【Column】Do you have reasonable procedures in place to prevent fraud involving your organisation?: Publication of UK Government guidance on ‘offence of failure to prevent fraud’
- Guidance [1] was published by the UK Government in November 2024 under the Economic Crime and Corporate Transparency Act 2023 ('the Guidance').
- From 1 September 2025, certain organisations will be held criminally liable for failing to prevent fraud by their employees and other associated persons.
- Foreign companies engaged in activities related to the UK may also fall within the ambit of the Guidance and the related laws; Japanese companies may therefore also be required to implement the measures set out in the Guidance.
- An organisation will not be criminally liable if it has put in place reasonable procedures to prevent fraud as set out in the Guidance, namely: (i) management commitment, (ii) risk assessment, (iii) developing proportionate risk-based prevention procedures, (iv) due diligence, (v) communication (including training), and (vi) monitoring and review.
A. Crime of failure to prevent fraud
Summary
The Economic Crime and Corporate Transparency Act 2023 ('ECCTA'), which was passed in October 2023, introduced an offence of 'failure to prevent fraud'. The concept of 'fraud' in the UK is broader than that of 詐欺 (sagi) in Japan, and therefore the offence of failure to prevent fraud is also broader than what would be expected under Japanese law.
The offence of failure to prevent fraud is set out in Article 199(12) of the ECCTA. It applies only to 'Large Organisations' (defined below) and concerns such organisations' failure to prevent specified base 'fraud' offences committed by 'associated persons' of the organisation for the purpose of benefiting the Large Organisation.
There is no upper limit on the amount of fine which can be imposed on an offending Large Organisation under the ECCTA.
English laws also prescribe penal liability on large organisations for the failure to prevent bribery (under the Bribery Act 2010) and facilitation of tax evasion (under the Criminal Finances Act 2017). The new offence on failure to prevent fraud is similarly structured and takes a further step towards making companies liable for fraudulent or dishonest actions of certain employees and other persons associated with such company.
The following sections provide a detailed explanation as to the constituents of the offence of failure to prevent fraud and its applicability.
Scope of 'Large Organisation'
Specifically, a 'Large Organisation' is a company or organisation that meets two or more of the following three criteria (Articles 201-202 ECCTA):
(a) turnover in excess of £36 million (in the case of a parent company, for the group as a whole);
(b) assets in excess of £18 million (in the case of a parent company, for the group as a whole);
(c) more than 250 employees (in the case of a parent company, for the group as a whole).
A subsidiary of a Large Organisation will also be held liable under the ECCTA if an employee of that subsidiary commits fraud intended to benefit the subsidiary, even where the subsidiary does not, by itself, meet the criteria of a Large Organisation. Where such fraud is committed for the benefit of the parent company, however, it is the parent company that will be held liable (Articles 199(2) and (8) ECCTA, Guidance pp. 9-10).
Scope of 'associated persons'
A fairly broad range of actors who commit fraud are covered, including employees, agents, subsidiaries and any person who performs services for or on behalf of the large company concerned or its subsidiaries (Articles 199(7)-(9) ECCTA).
Offences constituting 'fraud'
Offences which constitute 'fraud' for the purpose of the ECCTA include, for example, the following (Schedule 13 ECCTA):
- Fraud by false representation (e.g. telling lies to get people to buy goods)
- Fraud by failing to disclose information (e.g. getting people to buy products without disclosing information that should be disclosed)
- Fraud by abuse of position (e.g. abusing authority in the course of duties to gain economic advantage)
- Obtaining services dishonestly (e.g. receiving services free of charge from a third party through an act of dishonesty)
- False accounting
- Fraudulent trading (unfair trading to defraud company creditors)
- Cheating the public revenue
However, the offence of failure to prevent fraud is not committed if the large company concerned is itself a victim of these crimes (Article 199(3) ECCTA).
Extra-territoriality
The offence of failure to prevent fraud also applies to companies based outside the UK (Guidance pp. 12-13) if an associated person of the company commits 'fraud' under UK law and a nexus with the UK exists. A 'UK nexus' can be considered to apply, for example, in the following instances:
- Where the conduct that was part of the underlying fraud occurred in the UK
- Where profits or losses arise in the UK
- Where fraud is committed by the UK-based employees of a company
- Where an employee or associate of an organisation based abroad has committed fraud in the UK
- Targeted fraud against UK victims
If any of the above criteria are met, a Large Organisation which is incorporated and operates outside of the UK may also be held liable for failure to prevent fraud under the ECCTA.
On the other hand, if an offence is committed without any nexus to the UK by an overseas employee or an overseas subsidiary of a UK-based Large Organisation, that Large Organisation will not be held liable under the ECCTA.
Defence
The offence of failing to prevent fraud is not committed where a Large Organisation has in place 'reasonable procedures to prevent fraud' (Article 199(4)(a) ECCTA). The ECCTA itself does not set out what conduct constitutes 'reasonable procedures'. Reference may, however, be made to the Guidance, the main points of which are explained in section B below.
B. Reasonable prevention procedures
The Guidance is advisory in nature and does not constitute binding law; however, the principles outlined in it represent good practice and reflect evolving industry standards.
The Guidance emphasises the following six aspects which Large Organisations must bear in mind for the purpose of implementing reasonable procedures to prevent fraud:
① Management commitment
② Risk assessment
③ Developing proportionate risk-based prevention procedures
④ Due diligence
⑤ Communication (including training)
⑥ Monitoring and review
① Management commitment
The Guidance states that responsibility for the prevention and detection of fraud rests with those charged with governance of the Large Organisation. The board of directors, partners and senior management should strive to prevent the commission of fraud by persons associated with the organisation, foster a culture in which fraud is never tolerated, and reject benefits that are based on or encourage fraud.
It further states that the management team should take on the following roles:
- Communicating and endorsing the organisation's position on fraud prevention, including its mission statement.
- Ensuring that there is clear governance throughout the organisation with regard to the anti-fraud framework.
- Leading training and resourcing initiatives.
- Setting an example and fostering a culture of openness in which staff feel able to speak up if they encounter wrongdoing.
② Risk assessment
The Guidance emphasises risk assessment and requires the development of a proportionate prevention plan based on identified risks. The main points in this context are as follows:
- Organisations are required to assess the nature and extent to which employees, agents and other relevant parties are exposed to the risk of committing fraud within the scope of the ECCTA. The risk assessment needs to be dynamic, documented and subject to regular review.
- Identification of the type of 'associated persons' is needed as the term is broadly defined. For example, an agent, contractor or staff member in a specified, sensitive role who provides a specific service for or on behalf of an organisation may also constitute an ‘associated person’.
- Such typologies are required to account for the fact that different fraud risks may exist. For example, fraud by false representation may be committed by a variety of parties, whereas fraud through failure to disclose information, false accounting or fraud by abuse of position is more likely to be committed by persons in specific roles.
- In considering risk, it is advisable to focus on the three elements of the fraud triangle: opportunity, motivation and justification [2].
- Using such perspectives, a typology-specific risk assessment should be carried out, which can then be reviewed on a regular basis (once or twice a year).
- If periodic reviews are not carried out, then it is possible that a court may find that reasonable procedures to prevent fraud have not been adopted.
③ Developing proportionate risk-based prevention procedures
The Guidance states that fraud prevention procedures should be proportionate and risk-based. The main points in this context are as follows:
- Fraud prevention procedures should be proportionate to the risk of fraud and to the nature, scale and complexity of the organisation's activities.
- Fraud prevention procedures need to be clear, practical, accessible, effectively implemented and thorough.
- Anti-fraud procedures will also be subject to other regulations, e.g. those on financial reporting, environment, health and safety, competition, etc., so the compliance process for such regulations may address certain potential frauds.
- While organisations do not need to duplicate existing work, it does not necessarily follow that existing regulatory compliance processes can automatically be claimed to qualify as 'reasonable procedures' in fraud prevention.
- To avoid duplication of effort, it is recommended that organisations assess whether existing regulatory compliance mechanisms and other measures are sufficient to prevent each fraud risk identified in the risk assessment. Where existing mechanisms appear inadequate, the organisation should adopt appropriate additional fraud prevention procedures.
④ Due diligence
The Guidance states that organisations should apply due diligence procedures that take an appropriate risk-based approach to mitigate identified fraud risks in relation to persons performing services for or on behalf of such organisation. The main points in this context are as follows:
- Where appropriate, clear documentation of due diligence procedures relating to fraud.
- Using appropriate technology, e.g. third-party risk management tools, screening tools, etc.
- Review of contracts with service providers and agents, mandating compliance and setting out termination clauses in the event of breach.
- Monitoring of staff and agent situations to identify those at high risk of committing fraud due to stress, targets or workload.
- Thorough due diligence during M&A and related transactions.
⑤ Communication (including training)
The Guidance states that training and retention are important to ensure that prevention policies and procedures are communicated, embedded and understood throughout the organisation through internal and external communication. The main points in this context are as follows:
- Clear documentation and approval of corporate and other anti-fraud policies.
- Effective communication at all levels within the organisation.
- Ensuring that relevant persons and others providing services for or on behalf of the organisation are informed of and understand the organisation's policies.
- Depending on the level of risk, it may be necessary to require representatives to attend fraud-specific training.
- Development of whistleblowing procedures.
- Inclusion of fraud-related messages in existing policies and procedures. For example, including language in policies on sales targets and customer interactions that briefly explains the causes of fraud and its consequences.
- Publicising the results of investigations, in particular sanctions, within the organisation.
⑥ Monitoring and review
The Guidance states that monitoring for fraud includes three elements, i.e., the detection of fraud and attempted fraud, investigation, and monitoring the effectiveness of fraud prevention procedures. The main points in this context are as follows:
- The detection and investigation of fraud and attempted fraud may need to be extended beyond fraud intended to benefit oneself or cause damage to the organisation to fraud intended to benefit the organisation or its customers.
- As the nature of the risks faced by organisations changes and evolves over time, organisations would need to adapt their fraud detection and prevention procedures in response to the changing risks they face. Such assessments are usually carried out at regular intervals (once or twice a year).
C. Responses to be taken from now on
The following are the main points which organisations should keep in mind in light of the Guidance.
- As the offence of failure to prevent fraud is set to come into effect on 1 September 2025, Large Organisations which fall within the scope of the ECCTA should ensure that the policies and procedures suggested under the Guidance are in place well before that date.
- Even if an organisation is not incorporated in the UK, it may be subject to the offence of failing to prevent fraud if it is found to have a nexus with the UK, such as having a subsidiary or branch in the UK, having employees, suppliers or customers in the UK, or making profits in the UK. Japanese companies should therefore assess whether they meet this test and, if so, ensure that they undertake the suggested actions.
- Preparations include: a risk assessment of fraud occurrences within the corporate group, including subsidiaries; due diligence on agents, representatives, supply chains, etc.; formulation, implementation, ongoing evaluation and review of fraud prevention procedures; internal training; and development of whistle-blowing systems.
D. Conclusion
Companies operating globally need to avoid being sanctioned for unexpected breaches of foreign laws and regulations. In recent years a wide range of global regulations have been imposed, including on supply chains, as seen in economic security regulations, human rights regulations and regulations on bribery of foreign officials. It is necessary to understand and respond to these regulations accurately. The enforcement of the offence of failure to prevent fraud in the UK can be seen as part of this trend. By implementing fraud risk assessments and preventive procedures, and thereby fostering a culture of zero tolerance of fraud within the organisation, companies can strengthen corporate governance and evolve into more resilient and sustainable organisations.
[1] UK Home Office, 'Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud.'
[2] 'Opportunity' refers to the opportunity to commit fraud, e.g. weak monitoring or inadequate supervision. 'Motive' means that there is a motive to commit the fraud, e.g. financial stress or the need to meet targets. 'Justification' means that there is a reason to justify the wrongdoing, e.g. a belief that no one is harmed, or resentment towards the organisation or its customers.
(Written by: Masayuki Otake / Additional comments by: Michael Lynch, Ranjini Gogoi)
*This newsletter is provided for educational and informational purposes only, and is not intended and should not be construed as legal or tax advice.