The new failure to prevent fraud offence is due to come into force during 2025. In broad terms, in respect of the financial services community, it will mean that regulated firms of a certain size could be at risk in the event that fraud is committed for their benefit or the benefit of their clients by the firm’s “associated persons” (which may include employees, subsidiaries and other third parties). As with other ‘failure to prevent’ offences, the only defence for firms will be to demonstrate that they had reasonable preventative procedures in place. Guidance on “reasonable procedures” is due to be published in Q4 2024.

Regulated firms are already subject to regulatory requirements to have adequate systems and controls to counter the risk of the firm being used to further financial crime. There is guidance in the Financial Crime Guide and elsewhere, including the Financial Crime Thematic Review. Firms can face regulatory investigations and penalties in the event of inadequate procedures. Senior managers can also be held personally accountable in the event of deficient policies and procedures or breaches by their firm, and other staff members can be disciplined for breaches of the Conduct Rules. However, the new offence opens up the possibility of in-scope firms being prosecuted for, or entering into a deferred prosecution agreement in relation to, a criminal offence with attendant publicity, penalties, expenditure of costs and management time and other unwanted consequences. It is not yet clear how the potential ‘double jeopardy’ for FCA/PRA-regulated firms will be managed on a practical basis or the extent to which firms might be faced with parallel investigations arising from the same facts. However, this provides an added incentive, if one were needed, for firms to devote time, attention and resources to their financial crime controls and to ensuring that they are ready for when the offence comes into force in 2025.

In the meantime, we set out below some key steps for regulated firms: 

  1. Are you in scope? A general overview of the offence is provided here including a reminder that those in scope are “large organisations” which, as a whole (including subsidiaries), meet two of the three following criteria: (i) more than 250 employees; (ii) more than £36 million turnover; and (iii) more than £18 million in total assets. Remember that even if your firm is not in scope, you may be an ‘associated person’ of an in-scope organisation, which may expect you to have procedures in place.
  2. Who should take the lead? The FCA and SFO will expect a high level of engagement from senior managers in driving forward the identification and implementation of any assessment and enhancement of existing controls.  Ultimate ownership may sit with a particular SMF but all members of the leadership team should play a role in considering particular fraud risks arising in relevant parts of the business, debating and challenging the fraud risk assessment and prevention plan, ensuring adequate resource is allocated and requiring and reviewing management information relating to fraud trends and the operation of relevant controls. The reasonable procedures guidance is likely to set an expectation that senior management or the board signs off on the risk assessment and enhancements to anti-fraud procedures.  
  3. Where should you start? A good place to start would be drawing together a working group comprising key internal stakeholders from each relevant function and division to carry out a risk assessment by working through the relevant underlying fraud offences, how these could arise in each of the respective areas, which are most high risk and what controls are already in place.   Regulated firms will already have a significant number of relevant policies, procedures and other materials relating to financial crime.  In some cases, enhancements may not be significant but it is worth gathering together all potentially relevant materials including financial crime policies, terms of reference, statements of responsibility, employee handbook or code of conduct, supplier terms and conditions, employee vetting arrangements, disclosure approval procedures, due diligence materials, finance materials, investigation and audit procedures, whistleblowing processes and management information. 
  4. Where are the gaps? Consideration will need to be given to whether existing systems and controls adequately cover the types of fraud captured by the new offence, particularly from the perspective of associated persons, such as suppliers and contractors, committing fraud to benefit the firm or its clients, and taking account of the jurisdictional reach of the offence (which in broad terms applies to both UK and non-UK firms where part of the underlying offence takes place in the UK or there is gain or loss in the UK). Existing policies and procedures relating to fraud may focus predominantly on preventing a firm or its customers being defrauded (which is not the scope of the new offence). The exercise should include reviewing the existing risk assessment, collating information about incidents of fraud which have already occurred (or near misses), considering the existing guidance in the Handbook including the Financial Crime Guide (which contains some self-assessment questions and good/poor practice) and the Financial Crime Thematic Review, and keeping an eye on the emergence of government and sector-specific guidance as it becomes available. It’s also helpful in conducting a risk assessment to consider instances or allegations of fraud against peer firms. Some technical legal input may be helpful in terms of understanding the elements of the underlying offences given their complexity. By way of example, fraud goes beyond financial matters and can extend to misleading disclosures of (or failures to disclose) information. Due diligence on and monitoring of suppliers and other associated persons will also be needed so that the firm can ensure that it can effectively manage fraud risks presented by those third parties and satisfy itself in relation to the arrangements they have in place to prevent fraud.
  5. How will you evidence reasonable procedures? In order to best position the firm to be able to discharge the burden of establishing a reasonable procedures defence (or persuading a prosecutor that it is not in the public interest to prosecute), it is essential that adequate records are maintained of all the steps taken by the firm. This will include steps taken as part of the risk assessment process but also within the governance and controls enhancement process in terms of board agendas and minutes, approvals requested and granted, training delivered, due diligence and vetting conducted, incidents arising and remediation conducted, feedback of lessons learned into the firm’s processes and training delivered (and attended). It is important to document the rationale for steps taken, and decisions taken as to prioritisation of enhancements based on the risk assessment. Training will be required throughout the organisation by reference to specific and relatable examples, enabling staff to identify potential instances of fraud and escalate suspicions where necessary (with tailored training for those in higher risk positions).  Any assertion of a reasonable procedures defence will only be as good as the documentary evidence that supports it and that evidence may need to be deployed at some unknown future time when those currently engaged in implementation have moved on.  Looking ahead, firms should also consider how they will review the effectiveness of and adherence to anti-fraud policies and procedures.  

We are currently advising clients on their risk assessments and enhancements to procedures so please do get in touch with any of the authors of this briefing with any queries.