Business crime

Failure to prevent fraud: steps to take before September 2025

Published on 25th Nov 2024

What does new guidance say about the failure to prevent fraud offence entering into force in nine months?

The government has published guidance on reasonable fraud prevention procedures for the new failure-to-prevent-fraud offence in the Economic Crime and Corporate Transparency Act (ECCTA) 2023. The offence will come into effect on 1 September 2025.

The new offence is part of wider reform of corporate criminal enforcement in the UK, including the senior manager regime. The legislative changes aim to make it easier to prosecute commercial organisations. The guidance is only advisory, however, and should not be taken as a substitute for having a thorough and clear understanding of the legislation.

The onus will be on an organisation to prove, on the balance of probabilities, that it had reasonable procedures in place to prevent fraud, or that it was unreasonable to expect it to have such procedures in place.

Reasonable procedures

As with the failure to prevent bribery and the facilitation of tax evasion offences, the reasonable procedures defence will again be based around six principles, but the principles have been reordered.

Top-level commitment is now the first of the specified principles, followed by risk assessment, while proportionate risk-based procedures are demoted to third place.

The six principles in their new order are: top-level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training), and monitoring and review.

Organisations should adopt specific anti-fraud procedures to take account of these principles, which are intended to be flexible to allow each organisation to implement risk-proportionate measures.

We believe the fact that top-level commitment now heads the list could, in time, be significant. In the event of an external investigation, it may be likely that investigators will place increased importance on whether "tone from the top" can be demonstrated consistent with the guidance.

Top-level commitment

The guidance stresses that responsibility for the prevention and detection of fraud rests with the organisation's senior management (and if relevant, the board of directors or partners). The level and nature of their involvement will vary depending on the size and structure of the organisation, but it is likely to include:

  • Communication and endorsement of the organisation's position on preventing fraud;
  • Designing and implementing a clear governance structure across the organisation;
  • Committing to allocating a reasonable and proportionate budget for training and resourcing the fraud prevention plan; and
  • Leading by example and fostering an open culture where attempts to rationalise fraud are challenged proactively.

Notably, unlike the UK Bribery Act guidance, this guidance includes an additional element of commitment to training and resources. The commitment to resourcing should be continual, and cover instances of employee movement.

Risk assessment

As this principle is now elevated above proportionate procedures, we again anticipate that there may be increased emphasis on an organisation's fraud risk assessments during an investigation.

The guidance emphasises that risk assessments are "dynamic" and should be documented and kept under regular review.

It further suggests that organisations develop typologies of risks by considering the three elements of the fraud triangle:

  • the opportunity which associated persons have to commit fraud;
  • the motive; and
  • the rationalisation.

These elements may then be grouped by their likelihood and impact, alongside a documented explanation of why the classification has been chosen.

The guidance suggests that "nominated risk owners" in the organisation should take responsibility for developing risk typologies.

Proportionate risk-based prevention procedures

The inclusion of "risk-based" in the title reinforces the emphasis that authorities are likely to place on procedures being tailored to a business and that implementing 'template' procedures, unfocussed on the specific risks of the business, may not suffice when seeking to establish the reasonable procedures defence.

The guidance further suggests that best practice is for members of the organisation who were not involved in writing the fraud prevention plans to be responsible for assessing their effectiveness.

Some guidance is included on "limited circumstances" where it may be reasonable not to introduce measures in response to a particular risk. Such decisions must be documented and kept under review. Emergency situations are given as an example, recognising that not all emergencies are foreseeable. However, this is a time-limited defence and procedures should be put in place as quickly as possible following the emergency event.

The guidance advises that organisations should not duplicate existing work – the starting point is to assess existing regulatory compliance mechanisms and review whether current measures are sufficient to prevent fraud risks identified in the risk assessment. However, organisations cannot simply rely on existing processes as a defence under the ECCTA, even if these processes are prescribed under other regulations.

Due diligence

Organisations should take a risk-based approach to due diligence procedures and not simply apply existing procedures but carefully consider due diligence in relation to the offence.

It is recognised that organisations may already undertake a variety of procedures for due diligence in response to other business crime risks. Nonetheless, as with the proportionate procedures principle, applying existing procedures would not necessarily be considered an adequate response to the fraud risk.

The guidance gives an example of best practice which deploys "appropriate technology", such as third-party risk management tools, as a means of demonstrating that effective due diligence has been conducted.

Organisations should also ensure they have rigorous due-diligence procedures in place for mergers or acquisitions, with examples of best practice given, suggesting that extra focus may be placed on whether adequate due diligence was conducted in this area.

Communication (including training)

The organisation's fraud policy should be clearly communicated to and from all levels within an organisation, to ensure it is sufficiently embedded and understood.

Training should include ensuring staff are aware of whistleblowing policies, how to access whistleblowing arrangements, and how to respond to whistleblowing concerns. It is expected that greater scrutiny will be placed on an organisation's whistleblowing arrangements, which are dealt with under a separate heading in this section of the guidance.

The guidance emphasises that organisations should monitor the effectiveness of training programmes and ensure these are routinely updated, including in response to employee moves.

Monitoring and review

Fraud detection and prevention procedures should be monitored and reviewed in accordance with evolving changes in the risks faced by an organisation. The guidance indicates that the monitoring of fraud-prevention measures should involve three elements:

  • Detection of fraud and attempted fraud
  • Investigation
  • Monitoring the effectiveness of fraud prevention measures

The guidance provides questions that might usefully be considered for each element.

Organisations can conduct reviews in a manner that most suits their needs, including seeking advice from professional organisations such as law firms, examining previous enforcement action and conducting periodic reviews of financial crime prevention procedures.

Osborne Clarke comment

Businesses should be using the next 9 months to ensure they have reasonable procedures in place to prevent fraud, before the offence comes into force on 1 September 2025.

While organisations do not need to duplicate existing financial crime measures, it is important to stress that they cannot simply rely on existing procedures without having undertaken a focused fraud-based risk assessment.

As a starting point, given the reordering of the principles, we recommend that organisations place increased focus on their ability to demonstrate top-level commitment. We also suggest that organisations refresh or implement their whistleblowing procedures.

We believe that the wide potential scope of the offence means that it may be used to target a range of behaviours including corporate tax evasion and ESG-related crimes. On this latter point, of interest are the examples given in the guidance pointing to environmental crimes.

In future Insights, we will be considering in more detail specific behaviours caught within the scope of the new offence, including around tax and ESG risk.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.