By Jonathan Armstrong, Partner at Punter Southall Law
The much-anticipated guidance regarding the new UK corporate offence of Failure to Prevent Fraud (FTPF Offence) was published on 6 November 2024. This FTPF Offence is part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which was granted Royal Assent on 26 October 2023.
The aim of the FTPF Offence is to change the way in which organisations look at fraud and to encourage measures aimed at detecting and preventing fraud. In some ways, this aim recalls how the failure to prevent provisions in s.7 of the Bribery Act 2010 changed the way in which businesses looked at bribery when that Act was introduced.
This offence applies across the UK and can have extraterritorial reach when there is a “UK nexus” – see below for an explanation of what this means in practice.
Since the FTPF Offence was introduced, one of the main questions was what “reasonable procedures” should look like for fraud prevention. This Guidance outlines some recommended procedures that organisations can put in place to help prevent fraud.
What is the FTPF Offence?
The FTPF offence applies to large, incorporated bodies and partnerships across all sectors of the economy,
Organisations will be guilty of an offence if an associated person commits a fraud offence intending to directly or indirectly benefit the organisation or their clients. The definition of associated persons is again similar to that under the Bribery Act 2010. Associated persons include employees, agents, subsidiaries and others. It does not need to be demonstrated that senior managers or directors ordered or knew about the fraud.
A defence is available where the organisation can prove that they had reasonable prevention procedures in place, or that it would have been unreasonable to have expected prevention procedures to be in place. As mentioned above, businesses had many questions about what “reasonable procedures” might look like.
What is the threshold to be considered “large”?
“Large” organisations meet at least two of the criteria below, which apply to the whole organisation including subsidiaries:
- More than 250 employees.
- More than £36 million in total annual revenue.
- More than £18 million in total assets.
What does the Guidance say about reasonable fraud prevention procedures?
In summary, the Guidance recommends that an organisation’s fraud prevention frameworks be informed by 6 flexible and outcome-focused principles. They won’t come as a surprise to most compliance officers given the similarity with guidance from regulators and the UK Bribery Act 2010 guidance. The 6 principles are:
- Top level commitment from those charged with the governance of the organisation.
- Risk assessment that is dynamic, documented, and regularly reviewed. Consider factors such as opportunities to commit fraud, systems that could incentivise fraud (like compensation), and whether a culture might quietly tolerate fraud.
- Proportionate risk-based prevention procedures which are effectively implemented and enforced.
- Due diligence regarding people who perform or will perform services for or on behalf of the organisation.
- Communication and training to ensure that the prevention policies and procedures are embedded and understood throughout the organisation.
- Monitoring and review.
Are non-UK businesses in scope?
Possibly. Again, the extraterritorial provisions are similar to the Bribery Act 2010.
The Guidance highlights how a “UK nexus” is needed for the offence to apply. The main factors to consider are whether the associate is based in the UK, whether there are actual UK victims, or whether some of the fraud was committed in the UK.
Examples of when this offence applies extraterritorially include:
- When a UK-based employee commits fraud, the employing organisation could be prosecuted even if the organisation is based overseas.
- When an associated person commits the fraudulent act overseas and there are actual UK victims.
Remember, a subsidiary of a large organisation is an associated person for the purposes of this FTPF offence.
Therefore, it is possible for a parent company to be prosecuted for failure to prevent fraud where the initial fraud offence is committed corporately by a subsidiary and where the beneficiary is the parent organisation, or there is a connection with the parent company’s clients. We have seen cases under the Bribery Act 2010 where parent companies outside the UK have been involved because of the acts of subsidiaries in the UK.
Could a subsidiary be prosecuted for FTPF?
Yes. If an employee of a subsidiary of a large organisation (where that subsidiary is not itself a large organisation) commits a fraud that is intended to benefit the subsidiary, the subsidiary may be prosecuted.
If the employee of a subsidiary of a large parent company commits a fraud that is intended to benefit the parent company, that parent company may be prosecuted.
Who wrote this guidance?
The UK Home Office. It was developed with input from the Crown Prosecution Service (CPS), Serious Fraud Office (SFO), HM Treasury, HMRC, Ministry of Justice, Cabinet Office, Attorney General’s Office and Financial Conduct Authority (FCA).
What are the next steps?
According to the Guidance itself, this offence will come into effect 9 months after publication of the Guidance, which would be 6 August 2025. The Home Office website currently states that it will come into force on 1 September 2025. This date will likely be clarified shortly.
The clock has started, and businesses should start looking at their own fraud prevention policies and procedures.
The full guidance is available on GOV.UK: Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (accessible version).