In line with the Guidance, firms should look to assess what ‘reasonable’ looks like by considering the:

• level of control exerted by the in-scope organisation and associated persons.
• proximity between the in-scope organisation and particular associated persons.
• supervision the organisation is able to exercise over a particular person acting on its behalf.

 

Reasonable procedures, alongside the above risk assessment, should be implemented along the following lines:

Tone from the Top: Top level commitment from senior management, including endorsement of the prevention of fraud, clear governance and messaging across the organisation, commitment to training and resourcing, and fostering of an open culture.

Procedures: Proportionate risk-based prevention procedures, including a fraud prevention plan proportionate to the organisation’s size.

Communications strategy: Communication (including training) which ensures that internal procedures are communicated to the firm’s associated persons, alongside training to address fraud risk and whistleblowing procedures.

Appropriate relationship due diligence: Due Diligence, including documentation around vetting of individuals and firms, utilisation of technology, reviewing contracts where necessary and monitoring staff wellbeing.

Ongoing measures: Monitoring and review, including of procedures to detect and prevent fraud, and review of procedures and any potential failures.

An organisation’s only defence is having reasonable procedures in place. Therefore, ensuring that this guidance is followed in line with an in-scope organisation’s size and risk profile is key in mitigating both the risk of fraud and of prosecution.

 

Key Takeaways

  • Firms must know whether they are in scope for the incoming failure to prevent fraud offence.
  • Firms must identify and map their associated persons, in order to identify where potential fraud risks lie.
  • Firms must undertake a risk assessment of these associated persons alongside internal fraud risks.
  • Firms must put in place reasonable procedures to mitigate fraud risk and prevent it from taking place.

Next Steps

Novatus Global supports its clients in identifying and mitigating fraud risk, including producing the ‘reasonable procedures’ and control framework to protect themselves. Our bespoke approach ensures that firms across the financial services sector have fraud prevention frameworks tailored to their territoriality, size and level of associated person risk, and empowers all aspects of their businesses to work towards the prevention of fraud.
