UK’s incoming failure to prevent fraud offense: Four practical steps to take now
In 2022, the UK’s Law Commission published a Report on Corporate Criminal Liability in the UK. The Report was in response to a request by the UK government to consider challenges arising under the existing corporate criminal liability scheme and to propose possible improvements. Arising out of this Report, and the recommendations contained therein, is the Economic Crime and Corporate Transparency Bill. Among developments in the Bill is a provision addressing failure to prevent fraud, under which businesses can be held liable in certain circumstances for fraud committed by employees.
In particular, the proposed failure to prevent fraud offense extends liability to an organization when an associated person commits a specified offense for the organization’s benefit, unless the organization can show it had in place reasonable fraud prevention procedures. This is a strict liability offense, and the potential penalty is an unlimited fine.
At the moment, the Bill is the subject of ongoing debate between the House of Commons and the House of Lords, with the next debate scheduled to take place on October 18, 2023, as the two chambers consider the scope of the incoming offense of failure to prevent fraud. It is expected that the Bill may come into law as early as the end of 2023. Companies that may be impacted by the Bill should start considering the potential implications of the Bill generally – and in particular the new failure to prevent fraud offense – as soon as possible.
Below we set out four practical steps that your company can take now, in advance of passage of the Bill, to help prepare.
1. Assess your exposure
As a practical matter, step number one will be considering whether your business is exposed to liability for the offense of failure to prevent fraud. This is not straightforward: the primary issue currently under debate is the question of to which size businesses the new offense ought to apply.
At this stage, the Bill as drafted imposes potential liability on any business that meets two of the following three criteria:
- a turnover exceeding £36 million
- an annual balance sheet exceeding £18 million and
- over 250 staff.
However, proposed amendments from the House of Lords would include small and mid-sized enterprises, and if those amendments are accepted the Bill would additionally impose potential liability on any business that meets two of the following three criteria:
- a turnover of between £632,000 and £36 million
- an annual balance sheet between £316,000 and £18 million and
- between 10 and 250 staff.
Based on this proposed amendment, any change in the current thresholds will be designed to capture more, not fewer, businesses.
If a business currently meets two of the three criteria in the current Bill, it would be prudent to assume that the Bill, once in force, will apply – and even if a business is included only in the SME category – such that it would be covered under the amendments proposed by the House of Lords – the below steps would be worth considering.
2. Conduct a risk assessment
Once a company has determined that it has potential exposure to the failure to prevent fraud offense under the Bill, it should conduct a risk assessment to determine where within its business the potential for fraudulent conduct is the highest.
Most companies will have already considered these questions in the context of bribery, money laundering and broader compliance controls. However, a fresh risk assessment is warranted, given the parameters of this offense. In particular, most risk assessments regarding bribery, money laundering, or similar offenses often focus largely on higher-risk jurisdictions in which the company trades or operates. However, the underlying fraud offenses are broadly defined and include several offenses that would likely occur domestically, such as false accounting, obtaining services dishonestly, or cheating the public revenue. As a result, risk assessments that focus on conduct such as bribery may not capture the possible exposure created under this offense by individuals who do not regularly deal in high-risk jurisdictions or with external partners.
3. Enhance fraud detection procedures as needed
To the extent the risk assessment identifies gaps in procedures, those gaps should be closed as soon as possible. In closing those gaps, consider the requirement that the underlying fraud must be “for the organisation’s benefit” – this may require a corporation to focus attention on different parts of the business.
For example, your business may already have policies that will prevent or detect embezzlement for personal benefit, but those policies may not identify that same accountant creating false accounting records to recognize revenues sooner than they would otherwise be recognized, or in greater sums. Ensuring that internal policies and procedures are fit for purpose under the new failure to prevent fraud offense may require additional policies to be implemented.
4. Train, train, train!
While the offense is considered to be a strict liability offense – that is, the corporation itself (through managers or directors) does not need to have knowledge of the underlying fraud – the Bill does allow for certain defenses. In particular, an organization may have a defense if there were reasonable fraud prevention procedures in place, even if those procedures were not sufficient to in fact prevent the fraud that occurred. The current draft of the Bill also provides as a defense that it was not reasonable, in the circumstances, to expect the organization to have any prevention procedures in place. However, as a practical matter, it is unclear in what context this defense would be available in fact, and we would not recommend that any businesses proactively plan to take advantage of it.
The Bill requires the Secretary of State to issue guidance as to what “reasonable prevention procedures” means in the context of this offense, and such guidance will only be published once the Bill receives Royal Assent. However, trends arising from other contexts suggest that a company should be able to demonstrate strong anti-fraud messaging from the top of the business; effective risk assessment followed by design communication of policies and procedures; due diligence on third parties; ongoing monitoring and audit, and sufficient training protocols to ensure that all relevant employees are provided with the necessary guidance to comply with the relevant policies and procedures.
Importantly, training should be given as broadly as possible – the Bill applies to any “associated person,” which includes all employees, agents, or subsidiaries of the relevant organization, rather than just high-level employees.
Find out more about this coming legislation and its implications for your business by contacting any of the authors or your usual DLA Piper contact.
UK: Latest actions against corruption and financial crime by Parliament and the regulators
13 April 2023 .5 minute read
Corruption and Integrity Risks in Climate Action panel discussion
18 September 2023 .3 minute read