The UK’s Economic Crime and Corporate Transparency Act 2023: Part 3

Failure to prevent fraud offence, guidance released

The UK’s Economic Crime and Corporate Transparency Act 2023 (the “Act”) introduced a new corporate criminal offence targeting an organisation’s failure to prevent fraud (the “Offence”), which we discussed here. The government delayed the Offence coming into force until guidance was released on what constitutes reasonable fraud prevention measures, as having such measures in place provides organisations with a defence to the Offence. This guidance was released on 6 November 2024, meaning organisations can now implement reasonable fraud prevention procedures before the Offence comes into force on 1 September 2025. In this article we summarise this guidance, and how Marsh can support organisations keen to ensure compliance before the deadline.

Who’s in scope?

The guidance clarifies that under the Offence, “an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person,’ commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place.” There is no requirement to show that senior management knew of the fraud for liability to attach. Many organisations are in scope of this new offence.

Large organisations

Large organisations are widely defined by the Act to include those that meet at least two of the following criteria: more than 250 employees, turnover of more than £36 million, and total assets of more than £18 million. Smaller subsidiaries of large organisations, including those based overseas, can also be charged. 

Associated person

An associated person includes employees, subsidiaries (including those overseas), agents, and those providing services for or on behalf of the organisation. It’s important to note that providing services for or on behalf of an organisation is not the same as providing services to the organisation, which means professional advisors would not necessarily be included in the definition.

Overview of the fraud offences

For an organisation to be criminally liable for failing to prevent fraud, the prosecution must first prove that a base fraud offence was committed by an associated person. Examples of base frauds include: offences under the Fraud Act 2006 such as fraud by failing to disclose information or false representation; false accounting or false statements by company directors under the Theft Act; fraudulent trading under the Companies Act; and the common law offence of cheating the public revenue (HMRC).  Aiding or abetting these frauds is also a base offence. The prosecution would then need to establish that the organisation failed to prevent the fraud. The following examples illustrate this. 

  • Employees in the marketing team exaggerate sustainability claims to make a product more attractive to consumers, knowing the claims are untrue. The base fraud is false representation. Even if there are no increased sales or profits as a result, and the board was unaware of what was going on, the failure to prevent fraud offence would apply as it is enough that the fraud was intended to benefit the organisation. 
  • A payroll director finances other projects within the business with contributions meant for employees’ pension funds. The base fraud is abuse of position by the payroll director. The organisation has failed to prevent this and benefits by the increased investment in its business, so is guilty of the Offence.

Reasonable fraud prevention procedures

Having reasonable fraud prevention measures in place matters for two reasons. First, they could prevent a fraud being committed at all. Secondly, having them in place provides a defence in the event of a prosecution for the Offence.

The guidance on reasonable fraud prevention measures is advisory. Courts will take the guidance into account, but each organisation must take measures that are appropriate to its risk profile. For some organisations, therefore, strict adherence to the guidance will not necessarily be sufficient to prove that all reasonable fraud prevention measures were taken. Conversely, depending on the fraud risk facing an organisation, it may be reasonable not to follow the guidance to the letter. The onus will be on the organisation to show that it had reasonable prevention procedures in place, given its sector and risk profile.

The guidance sets out six principles that should inform the fraud prevention procedures that organisations put in place. 

  1. Top level commitment: The board of directors, senior managers, or partners must set the tone from the top that fraud is unacceptable. They must ensure a robust governance framework is in place across the organisation, which can be delegated to the ethics and compliance function. It is important that a zero-tolerance position on fraud is articulated and communicated so that all employees understand the consequences of fraud on the business and their careers, and feel empowered to speak up when they see inappropriate behaviour. Actions that might evidence leadership commitment to fraud prevention could include establishing mission statements, allocating time and money to training, board minutes evidencing discussions around preventing fraud, and clearly articulating the consequences for those who breach the fraud policy.
  2. Risk assessment: Organisations need to assess their exposure to fraud by associated persons and ensure they have a detailed risk assessment in place which complies with the duties under the Act. The guidance recommends developing an understanding of risk based on the three elements of the fraud triangle: opportunity, motive, and rationalisation. It would be dangerous to write a risk assessment, file it, and think you’ve ticked the box. These documents must be dynamic, regularly reviewed, accessible, and understandable by the relevant teams and people.
  3. Proportionate risk-based prevention procedures: The organisation must create fraud prevention procedures that are proportionate to the risks identified. Organisations can take different steps based on how much control they have over a situation or a person. For example, they can exercise more oversight over an employee than over an outsourcing entity. There may also be limited situations where having no fraud prevention measures in place is proportionate to the risk. In such cases, organisations should ensure that this decision is documented, along with the identity of the person who authorised it. Some industries and organisations are already heavily regulated, and it may be that an organisation is already complying with rules or regulations that will count as reasonable fraud prevention procedures. However, existing procedures should still be reviewed to ensure they satisfy the Act and guidance. 
  4. Due diligence: Again, many large organisations will have due diligence procedures entrenched in their procurement process, but the Act makes it even more important to apply due diligence procedures to persons that perform services for or on behalf of the organisation, specifically to mitigate fraud risks.
  5. Communication and training: Training is necessary to ensure the fraud prevention procedures are understood and followed by anyone who needs to know. This might include third parties that provide services for or on behalf of the organisation and that may, therefore, be associates under the Act. It may be that existing training programmes can be tweaked to include an element on recognising, preventing, and reporting fraud. There is particular emphasis in the guidance on whistleblowing, which is one of the most effective ways to uncover fraud and corruption within an organisation. Many organisations are already required to have whistleblowing procedures in place and can, therefore, simply ensure that they are suitable for the risks identified in the risk assessment. As with the fraud prevention procedures, training should be proportionate to the risks identified in the risk assessment.
  6. Monitoring and review: An organisation’s response to the new offence of failing to prevent fraud cannot be a one-off box-ticking exercise. The fraud detection and prevention procedures must be kept under review and improvements must be made where necessary, including when identified by whistleblowers or regulatory investigations.

Key considerations for organisations

  • Focus on the goal: Fraud is the most common crime in England and Wales, accounting for 40% of all crimes committed, according to the National Crime Agency. The aim of the Act and the Offence is to create an anti-fraud culture within organisations, to the benefit of the organisation as well as society and the economy at large. Most large organisations have fraud prevention measures in place, but the Act provides the motivation and impetus to dust the risk assessment off or draft a new one, ensure it is fit for purpose, and put appropriate fraud prevention measures in place by 1 September 2025.
  • Ask what others are doing: Your risk advisor should provide industry insights to ensure that your fraud prevention controls are reasonable and proportionate as against your peers. This comparative analysis can help you stay aligned with best practices and regulatory expectations.
  • Document your discussions: It is essential to document consideration of the Act’s requirements and your organisation’s decisions about what action is proportionate or reasonable, so that this evidence can be relied upon in the event of an investigation. 
  • Protect your people: Ensure that directors and officers have sufficient individual protection in the event of a regulatory investigation into a potential breach, or civil action alleging failure to ensure compliance with the Act, for example, via a derivative claim. Your insurance broker can help ensure your directors and officers (D&O) liability insurance provides sufficiently broad cover to protect individuals in the event of a prosecution. See further here.
  • Consider insuring against fraud losses:  While commercial crime insurance does not replace obligations contained within the Act, it does protect against the direct financial loss caused by fraud, so should form part of an effective risk management strategy and complement the other actions taken.

Remember, you are not alone. Marsh Advisory has developed a suite of services for any organisation in scope for the Offence. We offer support ranging from help preparing risk assessments through to implementing a robust fraud prevention procedure and ongoing monitoring. In the event of a regulatory investigation arising out of fraud, having such procedures in place could be the difference between prosecution and no further action being taken.

We can also conduct a strategic insurance review to ensure you have the best protection in place. If the worst should happen and a fraud is committed, we also have a specialist team of forensic accountants and legally qualified complex claims and disputes specialists who will work with you to navigate the loss and advocate on your behalf to maximise any insurance claim recovery. 

Speak to your Marsh team to discuss how we can help.

Our people

Zelda Pitman

Retail Client Executive, Management Liability

Cihan Yildirim

Managing Consultant – Controls Assurance, Marsh Advisory

Sophie Robson

Claims Advocate