Following publication of the government’s guidance in November 2024 and ahead of the new offence coming into force on 1 September 2025, UK Finance has published guidance for the financial services sector on failure to prevent fraud (FtPF) which it says “should be taken into account by a supervisory or enforcement agency when considering and/or prosecuting suspected FtPF offences”.
The guidance (which is advisory only) will be of particular interest to those currently involved in activities aimed at establishing a defence of reasonable prevention procedures. Although the guidance is aimed at the financial services sector, it may also be of assistance to organisations in other sectors. It comprises three sections:
- Part 1: Guidance aimed at assisting firms to understand the offence.
- Part 2: Guidance on the types of reasonable prevention procedures that might be proportionate.
- Part 3: Guidance on the circumstances in which having no prevention procedures may be reasonable.
We have summarised below some of the key points made in the guidance by UK Finance. For further information in relation to the offence more generally please see our dedicated knowledge hub. We are currently assisting clients with establishing reasonable procedures so please do not hesitate to contact us if a discussion in relation to the guidance would be helpful or if you would like information about our related FtPF events.
Part 1: Understanding the Offence
1. AI: Actions solely attributable to AI or other machine-driven actions (such as trading algorithms) would not give rise to a fraud offence given the fraud offences require intent and (in most cases) dishonesty.
2. Secondary offences: Firms are reminded that secondary offences of aiding, abetting, counselling and procuring, more recently reframed as encouraging and assisting, could give rise to a FtPF offence even if no substantive fraud has been committed, but the person would have to have the necessary belief or intention required for the relevant secondary offence to arise.
3. In-scope: For application purposes:
- branches are considered to be part of their overall legal entity;
- the FtPF offence applies to all firms that meet the relevant criteria for being in scope – not just UK entities;
- a subsidiary that meets the criteria will be in scope in its own right (as well as being in scope with regards to the actions of its employees in accordance with the principles applied to large parent organisations).
4. Associated persons: Persons that are providing services “to” a firm (such as stationery suppliers) will not be acting “for or on behalf of the firm” and so would not be associated persons, but care should be taken over those described by the firm as “suppliers” but which do provide services for and on behalf of the firm (the example given is a third party engaged to perform customer onboarding vetting and due diligence). Where a third party ‘white labels’ a product, they are performing services on their own behalf.
5. Acquisitions: Where a firm purchases a new subsidiary or business the firm is not liable for fraud offences committed prior to the time of such purchase.
6. Acting outside of scope of employment: If the employee has acted outside of the role that they are employed to perform without the implied or direct instruction or sanction of their employer, a Court might find them not to be acting in the capacity of an employee (although sanction could be implied e.g. by turning a blind eye to known activity).
7. Services vs products: The guidance includes certain examples of services provided by third parties which would be in scope, such as customer relationship management, and distinguishes these from products where a service may not be provided, such as bilateral counterparty arrangements, over-the-counter transactions or lending facilities / loans.
8. Jurisdiction and UK branches: If there is jurisdiction to prosecute the underlying fraud offence then there will be jurisdiction to prosecute the FtPF offence and so:
- FtPF could be committed by persons outside the UK such as non-UK banks if the fraud offence had a UK nexus, regardless of whether or not that non-UK bank has a UK branch or subsidiary;
- non-UK banks with UK branches dealing with UK customers and a fraud committed by or intended to benefit a UK branch would be potentially in scope;
- an offence committed entirely outside the UK by a non-UK legal entity which was not intended to benefit its UK branch would not have a UK nexus;
- non-UK banks do not need to implement procedures for activities conducted entirely outside the UK just because they have a UK branch;
- UK headquartered firms will not generally be liable for their overseas employees or subsidiaries in relation to fraud that takes place entirely abroad; and
- although organisations could be prosecuted for fraud by a “UK-based employee” (see government guidance), an employee simply visiting the UK on a business trip would not be considered to be “UK-based” for these purposes.
9. Intention to benefit: Generally there would be no benefit if there is no business advantage. Enforcement action for FtPF can only proceed if the prosecution can prove beyond reasonable doubt that a benefit was intended or a positive outcome was virtually certain. There may be reasonable doubt that an intention to benefit existed where the firm can show that the associated person knew or suspected that the firm is likely to have to reimburse an impacted person; the firm is likely to be left with a bad debt (e.g. as a result of a loan); or the firm is likely to suffer reputational damage that adversely impacts on the value of the firm. Deposits held for customers are unlikely to be sufficient to imply an intent to benefit the firm.
10. Interaction with other offences: The guidance notes the interaction between FtPF and other financial crime regimes in the UK such as the failure to prevent the criminal facilitation of tax evasion under section 45(5) of the Criminal Finances Act 2017, the money laundering offences under the Proceeds of Crime Act 2002 and the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
Part 2: Reasonable Procedures
11. Risk Assessment: Firms may be able to leverage existing fraud risk assessments or may conduct one specific to FtPF. Although detailed knowledge of the interpretation of the fraud offences is not expected, firms should know the specifics of their own services and should use that knowledge to assess the risk of a fraud offence being committed by associated persons. It will not be possible to prevent all fraud but a risk assessment that has the following would be reasonable: (i) areas of risk; (ii) consideration of territorial scope; (iii) assessment of level of risk informed by the effectiveness of controls; (iv) clear assignment of ownership and responsibility; (v) clear documentation including a link between the risk assessment and the prevention procedures; and (vi) review on a periodic basis.
12. Proportionate prevention procedures: Firms may find that risks are sufficiently mitigated through existing controls, but should keep this under review. The reasonableness of prevention procedures should take into account the level of control it is possible to exercise. Contractual controls are a minimum control standard and where it is not possible to achieve this due to disparate negotiating power other means should be used. The guidance provides some examples of steps that can be taken to manage certain risks such as with distributors; the transfer agent relationship; employees and agents; market abuse; and some controls that may already be in place such as whistleblowing procedures, the SM&CR and the 3LOD model.
13. Due diligence: Due diligence should be applied on a risk-sensitive basis when establishing and reviewing third party relationships, and should be documented, including where relationships are terminated due to concerns. Professional or regulated status may be indicators of lower risk. Procedures should seek to prevent those that have been exited from being re-onboarded without concerns having been mitigated.
14. Communication and training: Training should be risk-based with general training being supplemented by role-based training or enhanced training for those in higher risk roles. It could be delivered as part of existing training.
15. Monitoring and review: The FCA expects continuous review and enhancement, and updates or adjustments are not evidence that procedures were unreasonable. Having a structure and resource for investigations may assist.
16. Top level commitment: Senior management are ultimately responsible and may wish to issue a statement of commitment and ensure the risk of fraud is on the agenda and referenced in accountabilities mapping.
Part 3: Circumstances in which having no prevention procedures may be reasonable
17. Risk Assessment: The guidance references the statement in the government guidance that it will rarely be reasonable not to have even conducted a risk assessment and suggests that a firm should show a clear link between any identified risk and its determination that it is not reasonable to have any prevention procedures in place.
18. Examples: The guidance suggests that it may be reasonable for financial services firms not to have prevention procedures in place in circumstances such as: (i) where there is no UK nexus for a particular area of the business; (ii) for certain types of associated persons such as distributors who are subject to regulatory controls, persons who provide execution only services, single purpose relationships, providers of markets and exchanges, providers of ‘middleware’ platforms; (iii) where the firm does not have grounds to terminate or amend existing contracts and where mitigation by other means is not possible; and (iv) in the context of the legal and regulatory framework regarding UK listed companies and particular transactions.
At the back of the guidance, UK Finance have provided: (1) a decision tree for Part 1; (2) some examples of third party relationships which it considers are not “associated persons”; and (3) twenty illustrations of how the FtPF offence may apply to particular scenarios.