On 6 November 2024, the UK government published guidance in respect of the failure to prevent fraud offence, which was introduced in the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Under this offence, companies may be held criminally liable if they did not have ‘reasonable prevention procedures’ in place when a fraud offence was committed by a person associated with them. The guidance helpfully outlines the factors businesses should consider when developing such procedures. Below, we have summarised its key aspects.
The offence
The ECCTA came into law on 26 October 2023 as part of broad reforms to the UK’s current framework for addressing financial crime. Section 199 of the ECCTA, in particular, created the new criminal offence of failure to prevent fraud. Following publication of the guidance,[1] the offence will now come into force on 1 September 2025. We have written previously on the nature and scope of this new offence – in this April 2023 post and in this October 2023 post.
The guidance
A large organisation (as defined in the ECCTA) may have a defence to a failure to prevent fraud offence if it had reasonable prevention procedures in place at the time of the fraud offence,[2] designed to prevent persons associated with it from committing such offences.[3] The guidance sets out six principles that businesses should use to inform the procedures they put in place to prevent fraud offences. The intention is that a non-prescriptive approach will accommodate a wide variety of businesses and circumstances, and may be supplemented by more specific sectoral guidelines where appropriate.
- Top-level commitment: The guidance indicates that the individuals responsible for the governance of a relevant company should lead the development and review of prevention procedures, either personally or by delegation to a relevant committee. Senior managers should communicate and endorse the organisation’s stance on preventing fraud, including through mission statements.
- Risk assessment: Any risk assessment should be well-documented and regularly reviewed, so that it continues to respond to changes in the business. The guidance suggests classifying risks using the following three headings, and by reference to their likelihood and impact:
  - Opportunity: Companies should identify who is in a position to commit a fraud offence, including departments that are particularly at risk (for example, those with inadequate oversight or weak controls).
  - Motivation: Companies should evaluate whether their reward systems (e.g., criteria for bonuses) may encourage fraud, and should also assess whether any specific financial pressures may encourage risky behaviour.
  - Rationalisation: Companies should consider their culture at large, to assess whether it is ‘quietly tolerant’ of fraud and whether the reporting lines in place (e.g., whistleblowing hotlines) are sufficient for employees to make their concerns known.
- Robust but proportionate risk-based prevention procedures: The guidance suggests that each identified risk should be addressed by proportionate procedures. It acknowledges that some risks may already be sufficiently addressed by sectoral regulation, such as rules on tax evasion and audit requirements, but notes that this cannot be assumed.
- Due diligence: Where services are performed on behalf of a company, the guidance states that the company should carry out proportionate due diligence in respect of the persons performing them, whether internally or through outsourced providers. Notably, the guidance acknowledges that it may be proportionate not to implement procedures in respect of lower-level risks, but the reasons for that decision should be well-documented. Some procedures are mandated by law, such as anti-money laundering checks, while others may be necessitated by sector or circumstance. The guidance also conveys an expectation that a company will review the effectiveness of its due diligence procedures and amend them as appropriate.
- Communication (including training): The guidance notes that a company should seek to ensure that its prevention policies, including whistleblowing policies, and its procedures are communicated, embedded and understood throughout the organisation, through both internal and external communication. Further, the guidance stipulates that this communication should be delivered, at least in part, through training programmes that are proportionate to the risk faced.
- Monitoring and review: Because risks evolve as businesses change, prevention procedures will need to be updated accordingly. The guidance suggests that procedures should be reviewed periodically with reference to three key touchpoints: detection of fraud and attempted fraud, investigation of suspected fraud, and monitoring of the effectiveness of fraud prevention measures.
The guidance states that what is ‘reasonable’ in any particular instance is for the courts to decide based on the facts and circumstances of the case (such as a company’s organisational structure and territorial reach).
Conclusion
Publication of the guidance commences a nine-month implementation period, during which large organisations will be expected to develop their ‘reasonable prevention procedures’. What is deemed ‘reasonable’ will be business-specific and will necessitate a detailed risk assessment by each organisation to identify what is appropriate for its particular circumstances.
From 1 September 2025, a large organisation that has failed to put appropriate and proportionate procedures in place risks having no defence to a criminal prosecution under the ECCTA. It is therefore essential that businesses have well-designed fraud prevention procedures in place, and that these are regularly reviewed in line with regulatory and technological developments.
[1] Section 219(8) ECCTA.
[2] Section 199(4) ECCTA.
[3] Section 199(5) ECCTA.