On 6 November 2024 the UK government published its long-awaited guidance (the Guidance) on the new offence of failure to prevent fraud (here) and confirmed the offence will be in force from 1 September 2025.
Under the new offence an organisation (whether or not it is a UK organisation) may be criminally liable where an employee, agent, subsidiary, or other “associated person” commits a fraud intending to benefit the organisation, where that fraud has a UK nexus, and the organisation did not have reasonable fraud prevention procedures in place. More detail on the new offence is set out (here).
This new offence is a hugely significant development and is intended to have a similar impact to the UK Bribery Act 2010, both in terms of driving changes in compliance and culture and in leading to deferred prosecution agreements and prosecutions.
The Guidance covers both the elements of the offence itself and, importantly, advice on what constitutes reasonable fraud prevention procedures.
The Guidance broadly follows the format of the UK Bribery Act adequate procedures guidance, but there are some important differences and changes of emphasis. These include more detailed guidance on the role of senior management, more detailed consideration of the types of risks that should be assessed (including risks relating to rationalisation, culture and incentives) and an emphasis on compliance resourcing/budgeting and reporting lines.
The Guidance provides a helpful starting point, but it is designed to be outcomes-focused: organisations need to consider their own fraud risks and how best to mitigate them. Notably, the Guidance refers to the US guidance on corporate compliance programmes (here), which provides much more detailed expectations (and in practice informs many compliance officers and lawyers when designing or reviewing financial crime compliance programmes).
In this blog we summarise some of the key points we identified during our initial review of the Guidance. We will be discussing the Guidance on a live webinar on Thursday 14 November 2024. Please click (here) to register.
- Interaction with existing procedures: the Guidance acknowledges that in some cases existing procedures can be adapted or extended to avoid duplication, but warns that “merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud”. This is an important point: while some processes can be adapted (e.g. third-party due diligence), many organisations do not currently have effective policies and procedures to prevent fraud committed for their benefit (outward fraud); existing policies and procedures are usually designed to prevent the company being a victim of fraud (inward fraud).
- Risk assessments: the Guidance emphasises the importance of a comprehensive risk assessment and suggests the following:
  - considering the types of associated persons and employees who present the highest risks of fraud. Notably, the Guidance refers to “nominated risk owners” developing typologies of risks. It is not clear who would be considered a “nominated risk owner”, but in our experience it is helpful to have representatives of different functions in the organisation considering the offences and discussing scenarios within a working group;
  - assessing risks related to cultural and organisational factors, including financial or operating pressures on the company, time pressures, stress, targets and workload, and whether the organisation’s culture is “quietly tolerant of fraud”; and
  - recognising that procedures may not be considered reasonable if the risk assessment is not reviewed periodically (it is suggested this should be at least annually).
- Senior management/board responsibility and resourcing: there is a real emphasis on senior management and board responsibility, reporting lines, and resourcing of the fraud prevention procedures. It is suggested organisations consider:
  - designated responsibility for “horizon-scanning for new fraud risks”, approving the risk assessment, overseeing investigations and “monitoring and review of the framework”;
  - ensuring that the Head of Ethics and Compliance (or similar person) has direct access to the board or CEO as they think necessary. This reflects one of the enhancements noted in recent DPAs;
  - committing “a reasonable and proportionate budget specifically for the leadership, staffing and implementation of the fraud prevention plan…over the long term”; and
  - how fraud investigation findings are reported to the board.
- Due diligence: the Guidance emphasises the importance of due diligence on associated persons and during M&A, but this section is fairly high level and needs to be read in conjunction with the risk assessment section – which refers to more substantive analysis of the risks posed by particular third parties. It is also worth considering here recent US guidance on compliance programmes, which provides more detail on due diligence, including on the need for a risk-based and integrated process, appropriate controls, management of relationships and real actions and consequences.
- Training and communication: the Guidance suggests:
  - “consideration should be given to the specific training needs of those in the highest risk posts”. This is likely to require more than online all-employee training;
  - monitoring the effectiveness of training programmes (as well as completion rates). This is crucial to avoid training becoming a tick-box exercise (particularly given the risk that employees simply click through online training);
  - “training should cover the nature of the offences as well as the procedures to address it”. In practice, this is likely to mean that training will need to be fairly detailed given the breadth of the offences and the controls needed to prevent them;
  - it may be helpful to integrate fraud messaging into existing policies and procedures (e.g. the Guidance suggests that policies related to sales targets or customer interactions could include a brief statement addressing fraud rationalisation and the potential consequences of committing fraud). This is a really important point: taking steps like this helps to bring the key points of fraud policies to the attention of those at higher risk of committing offences; and
  - that organisations consider publicising internally the outcomes of investigations. This needs to be handled sensitively given the risks involved (including organisations’ duties to their employees).
- Whistleblowing: the Guidance suggests that those organisations not required by regulators (e.g. the FCA) to have whistleblowing programmes should consider the following. In effect, this is setting new expectations for whistleblowing programmes for fraud outside the regulated sector:
  - board level accountability to oversee whistleblowing;
  - ensuring that reporting channels are independent;
  - training managers on how to respond to whistleblowing concerns;
  - learning from the issues raised by whistleblowers; and
  - ensuring internal and external whistleblowing mechanisms are signposted.
- Monitoring: the Guidance suggests conducting a formal and documented periodic review, including considering:
  - what data analytics or AI tools are used;
  - a nominated member of staff with responsibility for collating and verifying management information on suspected fraud and the effectiveness of fraud prevention procedures, and raising this to the board;
  - internal investigations, including: what measures are put in place to ensure independence; who authorises investigations; in what circumstances external investigators are appointed; and ensuring investigations are appropriately scoped and resourced. These pick up on some of the points in the SRA’s recent draft guidance on conducting internal investigations (here);
  - whether reviews/testing are conducted internally or externally (noting that best practice is for the procedures not to be tested by those who design them); and
  - potential crossover with the UK Corporate Governance Code monitoring requirements for premium listed companies.