Failure to prevent fraud: how to prepare for new UK corporate offence

Organisations to whom the offence will apply

There are three thresholds, at least two of which need to be satisfied for the offence to apply to an organisation. First, the organisation’s UK turnover must exceed £36 million; secondly, its total assets must exceed £18 million; thirdly, it must have more than 250 employees. The organisation may also be guilty of the offence if its parent company satisfies at least two of these thresholds.

Associated persons

An associated person of an organisation may be its employee, agent, subsidiary, sub-contractor or other person which provides services on its behalf.

The fraud offence

The fraud offence includes fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, cheating the public revenue, false accounting, false statements by company directors, participating in a fraudulent business, fraudulent trading and obtaining services dishonestly.

It also includes aiding, abetting or procuring a fraud offence.

An organisation is not guilty of the offence if it itself was a victim or intended victim of the fraud offence, for example if the loss caused, or intended to be caused, by the fraud would be borne by the organisation or the fraud was committed with intent to harm the organisation. But an organisation would not be a victim only because it suffered indirect harm due to the fraud by an associated person, for example damage to its reputation.[1]

Jurisdictional issues

There must be a fraud offence committed by an associated person that could potentially be prosecuted in the UK. In addition to UK organisations, the offence will apply to companies incorporated outside the UK with a UK connection.

If an employee or other associated person of an overseas-based organisation commits fraud in the UK, or is targeting victims in the UK, the organisation can be prosecuted.

Defences

There are two defences to this offence. One is that at the time that the fraud offence was committed the organisation had put in place reasonable procedures designed to prevent fraud; or, in limited circumstances, that it was unreasonable to expect the organisation to have put in place any such procedures (it will rarely be considered reasonable not to have even conducted a risk assessment).

The UK Government has published guidance on six areas which organisations should review to facilitate compliance with the requirement to put in place reasonable procedures to prevent fraud. Organisations should aim to have established or reviewed these procedures, which should be proportionate to the risk, before 1 September 2025. An audit trail will be an important part of showing that reasonable procedures had been put in place at the time of the offence.

• Top level commitment – senior management clearly endorsing the organisation’s intolerance of fraud, for example a clear statement on its website, and committing to reasonable staffing and implementation of fraud prevention procedures including training and appropriate due diligence, and whistleblowing procedures;
• Risk assessment – reviewing potential areas where fraud could take place within the business, assessing level of risk according to opportunity, motive and rationalisation and putting in place appropriate mitigating steps and policies;
• Proportionate risk-based prevention procedures – for example, a fraud prevention plan having regard to the risk assessment and potential emergencies, and sanctions/disciplinary measures for individuals or entities which commit fraud;
• Due diligence – if a company engages a new employee or supplier, it should do appropriate due diligence on them, using screening and vetting techniques. This can be done in-house or by external providers. Also, employee wellbeing should be monitored. Contracts with service providers such as agents and sub-contractors should be reviewed to include relevant obligations requiring compliance and the ability to terminate in the event of a breach;
• Communication – providing appropriate fraud specific training to employees, agents and other potential associated persons, including requiring compliance with appropriate policies and ensuring awareness and understanding of the policies and whistleblowing procedures;
• Monitoring and review – monitoring should include detection of fraud and attempted fraud (for example on invoicing), investigations, monitoring the effectiveness of fraud prevention measures, such as financial controls, collecting data on how many staff have attended fraud prevention training courses and any test results, ensuring that teams responsible for investigating fraud are appropriately resourced, and assessing the effectiveness of whistleblowing procedures.

Conclusion

It is important for organisations to which the new offence will apply to put in place reasonable procedures designed to prevent fraud before 1 September 2025. Organisations are already likely to have in place procedures designed to prevent fraud against the organisation and/or to prevent bribery. But they may need to extend these procedures to cover frauds that are intended to benefit the organisation or its customers.

[1] For more details of the failure to prevent fraud offence please see our article dated 1 November 2023 at Future Regulation: holding organisations to account for failure to prevent fraud by employees – BM Insights – Blake Morgan