Failure to prevent fraud: Steps to take ahead of the UK government's guidance being published

The failure to prevent fraud offence is now likely to come into force in the first half of 2025, once the government has published guidance prescribed by the Act. It will be followed by an implementation of at least six months.

This offence is part of a significant reform of corporate criminal enforcement in the UK and dovetails with the senior manager regime (see our earlier Insight). The clear intention of both these legislative changes is to make it easier to prosecute commercial organisations.

The Serious Fraud Office and the Director of Public Prosecution have stated that they intend to make early and full use of these new powers, and we expect them to have a similar (if not greater) impact than the Bribery Act had, which came into force over a decade ago.

What is the offence?

The new offence makes an organisation liable if it fails to prevent a listed offence (see below) from being committed where: (i) an employee or agent commits the fraud; and (ii) the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.

As with the Bribery Act, a defence of having “reasonable procedures” to prevent fraud is available. This means it effectively requires organisations to review and enhance their anti-fraud systems and controls to cover fraud committed for their benefit by employees, subsidiaries or third party agents.

What organisations will the offence apply to?

The offence will only apply to "large organisations".  The threshold will be met if an organisation satisfies two or more of the following conditions in the financial year preceding the year of the offence:

• more than 250 employees:
• more than £36 million turnover; and/or
• assets of more than £18 million.

Although not directly impacted by the offence, small and medium enterprises are still likely to need to have in place anti-fraud procedures, as they will be an "associated person" of  the large organisation, who will want to ensure that the SME has anti-fraud measures as part of being able to demonstrate that it has reasonable procedure in place to prevent fraud.

What types of fraud does this capture?

The offence applies to the following offences:

• fraud by false representation (section 2, Fraud Act 2006)
• fraud by failing to disclose information (section 3, Fraud Act 2006)
• fraud by abuse of position (section 4, Fraud Act 2006)
• obtaining services dishonestly (section 11, Fraud Act 2006)
• participation in a fraudulent business (section 9, Fraud Act 2006)
• false statements by company directors (Section 19, Theft Act 1968)
• false accounting (section 17, Theft Act 1968)
• fraudulent trading (section 993, Companies Act 2006)
• cheating the public revenue (common law)

The offence includes tax evasion, and brings the risk of corporate liability for tax evasion closer to the organisation than the existing failure to prevent the facilitation of tax evasion offence. Businesses can anticipate that HM Revenue & Customs and the Crown Prosecution Service may be likely to launch more corporate enforcement actions using this power.

Jurisdictional reach of the offence

While the Act contains no express provision in respect to territoriality, a government policy paper published in 2023 states:

"If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas".

What will constitute reasonable procedures?

While the guidance is still awaited, it seems that the defence will be built around the six pillars that underpin the Bribery Act, which organisations will be familiar with:

• proportionate procedures
• top level commitment
• risk assessment
• due dilligence
• communication and training
• monitoring and review.

It is likely that there be some refocussing of these elements for the purposes of the new offence.

It will also be possible to advance a defence that it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place, although it is anticipated that this will only be likely to apply in exceptional circumstances.

What should organisations do now?

Organisations should be taking steps to mitigate the risk that this new offence will present ahead of it coming into force.

Most importantly, risk assessments should be reviewed and, if necessary, refreshed with specific reference to the fraud issues that the organisation could be exposed to. This will require input from compliance personnel with appropriate experience to ensure that informed and objective assessment is reached.  

Based on the results of that assessment, the following steps should be considered:

• new or augmented anti-fraud policies and procedures;
• training, including tailored training for those who might be present most risk;
• review of and reinforcement of relevant financial controls;
• conducting necessary due diligence on both counterparties and in relevant transactions, particularly where third party agents may be involved;
• putting in place anti-fraud contractual provisions for third parties;
• putting in place effective audit and monitoring processes in relation to fraud; and
• ensuring that a system is in place to regularly review internal systems and

Whatever measures are needed to address the risks faced by an organisation, fraud should be prioritised by senior management and included as a board agenda item so that a clear tone from the top can be demonstrated.

If you would like to discuss the issues raised in this Insight, please get in touch with your usual Osborne Clarke contact, or one of our experts below