With under two weeks to go until the new UK failure to prevent fraud offence comes into force, this blog discusses the priority actions companies can take in preparation.
On 1 September 2025, the UK’s new “Failure to Prevent Fraud” (FtPF) offence will come into force, reshaping corporate liability for fraud and effectively requiring companies to put in place “reasonable procedures” to prevent fraud. Fraud is also an enforcement priority for the UK government, as Nick Ephgrave, the Director of the Serious Fraud Office, made clear: “Now is the time to take action. Corporations must get their house in order or be ready to face investigation.”
Companies may be at different stages in preparing for the offence and putting in place “reasonable procedures”, with some having conducted risk assessments and compliance enhancement projects over the last two years and others with implementation projects which are likely to continue past 1 September. In this blog, we work through some of the short and longer term actions companies can take to prepare.
What is the offence?
Further details about the offence are available in this feature article, which explains in greater detail how the new FtPF offence works and what is expected in terms of putting in place reasonable procedures.
In short, the FtPF offence applies when:
- a person associated with a large organisation (i.e. an employee, subsidiary or agent) commits an underlying fraud offence intending to benefit the large organisation or its clients; and
- the large organisation does not have “reasonable procedures” in place to prevent such fraud (this is the only defence to the FtPF offence).
This marks a shift from companies having to focus on inward fraud (i.e. as a victim) to outward fraud (i.e. as the beneficiary) and is intended to make it significantly easier for authorities to prosecute fraud. What constitutes “reasonable procedures” is not defined in the law, and companies are likely to seek to align as far as possible with UK government expectations as set out in published guidance as well as any sector specific guidance (for example the UK Finance guidance for the financial services sector).
Who is affected?
The offence applies:
- To “large organisations,” defined as those having two of the following criteria:
  - more than 250 employees;
  - turnover over £36 million; and
  - assets over £18 million.
- To large organisations based either inside or outside the UK. This is because the offence applies to any conduct which gives rise to one of the underlying UK fraud offences and these can be committed in some circumstances where there is a UK nexus irrespective of where the company itself is located or whether some of the conduct took place outside the UK. A UK nexus may be triggered (depending on the underlying offence) where:
  - one of the acts to commit the fraud took place in the UK;
  - the gain or loss occurred in the UK; or
  - the victims targeted are in the UK.
Smaller organisations may also be impacted if they are part of groups which are or contain large organisations or where they act for larger firms, which may require them to adopt anti-fraud procedures. It is also important to note, as recently published UK government guidance makes clear, that a large or small organisation may face prosecution for the underlying substantive fraud offence where the conduct can be attributed to the company through other means (e.g. the actions of a company’s senior manager).
Five key priorities
We recommend that companies take stock of their risk assessments and how effectively their existing fraud prevention procedures manage risks in relation to the FtPF offence including in response to any newly emerging risks that may have arisen since implementation projects commenced. For those whose projects are ongoing, this may mean prioritising efforts in particular areas, with a more detailed risk assessment and compliance enhancement to be completed in the following months (noting that the compliance enhancement should be tailored to the outcome of the risk assessment). Such priority areas might include:
- Evaluate the offence and brief senior leadership
As a first step, companies should urgently ascertain if they are within scope (in terms of size, and also with regard to their risk level based on the likelihood of any UK nexus – assessing jurisdiction is not black and white and will turn on the facts of the underlying offence committed). Senior management should be briefed on the outcome of this evaluation exercise, the offence and what is required in terms of risk assessments and procedures. Specified senior individuals should be designated as owners of the risk assessment/anti-fraud procedures.
- Review and enhance policies and procedures
Most organisations have policies and procedures which assist in covering fraud risk, but these often focus on protecting the company from fraud rather than preventing fraud committed for its benefit. In the short term, companies in scope may want to confirm that the following documents have been reviewed, and the new FtPF offence incorporated to the extent possible, or that there is a plan for doing so or a rationale for not doing so:
- fraud policies/relevant sections of codes of conduct;
- financial crime clauses in contracts or relevant supplier codes; and
- adding relevant questions to the third-party risk rating/due diligence process (if the company has such a process in place).
If a company does not have a fraud policy, or a supplier code focused on highest risk suppliers, we recommend consideration is given to issuing these documents before the deadline if possible.
- Senior communication
To date, most companies have focused anti-fraud policies and messaging on preventing the company from becoming the victim of fraud. A key foundation for effective FtPF prevention procedures is to educate employees on how the new offence is different and emphasise the company’s zero-tolerance approach to fraud. Over the next few weeks we recommend that companies consider publishing at least one communication from senior UK leadership which includes the following key points:
- how important it is to act ethically and the risks of not doing so;
- an explanation of the broader scope of this new offence; and
- guidance on what employees should look out for (and to whom they should escalate any concerns).
- Deliver training
A further point of focus before the FtPF offence comes into force is training. It is vital to ensure, taking a risk-based approach, that relevant staff understand the types of conduct that could constitute fraud.
In the short term, companies may wish to consider providing townhall training to all UK employees, followed by detailed e-learning and function-specific training. Messaging from senior and middle management within functions to reinforce this training can have a further beneficial effect. Retaining records of such communications so that they can easily be accessed if needed in future as part of establishing a defence will also be helpful.
- Target the highest risk areas
A further priority for companies in this window is to consider any known high fraud risk areas and take steps to manage these. This might be in response to an historic or ongoing issue, issues faced by peer companies or a function that is known to pose a higher fraud risk even without a risk assessment.
If there are any such issues, considering the immediate steps that can be taken to control and mitigate these risks even before completing a full risk assessment is recommended.
Looking forward
Once these immediate priorities have been achieved the focus will shift to the medium and long term for companies.
Once companies are further along the track, their time may be best spent:
- Conducting a thorough risk assessment and control-mapping/gap analysis exercise in the medium term, continuing to fine-tune these in the long term.
- Following the risk assessment:
  - documenting where existing controls adequately address identified risks;
  - reviewing and enhancing fraud prevention procedures for areas identified as needing improvement; and
  - conducting risk-weighted due diligence on third-parties based on the company’s risk appetite, applying additional controls as appropriate.
- Considering their global operations, because the offence has broad jurisdictional reach. Non-UK companies may be caught if part of the underlying fraud occurs in the UK or if UK victims are involved. Multinationals must decide whether to implement global procedures, expanding the steps described above beyond the UK, or limit them to UK-facing operations.
- Testing their fraud prevention procedures in the medium term and conducting structural audits of their fraud prevention framework over the long term.
Further information
For those companies evaluating the FtPF offence, additional resources are available here: