UK Corporate Criminal Liability: Guidance issued on New Failure to Prevent Fraud Offence

Introduction

On 26 October 2023, the UK Economic Crime and Corporate Transparency Act 2023 (the "Act") received royal assent and became law. The Act introduces a new strict liability corporate criminal offence of failure to prevent fraud which, it has just been announced, will come into effect on 1 September 2025.

We have previously written about the strict liability criminal offence of failure to prevent fraud and the organisations likely to be affected. The UK Government published guidance on 6 November 2024 about the only defence available to organisations charged with this new offence – namely that the organisation had “reasonable procedures” in place to prevent the fraud (the “Guidance”). In this update, we summarise and analyse the Guidance.

In addition to the new offence of failure to prevent fraud, we have also previously written about other changes introduced by the Act, such as changes to the Unexplained Wealth Order regime, reform of the identification principle, and amongst other things expansion of Companies House’s and the SFO’s powers.

Operation of the failure to prevent fraud offence

Under the Act, the new offence only applies to "large organisations" i.e. those which meet at least two of the following criteria in the financial year preceding the year of the fraud offence:

• more than 250 employees;
• more than £36 million turnover; and/or
• more than £18 million in aggregate assets on its balance sheet.

A corporate is also a "large organisation" where it is a parent undertaking of a group which meets at least two of the following criteria in the financial year preceding the year of the fraud offence:

• an aggregate turnover of over £36 million net (or £43.2 million gross);
• aggregate balance sheet total of over £18 million net (or £21.6 million gross); and/or
• more than 250 aggregate employees.²

A "large organisation" is liable under the new offence if it fails to prevent one of the fraud offences specified in Schedule 13 of the Act where:

1. an "associate" of the organisation commits the fraud; and
2. the fraud is intended to benefit the organisation or client of the organisation.

Examples may include dishonest sales practices, misleading consumers or investors (including via non-financial information disclosures such as environmental and sustainability reporting), false accounting, fraud by false representation, fraud by abuse of position, fraud by failing to disclose information, and dishonest practices in financial markets.³

"Associate" is defined as an employee, agent, subsidiary, or employee of a subsidiary of the organisation, as well as any others who perform services for or on behalf of the organisation.⁴

The organisation will only have a defence if it can show it either had "reasonable procedures" in place to prevent fraud, or that it was not reasonable for the organisation to have such procedures in place (the “Defence”).⁵

The Guidance

i. Wording of the Act

The Guidance provides useful clarification on some of the wording used, but not defined, in the Act.

• “Intending to benefit”:
  • An organisation does not need to actually receive any benefit for the offence to apply. It is enough that the organisation/its client(s) was intended to be the beneficiary.
  • The intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud. The offence can apply where a fraudster’s primary motivation was to benefit themselves, but where their actions will also benefit the organisation.
  • The benefit may be financial or non-financial e.g. a business advantage for the organisation or a disadvantage for a competitor could be considered a ‘benefit’.
• “Victim”:
  • Under s199(3) of the Act, an organisation is not liable if it is a victim or intended victim of a fraud that was intended to benefit the organisation’s clients. “Victim” is not defined in the Act, but the Guidance confirms that the organisation will be a victim if it suffers direct harm or loss as a result of the fraud. Indirect harm such as a damaged reputation will not constitute being a victim.
• “UK nexus”:
  • The offence will only apply if one of the acts which was part of the underlying fraud took place in the UK, or if the gain or loss occurred in the UK.
  • Examples include a UK based employee committing a fraud or an associate based overseas committing a fraud whilst in the UK temporarily or targeting victims in the UK.

ii. Principles informing reasonable fraud prevention procedures

Whilst the new offence only applies to large organisations, the six principles outlined in the Guidance for fraud prevention will be useful for smaller organisations too. Practitioners in this space may note that there is a significant overlap between the six principles in the Guidance and those in the Bribery Act 2010 Guidance on adequate procedures required to defend against a prosecution of failure to prevent bribery. Organisations will be able to leverage existing policies and processes to prepare a failure to prevent fraud compliance programme.

In summary, the Guidance recommends applying the six principles in the following way to demonstrate best practice.

1. Top level commitment – including:

1. articulation and endorsement of the organisation’s stance on preventing and rejecting fraud;
2. communication of the consequences, both for individuals and the organisation at large, for failing to prevent fraud;
3. implementing a clear financial crime compliance and prevention framework which includes fraud prevention measures and designates responsibility for sub-tasks; and
4. senior managers maintaining governance when key members of staff are on leave or change roles.

2. Risk assessment – including:

1. identifying typologies of “associate” given its wide definition;
2. considering the motivations and opportunities applicable to associates which could lead to a failure to prevent fraud; and
3. frequently reviewing (annually or bi-annually) the risk assessment approach and outcome.

3. Proportionate risk-based prevention procedures:

1. procedures should take account of the level of control, proximity and supervision the organisation is able to exercise over a particular person acting on its behalf;
2. if it is more proportionate to not introduce measures in relation to a particular risk, this should be clearly documented; and
3. the Guidance encourages avoiding duplication of work so if existing fraud prevention procedures are proportionate and no further steps are necessary, the organisation should document the steps taken to reach this conclusion.

4. Due diligence – including:

1. using appropriate technology, for example, third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status if relevant, or vetting checks if appropriate; and
2. reviewing all service contracts to ensure (potential) associates are obligated to comply with fraud prevention measures.

5. Communication (including training) – including:

1. arranging fraud-specific training which covers the nature of the offence as well as the procedures to address it;
2. maintaining clear and accessible whistleblowing frameworks, supported by a “speak-up” culture, so that fraud can be uncovered; and
3. investigating and responding to internal concerns appropriately and in a timely manner.

6. Monitoring and review – including:

1. considering the processes in place for detecting financial discrepancies or unauthorised access to data (including data analytics and audit);
2. preparing a step-by-step guide on conducting internal investigations if fraud is suspected, including at which point to involve external advisers; and
3. working with other organisations, such as trade bodies or other organisations facing similar risks.

Comment

Much like the failure to prevent bribery offence, the UK is the first jurisdiction to introduce a strict liability corporate criminal offence of failure to prevent fraud offence. We expect, however, that other jurisdictions will follow suit and note active dialogue on the topic in Canada.⁶

The Guidance notes that, whilst the six principles will be considered by a court in the event of a prosecution for failure to prevent fraud, the Guidance is not prescriptive. Strict adherence to the Guidance will therefore not guarantee successful application of the Defence where the organisation faces particular risks arising from the unique facts of its business that the Guidance does not address. As such, the onus is on the organisation at all times to ensure it has reasonable procedures in place, according to its specific facts and circumstances, and to prove this on a balance of probabilities if required.⁷ This sets the bar high for relevant organisations to ensure they have the correct fraud prevention framework in place.

The practical steps set out in the Guidance and summarised above will certainly assist organisations and, indeed, many organisations will have an existing framework in place to prevent fraud, which can be leveraged. However, organisations should bear the following points in mind:

• existing frameworks will likely be directed towards preventing the organisation from being the victim of fraud rather than preventing fraud being committed with the intention of benefitting the organisation, which is what the new offence targets;
• where anti-corruption programs extend to third party risk, existing policies may be adapted – but this could have limited application because the fraud offences under the Act are broad and require a nuanced approach;
• by way of example, the failure to prevent fraud offence covers non-financial information disclosures such as ESG reporting. This comes against a backdrop of much more extensive reporting of these matters. It will be important to review ESG disclosure compliance controls in light of increased legal exposure for misstatements which now extends to potential corporate criminal liability if a company cannot demonstrate that its ESG disclosure controls are "reasonable".

Mayer Brown’s investigations and compliance advisory team advises multinational corporations and financial institutions on financial crime and associated laws, including anti-fraud and anti-corruption measures, and has extensive experience conducting and supporting large-scale risk analysis exercises, as well as criminal and internal investigations.