On 6 November 2024, the UK Government published final guidance on what constitutes reasonable prevention procedures (the “Guidance”), on which organisations can seek to base a defence to the recently introduced Failure to Prevent Fraud offence (the “FTPF Offence”). It has also now been clarified that the offence will come into force on 1 September 2025. While it had been anticipated that the implementation period for the FTPF Offence would be six months, this longer period is a welcome development which provides organisations with additional time to implement the measures set out in the Guidance.
Here, we provide a brief overview of the Guidance accompanied by some practical suggestions for preparing for this landmark reform to the corporate crime landscape.
Overview of the FTPF
The FTPF is a strict liability offence which operates where a “large organisation” fails to prevent an “associated person” from committing one of the fraud offences listed and where that fraud is intended to benefit, directly or indirectly, the organisation or a client of the organisation.
Reasonable prevention procedures defence guidance in practice
It is a defence to the FTPF Offence if the company can show, on a balance of probabilities, that it had “reasonable prevention procedures” in place to prevent the fraudulent activity (or if it was not reasonable in all the circumstances to expect the organisation to have any reasonable prevention procedures in place for such fraud).
The Guidance sets out six general principles for organisations to have in mind when developing fraud prevention procedures, alongside illustrative case studies. These principles are:
- Top level commitment;
- Risk assessment;
- Robust but proportionate risk-based prevention procedures;
- Due diligence;
- Communication (including training); and
- Monitoring and review.
These reflect the principles in the UK Bribery Act Guidance and there may be some overlap in the measures taken to prevent fraud and bribery. But the nature of the underlying fraud offences and the range of potential additional touchpoints across organisations means companies will also likely require other fraud-specific prevention procedures.
Top level commitment
The clear message from the Guidance is that senior level endorsement of tackling fraud is essential. Given this, senior management of all relevant organisations should assess plans for identifying and preventing fraud (and record such discussions) and implement any necessary changes to their systems and controls in advance of the offence coming into force. This includes communication and endorsement of the organisation’s fraud prevention stance, ensuring clear governance structures to tackle fraud, commitment to training and resourcing, leading by example and fostering an open culture.
Risk assessment
An important part of a corporate’s strategy for tackling possible fraud should be a risk assessment exercise. This should consider the (i) opportunity; (ii) motive; and (iii) rationalisation by which associated persons may commit fraud that benefits the organisation or its clients (whether indirectly or directly). The Guidance calls this the “Fraud Triangle” and lists questions under each of these three headings. The questions provide a useful starting point for risk analysis.
Areas of potential exposure to fraudulent activity include public statements, representations to counterparties and stakeholders, instances where an organisation has obligations to disclose information (eg statutory obligations and audit requirements), processes regarding tax and accounting, and procurement exercises.
The risk assessment should not be limited geographically because the FTPF could extend to certain UK offences where part of the offence may have taken place abroad and there is a sufficient nexus with the jurisdiction (for example, harm to UK consumers).
Robust but proportionate risk-based prevention procedures
Companies should then adopt a fraud prevention plan with proportionate procedures that address the risks identified. These fraud prevention procedures should aim to reduce the opportunity, motive and means to commit fraud. Often this may simply involve building on existing processes and procedures, but this will be fact-specific depending on the risk assessment and existing safeguards.
We expect that prosecutors will examine the entire relationship between organisations and associated persons to assess whether measures in place to tackle fraud were reasonable and proportionate; this will likely include considering:
- contractual terms with third parties that aim to mitigate the risk of fraud;
- use of internal and external audit to ensure that policies are applied consistently;
- assessment and testing of third-party risk (both at onboarding (including the initial diligence) and throughout the relationship);
- review and assessment of payment terms and incentive structures;
- how performance of third parties is monitored;
- regular testing of procedures;
- any practical training of third parties in terms of fraud risk; and
- a wider assessment of how the company tracks and deals with red flags (including as part of initial due diligence and throughout performance).
Reflecting concerns around fraud perpetrated against the Government during COVID-19, the Guidance confirms that risk assessments should cover emergency situations, although it accepts that not every emergency can be predicted.
Due diligence
Due diligence procedures in respect of services performed by associated persons should be applied using a risk-based approach. The Guidance warns that “merely applying old procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud. Those with exposure to the greatest risk may choose to clearly articulate their due diligence procedures specifically in relation to the corporate offence”. Therefore, organisations should carefully revisit existing policies by reference to the new statutory requirements and recognise that simply bolting on fraud wording to current contractual or policy terms may not be sufficient.
The Guidance provides illustrations of the best practice steps organisations can take to ensure adequate due diligence, including the use of appropriate technology (eg third-party risk management tools, screening tools and vetting) and monitoring staff to identify those that are at risk of committing fraud.
Communication and training
Training can help employees understand the steps they can take to spot and prevent fraud, with communications to reinforce why this is important. Those operating in high-risk areas or holding senior roles may merit additional training and deep dive crisis scenario sessions. As with other types of risk, ensuring whistleblowing procedures are communicated and are fit for purpose is key.
Monitor and review
The Guidance provides three elements for ensuring sufficient monitoring of fraud: (i) detection; (ii) investigation; and (iii) ongoing review/monitoring. The Guidance provides questions to assess under each of these headings. An important part of this process is learning from (among other matters) whistleblowing incidents, internal investigations, enforcement action and sector specific information.
Overlap with existing offences and guidance
The Guidance provides some additional insight on the overlap of the FTPF with the common law offence of “cheating the public revenue” and statutory auditing requirements. The Guidance also explains that steps taken to implement risk assessments to comply with the recently reformed UK Corporate Governance Code applicable to boards of premium listed companies may contribute towards fraud mitigation measures, but this will not be sufficient to provide a defence to a FTPF prosecution. We also expect that additional sector specific guidance is likely to follow, especially in heavily regulated industries. These tools may prove helpful for those in the relevant sector and may also assist those in other sectors in designing their mitigation measures.
Outlook
The introduction to the Guidance gives the clear signal that it is intended to “make it easier to hold organisations to account for fraud committed by employees, or other associated persons, which may benefit the organisation, or, in certain circumstances, their clients” and “encourage more organisations to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud”. In this vein, the offence looks to incentivise proactive steps by corporations to foster a culture of zero-tolerance to criminal activity. Given this context, we do not expect to see an immediate marked increase in prosecutions in the area, although there will likely be additional investigations into corporate fraud as the reforms are implemented.
Next steps
We recommend that businesses review their current policies and procedures consistently with the approach endorsed in the Guidance. In addition, companies should monitor announcements in the next 2-12 months, including the expected publication of sector specific guidance on the FTPF and further announcements by the new Government on how they intend to tackle fraud.
In addition to fraud prevention procedures, the Guidance addresses the scope of the FTPF Offence, including its territorial reach and how subsidiaries of large organisations will be treated. We will be commenting further on the Guidance and providing additional insight on how companies can prepare for these reforms in follow up posts.