Stand by for guidance

The failure to prevent fraud offense, a key provision of the U.K.’s 2023 Economic Crime and Corporate Transparency Act, is expected to go into force later this year or 2025. The offense, part of the government’s overall strategy to fight financial crime, is meant to encourage corporate accountability for fraud. In this article, anti-fraud professionals assess the new law and consider what organizations might do to prepare as they await government guidance on “reasonable procedures” rules to prevent fraud.

In 2020, British banking giant Barclays was acquitted of conspiring with its senior executives to arrange an illegal payment with Qatar. The executives had arranged the payment to save the bank from needing a public bailout during the 2008 financial crisis. A jury later cleared senior executives Roger Jenkins, Thomas Kalaris and Richard Boath of fraud for their roles in the deal.

The U.K. Serious Fraud Office charged the bank and its executives with fraud in 2017, alleging that the trio made fraudulent advisory services agreements to disguise payments of 322 million pounds to Qatar. According to the SFO, those payments were fees paid in exchange for the Gulf state’s 4-billion-pound investment in Barclays and allowed it to buy shares in the bank at a discounted price not available to other investors. (See “No ‘directing mind and will’ found in SFO prosecution of Barclays,” Herbert Smith Freehills, May 5, 2020; “Three former Barclays executives found not guilty of fraud,” by Kalyeena Makortoff, The Guardian, Feb. 28, 2020; and “Former Barclays executives cleared of fraud charges,” by Andy Verity, BBC, Feb. 28, 2020.)

In the case, the court determined that the executives didn’t represent the ‘directing mind and will’ of Barclays, so the bank wasn’t liable for the fraud. The acquittal of Barclays and its senior executives was considered a major blow to the SFO and emblematic of its difficulties in prosecuting fraud cases against major corporations. One reason for this, some legal experts say, is the test that had long been used for determining corporate criminal liability in the U.K. — the identification doctrine. According to this doctrine, an offense must be committed by the “‘directing mind and will’ of a corporation to trigger attribution to the corporate itself.” (See “Factsheet: identification principle for economic crime offences,” Gov.Uk, updated Oct. 26, 2023.) If the person(s) identified as the “directing mind and will” of the corporation commits a crime, then the corporation is considered liable. Critics say that this framework has long created an uphill battle in the U.K. government’s fight against corporate wrongdoing. It’s this very framework that the 2023 Economic Crime and Corporate Transparency (ECCT) Act, is supposed to rectify with its failure to prevent fraud offense. The new offense is a strict liability offense in the vein of the U.K. Bribery Act that made organizations liable to prevent bribery. In the case of the failure to prevent fraud’s strict liability test, there’s no requirement to prove that a company’s senior management was involved in, or even knew about, misconduct for the organization to be held liable. (See “UK Corporate Criminal Liability: Reform of the Identification Principle,” by Alistair Graham, Chris Roberts, and Hormis Kallarackel, Mayer Brown, July 26, 2023 and “Thoughts on the new Economic Crime and Corporate Transparency Act - A New Era for Corporate Criminal Liability in the UK,” by Anneka Randhawa, Jonah Anderson, Ed Pearson, Mhairi Fraser, White & Case, Nov. 9, 2023.)

Fraud is the most common crime in the United Kingdom. In 2022, fraud accounted for 40% of crime in England and Wales — 7% of adults had either been a victim of fraud or had a fraud attempt made against them, according to a U.K. Parliament report.

The ECCT’s failure to prevent fraud offense is supposed to go into force in late 2024 or 2025. Newly named SFO Director Nick Ephgrave has hailed it “the most significant boost to the [SFO]’s ability to investigate and prosecute serious economic crime in over 10 years.” (See “Thoughts on the new Economic Crime and Corporate Transparency Act.”) In its fact sheet, the U.K. government says that the failure to prevent fraud offense is meant to encourage companies to look inward to implement or improve their fraud prevention programs, “driving a major shift in corporate culture to help reduce fraud.” (See “Factsheet: failure to prevent fraud offence,” UK.gov, updated Oct. 26, 2023.) But, as the offense has yet to go into force, it’s unclear just how effective it will ultimately be in this endeavor. Yet even more pressing for organizations is the question of how they’ll  be expected to comply with the law. An important part of the offense is that organizations will be able to defend themselves against charges of liability if they’re able to show they had “reasonable procedures” in place to prevent fraud. Right now, those are unknown, as the U.K. government is expected to publish its guidance later this year. Until then, anti-fraud experts in the U.K. say the time is now for organizations to get up to speed on their fraud prevention measures.

“Organizations need to look at their structure and their culture,” says Ashu Sharma, CFE, a corporate investigator with a global mining company in London. “I’d look at conducting fraud risk assessments. I’d look at my fraud policies and fraud standards already implemented. I’d be looking at education and awareness, and management and controls. I’d look at speak-up processes and internal speak-up lines for reporting fraud.”

We’ll provide more advice from anti-fraud experts on the compliance procedures organizations can take as they await guidance from the government later in the article. But first, the following section provides an overview of fraud in the U.K. and the elements of the failure to prevent offense.

Fighting fraud with an offense

Fraud is the most common crime in the U.K. In 2022, fraud accounted for 40% of crime in England and Wales — 7% of adults had either been a victim of fraud or had a fraud attempt made against them, according to a U.K. Parliament report. (See “Crushing fraud in the U.K.,” by Jennifer Liebman, CFE, Fraud Magazine, November/December 2023 and “Fraud,” UK Parliament.) The 2023 Annual Fraud Indicator (AFI), a report by Crowe, Peters & Peters and the University of Portsmouth, estimated that annual fraud losses in the U.K. amounted to more than 200 billion pounds in 2023. (See “Annual Fraud Indicator,” Crowe.) The ECCT and its failure to prevent fraud offense is but one part of the government’s overall strategy to fight economic crime in the U.K. This particular aspect puts the onus on big businesses to address fraud within their ranks. According to the offense, organizations are criminally liable if they failed to prevent fraud by an associated person, and the fraud committed by the associated person was intended to benefit the organization. Associated persons include employees, agents or subsidiaries, and any person who performs services on behalf of an organization. Crimes covered by the offense include fraud by false representation; fraud by failing to disclose information; fraud by abuse of position; false accounting; and obtaining services dishonestly, just to name a few. (See “New UK Corporate Offense: The ‘Failure to Prevent Fraud’,” by Chris Warren-Smith, Amy E. Schuh, Michelle Page, Erica A. Jaffe, Morgan Lewis, Feb. 14, 2024.)

“There are businesses that knowingly or unknowingly benefit from fraud. The importance of a level playing field for organizations shouldn’t be underestimated, especially when it comes to businesses that are at risk of facilitating fraud. I’d hope that this new offense will force a wide range of organizations to go beyond credit risk, ensuring that they’re confident of not only being paid but also that their services aren’t being abused to perpetrate fraud,” Jonathan Frost, an independent fraud subject-matter expert, tells Fraud Magazine.

There is a possibility that organizations meeting these criteria [the large organization threshold] may manipulate their financial data and employee numbers to evade compliance with the failure to prevent offense. In such cases, the measure itself could inadvertently incentivize fraudulent behavior.

The failure to prevent fraud offense applies to large organizations only — those organizations with at least 250 employees, more than 36 million pounds in turnover (turnover refers to revenue or sales), and more than 18 million pounds in total assets. The decision to apply the offense only to large organizations was a point of contention between the House of Lords and the House of Commons as they debated passage of the law. The House of Lords originally wanted the failure to prevent fraud offense to apply to smaller organizations as well, but the House of Commons won out on covering only large organizations. However, the organization threshold can be amended by secondary legislation, so it’s possible that smaller organizations could be included in the offense’s scope in the future. (See “New UK ‘failure to prevent’ fraud corporate criminal offence,” by Eve Giles, Brandon O’Neil, Jonathan Benson, Stacey McEvoy and Amy Edwards, Allen & Overy, Oct. 26, 2023.) Still, in the meantime, some say that the current threshold isn’t enough and many frauds will slip through the cracks.

“Many other organizations that have the potential to engage in fraudulent activities and harm victims are excluded from the ambit of this measure,” says Rasha Kassem, Ph.D., CFE, a senior lecturer of accounting at Aston University in Birmingham, England. “There is a possibility that organizations meeting these criteria [the large organization threshold] may manipulate their financial data and employee numbers to evade compliance with the failure to prevent offense. In such cases, the measure itself could inadvertently incentivize fraudulent behavior.”

Another important aspect of the failure to prevent fraud offense concerns its reach. The law applies to U.K. organizations and U.K. citizens, specifically, unlike the U.K. Bribery Act, which has an extra-territorial reach and can affect anybody who might be conducting business in the U.K. As of right now, the failure to prevent fraud offense only applies to the U.K. and wouldn’t necessarily affect companies in other jurisdictions.

“Because the failure to prevent here is the failure to prevent a number of preexisting, underlying economic crime offenses, each of which requires the conduct, or some of the conduct to take place within the U.K. in order for it to be capable of being prosecuted,” says Ruby Hamid, co-head of Global Corporate Crime and Investigations for law firm Ashurst. “If it’s a conspiracy to defraud and an element of the conspiracy is cooked up in the U.K., then the whole of the conduct could come into scope.”

Reasonable procedures

If an organization has been accused of fraud under the failure to prevent fraud offense, the government can impose an unlimited fine if the company is convicted. Organizations can also enter into deferred prosecution agreements with the government if they’ve been convicted of fraud under the offense. As mentioned, an important element of the offense is the type of defense that organizations can use if they’ve been accused of fraud. That defense, that the organization had “reasonable procedures” in place to prevent fraud and what those reasonable procedures entail is still being determined by the U.K. government.

What I think will happen is you’ll have a lot more people, for example, going for the CFE [Certified Fraud Examiner] credential, because now you’ll have a lot of people saying this actually matters for our organization and wanting to do better and raising that skill set.

Ashu Sharma, CFE

Some see the failure to prevent fraud offense as a way to persuade companies to do the right thing and to get their houses in order, so to speak.

“It’s much more about fear, isn’t it — frightening companies into doing the right thing,” says Tristan Bramble, a risk advisory consultant at Ashurst. “I think the U.K. authorities are trying to do something in the hopes that it becomes one of the factors that reduces fraud and dissuades it. It’s an off-putting factor, it’s a deterrent.

“But this failure to prevent regime really does demand that companies take that proactive compliance-first approach,” says Bramble. “This failure to prevent fraud regime is arguably not designed to produce lots of prosecutions. It’s at least designed to inspire proactive, prevention-based cultural and behavioral change.”

So, what are companies supposed to do that will get their prevention programs in place and deter fraud? Neil Donovan, a senior associate with Ashurst, says that organizations will need to shift their thinking about their anti-fraud controls and prevention mechanisms. Donovan, Hamid and Bramble have all been working with clients to help them prepare their compliance and prevention programs for the day when it comes into force.

“A lot of anti-fraud controls are historically set up in companies to protect the company from being defrauded where the company is the victim,” says Donovan. “But the offense operates slightly differently in that it bites where the fraud is committed for the benefit of the company. So, when it comes to assessing the risks, it needs to be done through that lens as opposed to where the company may itself be the victim of fraud.”

Donovan explains that a second part of that task for companies is mapping their existing compliance controls to those risks. “What we’ve found is that because a lot of clients, particularly large organizations, already have compliance controls in place, a lot of those can be used, leveraged and enhanced to apply to the risks under the new offense.”

According to Donovan, when the guidance is published, organizatons will then need to review their existing controls to ensure that they can demonstrate that reasonable procedures are in place to prevent fraud.

Of course, many large organizations have already implemented financial crime control frameworks and procedures to deter and prevent fraud.

Hamid advises that above all else, it’s important that organizations make sure that all their key stakeholders, and especially those in areas of the business that are at a heightened risk of fraud, are simply aware of the offense and what it means for the organization.

Yet still, not all organizations will require the same sort of preparation. Many organizations, such as ones in the financial sector, are already heavily regulated and have had anti-fraud controls in place for years. But there are many other organizations that don’t have this background, and they’ll need to do a lot to prepare for the time when the offense officially becomes law.

“The trouble or the stress now is for those sectors outside of the financial sector — the mining industry, metals, manufacturing, the techs — they’ve never had what the financial sector has got, and so their risk mitigation is still not mature to the level that the financial sector is,” says Sharma. “What I think will happen is you’ll have a lot more people, for example, going for the CFE [Certified Fraud Examiner] credential, because now you’ll have a lot of people saying this actually matters for our organization and wanting to do better and raising that skill set.”

Fostering a culture of compliance

Hamid advises that above all else, it’s important that organizations make sure that all their key stakeholders, and especially those in areas of the business that are at a heightened risk of fraud, are simply aware of the offense and what it means for the organization. “They must understand the elements of the offense, and they’ve had training, and they understand the potential risks to the business.” According to Hamid, it will largely be up to the board and senior management to set expectations and help foster a culture of zero tolerance. “One of the pillars of reasonable procedures will likely be cultural tone from the top.”

Jennifer Liebman, CFE, is editor-in-chief of Fraud Magazine. Contact her at JLiebman@ACFE.com.