Failure to prevent fraud – A new corporate criminal offence
Corporates should put in place fraud prevention procedures aligned with newly published Government guidance
The new offence of failure to prevent fraud will make large organisations criminally liable for failing to prevent fraud committed by their employees, agents, subsidiaries or other associates, unless they can demonstrate that they had reasonable fraud prevention procedures in place.
This new offence sends a strong signal that large organisations are expected to play their part in combatting financial crime. The offence follows on from separate reforms, already in force, making companies liable for economic crimes committed by their senior managers.
Here, we consider some key actions for businesses in relation to the new 'failure to prevent fraud' offence.
At a glance:
1. A new offence of failure to prevent fraud will come into force on 1 September 2025. Large organisations may be held criminally liable for failing to prevent fraud committed by employees, agents, subsidiaries and other associates of the organisation.
2. There will be a complete defence if the organisation can show it had reasonable fraud prevention procedures in place at the time. The Government has recently published guidance detailing its expectations around this.
3. Organisations can be held liable for the actions of third parties who provide services on their behalf, so it is essential that you identify these third parties, assess the fraud risk posed by them and conduct appropriate due diligence on them to mitigate identified fraud risks.
4. You should be able to build upon existing financial crime compliance programmes, including bribery and tax evasion risk programmes, and you have time to prepare. To start, see our practical guide on Fraud Prevention Procedures for corporates here.
5. The jurisdictional reach of the new offence is broad, extending beyond UK corporates, to any organisation that has failed to prevent a relevant UK fraud offence from being committed.
Key actions for businesses
1. Fully understand how the new offence can be committed
The new offence criminalises organisations for failing to prevent certain 'base fraud offences' from being committed by 'associates' of the organisation.
An understanding of the base fraud offences will be an essential first step for organisations, before they can begin to assess where their greatest fraud risks lie. Our top-level guide to the base fraud offences - What is Fraud? - is here.
Equally, organisations will need to identify who their associates are. Employees, agents and subsidiary undertakings are automatically included. In addition, any person who provides services for or on behalf of the organisation will also be an associate. Understanding who these third-party associates are is a first and critical step to assessing the organisation's fraud risk.
Conduct a fraud risk assessment and carry out due diligence, covering 'associates'
The guidance is clear that organisations are expected to conduct a full fraud risk assessment to assess the nature and extent of their exposure to associates committing fraud. The starting point is to identify 'typologies' of associates, and then consider the scenarios under which the associates could attempt one of the base fraud offences. It will also be important to conduct appropriate due diligence on third-party associates to mitigate identified fraud risks, which may include carrying out vetting checks and reviewing contracts.
Corporates should also identify the 'potential victims' of fraud. Whilst organisations typically have well developed policies and procedures designed to prevent themselves becoming a victim of fraud, the new offence requires an outward-looking view of fraud risks, and an assessment of how third parties could be harmed by fraud committed by associates of the organisation.
The risk assessment should be dynamic, documented and kept under regular review. It will help identify, on an ongoing basis, any additional fraud prevention procedures needed.
Reasonable fraud prevention procedures
Demonstrating that an organisation has reasonable fraud prevention procedures is a complete defence and will be key to avoiding liability for the new offence.
The Government's guidance stresses that, when putting a fraud prevention framework in place, organisations should:
- Demonstrate a top-level commitment to the prevention and detection of fraud.
- Conduct dynamic, regular risk assessments to assess the nature and extent of their exposure to fraud risks.
- Implement proportionate risk-based fraud prevention procedures.
- Apply due diligence procedures in respect of persons who perform or will perform services on their behalf, to mitigate identified fraud risks.
- Ensure that their prevention policies and procedures are communicated, embedded and understood throughout their organisation.
- Monitor and review their fraud detection and prevention procedures and make improvements where necessary.
See our practical guide on Fraud Prevention Procedures for corporates here.
Ensure policies and procedures adhere to the guidance, and explain any departures
Adherence to the Government's guidance will be a key consideration for prosecutors when deciding whether to bring criminal proceedings, and for the courts when deciding whether an organisation is guilty of the offence.
Organisations should therefore ensure they can demonstrate a carefully considered approach which fully aligns with the guidance and that, where there are departures, there are valid, documented reasons for them.
Equally, organisations need to be alert to the need to look beyond the guidance where they face risks arising from the unique facts of their business.
Leverage existing processes for financial crime risks
Most large organisations will already have in place fraud prevention policies and procedures in some form and will be familiar with 'failure to prevent' offences, given the 'failure to prevent bribery' and 'failure to prevent the facilitation of tax evasion' offences that are already law. Steps detailed in the Government's guidance in relation to the new offence are similar to those that organisations will already be taking in relation to bribery and tax evasion risks. This means that organisations should not need to start from scratch when considering what fraud prevention procedures to adopt.
For example, conducting a fraud risk assessment is likely to require the input of many of the same stakeholders who input into bribery and tax evasion risk assessments, so it may be possible to coordinate elements of these processes. Similarly, it may be possible to expand existing training given on bribery-related matters to cover economic crime risks more broadly, including fraud.
Closely integrating any new fraud-related measures into the organisation's existing financial crime compliance programme should not only drive synergies in the initial work required to prepare for the new offence but should also help with the ongoing process of periodic review and updates to these measures.
Look across the whole business, beyond the UK entities
The new offence will apply to organisations wherever they or their associates are incorporated or carry on business, provided the organisation has failed to prevent one of the UK base fraud offences. These offences require one of the acts which was part of the fraud to have taken place in the UK or any gain or loss resulting from that offence to have occurred in the UK. A non-UK organisation could therefore be liable for failing to prevent a non-UK associate committing a fraud offence, if the fraud targeted UK victims. Organisations should therefore look beyond their UK group companies when considering the new offence.
The risk of a prosecution in these circumstances should not be overstated, however, given that finite investigative and prosecutorial resources are most likely to be focused on organisations with a strong UK nexus, and there would be practical challenges in criminally charging a non-UK organisation in the UK.