Legal development

The failure to prevent fraud offence: what do companies need to do?

    The introduction of the new "failure to prevent fraud" offence is a milestone moment for how corporate compliance programmes will be assessed in the UK.

    As one of the proposed reforms under the Economic Crime and Corporate Transparency Bill (the "Bill"), the new offence raises important considerations for those responsible for managing financial crime risk, particularly in relation to fraud and tax evasion. For a full summary of the new offence, see our article here.

    This article sets out the steps for compliance professionals to consider in advance of the Bill's implementation and an overview of the key tenets that should underpin any fraud compliance programme.

    Expanding corporate compliance programmes

    The new failure to prevent fraud offence creates a separate standalone basis on which a company could be held criminally liable for fraud.

    Under current proposals, the offence will only apply to "non-micro" organisations, but this is subject to change. A non-micro organisation is a company that fulfils two or more of the following conditions in a financial year:

    • A turnover of more than £632,000
    • A balance sheet total of more than £316,000
    • More than 10 employees

    The only defence to the failure to prevent fraud offence is for a company to prove that it had reasonable prevention procedures in place at the time the fraud was committed or that it was reasonable to not have any procedures in place. As a result, companies across all sectors will need to ensure they can demonstrate that they have robust compliance programmes in place supported by a strong anti-fraud culture driven by senior management.

    Legal and compliance professionals should take a proactive approach in ensuring that their organisation is prepared for the introduction of the new offence, seeking early engagement with senior management and other stakeholders (including Finance, Treasury, Tax, and Investor Relations teams). Consideration should be given to the specific fraud risk profile of the organisation, including the identification of particular high risk areas in relation to the relevant fraud offences. This should be followed by the implementation of appropriate measures to reduce the risk of a specified fraud offence being committed.

    What steps do companies need to take?

    Specific steps that organisations should take include:

    1. Fraud risk assessment

    As a preliminary step, in-scope businesses should review and reassess their existing fraud risk assessment. This should start with a holistic assessment of the broad range of potentially complex fraud offences that are covered as part of the proposed legislation.

    It is important to note that a fraud risk assessment can be more complex in nature than other risk assessments (e.g. ABC and tax evasion), as the specific categories of fraud extend across a wide range of functions. There is also an overlap with other financial crime risks and controls which could potentially create efficiencies. When identifying fraud risks, it is useful to focus on behaviours driving an individual's decision to commit fraud (i.e. the opportunity, incentive and rationalisation to commit fraud).

    The fraud risk assessment should be overseen by senior management, fully documented and reviewed on a regular basis. It should assess the existing fraud detection and prevention processes, which include (but are not limited to):

    • reasonable operational, commercial and finance controls in place to prevent and detect fraud;
    • appropriate separation of internal functions;
    • avoidance of conflicts of interest; and
    • a "speak-up" function and sharing of management information to monitor risks.

    2. Policies, procedures and training

    Anti-fraud prevention procedures should be proportionate to the size of the organisation and informed by the risks identified by the findings of a fraud risk assessment. An essential element of reasonable prevention procedures is demonstrating a clear commitment from top-level management, including the Board. A poor "tone at the top" that shows a lack of integrity and honesty can cause a company to be more susceptible to fraud.

    Procedures must be supported by appropriate training on fraud prevention issues and include appropriate measures in the event of a breach. A weakness in internal controls such as segregation of duties, lack of supervision and poor documentation can provide opportunities for individuals to commit fraud.

    3. Due diligence

    Organisations should have proportionate due diligence measures in place, which are driven by the fraud risk assessment, in respect of persons who perform or will perform services on behalf of an organisation (including third party agents). This includes staff and contractor background checks.

    Screening controls should also take into account suppliers and other third parties to detect any undisclosed conflicts of interest, as well as the authenticity and track record of third parties.

    4. Ongoing monitoring and internal review of fraud systems and controls

    Firms should regularly monitor and review their preventative and detective procedures, systems and controls and make improvements where necessary, including in response to changes in the risk profile of the business. Monitoring and reviews may be done internally or through an independent external party.

    As part of the monitoring process, it is important to take into consideration any behavioural triggers such as holiday patterns or financial incentives that might drive pressures to commit fraud, e.g. bonuses based on financial metrics, exceeding investor expectations or stock prices.

    In addition, the wellbeing of employees should be monitored to identify disgruntled employees who feel they have been treated unfairly or are unhappy with the behaviour of the corporate hierarchy, as this can lead to rationalisation of fraud.

    Next steps

    The Bill is still making its way through the legislative process in Parliament. The scope of the failure to prevent fraud offence is therefore subject to further amendments before it is enacted. The Bill is expected to receive Royal Assent before Parliament breaks for the summer recess on 26 July 2023.

    The failure to prevent fraud offence itself will not come into force until the government has released guidance on the relevant prevention procedures that it expects organisations to implement in response to the offence.

    It is likely that the guidance will be principles-based, consistent with guidance previously published in relation to the failure to prevent offences related to bribery and the facilitation of tax evasion. Companies should therefore start work now to prepare themselves for the introduction of the new failure to prevent fraud offence.

    We expect the guidance to be issued and the offence to come into force in early 2024.


    Authors: Ruby Hamid, Partner, Ashurst; Neil Donovan, Senior Associate, Ashurst; Anthony Asindi, Associate, Ashurst; Sarah Tomalewicz, Director, Ashurst Risk Advisory.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

