Background
October 2023 saw the enactment of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) as part of the UK government’s efforts to reduce fraud and bolster the ability of UK authorities to prosecute companies for economic crimes. The legislation introduced two new strict liability criminal offences for companies, with global extraterritorial effect:
- The senior manager offence (section 196); and
- The failure to prevent fraud (FTPF) offence (section 199).
Please see our client alert from March 2024, which sets out in detail how both offences work. The senior manager offence has been in force since 26 December 2023 and provides a mechanism by which an organisation will be held criminally liable if its senior managers commit a relevant economic crime.
FTPF offence recap
The new offence expands corporate criminal liability by holding large organisations and their subsidiaries accountable if they, or their customers, benefit from fraud committed by an associated person, and where the organisation has failed to implement reasonable fraud prevention procedures. The offence does not create liability for individuals.
The definition of a large organisation covers companies and partnerships where two or more of the following conditions in the financial year that precedes the year of the fraud offence are met:
(a) A turnover of more than £36 million;
(b) A balance sheet total of more than £18 million; and
(c) A total of more than 250 employees.
The offence is committed if an “associated person” – defined broadly to include employees, subsidiaries, agents, or anyone performing services for or on behalf of the organisation – commits fraud for the organisation’s benefit. Various types of fraud can form the base FTPF offence, including fraud by false representation, false accounting, false statements by company directors or fraudulent trading.
The FTPF offence can be committed by all large organisations and their subsidiaries wherever they are incorporated, formed or carrying on business. As such, it appears to have a similar extraterritorial reach to that of the failure to prevent bribery offence under the UK Bribery Act 2010.
The offence may apply to any fraud with a UK nexus, regardless of the location of the organisation or associate. This means foreign companies could be liable if any relevant criminal conduct takes place in the UK or targets UK victims.
The organisation will only have a defence if it can show it either had reasonable prevention procedures in place designed to prevent associates from committing fraud, or that it was reasonable for the organisation not to have such procedures in place.
Purpose of the Guidance
Under section 204 of ECCTA, there is a requirement that the government issue guidance (the Guidance) about the procedures that relevant bodies can put in place to prevent persons associated with them from committing fraud offences. The publication of the Guidance was required before the FTPF offence could come into force.
The Guidance, which was published on 6 November 2024, confirms that the FTPF offence will come into force on 1 September 2025. Organisations have until that date to ensure that they have sufficient fraud prevention procedures in place, failing which they may be liable to significant financial penalties.
The Guidance has been formulated taking into account feedback from industry consultations (including input from the authors of this article), and ECCTA provides that it can be updated at any time. The Guidance is advisory, rather than binding or prescriptive. It will be for organisations to determine how to develop or enhance procedures in line with it.
Key points from the Guidance
- The Guidance reiterates that the scope of the offence is extremely wide, notably in relation to who can be considered an associated person.
- Although an intention to benefit the organisation is required for the offence to be committed, this does not have to be the sole or even the dominant motivation for the fraud. For example, it is sufficient for a fraudster to incidentally benefit the organisation while aiming to benefit themselves.
- What constitutes “reasonable” prevention procedures will be analysed on a case-by-case basis, but the absence of a risk assessment will be viewed negatively by prosecuting authorities.
- Fraud prevention procedures will be informed by the same six key principles that govern existing economic crime legislation such as the UK Bribery Act 2010 and Criminal Finances Act 2017:
  - Top level commitment: senior managers, directors and partners have a key responsibility in defining and communicating their organisation’s strategy regarding fraud prevention. This can manifest in express statements regarding fraud prevention, but also, for example, by committing resources to setting up safeguards.
  - Risk assessment: the Guidance suggests basing assessments on the “fraud triangle”, which takes into account the motivations behind fraud, the opportunities for it to be committed, and how it may be rationalised by the organisation’s culture or by the sector in which the organisation operates. Ongoing review is key in ensuring risk assessment is effective.
  - Proportionate risk-based prevention procedures: the fraud prevention plan should take into account the severity of the risks faced by the organisation. The Guidance explicitly states that compliance processes completed for the purposes of complying with other legislation will not necessarily qualify as reasonable procedures for the purposes of ECCTA.
  - Due diligence: organisations should take steps to assess their potential exposure. Due diligence processes, whether they are organised internally or by external consultants, should be reviewed on an ongoing basis.
  - Communication: while senior management has a key role, the Guidance also states the importance of making all staff aware of the necessity of fraud prevention. It particularly highlights effective whistleblowing procedures as a key part of anti-fraud strategies.
  - Monitoring and review: organisations should aim to have effective processes in place to detect fraud, but also to ensure suspicious activity is investigated effectively. Ongoing review is a crucial part of any fraud prevention procedure: feedback from staff and advice from professional organisations can be tools when assessing the relevance of internal policies.
- The Guidance advises (but does not mandate) that parent companies take steps to prevent fraud by subsidiaries, including by implementing group level policies and training and by ensuring that there is a nominated person responsible for fraud prevention in each subsidiary.
- As to how the offence will be enforced, the Guidance states prosecutions will be carried out by the Crown Prosecution Service and the Serious Fraud Office (in England and Wales). Where organisations in scope are subject to a range of other legislation and where a base fraud offence constitutes a breach of regulations (which may come under the ambit of the Financial Conduct Authority or HMRC, for example), the Guidance states that there is an expectation that regulators will work together to deliver a resolution.
- The Guidance reiterates that self-reporting is encouraged and that application of fraud prevention procedures is of significant interest to those investigating fraud.
- As to auditors, who have a responsibility to identify and assess the risk of material misstatement (due to error or fraud) in an organisation’s financial statements, the Guidance clarifies that an audit alone cannot provide a reasonable procedures defence. Management and those charged with governance should therefore not rely solely on the audit to provide them with assurance about the appropriateness of their fraud prevention and detection controls in the context of failure to prevent fraud.
- Similarly, for listed companies that are expected to carry out robust risk assessments under the UK Corporate Governance Code, compliance with the Code may help support a reasonable procedures defence in the context of the offence, but is not sufficient, on its own, to constitute that defence.
- Although the offence only applies to large organisations, the Guidance identifies its content as being “good practice” for smaller organisations as well. Smaller organisations should also keep in mind that they may be considered an associated person if they provide services to large organisations and may therefore be contractually required to put in place relevant procedures.
Practical steps
What can your organisation do to ensure that it has reasonable fraud prevention procedures in place? Here are our key practical recommendations for the introduction of anti-fraud compliance programmes:
- Identify your senior managers. Identify individuals and relevant roles that may fall into the definition of “senior manager”.
- Identify your associated persons. Identify individuals and entities that may fall into the definition of “associated person”.
- Risk assess your geographies, sectors, clients and suppliers. Conduct an enterprise-wide risk assessment specifically focused on the risk of your senior managers and associated persons committing fraud and/or review any such assessments previously carried out to see if they remain fit for purpose.
- Update policies and procedures. Subsequently review and amend policies and procedures to account for these risks in a proportionate way.
- Comprehensive training. Train employees, agents and senior managers to identify risks and to mitigate them if they are spotted, and ensure appropriate methods are in place for reporting and reviewing any suspicions.
- Monitor and incentivise compliance. Establish procedures for the ongoing monitoring of the above to ensure continued compliance. Seek regular feedback from those on the ground to tailor your approach.
Failing to take adequate steps will result in a heightened prosecution risk under both the FTPF and senior manager offences.
Client Alert 2024-228