On 6 November 2024, the UK Government published its guidance to organisations on the offence of failure to prevent fraud, providing detail on how the offence is to operate and how companies can put in place ‘reasonable’ fraud prevention policies and procedures. 

Companies now have ten months to implement these changes, with the offence coming into force on 1 September 2025. The guidance makes clear that the offence is designed to drive a culture shift, led from the top. Given the increased responsibilities on boards and the risk of subsequent regulatory actions and prosecutions, D&Os and their insurers would do well to take note. 

By way of reminder, in general terms, for organisations in scope (large organisations, as defined in the Act, across all sectors) to be found liable under the new ‘failure to prevent fraud’ offence, there must be:  

  1. a specified fraud offence: 
  2. committed by an “associated person” 
  3. which is committed with the intention of benefiting the relevant body (i.e., the large organisation) or its clients, in circumstances where that organisation does not have reasonable fraud prevention procedures in place. 

We do not discuss here all of the points raised in the guidance but note a few pertinent points that the guidance clarifies:

  • Reasonable procedures
    • The question of whether a relevant organisation can advance a defence that it had reasonable procedures in place is a matter that can only be resolved by the courts, judged on the balance of probabilities, taking into account the particular facts and circumstances of the case. The onus falls on the organisation to prove it had reasonable procedures. 
    • The guidance sets out a framework for what reasonable fraud prevention procedures should look like which reflects that in respect of other corporate crime offences, including the failure of relevant commercial organisations to prevent bribery and the failure of relevant commercial organisation to prevent the facilitation of tax evasion. 
    • The procedures should be informed by the following six principles:
      • Top level commitment 
      • Risk assessment 
      • Proportionate risk-based prevention procedures 
      • Due diligence 
      • Communication (including training) 
      • Monitoring and review.
    • Detail on these principles, plus a range of examples, are set out in Chapter 3 of the guidance.
    • Departure from the suggested procedures contained within the guidance will not automatically mean that the organisation did not have reasonable fraud prevention procedures in place. Equally, the guidance is not intended to provide a safe harbour: “even strict compliance with the guidance will not necessarily amount to having reasonable procedures where the relevant body faces particular risks arising from the unique facts of its own business that have not been addressed” (section 1.2).
  • Territorial Scope - The Act is silent on the extra-territorial jurisdictional reach of the new offence but the guidance states: “The offence will only apply where the associated person commits a base fraud offence under the law of part of the UK. This requires a UK nexus. By UK nexus, we mean that one of the acts which was part of the underlying fraud took place in the UK, or that that the gain or loss occurred in the UK. If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based. If an employee or associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted” (section 2.5).
  • Intention - The “intending to benefit” aspect is key to the offence (section 2.4) – “An organisation does not need to actually receive any benefit for the offence to apply - since the fraud offence can be complete before any gain is received.” This intention is judged according to the position of the associated person at the time they commit the fraud offence and the intention does not have to be the sole or dominant motivation for the fraud and the benefit can be financial or non-financial.
  • Prosecution - The organisation can be prosecuted “even if the associated person is prosecuted for an alternative offence or is not prosecuted at all” (section 2.2). Conviction of an associated person can be used in evidence in proceedings against the organisation but if the associated person is not prosecuted, “then the prosecution must prove, to a criminal standard, that the associated person did commit the base fraud offence before the organisation can be convicted of failure to prevent fraud.”
  • Cooperation – The guidance notes the importance of systems and controls in detecting matters to self-report and that “The organisation’s willingness to co-operate with an investigation under the Economic Crime and Corporate Transparency Act and to make a full disclosure will also be taken into account in any decision as to whether it is appropriate to commence criminal proceedings and if so, which type of proceedings (for example, a prosecution or a deferred prosecution arrangement)” (section 2.7.1). As with the other 'failure to prevent' offences, prosecutions could result in a Deferred Prosecution Agreement and we have seen that cooperation is key to not only securing one but to achieving a reduced fine. This cooperation could include implicating wrongdoing individuals, who may then face subsequent prosecutions (though note the points made in the 'Prosecution' section above).
  • Professional advisers - The Act states that “associated persons” includes a person who otherwise performs services for or on behalf of an organisation (does not include the providing of goods). It had been thought that this might pull in external professional advisers to the organisation but the guidance confirms: “providing services for or on behalf of the relevant body” does not include providing services to the relevant body. Thus, persons providing services to an organisation (for example, external lawyers, valuers, accountants or engineers) are not acting “for or on behalf” of the organisation. This means they would not be associated persons for the purposes of the offence” (section 2.3). This is a welcome clarification and minimises issues with dual insurance. 

The onus is very much placed on organisations - and their D&Os to implement a cultural shift and take accountability for what goes on in their organisations.

In addition to the administrative demands and the risk of prosecutions, regulated firms and D&Os may also face FCA investigations. Not only is tackling financial crime and fraud a key priority for the regulator but there has been a notable focus on systems and controls failings in recent years, with significant fines imposed.