In October, we published an article setting out five key steps for regulated financial services firms to be thinking about in relation to the new failure to prevent fraud (FTPF) offence. We also have a number of more general publications on this topic which can be found on our knowledge hub.
Following publication of the Government’s failure to prevent fraud guidance on 6 November (the Guidance), the purpose of this briefing is to take a more detailed look at aspects of the Guidance from the perspective of the regulated financial services sector.
Firms now have less than 9 months before the offence comes into force on 1 September 2025 to assess, enhance, and/or implement reasonable and proportionate policies, procedures, and systems and controls to detect and prevent a wide range of fraud offences. We set out below some issues across five key areas for regulated firms to assist with ensuring reasonable procedures are embedded within their existing systems and controls.
1. Ownership and governance
Whilst the FCA will expect a high level of engagement from senior managers in driving forward the identification and implementation of any risk assessment and enhancement of existing controls to take account of the FTPF offence, any relevant internal messaging should make it clear that managing fraud risk is the responsibility of everyone within the organisation, not just the Compliance Team or senior management. There are various angles to consider from an ownership perspective:
- Responsibility allocation
  - The Guidance confirms the expectation that the lead senior manager for the purposes of failure to prevent fraud may be the same person as the ‘senior manager’ with responsibility for the firm’s financial crime compliance systems and controls, or, if not, should work closely with them.
  - Whilst ultimate ownership of FTPF procedures may technically sit with a particular senior manager function (SMF), all members of the leadership team need to play a role in considering particular fraud risks arising in relevant parts of the business, debating and challenging the fraud risk assessment and prevention plan, ensuring adequate resource is allocated, and requiring and reviewing management information relating to fraud trends and the operation of relevant controls.
- Achieving and evidencing engagement
  - Since, irrespective of the technical allocation of responsibilities from a regulatory perspective, responsibility for regulatory compliance is shared, individuals across all three lines of defence need to assess the way that they are dealing with and managing the risk of fraud and how the steps taken could be evidenced to a regulator or prosecuting authority if necessary.
  - Senior management need to be proactive when assessing risk and the adequacy of controls, and fraud management requires high-level sponsorship from the executive and board levels. Consideration should be given to how this is best achieved within the firm’s governance structure and reflected in its record-keeping, for example in terms of reference, agendas and minutes.
- Management information remains critical
  - A key consideration for firms and the senior management team is the nature of the information on fraud risk that is flowing up to management and, in particular, whether or not this is sufficient to discharge responsibilities and meet the requirement for reasonable procedures.
  - Management information should be sufficiently detailed to equip senior managers with adequate knowledge of fraud incidents and particular trends, the effectiveness of existing controls, and the steps being taken to mitigate risks and address emerging issues. Firms should be asking themselves (and robustly testing) whether the information that senior management currently receive is adequate and whether any enhancements are needed to take into account the new offence, such as providing additional granularity on fraud involving employees and other associates.
- Resourcing
  - Given shared ownership and the work that may be needed to review existing policies and procedures and ensure they are adequate to address concerns arising in a FTPF context, consideration should be given to whether the firm’s investment in anti-fraud systems, including resourcing within relevant teams, is adequate.
- Communication, integration and training
  - Firms need to assess staff awareness and make enhancements where necessary, through updates to policies and procedures as well as training practices.
  - Staff knowledge should be periodically tested to ensure it reflects current thinking and market developments.
2. Risk assessment and risk management in the context of existing regulatory framework
The Guidance recognises that firms may well already have in place policies and procedures relating to the prevention of fraud. Notwithstanding such existing arrangements, the Guidance confirms that it will rarely be considered reasonable not to have even conducted a risk assessment. A key step in evidencing reasonable procedures will be documenting the steps taken to consider the risks, the adequacy of existing risk assessment processes and documents and the need to build in any additional considerations with respect to the risks associated with the FTPF offence.
Pending sector-specific guidance in the context of the FTPF offence, useful materials include the FCA’s Financial Crime Guide, which contains some self-assessment questions and examples of good/poor practice (FCG 2.2.4); the Financial Crime Thematic Review; and the FCA’s recent reviews on money mules and authorised push payment fraud.
The risk assessment process
When mapping out areas of risk so as to demonstrate a bespoke risk assessment which takes account of the nature of the firm’s products, services and customers, taking and documenting the following steps may be useful:
- An initial assessment to identify the relevant associated persons which/who could pose a fraud risk to the firm and the wider group within which the firm operates, even where some relevant entities are outside the UK.
- A territorial scoping exercise, taking into account that underlying fraud offences may be committed in the UK, or involving UK victims, by entities that are outside the UK.
- Engagement with the business and front office to ensure all stakeholders understand the underlying fraud offences and can assist with identifying examples of circumstances in which the various offences could arise in practice, including by all the relevant categories of associated persons.
- A critical assessment of the extent to which the risks identified are addressed through existing frameworks, including with regard to the need for firms to understand:
  - the way that fraud losses are accounted for and dealt with within the organisation;
  - which parts of the business are targeted by fraudsters (including by reference to particular product categories and distribution channels).
- Consideration of any enhancements and a process of building the resulting risk scenarios effectively and appropriately into risk assessment frameworks.
- Recording any decisions not to implement procedures to address a particular risk, identifying the rationale and the name and position of the person who authorised this approach.
- Documenting the governance around the risk assessment process, including ownership, escalation, review, challenge, and approval by the appropriate individual/SMF/board.
Particular risks to consider
- Responding to issues that emerge:
  - As part of the risk assessment, consideration should be given to the way in which the firm identifies, escalates and responds to any increase in, or emerging, fraud risk, including by adopting appropriate remediation strategies (such as amending systems, controls, processes and procedures).
  - Testing should be carried out to ensure such controls are effective and remain appropriate, including the collation of, review of and response to information about incidents of fraud (or ‘near misses’) and developments in the market more generally, including incidents experienced by peers and regulatory responses.
  - Given that regulators expect risk assessments to be ‘live’ rather than static processes, firms should also have in place processes to ensure that risk frameworks are updated and adapted as new scenarios emerge.
- Use of third parties: The risk assessment will need to take account of the risks posed by suppliers and other associated persons (even where they are located overseas) and the steps needed so that firms can effectively manage the fraud risks presented by those third parties, including satisfying themselves as to the arrangements the relevant parties have in place to prevent fraud.
- Remuneration: One area of potential vulnerability relates to remuneration structures that incentivise individuals to take risk and which may increase the firm’s fraud risk. Firms need to ensure that they have considered this risk and the procedures necessary to mitigate it appropriately, such as subjecting particular teams to additional vetting and/or monitoring.
- ESG: There is a potential for ESG-related disclosures to found the basis for a FTPF offence, and so relevant overlaps should be considered. By way of example, statements about the environmental benefits of a product made by employees which they know to be false (e.g. by omitting information about less environmentally friendly aspects) could pose a problem for the firm under the FTPF framework, and firms should be thinking about ways to address these risks.
- The Consumer Duty: Firms will need to bear in mind the new Consumer Duty overlay. In particular, last year the FCA published a paper (in an authorised push payment context) encouraging firms to strengthen anti-fraud systems and to treat victims of fraud better.
3. Identifying ‘gaps’ in existing systems, controls, policies, processes and procedures
Once the risk assessment has been carried out, consideration will need to be given as to whether existing systems and controls adequately cover the types of fraud captured by the new offence, particularly from the perspective of associated persons, such as suppliers and contractors, committing fraud to benefit the firm or its clients, and taking account of the jurisdictional reach of the offence (which, in broad terms, applies to both UK and non-UK firms where part of the underlying offence takes place in the UK or there is gain or loss in the UK).
In addition to any of the particular risks referenced above, potential scoping ‘gaps’ may include:
- A focus in existing fraud-related policies and procedures on preventing a firm or its customers being defrauded, as opposed to fraud for the benefit of the firm, which is the focus of the new offence.
- Disclosures (or failures to provide information) beyond financial matters such as disclosures relating to products and services.
- Due diligence on and monitoring of employees, suppliers and other associated persons and whether enhancements are needed with regards to, for example, any surveillance tools including any relevant lexicon of search terms applied to communications.
- Whistleblowing policies and procedures which adequately encourage reporting of fraud suspicions including so-called ‘insider fraud’.
4. Group communication
As a result of the broad territorial application of the FTPF offence, global groups need to think carefully about how they message expectations in relation to the FTPF offence to colleagues and entities outside the UK, particularly where head office may be outside the UK and where additional resource may be needed to communicate effectively the implications of the offence for those outside the jurisdiction. Given challenges that can arise from internal group dynamics, it is advisable to start planning and messaging around this early.
5. Regulatory exposure and potential enforcement
In addition to any potential exposure to a prosecution for the criminal offence of failing to prevent fraud, regulated firms can also face regulatory investigations and penalties if their procedures are perceived to be inadequate. Senior managers can also be held personally accountable in the event of deficient policies and procedures or breaches by their firm, and other staff members can be disciplined for breaches of the Conduct Rules.
Even where investigations conclude with no action being taken, they can involve significant time and expense, provide a distraction and attract publicity and other unwanted consequences. Depending on the outcome of the ongoing FCA consultation on the announcement of investigations, the FCA may increasingly seek proactively to make an investigation public.
It is not yet clear how the potential ‘double jeopardy’ for FCA / PRA regulated firms will be managed on a practical basis or the extent to which firms might be faced with parallel investigations arising from the same facts.
The Guidance states that where a base fraud offence also constitutes a breach of regulations, the expectation is that prosecutorial bodies and regulators will continue to work together to deliver coordinated resolutions, taking public interest considerations into account. There is a recognition that, in some cases, regulators could choose to prosecute the offence of failure to prevent fraud themselves. This includes the FCA, which has specific prosecution powers in relation to fraud and whose general policy is described in the Enforcement Guide as being “to pursue through the criminal justice system all those cases where criminal prosecution is appropriate”, applying the basic principles set out in the Code for Crown Prosecutors, which include consideration of the evidence and whether prosecution is in the public interest.
The risk of facing a dual-track investigation process, as can sometimes be the case in other areas of financial crime, and the prospect of regulatory enforcement in cases where prosecution is not pursued, provide an added incentive, if one were needed, for firms to devote time, attention and resources to their financial crime controls and to ensuring that they are ready for when the offence comes into force next year.