This is the second article in our series breaking down the steps that companies will need to take to put in place “reasonable procedures” to prevent fraud. Our first post, which focussed on how to conduct effective fraud risk assessments, can be found here.  

This comes ahead of the new UK failure to prevent fraud offence coming into force, which is anticipated later this year or early next. The only defence for a company will be to have in place “reasonable procedures” to prevent fraud. More details on the new offence, including the underlying fraud offences covered, are set out here.

Importantly, the jurisdictional reach of the failure to prevent fraud offence is broad. It will apply to non-UK companies where a relevant part of the offence takes place in the UK. Depending on the nature of the underlying fraud offence, this could include a meeting or communication in the UK – or where there are victims in the UK, such as investors or counterparties. It will also apply for certain offences where there is a gain in the UK. Many multinational companies are therefore conducting risk assessments and enhancing fraud procedures beyond their UK business.

As we discussed in our previous article, the first step in considering “reasonable procedures” is to conduct a risk assessment to better understand the risks faced by the business. Many clients have put in place a cross-functional working group to consider the underlying offences and different risk scenarios applicable to each function. Once the risk assessment has been conducted, it is important to consider what policies and procedures are already in place to manage the risks identified – and where enhancements are needed. Ultimately, senior management / the board should approve the procedures, so it is important to get their buy-in to the risk assessment process and the proposed enhancements.

In our experience of advising clients on this, we have found that while many companies have some policies and procedures in place to assist in the prevention of fraud, frequently they do not fully cover the focus of the new failure to prevent fraud offence. In particular, there can be gaps in addressing:

  1. Fraud for the benefit of the company or its clients;
  2. All of the offences underlying the new offence; and
  3. The ways in which those underlying offences can be committed by “associated persons” which includes employees, subsidiaries and certain third parties.

We have set out below a summary of the approach we generally adopt in assessing and implementing necessary enhancements to fraud policies and procedures.

Please get in touch if you have any questions, or would like to discuss how to conduct a risk assessment or enhance your anti-fraud policies and procedures.

Assessing / implementing enhancements to policies and procedures

1. Existing fraud (and related) policies

As a starting point, it makes sense to review any existing fraud policies or policies which may contain (or ought to contain) fraud provisions, including codes of conduct, supplier codes, employee handbooks and whistleblowing policies, as well as policies relating to financial controls and tax evasion.

A crucial part of this is to assess the extent to which the existing policies cover the new offence, in terms of whether they address:

  • Fraud for the benefit of the company (as opposed to where the company is a victim);
  • Fraud by associated persons (including third parties and subsidiaries); and
  • The breadth of the underlying fraud offences and the ways in which they could be committed.

It is also important to consider to whom the policies apply, i.e. do they cover third parties and subsidiaries (and any other group companies or joint ventures that may also be caught by the new offence)?

2. What anti-fraud procedures are already in place?

Most companies already have in place some level of anti-fraud related processes and controls, but it is important to review these against the underlying offences to ensure that they effectively prevent fraud for the benefit of the company or its clients by associated persons (which, as set out above, is defined very broadly). Some examples of anti-fraud procedures that may already be in place include:

  • Financial controls (such as balance sheet reconciliation, payment processes, authorities matrices / segregation of duties);
  • External audit and reviews by internal audit;
  • Terms of reference of relevant board committees and sub-committees (e.g. audit and risk);
  • Tax-related controls;
  • Processes in relation to the approval of quarterly and annual statements, and other periodic financial disclosures;
  • Sign off processes for disclosures/representations in M&A and financing transactions;
  • Guidance and other controls on sales, advertising and marketing practices;
  • Annual / periodic certifications by employees, contractors and service providers;
  • Recording / monitoring of phone lines and electronic communications (where applicable); and
  • Recruitment and counterparty due diligence and screening processes.

3. How can existing compliance procedures be adapted?

The anti-fraud procedures set out in section 2 above should be reviewed and organisations should consider how they can be adapted to cover the new offence, or alternatively, whether additional procedures need to be introduced to ensure that they fully address (taking a risk-based approach) the risks identified in the risk assessment.

For example, companies could consider:

  • Developing a fraud programme enhancement strategy based on the findings of the risk assessment process;
  • Ensuring relevant policies, codes and employee handbooks address potential fraud risks;
  • Expanding employee, counterparty and transaction due diligence processes to target key fraud risks;
  • Ensuring that internal audit protocols and other monitoring processes are adapted to detect the range of potential fraud risks;
  • Ensuring that employees identified as being higher risk for certain types of fraud receive training tailored to their role; and
  • Updating supplier codes of conduct and counterparty contract clauses to address fraud risk.

4. Ownership and timelines

Ownership of the enhancement (and ongoing monitoring) of anti-fraud policies and procedures should be clearly agreed and signed by senior management / the board. Care needs to be taken that the policies are consistent and work as a whole. This may involve review by an individual or team (internal or external) not involved in the design of the procedures.

Areas of highest risk should be prioritised and progress updates / any issues of fraud should be escalated to senior management. 

Our next article will consider how, in light of the enhancement of your policies and procedures based on your risk assessment, you should approach top level commitment.