Proposed UK 'failure to prevent fraud' offence: what do you need to do now?
Andrew Reeves, Partner, Annie Birch, Senior Associate, Claudia Van Gruisen, Senior Associate, and Thomas Hubbard, Senior Associate, Norton Rose Fulbright (London), examine a proposed new ‘failure to prevent fraud’ offence in the UK and discuss its potential impact, as well as how organisations can prepare themselves.
Highlights
- a new offence of ‘failure to prevent fraud’ is likely to come into force by the end of 2024 and will form part of broader reforms of UK corporate criminal liability
- this will significantly shift the landscape for organisations carrying on a business in the UK, making it easier for them to be prosecuted for fraud committed by employees or third parties that the organisation benefits from
- a broad range of conduct could be captured under the proposed offence, including dishonest sales practices, false accounting, hiding important information from consumers or investors and dishonest financial market practices
The UK Government intends to introduce a new ‘failure to prevent fraud’ offence as an amendment to its Economic Crime and Corporate Transparency Bill. On 11 April 2023, the Home Office published a fact sheet, which was updated on 20 June 2023, and tabled an amendment to introduce the failure to prevent fraud offence, which is supported by the Serious Fraud Office and the Crown Prosecution Service. The new offence is likely to come into force by the end of 2024 and will form part of broader reforms of UK corporate criminal liability. These reforms also include proposed changes to replace the ‘directing mind and will’ test for corporate criminal liability with a new ‘senior managers’ test which, if introduced, could make it much easier to prosecute organisations for criminal offences more generally. Recent proposed amendments have also introduced a ‘failure to prevent money laundering’ offence, although it remains to be seen whether this will be included in the final legislation.
Coupled with the renewed focus of the Serious Fraud Office, Financial Conduct Authority (FCA) and other authorities on the prevention of fraud, this will significantly shift the landscape for organisations carrying on a business in the UK, in a similar way to the impact of the UK Bribery Act (the UKBA) more than a decade ago. In particular, it will shift the focus from organisations as victims of fraud (inward fraud) to make it easier for organisations to be prosecuted for fraud committed by employees or third parties that the organisation benefits from (outward fraud). It will also require many organisations to make significant changes to fraud compliance programmes in order to prevent a wide range of fraud offences.
What is the offence going to look like?
The new offence will make an organisation liable if it fails to prevent a specified fraud offence (see details below) from being committed where: (i) an employee or agent commits the fraud; and (ii) the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.
Importantly, the offence will have a defence of ‘reasonable procedures’ to prevent fraud. This means it will effectively require organisations to review and enhance their anti-fraud systems and controls to cover fraud committed for their benefit by employees or agents, although the government has stated that there may be circumstances where it is reasonable for an organisation to have no fraud prevention procedures in place.
Who will the offence apply to?
The offence was initially drafted to apply to all ‘large organisations’, with such a threshold being met where an organisation satisfied two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees; (ii) more than £36 million turnover; and/or (iii) total assets of more than £18 million. However, recently agreed amendments have resulted in this requirement being removed, meaning that the offence is likely to apply to all organisations, regardless of their size.
Although the exact jurisdictional scope remains unclear, the new offence will also apply to organisations and employees who are based overseas where an employee or agent commits a fraud offence under UK law or which targets UK victims. This appears to be slightly different from the jurisdictional scope of the UKBA (which focuses on organisations carrying on a business in the UK).
What types of fraud will this capture?
There has been continuing debate as to which types of fraud offence should be included in the new failure to prevent fraud offence. The proposed offence captures the fraud and false accounting offences that the government considers are most likely to be relevant to large corporations. These are:
- fraud by false representation (section 2, Fraud Act 2006)
- fraud by failing to disclose information (section 3, Fraud Act 2006)
- fraud by abuse of position (section 4, Fraud Act 2006)
- obtaining services dishonestly (section 11, Fraud Act 2006)
- participation in a fraudulent business (section 9, Fraud Act 2006)
- false statements by company directors (section 19, Theft Act 1968)
- false accounting (section 17, Theft Act 1968)
- fraudulent trading (section 993, Companies Act 2006), and
- cheating the public revenue (common law).
The types of conduct that could be caught are broad. Offences could arise out of warranties and representations made in transaction documents, prospectuses, annual reports and insurance claims. Crucially, there would have to be dishonest intent for an offence to be committed. According to Home Office Guidance, conduct caught will include ‘dishonest sales practices, false accounting and hiding important information from consumers or investors’ and ‘dishonest practices in financial markets’.
The cheating the public revenue element of this new offence may also cross over with organisations’ existing obligations under the failure to prevent tax evasion offences introduced under the Criminal Finances Act 2017 and so it may be possible for organisations to build on existing procedures already in place in this regard.
Impact of the new offence
The ‘failure to prevent’ model will make it easier to prosecute organisations compared with the current position, in which an organisation will only be held liable for fraud where a ‘directing mind and will’ has been directly involved (although, as indicated above, there are proposals to lower the bar for this test to ‘senior managers’). In practice, it has been very difficult to attribute liability for fraud to organisations, particularly large global groups.
The move towards a failure to prevent offence will increase the likelihood of prosecutions against organisations. This includes an increased risk of private prosecutions being brought by individuals who are victims of fraud.
We also envisage an increase in the number of organisations entering into deferred prosecution agreements (DPAs) in relation to failure to prevent fraud, effectively settling the case without any formal requirement to admit criminal liability. Once the offence is in force, organisations that identify conduct covered by the new offence will have to consider carefully the risks and benefits of a DPA, particularly given the risk of parallel civil claims.
What do organisations need to do now?
The government has announced that it will produce specific guidance providing organisations with information about what reasonable procedures will look like in due course (akin to the UKBA adequate procedures guidance). Whilst the precise form that the guidance will take remains unclear, in our view this should be detailed and tailored to sectors, so as to highlight particular fraud risks that may be faced in each sector, and provide detailed examples of red flags. This will considerably assist organisations in conducting their risk assessments and tailoring their policies and procedures. The UK Government will also likely need to clarify how, for regulated firms, this will interact with existing required financial crime processes.
Pending guidance being published, and as a first step, organisations should consider whether any existing fraud risk assessment covers fraud committed by employees or third parties from which the organisation benefits (outward fraud) in sufficient detail, or otherwise needs to be revised. The risk assessment should be reviewed by reference to fraud issues the organisation and/or its peers have encountered. As highlighted above, there is a broad range of potentially complex offences covered and therefore risk assessments will need to be wide ranging and to incorporate input from a number of different functions within an organisation. Organisations should make sure that the individuals tasked with conducting a risk assessment and putting in place procedures have a sufficient understanding of the offences covered. It is therefore important that legal and compliance are closely involved to ensure the nuances of the offences are addressed, both in the risk assessment itself and in the policies and the procedures to implement them. Based on the results of their risk assessment, organisations should ensure that their anti-fraud policies, systems and controls manage the risks identified effectively, including:
- anti-fraud policies and procedures that mitigate outward fraud committed for the benefit of the organisation
- training, including tailored training for those in higher risk positions. Given the complexities, case studies will be really important in policies and training to ensure individuals fully understand where offences may arise
- financial controls should be reinforced and tailored to ensure that any potential red flags are picked up and investigated, for which four-eye checks are required
- due diligence both in respect of transactions for clients and contracts (eg for suppliers), particularly on third-party agents given the offence will apply to the acts of agents acting on the organisation’s behalf. Where possible we would suggest integrating fraud due diligence with existing processes (for example anti-bribery and corruption due diligence processes already in place)
- ensuring contractual provisions cover outward fraud
- putting in place effective audit and monitoring processes in relation to fraud, and in particular for third parties. Medium- and high-risk third parties should be monitored more closely, and on a more regular basis. As for due diligence processes, we would recommend that fraud monitoring and review processes are built into existing procedures, and
- ensuring regular internal review of systems and controls, and a clear tone from the top. Fraud should be an agenda item at board and senior management level to ensure this is prioritised and given the appropriate oversight.
Andrew Reeves, Partner, Annie Birch, Senior Associate, Claudia Van Gruisen, Senior Associate, and Thomas Hubbard, Senior Associate
Norton Rose Fulbright (London)
© Copyright Norton Rose Fulbright, April 2023 (updated July 2023)