Introduction

On 6 November 2024 the UK government published its long-anticipated guidance on the failure to prevent fraud offence (the Guidance).

The new offence will come into force in September 2025. It will apply both to UK and to non-UK organisations, where there is some nexus to the UK. The only defence for an organisation will be to have in place “reasonable procedures” to prevent fraud. More details on the new offence, including the underlying fraud offences covered, are set out here.

The first step when considering putting in place or enhancing anti-fraud procedures is to conduct a risk assessment. This helps to ensure anti-fraud policies and procedures are focused on the areas of highest risk for the company and proportionate to those risks. In this article we have considered how best to approach a risk assessment.

As the Guidance acknowledges, organisations may have existing risk assessment frameworks that can be adapted to include fraud committed for the benefit of the organisation or its clients (rather than fraud where the company is the victim). The risk assessment will take some time (and real thought): the Home Office issued an impact assessment (see here) in November 2022 which estimated that risk assessments should take companies between c.100 and 130 hours to prepare.

Please get in touch if you would like help with conducting a risk assessment.

1. Decide who will conduct (and oversee) the risk assessment

Ownership: there is often no single function that can, on its own, effectively conduct the failure to prevent fraud risk assessment or enhance / implement the requisite procedures to ensure compliance with the new offence (although the Guidance suggests that this may be the responsibility of a Head of Ethics or Compliance or similar). Input from across the organisation is likely to be required given the range of fraud risks which may arise. We have helped clients put in place a cross-functional working group to seek input from a variety of different business units, including finance, marketing, sales, legal, ethics/compliance and internal audit.

Oversight by senior management: The Guidance suggests it may be appropriate that some level of approval of the risk assessment should be given by senior management/the Board and that there should be designated responsibility for “horizon scanning for new fraud risks” and approving the “assessment of risk”. We would recommend that the approach taken in conducting a risk assessment is agreed at a senior level at the outset, with appropriate consideration given to resource allocation, coordination (e.g. via a working group) and reporting. As the Guidance stresses, there should be a specific budget and resources for the risk assessment as well as the enhancement of procedures.

Jurisdictional scope: As part of the risk assessment, companies will need to consider whether or not to adopt a global approach. The offence will apply to UK and non-UK companies alike where part of the offence takes place in the UK – such as a meeting or communication in the UK – or where there are victims in the UK, which could include investors or counterparties. It will also apply for certain offences where there is a gain or loss in the UK. This means that whether an entity is subject to the offence will vary depending on the specific circumstances in which the fraud takes place (and so could shift from transaction to transaction, or as its investor profile changes). Many multinational companies are therefore conducting risk assessments and enhancing fraud procedures on a global basis.

Level of external input: It is worth thinking upfront about what external input is required in conducting a risk assessment and where any external resource is best utilised. Although much of the knowledge required to conduct the risk assessment will be held internally, many companies will need some external legal support in conducting a risk assessment, particularly in terms of understanding the detail of the offences and how they can be committed, examples of fraud issues which have occurred in other organisations, the jurisdictional scope of the offence, and benchmarking against peer companies.

2. Understand the relevant risk assessments already in place; and what they do and don’t cover

Most companies have some kind of risk assessment that covers or touches on fraud (whether as part of a broader business-wide risk assessment or register, as part of a financial crime risk assessment, or as a specific fraud risk assessment). In our experience, however, many of these risk assessments do not adequately cover fraud intended to benefit the company or its customers (but instead focus on preventing fraud where the company is the victim). Appreciating this distinction is essential to ensuring the risk assessment is fit for purpose.

3. Get to grips with the underlying offences

It is crucial that those undertaking the risk assessment and enhancing anti-fraud procedures understand the underlying offences in sufficient detail. The offences are complex (much more so than those under the UK Bribery Act). Often the precise conduct covered by the offence is not obvious from the shorthand description set out in the relevant legislation, which complicates any assessment of the associated risks. For example, the underlying criminal offence of false accounting would also include concealing documents made for an accounting purpose (for example withholding a document from auditors). Further, there are a lot of grey areas about where conduct would meet the standard of dishonesty (a defining characteristic of nearly all of the underlying offences) which need to be thought through.

Given these challenges, many clients have found it useful to break down each offence into its constituent elements and to bring these to life with examples of how each offence can be committed in practice in their sector (and, as set out below, in each different business unit).

4. Consider for each offence how (and where) it could arise in your business

Once the underlying offences are understood, it is then important to assess how they could arise in your business.

The Guidance suggests, as a starting point, identifying the different types of associated person and having “nominated risk owners” consider the circumstances in which those associated persons may attempt fraud (and whether particular types of fraud offence, e.g. false accounting or abuse of position, are more likely to be committed by particular types of associated person).

A strategy we have seen work well to put structure around this is having each function lead within a cross-functional working group hold documented discussions about the offences as they apply to their function (for example sales/marketing, finance, legal, sustainability, investor relations). The function lead can then feed back to the working group the scenarios identified as risk areas and any relevant controls. This enables the company to build up a single document setting out risk areas across the business for each underlying offence.

Companies could be thinking about potential scenarios in which, for example:

  1. Employees in the finance team are dishonestly underestimating provisions to improve forecasts for the company;
  2. Third party sales agents dishonestly misrepresent the quality of a product to increase sales;
  3. Misrepresentations are provided in contractual documents, e.g. as to compliance with financial crime provisions;
  4. An employee or third party makes inaccurate statements about the company’s green credentials.

As noted in the Guidance, when assessing risks consideration should be given to:

  • reward and recognition systems which may incentivise fraud;
  • financial or operating pressures on the company (including time pressures, targets, financial reporting dates); and
  • emergency scenarios in which fraud risks may increase (the Guidance notes that failing to do so may mean that the organisation is not considered to have reasonable fraud prevention measures in place).

It is also helpful to consider other input, such as reviewing fraud issues raised through speak-up programmes, by internal audit or otherwise in recent years, as well as looking at prior enforcement action or relevant litigation involving peers.

5. Gap analysis: assess what policies and procedures are already in place and identify any areas for enhancement

Clearly, in order to assess the level of risk, it is important to understand the extent to which existing policies or procedures (whether fraud-specific or otherwise) can be adapted or supplemented. Many companies will already have in place, for example, third party due diligence and monitoring processes relating to bribery and corruption, as well as controls around financial reporting and approval of marketing materials.

What many clients have found useful is setting out, for each offence (and each of the scenarios identified), all relevant controls already in place and where there are gaps or enhancements required. An enhancement plan can then be drawn up.

6. Produce a written risk assessment – and agree when it will be reconsidered

Whilst the primary purpose of anti-fraud procedures is, of course, to stop fraud happening in the first place, it is also crucial that a company can defend itself if allegations of fraud are raised and it is facing a criminal investigation (or seeking to persuade criminal authorities not to investigate). This means the company’s procedures, including the risk assessment, need to be documented carefully.

Defending procedures effectively requires contemporaneous documentation of the decisions made and steps taken in conducting a risk assessment, including the rationale for those decisions. For example, where an offence arises in an area of the business which was deprioritised in light of the risk assessment, it will be important, under a risk-based approach, to be able to provide contemporaneous evidence of the rationale for that decision.

How often should the risk assessment be refreshed? The Guidance states that the risk assessment should be dynamic and kept under regular review, either annually or bi-annually. Risk assessments should also be refreshed in the interim as the business (and the risks it faces) change, and in light of any fraud issues identified.