The UK government have now released further details on the new ‘failure to prevent fraud’ offence in their recently published fact sheet covering the scope, purpose, application and potential penalties associated with the proposed new legislation.
Whilst the scope of the offence has been narrowed to exclude money laundering (perhaps through recognition of the existing ML regime), this will still represent a really positive step in the fight against fraud, alongside other actions underway and in the pipeline such as the incoming corporate reforms on fraud, the ten-year fraud strategy due for publication this month and a renewed focus on fraud from the SFO and FCA.
The new legislation will make it easier to prosecute organisations where a fraud is committed by an employee or ‘agent’ (which I assume will be further defined in due course, possibly to specifically include supply chain elements), for the organisation’s benefit, and where the organisation did not have “reasonable fraud prevention procedures” in place. It will require an organisation to think broadly about the fraud risks to which it is exposed, and in particular, those frauds where it is seen to benefit. This includes, for example, manipulating financial statements prior to a fundraise, misrepresenting products it sells, or the manufacture thereof, or even using a customer dataset it obtains improperly. An organisation will also need to ensure it designs and embeds robust processes and controls to mitigate the risks accordingly.
Further guidance will be published by the government as to what constitutes “reasonable procedures” in due course after the Economic Crime and Corporate Transparency Bill receives its Royal Assent, so likely 2024. However, information provided to date suggests that the guidance will be principles-based, akin to the structure and application of the UK Bribery Act 2010 (UKBA) and Criminal Finances Act (CFA), i.e. covering Risk Assessment, Proportionate Procedures, Top-level Commitment, Due Diligence, Communication, and Monitoring & Review. Organisations that can demonstrate that they have a clear and robust fraud risk management framework in place in line with these guidelines will have a defence, should a fraud offence occur, that will protect them from potentially significant punishment.
Interestingly, the offence will only apply to large organisations, defined as such under the Companies Act 2006. The Companies Act threshold of a ‘large organisation’ is lower than the PIE threshold coming in under the incoming corporate reforms, and thus this offence will apply to a much wider spectrum of organisations than the corporate reforms do. However, I would expect that as the bar is raised in large organisations, this expectation will trickle down to smaller organisations as a result of their engagement with those in-scope larger businesses through supplier and other types of relationships. A large organisation will wish to ensure that its robust fraud risk management framework covers its extended enterprise.
As part of the likely uplift in activity in the corporate sector, I think it will be important for organisations to ensure they consider the overlap that exists between risk domains (such as fraud, Environmental, Social and Governance (ESG) and Modern Slavery) and ensure their approaches encompass it, to drive efficiency and effectiveness.
As noted above, large UK Public Interest Entities (PIEs) should already have begun their journey to enhance their proactive fraud risk management capabilities in light of the incoming corporate reforms, as outlined in our blog post “Fraud regulation & UK SOX: Are you ready? | Deloitte UK”. With convicted organisations facing unlimited fines, I would expect the new legislation to drive a significant shift in corporate culture and raise the expectations on board members and senior stakeholders to oversee the implementation of robust fraud prevention measures.
I noted above that the new offence will likely come into force at some point in 2024. However, given the fact sheet guidance, and whilst some elements of the new legislation remain unclear (such as how jurisdictional aspects will work exactly), I think organisations would be wise to start their preparations now.