
UK government guidance paves way for entry into force of failure to prevent fraud offence

02.06.2025

In September 2025, the UK’s new corporate “failure to prevent fraud” offence, introduced under the Economic Crime and Corporate Transparency Act 2023 (the "Act"), will come into force. The Act is part of the UK government's ongoing and wider efforts to reform corporate criminal enforcement in the UK, including to strengthen corporate accountability.


In short, the purpose of the offence is to ensure businesses take proactive measures to prevent and deter fraudulent activities. In this regard, the government has published guidance on reasonable fraud prevention procedures, to assist businesses in their efforts to interpret and comply with the law. The guidance is only advisory, however, and should not be taken as a substitute for having a thorough and clear understanding of the legislation. 

The failure to prevent fraud offence in a nutshell

The "failure to prevent fraud" offence imposes criminal liability on organisations if they fail to implement reasonable procedures to prevent fraud being committed by employees, agents, or others acting on their behalf (see our previous article for more details on the offence itself). The offence applies to certain, specified types of fraud, including fraud by false representation, fraud by failure to disclose information and fraud by abuse of position.

The offence covers fraud committed for the organisation's benefit and where the organisation failed to prevent such conduct by someone associated with it. Key sectors at higher risk of fraud, including finance, construction, and professional services, are likely to feel the greatest impact.

Scope and application

The offence applies to "large organisations", as defined in the UK Companies Act 2006, meaning organisations that meet two of the following three criteria: 

  • More than 250 employees
  • More than £36 million in turnover
  • More than £18 million in total assets

Notably, these criteria apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located, as long as there is a UK nexus. A UK nexus will be established where at least one of the acts which was part of the underlying fraud took place in the UK, or the gain or loss resulting from the offence occurred in the UK. For instance, if an employee or associated person of a non-UK based organisation commits fraud in the UK, or fraud which impacts victims in the UK, the organisation could be prosecuted.  

The "reasonable procedures" defence

Organisations have a defence against a charge of having failed to prevent fraud for the purposes of the offence by demonstrating that they had "reasonable procedures" in place to prevent fraud. The guidance issued by the UK government in November seeks to assist businesses in designing and implementing such reasonable procedures. 

The guidance is broadly in line with similar guidance published to assist businesses in implementing adequate or reasonable procedures to prevent bribery and the facilitation of tax evasion under, respectively, the UK Bribery Act 2010 ("UKBA") and the Criminal Finances Act 2017. The avid reader will have spotted the differing terminology of the adequate procedures defence, for a charge of failing to prevent bribery, and the reasonable procedures defence, for charges of failing to prevent fraud and the facilitation of tax evasion. Following the introduction of the UKBA, concerns were voiced that companies being investigated for failing to prevent bribery faced an inherent difficulty in demonstrating that their procedures were adequate when the occurrence of bribery had, arguably, rendered the procedures by definition inadequate at preventing the conduct in question. A House of Lords Select Committee conducting post-legislative scrutiny of the UKBA subsequently recommended that if further 'failure to prevent' offences were created after the UKBA, the defence of procedures which were “reasonable in all the circumstances” would be preferable to one of “adequate procedures”, with the test of 'reasonableness' "more clearly giving the intended meaning".

UK government guidance on reasonable procedures to prevent fraud

According to the government guidance, key components of an effective anti-fraud framework include:

  1. Top-level commitment: The board of directors, partners and senior management should demonstrate commitment to preventing associated persons from committing fraud.
  2. Risk Assessment: The organisation should regularly assess the nature and extent of its exposure to the risk of employees and other associated persons committing fraud.
  3. Proportionate risk-based fraud prevention procedures: The organisation should implement clear measures to prevent fraud which are proportionate to the risks and the nature, scale and complexity of the organisation. This includes a strong encouragement to implement effective whistleblowing processes.  
  4. Due diligence: Appropriate due diligence should be undertaken on persons who perform or will perform services for or on behalf of the organisation.
  5. Communication: Policies and procedures should be clearly communicated throughout the organisation, supported by training and appropriate whistleblowing arrangements.
  6. Monitoring and review: Regular monitoring and review of fraud prevention procedures should be conducted to ensure their effectiveness, with improvements to be made as necessary.

The government guidance encourages companies to put in place fraud prevention measures designed with the company's specific structure and links to the UK in mind.

The guidance also notes that, in some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk, but that it will rarely be considered reasonable not to have even conducted a risk assessment. Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision. The risk assessment should be kept under review. The frequency of review is a matter for the relevant organisation. However, if the risk assessment has not been reviewed recently enough, a court may determine that it was not fit for purpose and therefore that reasonable procedures were not in place at the time of the fraud.

Parent company responsibility for subsidiaries

In contrast with the UKBA, the failure to prevent fraud offence establishes a presumption that a subsidiary of the organisation is an associated person for the purposes of the offence. As a result, it is possible for a parent company to be prosecuted for failing to prevent fraud committed by a subsidiary where the beneficiary is either the parent organisation or its clients to whom the subsidiary provides services for or on behalf of the parent. Note, however, that the parent company will not be liable for frauds committed by a subsidiary where there is no intention to benefit the parent company or its clients.

The government guidance encourages parent companies in scope of the offence to implement fraud prevention policies and training for all companies within a group, while also ensuring that there is a nominated person responsible for fraud prevention in each subsidiary. 

Supply chain and subcontractor responsibility 

Companies within an organisation’s supply chain are not associated persons unless they are providing services for or on behalf of the organisation. Where they are providing such services, however, they are associated persons even if they do not have a direct or formal contractual relationship with the relevant organisation. 

Pursuant to the government guidance, the implementation of reasonable fraud prevention procedures should take account of the level of control, proximity and supervision the organisation is able to exercise over a particular person acting on its behalf. The greater the degree of control, proximity and supervision, the more likely it is that a court will find that an "associated person" relationship exists. Where a supply chain involves several entities or a project is to be performed by a prime contractor with a series of subcontractors, the guidance clarifies that an organisation is likely only to be deemed to exercise control over its direct contractual counterparty, rather than all subcontractors involved in the project or supply chain. The guidance also goes further than the equivalent guidance for the failure to prevent bribery and facilitation of tax evasion offences, by giving examples of service providers that would generally not be deemed associated persons. These include external lawyers, valuers, accountants and engineers.

Where the prime contractor subcontracts to persons or companies that could be associated persons of the in-scope organisation, the implementation of reasonable procedures may entail risk-based due diligence and the use of relevant fraud prevention terms and conditions in contractual relationships, including requesting that direct counterparties require the next party/ies in the chain to adopt similar procedures.

Implications for businesses

The introduction of the failure to prevent fraud offence is a continuation of the UK's efforts to depart from the traditional "identification doctrine" (which we have previously written about here) in the context of corporate liability for economic crimes such as bribery, fraud and tax evasion. 

The question of whether a relevant organisation had reasonable procedures in place to prevent fraud is a matter that can only be resolved by the courts, taking into account the particular facts and circumstances of the case. To avoid falling foul of the offence, however, companies should, as a starting point, conduct a fraud risk assessment, including an assessment of any potential UK nexus that might lead to the company falling in scope of the offence. In this regard, it is important to note that, unlike the UKBA, the failure to prevent fraud offence can be applicable even if a company has no UK presence or operations, if there is a possibility that any victims of the fraud could be located in the UK. 

As for the relevant procedures to put in place, these should include policies which mitigate fraud, fraud training and a clear tone from the top about the importance of these policies and controls, alongside the promotion of a speak-up culture. The government guidance encourages organisations to allocate a reasonable and proportionate budget specifically for the leadership, staffing and implementation of the company's fraud prevention plan, including training. With respect to contractual counterparties, organisations are expected to conduct risk-based due diligence, implement contractual provisions to prevent fraud by counterparties on the organisation's behalf and put in place effective audit and monitoring mechanisms relating to fraud.

Although smaller organisations and organisations without any UK touchpoints are not in scope of the offence, such organisations should be aware that they may be “associated persons” while they provide services for or on behalf of large organisations in scope of the offence. In these circumstances, even organisations that are not in scope of the offence may be subject to contractual or other requirements imposed by the in-scope organisations in respect of the offence of failure to prevent fraud.

Authors
Hanne Rustad Gundersrud
Senior Lawyer
