A new “failure to prevent fraud” offence (the FTPF Offence) has been introduced as part of the Economic Crime and Corporate Transparency Act (the Act).
The Act received Royal Assent on 26 October 2023. It is expected that the new FTPF Offence will come into force after an implementation period following guidance being issued on ‘reasonable procedures’ by the government. This is expected in early summer 2024, so the new offence could come into force in late 2024 / early 2025.
This forms part of broader reforms of UK corporate criminal liability (which also replace the “directing mind and will” test for corporate criminal liability with a new “senior managers” test which is likely to make prosecuting organisations for criminal offences much easier more generally (for more detail please see here)). This change to the corporate criminal liability is already in effect.
Coupled with the renewed focus of the Serious Fraud Office (SFO), Financial Conduct Authority (FCA) and other authorities on the prevention of fraud, this offence is expected to significantly shift the landscape for organisations both in the UK and internationally, in a similar way to the impact of the UK Bribery Act (UKBA) more than a decade ago. In particular, it shifts the focus from organisations as victims of fraud (inward fraud) to make it easier for organisations to be prosecuted for fraud committed by employees or third parties that the organisation benefits from (outward fraud).
It also effectively requires many organisations to make significant enhancements to – or implement - fraud compliance programmes in order to prevent a wide range of fraud offences.
What is the offence?
The new offence makes an organisation liable if it fails to prevent a specified fraud offence (see details below) from being committed where: (i) an employee or agent commits the fraud; and (ii) the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.
Importantly, the offence has a defence of “reasonable procedures” to prevent fraud. This means it effectively requires organisations to review and enhance their anti-fraud systems and controls to cover fraud committed for their benefit by employees, subsidiaries or third party agents.
Who does the offence apply to?
The scope of application of the new offence has been a subject of debate. The new offence applies to ‘large organisations’. The threshold for this would be met where an organisation satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees: (ii) more than GBP 36 million turnover; and / or (iii) assets of more than GBP 18 million.
In practice, however, smaller organisations will still have to consider putting in place, or reinforcing, their anti-fraud procedures – given that they may be the ‘associated person’ of a large organisation, meaning the large organisation will likely require them to have in place reasonable procedures to prevent fraud.
What types of fraud does this capture?
Non-UK companies may be more likely to be caught by the new offence than by offences under the UK Bribery Act. It will apply to companies where part of the offence takes place in the UK – such as a meeting or communication in the UK – or where there are victims in the UK (which could include investors or counterparties). It will also apply for certain offences where there is a gain in the UK.
In practice, this makes the jurisdictional scope somewhat unpredictable and means that whether a company is subject to the offence will vary depending on the specific circumstances in which the fraud takes place, as well as from transaction to transaction, and as a company’s investor, counterparty and consumer profiles change.
Non-UK companies with no UK nexus, but who use a third party for services that operates in part in the UK may therefore be brought within the jurisdiction of the offence.
As a result, non-UK companies will therefore need to assess whether the acts of their employees, subsidiaries, or agents are likely to give rise to liability for the company under the new offence. Multinationals will need to consider whether enhancements to their anti-fraud policies and procedures are rolled out group-wide, or just in jurisdictions/business units with exposure to the UK.
What types of fraud does this capture?
The offence applies to the fraud and false accounting offences which the government considers are most likely to be relevant to large corporations. These are:
- fraud by false representation (section 2, Fraud Act 2006)
- fraud by failing to disclose information (section 3, Fraud Act 2006)
- fraud by abuse of position (section 4, Fraud Act 2006)
- obtaining services dishonestly (section 11, Fraud Act 2006)
- participation in a fraudulent business (section 9, Fraud Act 2006)
- false statements by company directors (Section 19, Theft Act 1968)
- false accounting (section 17, Theft Act 1968)
- fraudulent trading (section 993, Companies Act 2006)
- cheating the public revenue (common law)
The types of conduct that could be caught are broad. To name a few examples, offences could arise out of warranties and representations made in transaction documents, prospectuses, annual reports, and insurance claims; false statements by directors to shareholders; or by third parties misrepresenting the quality of products or services to increase sales and improve the financial outlook for the company.
Crucially, there would have to be dishonest intent for an offence to be committed.
The underlying offence of cheating the public revenue may also cross over with organisations’ existing obligations under the failure to prevent tax evasion offences introduced under the Criminal Finances Act 2017 and so it may be possible for organisations to build on existing procedures already in place in this regard.
Impact of the new offence
The “failure to prevent” model will make it easier to prosecute organisations compared to the previous position, in which an organisation will only be held liable for fraud where a “directing mind and will” (or, following the expansion of this doctrine by the Act, a “senior manager”) has been directly involved. In practice, it has been very difficult to attribute liability for fraud to organisations, particularly large international groups.
There will also be an increased risk of private prosecutions being brought by individuals who are victims of fraud.
We also envisage an increase investigations by the SFO (and other authorities) into fraud related offences, and in the number of organisations entering into deferred prosecution agreements (DPAs) in relation to fraud, effectively settling the case without any formal requirement to admit criminal liability. Once the offence is in force, organisations which identify conduct covered by the new offence will have to consider carefully the risks and benefits of a DPA, particularly given the risk of parallel civil claims.
What do organisations need to do now?
The government has announced that it will produce specific guidance providing organisations with information about what reasonable procedures will look like (akin to the UKBA adequate procedures guidance). This is expected in early summer. Specific guidance for financial institutions is anticipated, but other sector specific guidance is not anticipated. As part of this, the government will also likely need to clarify how, for regulated firms, this will interact with existing financial crime processes required.
Given the time it takes to put in place effective compliance policies and procedures, pending the guidance being published and as a first step, organisations should consider whether any existing fraud risk assessment covers outward fraud: in our experience of speaking to clients the majority of organisations do not have this in place already. The risk assessment should be reviewed by reference to fraud issues the organisation and/or its peers have encountered. As highlighted above, there are a broad range of potentially complex offences covered and therefore risk assessments will need to be wide ranging and incorporate input from a number of different functions within an organisation. Organisations should make sure that the individuals tasked with conducting a risk assessment and putting in place procedures have a sufficient understanding of the offences covered: it is therefore important that legal and compliance are closely involved to ensure the nuances of the offences are addressed both in the risk assessment itself, and in policies and the procedures to implement them. Our article on how to conduct effective risk assessments can be found here.
Based on the results of their risk assessment, organisations should ensure that their anti-fraud policies, systems and controls manage the risks identified effectively, including:
- anti-fraud policies and procedures that mitigate outward fraud committed for the benefit of the organisation;
- training, including tailored training for those in higher risk positions / business functions. Given the complexities of the underlying offences, case studies will be particularly important in policies and training to ensure individuals fully understand where offences may arise;
- financial controls should be reinforced and tailored to ensure that any potential red flags are picked up and investigated with required four-eye checks;
- due diligence both in respect of transactions for clients and contracts (e.g. for suppliers), particularly on third party agents given the offence will apply to the acts of agents acting on the organisation’s behalf. Where possible, it may be sensible to integrate fraud due diligence with existing processes (for example anti-bribery and corruption due diligence processes already in place);
- ensuring contractual provisions cover outward fraud;
- putting in place effective audit and monitoring processes in relation to fraud, and in particular for third parties. Medium and high risk third parties should be monitored more closely and on a more regular basis. As for due diligence processes, we would recommend that fraud monitoring and review processes are built into existing procedures; and
- ensuring regular internal review of systems and controls, and a clear tone from the top. Fraud should be an agenda item at Board and Senior Management level to ensure this is prioritised and given the appropriate oversight.
Other reforms to tackle economic crime and improve transparency
Other changes have been introduced through reforms to the role of Companies House. For more information on these, please see our article here.