Introduction

Fraud has reached endemic levels in the UK and is now considered a threat to national security. As well as damaging the UK’s reputation as a business centre, rising levels of fraud are impacting the private sector’s bottom line and its commercial stability. The Association of Certified Fraud Examiners estimates total global losses due to fraud to be nearly US$5 trillion. Of this sum, fraud committed by an executive or employee (occupational fraud) accounts for approximately 40% of the total, equivalent to US$2 trillion.

On 26 October 2023, the Economic Crime and Corporate Transparency Act 2023 received Royal Assent, introducing a new corporate criminal offence of ‘Failure to Prevent Fraud’ into English law. The offence will hold large commercial organisations criminally liable for fraud offences committed by persons associated with them where the organisation does not have in place reasonable procedures to prevent such offences.

The offence will come into force once the Government has issued guidance on reasonable fraud prevention procedures (expected in 2024). Commercial organisations would be wise to start thinking now about how the new offence might affect them.

Failure to Prevent Fraud: an overview

The Failure to Prevent Fraud offence will be made out where:

1. An ‘associate’ of a ‘relevant body’ which is a large organisation commits a relevant ‘fraud offence’;

and

2. The relevant fraud offence is intended to benefit (whether directly or indirectly):
     a. the relevant body, or
     b. any person to whom, or to whose subsidiary, the associate provides services on behalf of the relevant body.

The relevant body is not guilty of an offence where the relevant conduct was intended to harm the body. It is a defence for the relevant body to prove that it had in place such prevention procedures as it was reasonable in all the circumstances to expect. Where a commercial organisation is convicted, unlimited fines can follow.

Breaking that down:

What is a ‘relevant body’?
For the purpose of the Failure to Prevent Fraud offence, a ‘relevant body’ is a body corporate or partnership, wherever it is formed.

The offence applies only to large organisations. A relevant body will be a large organisation for the purpose of the new offence if it meets at least two of the following three criteria: (i) more than 250 employees, (ii) more than GBP 36 million in turnover, and (iii) more than GBP 18 million in total assets. If the resources held across a parent company and its subsidiaries cumulatively meet this test, the group will also be within the scope of the new offence.

Who is an ‘associate’?
An associate is a person associated with the relevant body: an employee, agent or subsidiary of the relevant body, an employee of a subsidiary, or someone otherwise performing services for or on behalf of the relevant body.

What is a ‘fraud offence’?
The relevant fraud offences are: fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly, participation in a fraudulent business, false accounting, false statements by company directors, fraudulent trading, and cheating the public revenue. The new offence also applies to the ‘aiding, abetting, counselling or procuring the commission of’ a relevant fraud offence.

A proposal to include money laundering in the above list was rejected by the House of Commons but it is possible that the list of relevant fraud offences may be added to in due course by way of secondary legislation.

Intended to benefit the relevant body?
The associated person who commits the relevant fraud offence must intend (directly or indirectly) that offence to benefit the relevant body, or those to whom services are provided. No offence will be committed where the offence was intended to harm the commercial organisation.

The offence may be made out where, for example, the associated person intends primarily to act for their own benefit, but where that benefit is also intended to be felt by the commercial organisation (for example, an employee who fraudulently over-bills a client in order to boost their own performance figures, but also company revenue).

Reasonable fraud prevention procedures

Requiring commercial organisations to prevent fraud imposes a considerable burden. While the offence requires only that the prevention procedures be ‘reasonable’, what will be ‘reasonable’ in the context of each individual organisation is difficult to anticipate; and a procedure is much less likely to be judged as reasonable where it did not in fact prevent the offending.

The Economic Crime and Corporate Transparency Act 2023 requires the Secretary of State to publish guidance on the procedures which could be put in place; however, it is likely that any guidance will be relatively high-level and principle-based. Given the wide scope of the offence, and the fact that it will cover a very broad range of sectors with very different risk profiles, it is unlikely that any published guidance will provide a clear framework for what an organisation should reasonably do to prevent fraud.

Moreover, very little guidance exists from other ‘failure to prevent’ offences. The Failure to Prevent Fraud offence is modelled on the existing offences of failing to prevent bribery (introduced via the Bribery Act 2010) and failing to prevent the facilitation of tax evasion (introduced via the Criminal Finances Act 2017).

However, despite existing on our statute books for some years, neither of those offences has produced any meaningful judge-led guidance on how the ‘reasonable procedures’ defences work in practice or how they will be interpreted in contested criminal proceedings.

It will, therefore, be largely down to relevant commercial organisations and their advisors to assess the types of controls required, by reference to organisation-specific factors, and to put in place bespoke fraud prevention procedures sufficient to meet the requirements of the new offence.

Where does Insider Risk fit in?

Organisations should start to consider now whether they fall within the scope of the new offence and whether existing fraud risk assessments, policies, systems and controls adequately address the risk of not only outward but also inward fraud. Do they explicitly reference fraud committed on behalf of the organisation and by ‘insiders’?

An insider is anyone who has been granted authorised access and who then uses, or intends to use, that access for unauthorised purposes. An insider can be anyone (an employee, a contractor, a business partner, or someone in the supply chain) who is trusted with physical or virtual access to a firm’s assets and who can therefore cause harm.

Effective Insider Risk programmes seeking to prevent and detect harm caused by insiders should:

  • Assess and regularly update the evolving insider risk for the organisation.
  • Develop a “response plan” for an insider incident, including how to respond, how to minimise damage and how to retain stakeholder trust.
  • Ensure consistency and clear lines of responsibility for the management of Insider Risk.
  • Understand and pay close attention to red flags (for example, changes in an individual’s behaviour, performance or financial habits, or absenteeism).
  • Nominate a C-Suite and Board member who is accountable for Insider Risk.
  • Execute spot audits.
  • Put in place clear and proportionate policies and procedures.
  • Implement ethics and compliance training.
  • Ensure robust speak-up procedures, a strong ‘tone from the top’ and a focus on culture.

Where Insider Risk programmes exist, they are often designed to prevent and detect misconduct targeted at the organisation, whether that be fraud, data loss, theft, sabotage, or the leaking of sensitive information.

However, an Insider Risk programme can also act as an effective tool to identify and mitigate the risk posed by associated persons who might act dishonestly in the misplaced belief that they are acting in the best interests of the organisation.

Companies that are looking to refresh or update existing risk management processes in light of the introduction of the new offence would benefit from looking closely at the controls they currently have in place to prevent, detect and mitigate insider fraud. They also need to consider now how any existing programme can be adapted to prevent and detect the broader risk of misconduct committed in the interests of the company.

With the introduction of the new offence, organisations will also need to consider how employees or other potential insiders might rationalise committing fraud “on behalf” of their organisations. Are employees under pressure to meet targets, win contracts, or achieve unrealistic levels of performance? Has the firm been recently re-structured or involved in M&As (changes which promote uncertainty and increase the likelihood of insider risk)? Could misplaced loyalty lead an insider to obtain services dishonestly, make false representations or otherwise commit fraud that they believe will benefit their employer?

What actions should organisations take now?

From an Insider Risk perspective, some practical measures that organisations can consider now include:

  • Ensure that training, communication and ‘tone from the top’ attribute the same level of importance to preventing all types of fraud (“inward” and “outward”). Visible and clear policies, standards and procedures relating to fraud should be communicated consistently and regularly across the organisation.
  • Remind employees that outward fraud should be escalated and reported using the same mechanisms (including whistleblowing channels) as inward fraud. Now is a good time to assess your ‘speak up’ programme. How, and with what frequency, does your organisation measure the effectiveness of its whistleblowing programme? Are your leaders committed to promoting a culture of speaking up?
  • Conduct an updated insider risk assessment to take account of any evolving internal and external risk factors. For example, the pandemic and the rise of remote working have increased the risk of insider fraud, given the higher number of employees who are isolated and have infrequent interactions with co-workers and supervisors.
  • Develop “response guidance” to an insider incident covering how to respond, minimise damage and retain stakeholder trust. Ensure that this response guide considers all types of insider act and includes outward as well as inward fraud.
  • Conduct enhanced due diligence on any employees or service providers (including third-party agents) who have access to the firm’s most sensitive data or assets.
  • Ensure that regular monitoring and reviews of fraud systems and controls (to set up ‘trip wires’ and to spot ‘red flags’) are in place, and that reviews consider changes in the risk profile of the business. Monitoring and reviews may be conducted internally or through an independent external party.

Conclusion

Tackling fraud is hard: fraudsters are agile, adaptive, inventive and fuelled by the evolution of technology. The geopolitical risk landscape is also challenging, and complex risks are continuously emerging and evolving. Organisations therefore need to be adaptive, agile, inventive and holistic in their approach to detecting, preventing and mitigating all types of offending. The new Failure to Prevent Fraud offence is another incentive to revisit existing risk management programmes, including those that cover Insider Risk. A timely review and remediation of these programmes may well be one of the best ways to protect your organisation.

This article was co-authored with Anoushka Warlow and Tom McNeill of BCL Solicitors LLP. We are grateful for their invaluable contributions.

If you would like to discuss any of the issues raised in this article please contact Sarah Keeling, Julia Arbery, or Lucy Cryan.

About the Authors

Sarah Keeling

Sarah Keeling, a StoneTurn Board Member and Partner, is a former senior British government official with more than three decades of experience in national security and geopolitical risk issues globally. […]

Julia Arbery

Julia Arbery, a Partner with StoneTurn, has more than 15 years of experience in ethics and compliance. Specifically, she assists multinational corporations with the development and implementation of effective ethics […]

Lucy Cryan

Lucy Cryan, a Manager with StoneTurn, has a background in forensic accounting investigations, and dispute resolution. Over the course of her career, Lucy has conducted investigations into fraudulent activity, accounting […]