It now seems so long ago that we were reporting almost daily on the lively political debates on the scope of the new corporate offence of failure to prevent fraud (FTPF). Finally, the old Government got its way and the offence came onto the statute books within the Economic Crime and Corporate Transparency Act 2023 (ECCTA) in late October 2023. We all wondered whether the new Government would look to make any changes before the offence actually came into effect, but we now have confirmation that it won't, and the offence will come into force on 1 September 2025.
In this article, we look at what the offence is and who it applies to, and how affected businesses should be using the Home Office guidance on "reasonable" prevention procedures.
What is the offence, and who does it cover?
The offence applies to "large organisations" – that is, an entity that meets two of the criteria of having more than 250 employees, more than £36m turnover and more than £18m total assets. It includes groups where the resources across the group meet the threshold; liability will be with the relevant group entity, or with the parent if the subsidiary commits an offence for the parent's benefit. So, unlike the offence of failure to prevent bribery, on which this offence is heavily based and which applies to all businesses regardless of their size, the FTPF offence applies only to a very small proportion of UK businesses. It applies not only to UK organisations but also to non-UK organisations with a UK nexus.
A large organisation will commit the offence if a person associated with it commits a fraud offence intending to benefit the organisation or a person to whom (or to whose subsidiary) the person provides services on behalf of the large organisation. It is not necessary to show that the organisation's senior managers ordered or knew about the fraud.
What's an "associated person"?
It's a bit wider than under the Bribery Act: it's any employee, agent or subsidiary (subsidiaries are included automatically, whereas for the Bribery Act they aren't automatically associated persons), any employee of a subsidiary, or anyone else performing services for or on behalf of the large organisation.
There is no offence if the large organisation itself was, or was intended to be, the victim, and there is a defence if the organisation had reasonable procedures in place to prevent the fraud, or if it was reasonable not to have such procedures.
What's a "fraud offence"?
This covers all offences under the Fraud Act 2006 (that's fraud by false representation, failing to disclose information or abuse of position, or participating in fraudulent business carried on by a sole trader), false statements by company directors and false accounting under the Theft Act, fraudulent trading under the Companies Act and the common law offence of cheating the public revenue. Obviously these are already offences, so anyone committing the underlying fraud will commit an offence, but the FTPF offence also means an organisation can be liable for not preventing it.
In terms of territorial scope, it will include all frauds under UK laws or which target UK victims regardless of where the relevant employee and organisation are.
The law leaves it open for extension both of the types of organisation the offence applies to, and the underlying offences it covers.
Is there any defence?
Yes, there is a defence if an organisation can show that it had reasonable procedures in place to prevent fraud, or that, in all the circumstances, it was not reasonable to expect the organisation to have prevention procedures in place.
How to comply – the Home Office guidance
The law requires the Home Office to publish guidance for firms on how to comply, but it is not mandatory to follow the guidance. A court will take into account whether an organisation has adhered to the principles of the guidance, but adherence is not an automatic safe harbour, and neither is an alternative approach automatically not good enough. It is up to organisations to adopt procedures which are reasonable for their businesses and, if it comes to it, they will need to prove they had reasonable prevention procedures in place or that it was unreasonable to expect that they would have procedures. The Home Office is of the view that in some limited circumstances it may be deemed reasonable not to introduce measures in respect of a particular risk but that it will rarely be reasonable not even to have carried out a risk assessment.
The guidance:
- Explains who the offence applies to (and how some of the factors that determine what is a “large organisation” should be applied)
- Sets out the types of fraud covered by the offence
- Explains who will be an “associated person” of the organisation and what “intending to benefit” means
- Sets out the key considerations for organisations developing their fraud prevention procedures with a view to having “reasonable procedures” in place – based on the now familiar 6 principles of top level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training) and monitoring and review
- Gives some examples of what would constitute the base offences
- Discusses the overlap with other offences, particularly the offence of failure to prevent facilitation of tax evasion.
It also stresses that organisations should keep their risk assessments under review – as with everything financial crime compliance related, this is not a "once and done" exercise.
Will there be sectoral guidance?
Regulators and industry associations have produced guidance for their communities on compliance with several other financial crime prevention laws. However, the Home Office has noted that ECCTA has no mechanism for any statutory guidance to be issued by any industry association or other body, so, in order to be effective, any sectoral guidance must align with the Home Office guidance and the law itself.
What should organisations be doing?
Financial crime prevention is best done holistically within organisations. All organisations should already have in place well-seasoned anti-bribery policies and some will also have extensive anti-money laundering, sanctions and prevention of tax evasion policies. They should build their risk assessments and additional policies, procedures and training for FTPF into these. This way, management can show it has a thorough understanding of how the suite of laws applies to its business and how it is taking well-thought-out and appropriate measures to minimise any risks its business faces.
Please contact us if you'd like to discuss how UK financial crime prevention laws apply to you, and how best to protect your business.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.