Failure to Prevent Fraud: The New Offence Comes into Force

Summary

• The new legislation creates a corporate criminal offence of “failure to prevent fraud” for which organisations may be prosecuted and subject to an unlimited fine.
• The fraud must be for the organisation’s benefit – but what does this mean?
• Individuals within companies can already be prosecuted for committing, encouraging or assisting fraud but will not be held individually liable for failure to prevent fraud under this legislation.
• Reasonable fraud prevention procedures will provide organisations with a defence; statutory guidance on what constitutes ‘reasonable’ was published on 6 November 2024.
• Research shows that corporates are under prepared for the changes.

The Government states that: “Under the new offence, an organisation will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place. It does not need to be demonstrated that company bosses ordered or knew about the fraud.”

The vision behind the new “failure to prevent fraud” offence is to drive cultural change towards improved fraud prevention, and to hold organisations accountable if they profit from the fraudulent actions of their “associated persons”, an expression that is wider than previous corporate criminal legislation in the new offence.  For example, there does not need to be a contractual nexus for a party or organisation to be deemed an “associated person” that could bring your organisation into breach of this new offence.

The results of a “Fraud prevention and response survey” carried out by Foot Anstey [1] reveal that 45% of businesses have had to act due to fraud caused by an employee or contractor in the last 12 months. Yet only 47% of those businesses surveyed have anti-fraud policies in place, with 54% providing training for staff on fraud and only 20% of businesses having a salaried, dedicated fraud prevention role in place.

Which organisations are affected?

The offence applies to all large corporate bodies, subsidiaries and partnerships. This means that in addition to businesses, large not-for-profit organisations such as charities are also in scope, as well as incorporated public bodies.

The offence applies to all sectors, but will only affect organisations meeting two of the three following criteria:

1. More than 250 employees
2. More than £36 million turnover
3. More than £18 million in total assets

We understand this threshold will be kept under review and may be amended in the future. It is understood that the government wished to prevent small and medium enterprises from being disproportionately burdened by the requirements of fraud prevention. However, research shows that businesses of all sizes are vulnerable. Foot Anstey’s recent “Fraud prevention and response survey” [2] identified that within the businesses that have had to act on fraud within the last 12 months:

• 47% are large organisations (250 people plus)
• 53% are companies with 50-249 employees (therefore not caught by the Act)
• 20% are small companies with 1-9 employees (also not caught by the Act)

There is a danger that by exempting SME businesses (which constitute 99.9% of the business population in the UK [3]), the opportunity to drive cultural change will be missed as there will be no incentive for such businesses to invest in fraud prevention. Given the pervasive nature of fraud, this is concerning. However, given the depth of the supply chain that could cause a “large organisation” subject to the new offence, we expect to see large organisations ensuring all in their supply chain have anti-fraud procedures in place.  In that respect, the new offence almost through stealth has a wider impact than it expressly says.

In any event, as the Government could easily amend these thresholds, it may be prudent for SMEs to also be aware of the new offence and to introduce or review current fraud prevention measures.

What types of fraud are covered?

The failure to prevent fraud offence captures the fraud and false accounting offences most likely to be relevant to corporations, including:

• fraud by false representation (section 2 Fraud Act 2006)
• fraud by failing to disclose information (section 3 Fraud Act 2006)
• fraud by abuse of position (section 4 Fraud Act 2006)
• obtaining services dishonestly (section 11 Fraud Act 2006)
• participation in a fraudulent business (section 9, Fraud Act 2006)
• false statements by company directors (Section 19, Theft Act 1968)
• false accounting (section 17 Theft Act 1968)
• fraudulent trading (section 993 Companies Act 2006)
• cheating the public revenue (common law)

The above offences cover a broad range of conduct from false statements in company accounts and other company documents such as sales materials and insurance claims, to mis-selling and rogue trading. It is important to remember that the underlying offence would need to be made out in order for the organisation to be found guilty of “failure to prevent”, and consequently, for many of these offences, dishonesty would need to be proved.

To be caught by the Act, the fraud has to be for the benefit of the organisation or a person to whom the associated person provides services on behalf of the organisation. The organisation will not be guilty of the offence of failure to prevent fraud where the organisation itself was, or was intended to be, a victim of the fraud. The “benefit” can be direct or indirect but this is not further defined. However, the Explanatory Notes to the Lords Amendments [4] suggest that “benefit” is not restricted to financial benefit. Furthermore, it is said that the requirement for an intent to benefit the organisation, is broader than the requirement in the offence of failure to prevent bribery in the Bribery Act 2010, section 7, which requires the intention to “obtain or retain business” or to “obtain or retain a business advantage” for the organisation. [5]

Guidance around the new Legislation

The Guidance outlines examples of what “reasonable” fraud prevention procedures might look like, but ultimately it is the organisation’s responsibility to show that effective measures were in place, or to explain why it would have been unreasonable to expect them. Courts will consider each case individually, weighing the facts and circumstances, with decisions made on the balance of probabilities.

Organisations are encouraged to design their fraud prevention processes in a way that reflects their internal structure and the reach of the potential offence. What counts as reasonable depends on how much oversight and influence the organisation can realistically exercise over those acting on its behalf.

The Guidance identifies six key principles, covering the same framework as the Bribery Act 2010, the focus here is different: top-level commitment comes first, reflecting the critical role senior leadership plays in setting the tone and culture for fraud prevention. Although the principles are all important, this ordering signals the areas regulators may scrutinise most closely in the future.

1. Top-level commitment – there should be a commitment to prevention procedures by top-level management fostering a culture within the organisation in which bribery (or in this case fraud) is never acceptable.
2. Risk assessment – assessment should be periodic, informed and documented.
3. Proportionate procedures – procedures should be proportionate to the risk faced by the organisation and to the nature, scale and complexity of its commercial activities.
4. Due diligence – due diligence procedures should be applied taking a proportionate and risk-based approach in respect of those who perform or will perform services for or on behalf of the organisation.
5. Communication (including training) – prevention procedures should be embedded and understood throughout the organisation and form part of both internal and external communication.
6. Monitoring and review – ongoing monitoring and review of procedures and making improvements where necessary.

Businesses will need to conduct a review of their commercial activities and consider and identify where the risk for fraud arises and where responsibility for management of such risk lies. This will form an integral part of the risk assessment process. Due diligence of employees and agents will need to be carried out periodically, and particularly when employees or agents are given additional access or responsibility.

In reality, many organisations ought to have the foundations and risk framework in place to address the requirements set out in the guidance due to what ought to have been their compliance with previous corporate criminal liability.  Key is knowing one’s own business, where will the risks more likely present, what are the cultural motives that could cause a risk of an offence, have any activities occurred historically that now be considered an offence under the new law.  All of these considerations and more should not be ‘new’ considerations but an evolution of what is already in place.

The Consequences of Inaction

Organisations found guilty face serious consequences, including unlimited fines, reputational damage, and increased regulatory scrutiny. Beyond financial penalties, a conviction can undermine stakeholder confidence, affect contracts, and trigger wider compliance reviews.  The legislation is designed to hold organisations accountable at a structural level, making it critical for businesses to embed robust, proactive fraud prevention measures rather than rely on reactive responses.

Tenet has long advocated for a top-down approach in creating workplace cultures that limit the risk of fraudulent behaviour. Tenet’s White Paper – Leading to Loss discusses the link between leadership, culture, disenchantment in the employee base and fraud in more detail and considers the setting of ethical standards above the base-level set by the law in order to drive positive behaviours. Given the emphasis on top-level commitment in the Government’s Bribery Act guidance, the influence of senior management on behaviours and outcomes cannot be overstated.

As with the fraud landscape in general, education is key, and the success of fraud prevention procedures will rely upon clear and user-friendly communication and training. Reviewing and drafting such procedures is only half of the story; employees and agents need to be made aware of their existence, content and practical implications, and importantly how their role and/or daily tasks fit into the overall process.

Conclusion

Although fraud is not a new risk, research shows that businesses continue to lack in terms of fraud prevention choosing a reactive rather than a preventative approach. This has led to Government action to force the hand of those organisations that fall within this new legislation. The message to those businesses who are yet to address fraud prevention within their organisation is “fail to prepare and prepare to fail”.

Let’s talk solutions

If your business requires assistance in formulating its framework for dealing with preventing or reacting to fraud, please contact Elaine Mitchell or Arun Chauhan with any questions or to arrange a call so we can understand more about your business and the specific challenges you face.

We are always keen to invest our time helping organisations navigate the complex world of responding to and avoiding fraud so please do reach out and get to know us.

[1] Foot Anstey Prevent Fraud Report October 2023

[2] Foot Anstey Prevent Fraud Report October 2023

[3] According to Government statistics, at the start of 2022, large businesses (i.e. those with 250 employees or more) constituted 0.1% of the total business population of the UK

[4] Explanatory Notes relate to the Lords Amendments to the Economic Crime and Corporate Transparency Bill as brought from the House of Lords on 10 July 2023 (Bill 346) para 181

[5] Ibid para 182

[6] Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud: Publish 6 November 2024