This is the third article in our series breaking down the steps that organisations will need to take to put in place “reasonable procedures” to prevent fraud. Our previous posts, focusing on how to conduct effective fraud risk assessments and enhance policies and procedures, can be found here and here.
The new UK failure to prevent fraud offence is anticipated to come into force in early 2025. The offence will apply both to UK and to non-UK organisations, where there is some nexus to the UK. The only defence for an organisation will be to have in place “reasonable procedures” to prevent fraud (and the UK government is set to publish guidance for companies on “reasonable procedures” later this year). More details on the new offence, including the underlying fraud offences covered, are set out here.
As we discussed in our previous blog posts, a core element of “reasonable procedures” will be the completion of a risk assessment to better understand the risks faced by the organisation, and a review of the extent to which the identified risks are mitigated by existing policies and procedures – and what enhancements are needed.
In our experience, while many organisations have certain elements of anti-fraud programmes in place, these often require significant development, as they are not always designed to prevent fraud by associated persons where the company or its clients stand to gain.
Two key areas for enhancement are training and tone from the top. As with other areas of compliance, both are important in terms of embedding a strong organisational culture. Most anti-fraud training and senior level messaging currently in place focuses on preventing the company from being a victim – rather than a beneficiary – of fraud (e.g. email interception and phishing).
In this blog we set out some key points to consider when deciding how best to approach communication and training. If you have any questions or would like to discuss failure to prevent fraud in more detail, please get in touch.
Tone from the top (and middle)
What leadership (and middle management) says and does to reinforce the organisation’s commitment to fraud prevention is crucial in establishing effective procedures. An organisation that has good policies “on paper” but is not demonstrably committed to applying them in practice is unlikely to be deemed to have reasonable procedures.
Communication (for example through internal newsletters, townhalls, videos, participation in “ethics days” etc.) is very important, but in assessing compliance programmes authorities tend to focus on what the organisation “does” to ensure effectiveness. For example:
- what resources are deployed;
- the visible involvement of senior individuals in overseeing the implementation of reasonable procedures;
- how the policies and procedures are followed in practice by management;
- what behaviours are rewarded or penalised; and
- how breaches are investigated and dealt with.
As with any policy, many employees will look to how the organisation’s management acts, as much as (if not more than) what is contained in the policy wording or CEO statements etc.
Consistency of messaging is vital, both in terms of how the organisation’s anti-fraud programme aligns with its values and broader ethics and compliance programme, and on an ongoing basis after the initial policy updates and training have been delivered. Ideally, there will be sustained awareness raising as part of the company’s broader ethics communication campaign. This could take the form, for example, of disseminating frequently asked questions which have arisen following implementation of policies and procedures.
In assessing top level commitment, authorities are also likely to look at what role senior management played in overseeing the fraud risk assessment and consequential enhancements to anti-fraud procedures. The reasonable procedures guidance is likely to suggest that a senior individual or the Board signs off on the risk assessment, as well as the procedures to be put in place. The steps taken to assess the sufficiency of the risk assessment and procedures should be carefully documented, given that they are likely to be scrutinised in the event of a significant fraud investigation by authorities.
Communication and training
Training on fraud will be a fundamental part of an organisation’s reasonable procedures. The various underlying fraud offences covered by the failure to prevent fraud offence can be committed in many different ways and by different types of employees and third parties. The offences are varied and more complex than, for example, bribery offences under the UK Bribery Act, and there are a lot of grey areas, particularly in terms of when conduct is dishonest such that a criminal offence may arise.
Given these complexities, it is vital that employees – particularly those in higher risk roles – can spot potential fraud issues and raise them promptly. Employees should be trained as part of their financial crime onboarding training, and periodically thereafter (or in the event of a change in the company’s risk profile, or a significant fraud issue).
In our experience, industry specific scenario training is crucial for fraud: employees do not need to learn the details of the legal tests for the underlying offences, but they do need to understand the types of scenarios in which fraud may arise within their organisation and when to escalate an issue and ask for help. Ideally, the training will be based on real-life scenarios (or near-misses) identified by the organisation in its risk assessment, or previously encountered by the organisation or its peers.
Generic “off the shelf” training is unlikely to be as successful in enabling employees to spot high risk issues. Training should also cover the various mechanisms by which participants can raise queries or concerns about fraud. The training (ideally involving senior and middle management) should clearly communicate the organisation’s zero tolerance approach to fraud (and how this aligns with its values) and its encouragement for employees to speak up about fraud.
More detailed (and tailored) training will be needed for those in higher risk positions (for example, Sales and Marketing, Finance) and those who will be dealing with any potential fraud queries raised (for example Legal, Compliance and (if different) the recipients of speak up reports). Ideally, the more detailed training will be a two-way process such that those in higher risk positions can identify realistic scenarios which are then used to reinforce existing policies and procedures (and enhance future training).
Whether or not to train third party service providers should also be considered: at a minimum, a clear explanation of the organisation’s expectations and approach to fraud should be provided, with third parties confirming their agreement to comply with those expectations and that they have in place appropriate fraud controls (including training). This may be standalone or part of a supplier code or the services agreement. For higher risk third parties, some level of training is likely to be appropriate (which will have the added benefit of allowing the organisation to understand better the fraud scenarios third parties may encounter, as well as their approach and attitude to fraud risk). Organisations should build mechanisms for assessing the effectiveness of their training, for example employee surveys or measuring whether there is any uptick in fraud-related speak up as a result of the training. Training should evolve as the organisation encounters issues and as its business (and risks) change.