We are supplying this update on a law in effect in the UK. We believe the core philosophies here may be imported into US law to persuade entities to prevent fraud.
On 6 November 2024, the UK government released its Guidance on the offense of failure to prevent fraud (the Guidance), as introduced by the Economic Crime and Corporate Transparency Act 2023 (the Act).
Under the Act, a corporation may be criminally liable when a person associated with it commits a fraud offense to directly or indirectly benefit the company.
Corporations will have a defense if they can demonstrate that they have reasonable procedures to prevent fraud or that, in the circumstances, it was not reasonable to expect the organization to have prevention procedures in place.
The offense aims to make it easier for organizations to be held accountable for fraud committed for their benefit. It is intended to encourage more robust prevention procedures and inspire a change in corporate culture that collectively aims to prevent fraud.
This is an overview of what might be considered reasonable fraud prevention procedures.
Reasonable Fraud Prevention Procedures
Organizations are advised to adhere to six principles when developing their fraud prevention framework. These are as follows:
Top Level Commitment
Responsibility for preventing fraud lies with those in charge of the organization’s governance. This includes directors, partners, or senior managers. As part of their duty to prevent fraud, their role is likely to include:
Advocacy of the company’s commitment to preventing fraud.
Ensuring there is a clear governance structure to prevent fraud.
Dedication to training and resourcing.
Creating a culture whereby employees feel confident to report suspected fraud.
Risk Assessment
The Guidance provides a fraud triangle to assist organizations in developing their fraud prevention procedures:
Is there an opportunity to commit fraud? Which departments have the greatest opportunity to commit fraud? How likely is fraud detection? Is there anyone within the company who needs appropriate oversight?
Has the organization created a reward system that incentivizes fraud? Do financial targets or time pressures encourage employees to cut corners? Does the corporate culture discourage whistleblowing?
Does the organization subtly tolerate fraud? Is it a sector where fraud is prevalent? Has there been an emergency scenario that might be perceived as justifying fraud? Are there adverse consequences if individuals speak up?
Organizations should continuously assess the extent and nature of the risk of fraud. If an appropriate risk assessment has not been conducted, the courts may consider that reasonable procedures were not in place when the fraud was committed.
Proportionate Risk-based Prevention Procedures
An organization’s fraud prevention procedures should be proportionate to its activities’ nature, complexity, and scale. When considering what constitutes a proportionate risk-based prevention procedure, organizations can consider the following:
Reducing Opportunities for Fraud
Does the company conduct pre-employment and vetting checks? Is anti-fraud training provided for high-risk roles? How is access to sensitive information monitored or restricted?
Have any audits highlighted areas of particular concern that still need to be addressed?
Reducing Motive
Can internal reward structures be changed? Can improvements be made to reduce pressures that encourage cutting corners? Does the organization continually monitor potential conflicts of interest? Is it made clear that the rationalization of fraud or ethical fading is unacceptable?
Consequences
Are there transparent reporting and disciplinary procedures? Are outcomes of investigations and enforcements communicated and understood?
In some instances, it might not be appropriate to introduce measures in response to a risk. However, it is advised that this decision be documented and justified. It is also important to review such decisions and implement procedures if and when necessary.
The Guidance also accepts that organizations will likely be regulated under other regimes requiring fraud prevention policies. While organizations are not expected to duplicate existing work, they should be aware that it would not be an acceptable defense to argue that compliance under other regulations means the organization automatically has reasonable procedures as required by the Act.
Due Diligence
Companies should take a proportionate and tailored risk-based approach to conducting due diligence. This emphasis on due diligence will ensure the thoroughness of their risk assessment and provide a sense of security about their fraud prevention measures.
For associated persons, this could include using technology to conduct checks into prior professional history, reviewing service contracts to ensure they contain compliance clauses, or monitoring the well-being of staff to ensure workload does not incentivize the commission of fraud.
For mergers and acquisitions, it might involve using third-party tools, investigating any regulatory or criminal charges, reviewing tax documentation, identifying the firm’s risk exposure, and assessing its fraud prevention measures.
Communication
Clear communication should ensure that fraud prevention policies are embedded and understood throughout the organization. This should be enforced across all levels of the organization, not just by senior management.
The organization’s representatives might need to undergo fraud prevention training. Such training should cover the nature of the offenses most likely to be committed and should be reviewed and updated, particularly when staff movements occur.
Organizations should also have suitable whistleblowing procedures. These include implementing independent whistleblowing reporting channels, signposting whistleblowing arrangements, creating a culture where people feel confident raising concerns, and training staff to be aware of and understand the processes.
Monitoring and Review
Organizations should monitor and review their fraud prevention procedures and update them if and when necessary.
Monitoring includes detecting fraud, investigating suspected fraud, and monitoring fraud prevention measures.
The nature of the risks that organizations face will likely evolve. Organizations must adapt their fraud detection and prevention procedures to respond to such changes. The frequency of such reviews will depend on the organization. Still, they should be conducted at regular intervals and with the flexibility to conduct an earlier review if necessary. This continuous monitoring and review process will provide reassurance about the effectiveness of your fraud prevention procedures.
What Does This Mean?
Failure to prevent fraud will become an offense on 1 September 2025. This allows organizations to utilize the practical steps outlined by the Guidance to develop and implement reasonable fraud prevention procedures before the offense comes into effect.
The Guidance is not designed to act as a fully comprehensive checklist. Departure from the Guidance does not necessarily mean that reasonable fraud prevention procedures are not in place. Conversely, strict compliance with the Guidance is not, on its own, enough to guarantee that reasonable procedures have been implemented. Everything will be considered on a case-by-case basis, and those with higher risks for fraud will be expected to address specific issues that others might not.
Organizations should review, update, and monitor any existing and future fraud prevention procedures. They must demonstrate that they have reasonable procedures on the balance of probabilities.