Takeaways

  • The new Failure to Prevent Fraud offense will come into force on September 1. It has extraterritorial effect and significantly expands corporate liability for nine types of fraud committed by associated persons.
  • The UK SFO Director has publicly stated that from September 1, the SFO will be looking for companies to prosecute.
  • Failure to have reasonable fraud prevention procedures in place will result in unlimited fines, reputational damage and regulatory scrutiny.

The long-awaited new corporate offense of Failure to Prevent Fraud (FTPF) under the UK’s Economic Crime and Corporate Transparency Act 2023 (ECCTA) will come into force on September 1, 2025. The ECCTA was born out of lobbying efforts by the UK white collar community for over a decade to improve corporate accountability. The ECCTA extended corporate criminal liability for economic crimes so as to hold corporations liable where an offense is committed by a senior manager of the corporation. Previously, the law required that an offense was committed by the “directing mind and will” of a corporation.

Nick Ephgrave, Director of the SFO, said it is “very, very keen” to bring charges against companies under the new offense, noting that “We’re telling [companies] how to avoid getting trouble” and “come September, if they haven’t sorted themselves out, we’re coming after them.”

Overview of the Offense
A large organization may be criminally liable where an employee, agent, subsidiary or other “associated person” commits a fraud intending to benefit the organization (or a client of the organization) and the organization did not have reasonable fraud prevention procedures in place.

The offense is a strict liability one—meaning there is no need to show complicity or even knowledge of directors or senior management. The onus, therefore, is on the organization, where it seeks to rely on the defense, to prove, on the balance of probabilities, that it had reasonable prevention procedures in place.

The offense will not extend to individual liability for persons within an organization who may have failed to prevent the fraudulent behavior. However, this does not preclude the employee or agent who committed the base fraud, or anyone who encouraged or assisted them, being prosecuted for the base fraud in addition to the organization being prosecuted for failing to prevent it.

Who the Offense Applies to and Extraterritoriality
The offense applies only to a “large organization” that satisfies at least two of the following criteria:

  • More than 250 employees
  • More than £36 million turnover
  • More than £18 million in total assets

These conditions apply to the financial year of the organization that precedes the year of the base-fraud offense.

Note that these criteria apply to the whole organization, including subsidiaries, regardless of where the organization is headquartered or where its subsidiaries are located.

If an individual subsidiary meets the criteria, it could be liable for the offense in its own right. Additionally, the subsidiary of a large organization, which is not itself a large organization, can be prosecuted rather than the parent organization if an employee of the subsidiary commits a fraud intending to benefit the subsidiary.

The offense applies not only to UK companies and partnerships, but also to overseas companies and partnerships that have a UK nexus, i.e., if a part of the base fraud took place in the UK, or if the gain or loss occurred in the UK.

Therefore, if a UK-based employee commits fraud, the employing organization could be prosecuted wherever it is based.

Similarly, if an employee or associated person of an overseas-based organization commits fraud in the UK, or targets victims in the UK, the organization could be prosecuted.

Types of Fraud Covered by the Offense
The offense applies to specific fraud offenses, i.e., “base-fraud” offenses:

  • Fraud by false representation (Section 2 Fraud Act 2006)
  • Fraud by failing to disclose information (Section 3 Fraud Act 2006)
  • Fraud by abuse of position (Section 4 Fraud Act 2006)
  • Participation in a fraudulent business (Section 9 Fraud Act 2006)
  • Obtaining services dishonestly (Section 11 Fraud Act 2006)
  • False accounting (Section 17 Theft Act 1968)
  • False statements by company directors (Section 19 Theft Act 1968)
  • Fraudulent trading (Section 993 Companies Act 2006)
  • Cheating the public revenue (common law)
  • Aiding, abetting, counseling or procuring any of the above

An organization can be prosecuted if the associated person’s conduct constitutes a base-fraud offense, even if the associated person is prosecuted for an alternative offense or is not prosecuted at all.

Who Constitutes an “Associated Person”

The corporate offense can only take place if the person commits a base fraud whilst acting in the capacity of a person associated with the organization. Essentially, anyone providing services for or on behalf of the organization can be an associated person (regardless of whether they are under contract or not), including:

  • employees, agents, subsidiaries—all of whom are automatically regarded as associated persons;
  • contractors, distributors, franchisees;
  • joint venture partners; and
  • payroll providers, HR service firms.

It is important to note that those providing services to an organization, rather than for or on behalf of, are not associated persons, e.g., external lawyers, valuers, accountants or engineers.

Small organizations may be associated persons while they provide services for or on behalf of large organizations.

A subsidiary undertaking of a large organization can also be an associated person. For example, if a senior manager of a subsidiary commits a base-fraud offense where the beneficiary is the parent organization, or its clients to whom the subsidiary provides services for or on behalf of the parent organization, it is possible for the parent company to be prosecuted for FTPF.

Companies within an organization’s supply chain are not associated persons unless they are providing services for or on behalf of the organization.

The Intended Beneficiary Is Key
An organization does not need to actually receive any benefit for the offense to apply—it is sufficient that the organization or its clients were intended to be the beneficiary. Moreover, the benefit may be financial or non-financial.

Intent to benefit is to be judged according to the position of the associated person at the time they commit the fraud offense.

The intention to benefit the organization does not have to be the sole or dominant motivation for the fraud—the offense can apply where a fraudster’s primary motivation was to benefit themselves, but where their actions will also benefit the organization, and there is no threshold below which the organization is deemed not to have benefited from the fraud.

Defense of Reasonable Fraud Prevention Procedures
What is considered reasonable will vary depending on the size, structure and risk profile of the organization, and the complexity of its operations. The greater the risk of fraud, the stronger the controls to prevent it will need to be.

Depending on an organization’s structure, implementing group-level policies or training and ensuring that there is a nominated person responsible for fraud prevention in each subsidiary should be considered. For groups based outside of the UK, whether it is appropriate to adopt group-wide policies could depend on the extent to which the activities of organizations within the group take place in the UK or give rise to a risk of fraud involving victims in the UK.

The UK Government in its Guidance on the offence of FTPF outlines six core principles that organizations should consider when designing their fraud prevention network—these principles are intended to be flexible and outcome-focused:

  • Top Level Commitment. Examples include mission statements, a chairman’s/CEO’s letter, “fraud champions,” allocating a proportionate budget for compliance, and fostering a culture of openness and integrity.
  • Risk Assessment. Extend existing risk assessments to include the risk of the base frauds, identify typologies of associated persons, classify each inherent risk by its likelihood and impact, and provide a description of why that classification has been chosen.

The risk assessment should be kept under review to ensure it remains fit for purpose.

  • Proportionate Risk-Based Prevention Procedures. The reasonableness of procedures should take account of the level of control, proximity and supervision the organization is able to exercise over a particular person acting on its behalf, e.g., it is likely to have greater control over the conduct of an employee than that of an outsourced worker performing services on its behalf. Nonetheless, appropriate controls should be implemented via the relevant contract.

Similarly, where a supply chain involves several entities or a project is to be performed by a prime contractor with a series of subcontractors, an organization is likely only to exercise control over its relationship with its contractual counterparty.

Where the prime contractor sub-contracts to persons or entities that could be associated persons of the organization, the organization may consider employing risk-based due diligence and the use of relevant fraud prevention terms and conditions in the contract with its prime contractor counterparty, and request that counterparty to adopt a similar approach with the next party in the chain.

In some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment. Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorized that decision.

It is not necessary or desirable for organizations to duplicate existing work; organizations are advised to assess whether their existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment. Large organizations that operate internationally may already use various international standards for testing fraud prevention controls, e.g., “Evaluation of Corporate Compliance Programs” published by the U.S. Department of Justice.

  • Due Diligence. Merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud.

Review contracts with those providing services to include appropriate obligations requiring compliance and the ability to terminate in the event of a breach where appropriate.

  • Communication (Including Training). Integrate fraud messaging into existing policies and procedures, e.g., policies related to sales targets or customer interactions could include a brief statement addressing fraud rationalization (“ethical fading”) and the potential consequences of committing fraud.

Organizations may incorporate training into their existing financial crime prevention training or introduce bespoke training to address specific fraud risks. Also, they may choose either to train third-party associated persons or encourage them to ensure their own arrangements are in place.

Training should include ensuring that staff and other associated persons are familiar with whistleblowing policies—it may be helpful to have reminders of the procedures in internal communications.

  • Monitoring and Review. Feedback loop—consider communicating outcomes of whistleblower alerts and fraud-related investigations to staff and other associated persons.

Risk assessments should be conducted annually.

Conclusion
Repercussions for organizations that do not have reasonable measures in place to prevent fraud are unlimited fines, reputational damage and regulatory scrutiny.

To avoid being in the crosshairs of the SFO, in the very limited time remaining to September 1, organizations are urged, at a minimum, to:

  • conduct a fraud-risk assessment;
  • evaluate existing controls against the six principles;
  • record decisions and rationale; and
  • update contracts, policies and training, where necessary.