Publication of UK Government guidance on failure to prevent fraud offence

This article was co-authored by Tom Fennelly, Trainee Solicitor, London.

After months of waiting, not helped by the pause in the UK Government’s work following this year’s General Election, the Home Office published its guidance (Guidance) on 6 November on the new corporate criminal offence of failure to prevent fraud (FTPF), which was brought in by the Economic Crime and Corporate Transparency Act (ECCTA) 2023. Please see our article for further detail on the FTPF offence.

With the Guidance firing the starting gun, corporates now have until 1 September 2025 to consider existing compliance procedures, or introduce more robust ones, to counter the effect of associated persons (e.g. employees, subsidiaries, agents, consultants) committing a fraud for the benefit of the entity.

A more mature approach to compliance

The Guidance not only offers an overview of the FTPF offence, including which organisations are within scope, but also takes a mature and more practical approach to compliance. It also sets out what is expected of businesses in an age where corporate compliance programmes have (or at least should have) been at the top of a business’s agenda.

In acknowledging a sea-change in the way compliance systems should have matured since the coming into force of the Bribery Act 2010, the Guidance doffs its cap to what should already be in place, but adds that corporates should not rest on their laurels by solely relying on what is already there.

Requirements for fraud prevention frameworks and systems

Chapter 3 of the Guidance may be most pertinent for corporate clients as it sets out specifically what any existing or prospective fraud prevention frameworks and systems should include. These are discussed briefly below:

1. Top level commitment

“Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation”.

The role of senior management, including the board of directors and partners, is likely to include endorsing the organisation’s stance on preventing fraud and ensuring governance across the organisation through a commitment to training and resourcing.

2. Risk assessment

“The organisation assesses the nature and extent of its exposure to the risk of the employees, agents and other associated persons committing fraud in scope of the offence”.

The Guidance accepts that many organisations will have in place existing risk assessment practices, and that it may be more effective to simply extend these practices, whilst highlighting that risk assessments are not ‘one-off’ exercises.

3. Proportionate risk-based prevention procedures

“An organisation’s procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities”.

The Guidance explains that a proportionate risk-based prevention procedure should stem from the findings of any risk assessment and is contingent upon it. The Guidance accepts that many organisations will already be subject to other regulations. However, whilst it does not intend for work to be duplicated, simply relying on other compliance processes as an indication of prevention procedures being in place may not be sufficient.

4. Due diligence

“The organisation applies due diligence procedures, taking a proportionate risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks”.

While many organisations will have due diligence processes in place, the Guidance urges organisations to consider a more tailored due diligence process to capture all potential fraudulent activities.

5. Communication

“The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through key internal and external communication”.

Focusing on training and whistleblowing, the Guidance offers advice as to integrating fraud messaging into existing policies and procedures such as sales targets and customer interactions.

6. Monitoring and review

“The organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary”.

The Guidance advises on the range of available measures to detect fraud and attempts at fraud by setting out a series of questions relevant organisations can ask themselves, such as those regarding the data analytics tools that are being used and how staff are being encouraged to speak up in relation to any suspicion of fraudulent activity. The Guidance also offers questions as to the investigative process of suspected frauds, such as queries around the authorisation process and the documentation of an organisation’s decision to perform an investigation.

The final section of the Guidance considers the interaction and overlap between legislative and regulatory regimes. Providing illustrations of such overlaps, and having regard to the UK Corporate Governance Code, the Guidance explains that auditing requirements in the Companies Act 2006, case law, practitioners’ texts and accountancy profession journal articles remain integral to identifying fraudulent actions and should therefore be used when addressing any fraud risks that the business may face.

Related items:

Read other items in Commercial Brief - November 2024