What reasonable fraud prevention procedures can companies put in place?

The act encompasses a wide range of reforms, including changes to Companies House and increased powers for the Serious Fraud Office and National Crime Agency to combat economic crime.

The introduction of the 'failure to prevent fraud' offence and the extension of corporate liability for economic crimes means the act represents the biggest legislative shake up in the economic crime arena since the Proceeds of Crime Act in 2002. 

The failure to prevent fraud offence operates as follows: a large organisation – that is, companies or partnerships that satisfy two of the following conditions: turnover of £36mn+; balance sheet of £18mn+; or 250+ employees – will be guilty of the offence if an employee or third party acting on its behalf commits fraud intending to benefit the organisation.

The definition of fraud is broad, encompassing offences such as greenwashing or false accounting, but excludes instances where the organisation is the victim.

Organisations have a complete defence to this offence if they can demonstrate they had reasonable fraud prevention procedures in place, or that it was reasonable for it not to have any procedures.  

This article focuses on two key aspects: what constitutes reasonable fraud prevention procedures and how the extension of corporate liability for economic crimes will be implemented.  

Reasonable fraud preventative procedures 

Guidance on the procedures organisations can put in place to prevent fraud is expected to be issued by the government in early in 2024, meaning the failure to prevent fraud offence is likely to come into force in mid-2024.  

Organisations seeking to get ahead can review the guidance for the existing failure to prevent bribery and tax evasion facilitation offences.

Despite slight differences in the wording of the two offences, the government’s guidance documents on establishing adequate anti-bribery procedures and reasonable tax evasion facilitation prevention procedures are based on the same six principles.

It is therefore probable that the failure to prevent fraud guidance will focus on similar principles.  

Organisations will find that implementing reasonable fraud prevention procedures provides benefits beyond the defence to the offence.

The starting point is an assessment of the fraud risk. In cases where the risk is extremely low and the costs of implementing procedures are disproportionate, it may be reasonable for an organisation to have no fraud prevention procedures.

However, it is still recommended to conduct an annual risk assessment to support that assessment. All other large organisations will require fraud prevention procedures to defend a failure to prevent fraud charge.

These procedures should be proportionate and tailored to effectively manage the identified risks and may include written anti-fraud policies, training programmes, financial controls, due diligence on associated persons, contractual provisions, audits, internal reviews, and a clear tone from top management.  

Organisations will find that implementing reasonable fraud prevention procedures provides benefits beyond the defence to the failure to prevent offence.

An effective fraud prevention programme can form the basis of an organisation’s environmental, social and governance credentials; drive a positive change in culture by enhancing employee morale, conduct and retention; and enhance its reputation with customers, suppliers and potential investors.

It will also reduce financial losses by helping to identify and prevent fraudulent activities beyond the fraud offences covered by the failure to prevent offence.  

The identification principle

The new act attributes criminal liability for economic crimes to certain bodies.

It could either be seen as a fundamental change in the criminal law and the prosecution of corporate entities (a company or partnership), or the latest step in the development of the criminal law penalising corporates for breaching the law (see also the Corporate Manslaughter and Corporate Homicide Act 2007, the Bribery Act 2010, and the Criminal Finances Act 2017). 

Prosecution and enforcement guidance is still awaited, and it is anticipated it will be published soon. It is still unclear whether a particular agency will lead the investigation of these offences (as with bribery and the SFO), or whether it will fall to police forces and other agencies to investigate and prosecute.

The act states that if a senior manager of a corporate or partnership commits a relevant offence then the organisation is also guilty of the offence.

The offences include a mixture of common law (conspiracy to defraud, cheating the public revenue) and statutory offences (for example false accounting, theft, false statements, fraud and bribery).

It can also include attempts or conspiracy to commit these offences. The secretary of state has the power to add or remove offences, an important provision where there may be a change in political and policing objectives.

Prior to the act, it was settled law and prosecution guidance that corporate liability may be established by either vicarious liability for the acts of a company’s employees and agents (see above for reference to other statutory/regulatory offences), with the more difficult criminal conduct to prove and which arises from non-vicarious liability.

This derives from the identification principle, which determines whether the offender was a directing mind and will of the company, and if so, then the company can be prosecuted. 

The company must show it has the requisite culture and adequate procedures in place.

Both avenues present difficulties in collecting sufficient evidence to prosecute a company. It is not sufficient to say that the prosecution must prove their case. 

Having to identify a directing mind in any complex case involving one or more corporate entities can present insurmountable difficulties in understanding the extent of offences such as fraud, especially where several people are suspects and evidence may be contradictory.

Thereafter, it can be difficult to obtain evidence to identify individual directors and managers who have authority to act on the company’s behalf, and who were involved in criminality. 

The act has potentially removed many of these difficulties and should allow prosecuting authorities (such as the SFO) to investigate a company without needing to identify a director at the centre of any alleged offending.

If the breaches are not rebutted, and if it is in the public interest, then a prosecution can start with confidence.

It also raises the prospect of greater financial penalties, recovery of prosecution legal costs, and any compliance undertakings at the conclusion of proceedings carrying greater weight.

Inevitably the company will have to consider how it responds to allegations and of wider import is that this is another area where in relation to alleged criminal offences or regulatory breaches by a company, the evidential burden has in fundamental ways reversed.

The company must show it has the requisite culture and adequate procedures in place required to minimise the risk of offences being committed, which are outlined in the act. It is not sufficient to say that the prosecution must prove their case. 

The company will have to provide sufficient evidential material at the investigation stage showing it has adequate anti-fraud procedures, complies with the act, and that any failures are attributable to individuals trying to break the law, but are not indicative of wider company failings.

Ben Cooper is a partner in the economic crime compliance team; and Jason Cropper is a commercial partner and economic crime compliance expert at law firm TLT