Failure to prevent fraud under the ECCTA: Home Office issues guidance

The Home Office has published guidance to organisations on the offence of failure to prevent fraud under the Economic Crime and Corporate Transparency Act 2023.

The new offence – which will come into force on 1 September 2025 – applies to ‘large organisations’, defined in the legislation as those that satisfy two of the following three criteria in the financial year preceding the year of the offence: (1) a turnover of more than £36 million; (2) a balance sheet total of more than £18 million; (3) more than 250 employees.

The legislation provides that a large organisation is guilty of the offence if an employee, agent, subsidiary undertaking, or person who otherwise performs services for or on behalf of the body commits ‘a fraud offence’ intending to benefit either the organisation (directly or indirectly) or any person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body.

The guidance unpacks many of these criteria, clarifying, for example, that the offence applies to organisations incorporated or formed by any means, and setting out the range of underlying frauds (referred to in the guidance as ‘base frauds’) which will give rise to liability. It also confirms that, whilst the offence will only apply where the associated person commits a base fraud under the law of a part of the UK, should a UK-based employee commit a base fraud, the employing organisation could be prosecuted wherever it is based.

An important part of the new law is that a defence is available to an organisation if it can prove either that (a) it had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place or (b) it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place. The guidance makes clear that “reasonableness of procedures should take account of the level of control, proximity and supervision the organisation is able to exercise over a particular person acting on its behalf”. Furthermore, it states that it will rarely be considered reasonable not to have conducted a risk assessment.

The guidance goes on to set out the six principles that should inform any fraud prevention framework put in place by relevant organisations:

  1. Top Level Commitment

The guidance states that responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation and that those in charge should “foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by fraud”. In addition, senior management’s role is likely to include:

  • Communication and endorsement of the organisation’s stance on preventing fraud, including mission statements;
  • Ensuring that there is clear governance across the organisation in respect of the fraud prevention framework;
  • Commitment to training and resourcing;
  • Leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices.

  2. Risk Assessments

Organisations should assess the nature and extent of their exposure to the risk of employees, agents, and other associated persons committing fraud. In particular, given the broad definition of ‘associated persons’, the guidance recommends that organisations identify different types of associated persons and, in turn, consider the types of risks to which the organisation might be exposed. To assist with this, the guidance refers to the three elements of what it calls the ‘fraud triangle’:

  • Opportunity. Are there sufficient controls and oversight to mitigate opportunities to commit fraud? Do emerging technologies open new opportunities for fraud? Have existing fraud prevention procedures been weakened or neglected?
  • Motive. Do reward and recognition mechanisms (including commissions or bonuses) incentivise fraud? Are there particular financial or operating pressures on the company? Does the corporate culture (including sanctions and penalties) disincentivise whistleblowing when fraud is discovered?
  • Rationalisation. Is the organisation’s culture quietly tolerant of fraud, particularly fraud that might be perceived as securing contracts or jobs for the organisation? Is fraud prevalent in this business sector? Is it difficult for staff to speak up if they have concerns? Do they face adverse consequences?

The guidance makes clear risk assessments should be regularly reviewed and that organisations should assess whether external factors should trigger an earlier review or a partial review, adding that “if the risk assessment has not been reviewed, a court may determine that it was not fit for purpose and therefore that “reasonable procedures” were not in place at the time of the fraud”.

  3. Proportionate risk-based prevention procedures

Organisations are encouraged to draw up a ‘fraud prevention plan’ which is proportionate to the fraud risks they face and to the “nature, scale and complexity of the organisation’s activities”. The guidance also sets out a series of risk factors to consider when determining the proportionality of reasonable prevention procedures.

  4. Due diligence

The guidance states that organisations are expected to take a proportionate and risk-based approach to due diligence procedures. Furthermore, whilst many organisations might already have due diligence procedures in place, the guidance recommends that those with exposure to the greatest risk may consider setting out separately their due diligence procedures in relation to the new offence.

  5. Communication (including training)

The guidance sets out that “communication should be from all levels within an organisation. It is not enough for the senior management to say that staff should not commit fraud, if middle management then actively ignore this and encourage junior members to circumvent the relevant body’s fraud prevention procedures”. Training should be provided, be proportionate to the risks faced, and monitored to measure its effectiveness. Organisations are also encouraged to have “appropriate whistleblowing arrangements” in place.

  6. Monitoring and review

Finally, organisations should regularly monitor and review their fraud detection and prevention procedures.

To read the guidance in full, click here.