On 6 November 2024, the Home Office published their long-anticipated guidance (the Guidance) for corporates in relation to the new Failure to Prevent Fraud (FTPF) offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

The FTPF offence creates criminal liability for certain companies which fail to prevent fraud.  If found guilty, companies face unlimited fines.

The Guidance (which runs to 44 pages) sets out examples of good practice which may enable corporates to demonstrate that they had in place ‘reasonable fraud prevention procedures’, which provide a complete defence against prosecution for the FTPF offence (i.e. absolving them of criminal liability).

This article provides an overview of the new FTPF offence, as well as setting out what the Guidance says about ‘reasonable fraud prevention procedures.’

Commencement date

The Guidance clarifies that the FTPF offence will come into force on 1 September 2025.  The transitional period is designed to give organisations adequate time to understand and assimilate the Guidance into their policies, procedures, and practices.

The FTPF offence

Section 199 of ECCTA states that a criminal offence is committed where a ‘person associated’ with a ‘relevant body’ commits a ‘fraud offence’ intended to benefit, whether directly or indirectly: (a) the relevant body; or (b) any person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body.

So, what does this mean?

Relevant body

Whilst the FTPF offence applies across all sectors of the economy, it can only be committed by ‘large organisations.’  This includes companies and partnerships meeting at least two of the following criteria:

  • those with more than 250 employees;
  • those with a turnover greater than £36 million; or
  • those with more than £18 million in total assets.

These criteria apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.

‘Persons associated’ with

Broadly speaking, this includes employees, agents, or subsidiary undertakings of a company, or any person who otherwise performs services for or on behalf of a relevant body.  Whether an individual is actually performing services for an organisation may be a question of fact.

Companies in an organisation’s supply chain, and franchisees are not associated persons unless they are providing services for or on behalf of the relevant body.

Qualifying offences/conduct

The Act covers a wide range of fraudulent activities by persons associated with an organisation.  These include offences such as fraud by false representation (under the Fraud Act 2006), false accounting (under the Theft Act 1968), fraudulent trading (under the Companies Act 2006), and cheating the public revenue (under the common law).  Money laundering offences under the UK Proceeds of Crime Act 2002 are not qualifying offences.

The Act requires that the associated person committing the fraud has the ‘intention of benefiting’ the organisation or its clients.  This intention does not have to be the sole or dominant motivation for the fraud – their primary motivation may be to benefit themselves.  It is irrelevant whether the organisation does in fact actually receive any benefit.

Territoriality

The offence applies to relevant offences committed under UK law.  Generally, this means that the fraud requires a direct UK connection, but non-UK companies can fall within scope.

For example, a non-UK-based company could fall within the scope of the FTPF offence if:

  • An employee of the organisation, who is based in the UK, commits a relevant qualifying offence in the UK.
  • An employee of the organisation, who is not based in the UK, commits fraud targeting UK victims.

Strict liability

The FTPF offence is a ‘strict liability’ offence.  This means that if a relevant qualifying fraud offence is committed by a relevant ‘person associated’ with a ‘relevant body’ (i.e. a large organisation), then the corporate body has, on the face of it, committed the offence.  Senior managers in an organisation do not have to be aware of what the fraudster has done for the corporate to be guilty of the FTPF offence.

The Guidance – how can organisations protect themselves from FTPF criminal liability

Under ECCTA, an organisation will not be guilty of an offence if it can prove, on the balance of probabilities, that it had reasonable procedures in place to prevent fraud, or that it was unreasonable to expect it to have such procedures.  The onus will be on the organisation to discharge this burden.

What amounts to ‘reasonable’ will be judged based on the context of each case, considering factors such as the organisation’s size, nature, and complexity of its activities.

What should organisations do to prepare?

The Guidance, which courts will use as a benchmark, sets out that fraud prevention structures within an organisation should be guided by six ‘Principles’.  At a high level, these are:

  1. Top-level commitment.  This means ensuring that senior management is actively involved in fraud prevention efforts.  It includes fostering a culture where fraud is not tolerated, endorsing anti-fraud policies, allocating resources, adopting speak-up policies, and leading by example.
  2. Risk assessment.  This means evaluating the nature and extent of an organisation’s exposure to fraud risks, focusing on employees, agents, and other associated persons.  It includes identifying specific roles and scenarios that present higher risks, and ensuring that the risk assessment is documented and reviewed regularly.
  3. Proportionate risk-based fraud prevention procedures.  This means developing and implementing fraud prevention measures (that respond to the risk assessment) that are relevant to the identified risks.  This may amount to an ‘anti-fraud policy’, which sets out the policies and procedures of the organisation to mitigate the risk of fraud.  These procedures should cover various operational areas, such as procurement, financial reporting and contractual relationships.
  4. Due diligence procedures.  This means conducting thorough, risk-based, due diligence on all associated persons.  This should include the use of appropriate technology, such as third-party risk management tools, reviewing contracts, and monitoring the well-being of staff to identify those who may be more likely to commit fraud because of stress, targets or workload.
  5. Communication (and training).  This means developing a training program to educate employees and other associated persons on fraud risks, and prevention measures (such as whistleblowing procedures).  It includes ensuring ongoing communication about the organisation’s stance on fraud and the consequences of fraudulent behaviour.
  6. Monitor and review.  This means establishing a system for regular monitoring and review of fraud prevention measures.  It includes detecting attempted fraud, investigating suspected fraud, and evaluating the effectiveness of prevention procedures.

Detailed records of all risk assessments, prevention measures, training programs, and decisions related to fraud prevention should be kept.  This documentation will assist in demonstrating compliance and reasonableness in the event of a challenge to the effectiveness of the measures put in place to prevent fraud.

The Guidance makes clear that whilst existing policies and procedures may be relevant (such as an organisation’s Bribery Act 2010 policies, or policies it has because it is regulated by the Financial Conduct Authority), it will not be a suitable defence to state that, because the organisation is regulated, its compliance processes under existing regulations would automatically qualify as ‘reasonable procedures’ under ECCTA.

Smaller companies

Whilst only ‘large’ organisations are within scope of the FTPF offence, the Guidance notes that the Principles represent good practice and may therefore also be helpful for smaller organisations.

It is of course also possible that a currently ‘non-large’ organisation will in future years grow (in number of employees, turnover, or assets) and therefore qualify as ‘large.’

Therefore, it is worth all organisations taking note of changes.

Action points

We would suggest that ‘large’ organisations (and those likely to become large over the course of 2025) should in the near future:

  1. Discuss these issues amongst senior management, thinking about setting a timetable with key milestones between now and the implementation date.
  2. Carry out an appropriate risk assessment, focusing on fraud, to identify potential areas of risk.
  3. Review their current policies and procedures, and consider whether they need to be updated in anticipation of the FTPF offence and Guidance.
  4. Review their internal systems and controls in light of ECCTA and the Guidance.
  5. Begin to think about what their fraud prevention plan/framework will look like (i.e. what the proportionate, risk-based, fraud prevention procedures will be).
  6. Decide what resources and corporate governance structures are needed to adapt to this change in the law.
  7. Review and deliver appropriate training to employees (and other relevant individuals), to ensure awareness of the coming changes.
  8. Think about whether their internal investigation mechanisms need to be updated in light of the changes.

Conclusion

The FTPF offence marks a major shift in corporate accountability, emphasising the need for robust fraud prevention measures in large organisations.  Organisations should ensure they thoroughly understand and implement the principles outlined in the Guidance.  To adequately prepare, organisations may wish to seek legal advice to navigate areas of uncertainty.

As the offence is both new and far-reaching, organisations should remain vigilant in maintaining and updating their fraud prevention procedures, documentation, and training programs.

For further information on ECCTA, please see our previous articles here and here.

