Failure to prevent fraud – what you need to know about the new offence

02 July 2024

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced a new offence of failure to prevent fraud (FTP Fraud Offence) for large organisations, as part of a wider reform of corporate criminal liability. It applies to individual and group organisations where the organisation is the beneficiary of the fraud, rather than the victim. In this briefing, we look at the FTP Fraud Offence in more detail, what's in scope, the potential penalties, and steps that organisations might take to avoid liability.



The FTP Fraud Offence

Fraud offences

  • Fraud by false representation
  • Fraud by failing to disclose information
  • Fraud by abuse of position
  • Obtaining services dishonestly
  • Participation in a fraudulent business
  • False statements by company directors
  • False accounting
  • Fraudulent trading
  • Cheating the public revenue

An organisation can be liable for the FTP Fraud Offence if a person associated with it commits a fraud offence with the intention of benefiting the organisation, or any person to whom the associated person provides services on behalf of the organisation. See the summary above for the specific fraud offences.

Alternatively, the FTP Fraud Offence may be committed if an associate of the organisation aids, abets, counsels or procures any of the listed offences.

The new FTP Fraud Offence is similar to the UK's existing failure to prevent (FTP) offences (namely FTP bribery under the Bribery Act 2010 and FTP the facilitation of tax evasion under the Criminal Finances Act 2017), but covers a much broader range of factual scenarios.

Importantly, if the fraud was committed by an associated person for personal gain at the expense of the organisation and/or the organisation was, or was intended to be, a victim of the fraud, the organisation will not be liable as this would not meet the criteria of "intention to benefit the organisation".

Note: The underlying fraud offences have broad jurisdictional scope and allow for part of any criminal conduct to take place overseas.

Scope – what is a 'large' organisation?

The FTP Fraud Offence applies to all large organisations, including corporate bodies, subsidiaries and partnerships. This means that in addition to businesses, large not-for-profit organisations, such as charities, are also in scope, as well as incorporated public bodies.

A large organisation is one that meets two out of three of the following criteria:

  • More than 250 employees.
  • More than £36 million turnover.
  • More than £18 million in total assets.

However, the Government has indicated that the impact of the offence will be kept under review and the threshold at which companies are excluded amended in future, if necessary.

Whereas the FTP bribery offence only applies to companies and partnerships incorporated, formed or carrying on business, or a part of a business, in the UK, the FTP Fraud Offence applies irrespective of the place of incorporation or formation of the organisation. So, for example, if an employee commits fraud under UK law, or targets UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.

Application to groups

If resources held across a parent company and its subsidiaries cumulatively meet the size threshold, that group of companies will be in scope of the failure to prevent fraud offence.

Liability can be attached to whichever individual entity within the group was directly responsible for failing to prevent the fraud. However, if a fraud was committed by a subsidiary employee for the benefit of the parent company, and the parent company did not take reasonable steps to prevent it, liability can, alternatively, be attached to the parent company.

Examples of potential third party associated persons

  • Contractors and subcontractors
  • Distributors and agents
  • Franchisees
  • Consultants
  • Intermediaries
  • Subsidiaries
  • Joint venture partners and entities
  • Third party service providers e.g.
    • IT support
    • Payroll services

Who is an "associated person"?

A person is "associated" if the person is:

  • An employee, agent, or subsidiary of the organisation.
  • An employee of a subsidiary of the organisation.
  • Any other person who performs services for or on behalf of the organisation.

The definition of associated person has the potential to capture a wide range of persons and activities - see some examples in the summary above.

Note: The definition under ECCTA is slightly broader than the equivalent definitions under the Bribery Act 2010 and Criminal Finances Act 2017. For example, employees and agents are automatically classified as associated persons under ECCTA, whereas under the Bribery Act 2010 they are presumed to be associated persons unless the contrary is shown.

Steps that can be taken to avoid liability

An organisation can avoid liability for the FTP Fraud Offence if it can prove that it had reasonable prevention procedures in place (i.e. procedures designed to prevent associated persons from committing fraud offences). Note that the requirement of reasonable procedures is a slightly lesser standard than the adequate procedures required for an organisation to defend itself against the FTP bribery offence.

There may also be circumstances where it is reasonable to have no fraud prevention procedures in place (for example, organisations where the risk is extremely low).

The Government has a statutory duty to publish guidance to set out what would be considered reasonable fraud prevention procedures, clarifying the expectations on business. It has previously said that the legislation will only become law six months after the guidance on the relevant procedures is published.

Liability and penalties

The offence carries strict liability and it will not be necessary to prove that a company's management knew about or ordered the fraud. The Government intends this to discourage organisations from turning a blind eye to fraud by employees which may benefit them.

Organisations convicted under the new offence will be liable for financial penalties, as well as a real risk of reputational damage.

Next steps - action to consider taking

The Government has already sought the views of various organisations to shape the guidance on relevant prevention procedures, and in May 2024 suggested that the guidance might be published early in the summer. Although this has not been entirely ruled out, it now seems unlikely that the guidance will be published before, or even soon after, the election or that the offence will come into force before next year.

There are also calls for additional time to be given to organisations in scope to consider changes to their procedures. But irrespective of whether the period is six months or longer, organisations can already start taking action, in particular:

  • Undertaking an assessment to determine where the fraud risk may arise, and the categories of persons most likely to commit fraud on the organisation's behalf. Although a starting point may be existing risk assessments carried out in the context of the Bribery Act and the Criminal Finances Act, the areas of greatest risk under ECCTA are likely to be different.
  • Reviewing any existing policies and procedures in light of the new legislation.

If you would like to discuss these changes and how they will impact your business, please contact Jeremy Millington, Sharon Ayres or your usual Gowling WLG contact.

