With the new corporate offence of failure to prevent fraud (FTPF) taking effect on 1 September, we've put together a quick compliance checklist so you can make sure you're ready.

1. Does the offence apply to you?

The offence applies to "large organisations" – that's any organisation, however it's incorporated or formed, that meets at least two of the following tests: having more than (1) 250 employees, (2) £36m turnover and (3) £18m total assets. The tests are based on the figures for the financial year that precedes the base fraud offence that leads to the FTPF offence, and they apply to the whole organisation (including subsidiaries) regardless of geographical location. So the assessment is not fixed at one point in time, and it's not done on a granular level for each entity. It's still relevant to business done outside the UK, even though there does need to be a UK nexus for the base underlying fraud. And, of course, even if an organisation doesn't meet the limits, it's undeniably good practice to consider its risks and policies as if it did.

2. Where do you face the most risk of fraud against you?

For these purposes, "fraud" includes a wide range of base offences – including offences under the Fraud Act 2006 such as fraud by false representation, failure to disclose information and abuse of business and obtaining service dishonestly, as well as other offences such as cheating the public revenue, false accounting and fraudulent trading. Businesses need to look at when their associated persons would be in a position to commit one of these frauds while acting as associated persons and with intent that the business benefits. While, obviously, fraud offences may be committed to harm a business, and businesses will want to prevent that happening too, the FTPF offence applies only where the intent was to benefit the business. But the Home Office guidance makes it clear that the offence will apply where the person intended mainly to benefit themselves, but a knock-on effect was also to benefit the business. When you're considering fraud risks, you will almost certainly also be considering bribery and facilitation of tax evasion risks, and how the various crimes may interact.

3. Have you defined your "associated persons"?

It's key to make sure you know who your "associated persons" are. It's not just about fraud your employees may commit – "associated persons" also includes agents, subsidiaries and others who provide services for or on behalf of the organisation. Most of the people you've categorised as "associated" for Bribery Act purposes will also be associated for these purposes, but not necessarily – and of those associated persons, different ones may present higher risk for fraud purposes than for bribery and vice versa.

4. Have you documented your risk assessment?

It's a defence to the FTPF offence for the organisation to have reasonable procedures in place to prevent fraud, or to show that it was not reasonable to expect it to have prevention procedures. But the Home Office guidance makes it clear that while it may be reasonable on occasion not to introduce procedures against a particular risk, it is very unlikely to be reasonable to have not even conducted a risk assessment. So the risk assessment is critical, not only to identify the risks but also to document what action the business is taking to mitigate them, and, if it has decided it does not need to take action, the justification for this.

5. Are you articulating your "tone from the top"?

The Home Office's six principles for reasonable fraud prevention measures follow a familiar format, with "top level commitment" being the first one. Senior management can help show their support in many ways, including making public mission statements and fostering an open and supportive culture.

6. Have you got a targeted, clear and proportionate policy?

It goes without saying, but the best policies are those that are clearly expressed and framed in the business's own terms. Depending on the breadth of the business, it may be better to have variants on the policy for certain departments, associated persons or specific position holders. The key is that the policy must clearly explain what is prohibited and how the offence might occur, and give structured guidance on how the business expects its associated persons to behave, including how to raise concerns. Behind the scenes, the business should have looked at what it can do to mitigate the risks it has identified, and how it puts those mitigation techniques into practice, as well as how it will react if a problem occurs.

7. How are you communicating the policy?

Having a policy that is properly focussed and easy to understand is critical, but communicating it is no less important. Making sure all relevant individuals know how and where to access the policy, and providing appropriate training, will embed the policy within the organisation. Whether the training is an online module, or a remote or face-to-face session, whether everyone gets the same training or whether high-risk areas get tailored or additional guidance – communication is key.

8. How will you monitor?

And having got everything in place, nothing stands still. Businesses need to make sure that their risk assessments and policies are both regularly reviewed and updated as necessary, and also that they will react to internal or external developments between regular reviews – whether those developments are legal developments, changes in business or the detection of a fraud.

Financial crime prevention never stands still. There are many ways of getting it right, but in our experience the best arrangements are those where organisations look holistically at their business, the financial crimes they may be subject to, and the risks they face, and calibrate their policies and procedures accordingly. One size definitely does not fit all where prevention policies are concerned, but an engaged senior management looking at the risks as a whole is a powerful tool.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.