Failure to prevent fraud offence – putting the reasonable procedures theory into practice

After much consultation with industry professionals and other stakeholders, in late 2024 the Home Office released detailed guidance relating to the new corporate criminal offence of failure to prevent fraud (“FTPF”), which forms part of the Economic Crime and Corporate Transparency Act 2023 ("ECCTA"). The offence will come into force on 1 September 2025, setting the timescale for organisations to digest the guidance, assess their readiness and take action to ensure they are in a strong position. 

The guidance provided the update organisations had been waiting for: clarification on what reasonable procedures to prevent associated persons committing acts of fraud intended to benefit the organisation might entail. However, as was to be expected, the guidance is lengthy and designed to provide a framework requiring interpretation and application, as opposed to precise guidelines to be rigidly followed. Even for organisations with more mature fraud risk management arrangements, careful consideration, and possibly specialist support, will be needed. 

Following the introduction of the Bribery Act 2010, organisations have worked hard to create anti-bribery and corruption (“ABC”) frameworks, and this is likely to provide a frame of reference for many when considering their FTPF response, particularly given the similarities with ‘adequate procedures’ noted when reviewing the new Home Office FTPF guidance. While this experience will provide a good platform for developing a response to the FTPF offence, it is important that the process is not simply seen as a bolt-on to the ABC arrangements. 

To develop foundations for a strong counter fraud framework, organisations need to build from the ground up, utilising existing structures and strengths within the business while appropriately tailoring the response. We discuss below some important concepts to bear in mind when considering how this can be achieved in practice.

1. Start with the basics: What does fraud mean for your organisation? You cannot develop an effective response to risks that you do not fully understand.This will also help in your conversations with senior sponsors, more easily enabling you to articulate the importance of fraud risk management and the risks associated with not prioritising it, which will be vital when faced with roadblocks such as ensuring adequate financial and time resources for the next steps.
2. Use your in-house expertise: Your operational staff are your best asset so ensure you draw on their knowledge. They understand the workings of the business best, so ask them what the main risks are from their perspective.
3. Foster a culture of collaboration: There is significant value in getting representatives from your key business units and support functions together to discuss fraud risk and challenge each other’s ideas and perspectives. In our experience, such a session can be the first time the people in the room have got together and properly understood each other’s roles. Collaborating in this way provides the opportunity to challenge the status quo and identify potential instances where important considerations could fall between the gaps and give rise to risk.
4. Make full use of the valuable insight gained: Use knowledge gathered from across your business to sit down and map out your fraud risks in a way that suits your needs. This will look different in every case and could be divided, for example, by business function or by service/product line. You need to assess what the risks are, how significant and likely they are to materialise, and where any potential holes may arise. This process will be vital in assessing your internal control environment and readiness to protect your organisation against fraud.
5. Be specific: Fraud risk, no matter what your business, is significant and varied. Any groundwork you do is likely to identify many risks. While all this information is valuable and should inform your overall fraud risk management arrangements, to develop an appropriate response to the FTPF offence, you need to ensure that the lens of fraud being ‘to the benefit of the organisation’ is applied and given separate attention.
6. Prioritise the gaps: There may be many recommendations for improvements arising from a review of your fraud risk framework once this takes place. However, you will need to prioritise those that will have the biggest impact for your organisation.
7. Do not ignore the structures you already have in place: In the absence of unlimited financial or human resources, as well as having many other priorities to balance, it will be important to make use of your existing arrangements to help ensure maximum impact. For example, consider how you could use existing communication channels to expand fraud awareness messages, which will be crucial to facilitating effective operation of your whistleblowing channel – not forgetting that whistleblowing reports have long been the most common method through which internal fraud has been detected.
8. Build engagement from the outset: Even the most well-designed procedures will be rendered ineffective if they are not properly applied, or if employees do not understand them or the reason they are required. There may be a risk that employees see new or enhanced policies and procedures as an additional burden in their already time-pressured roles. Employees need to understand and be able to relate to why such policies and procedures are important and relevant for their day-to-day job. You will need to consider how best to communicate changes to your employee base and how you can sell them the benefits to get their engagement from the start. The overall objective is to integrate fraud risk management into the culture of your business and guard against a checklist mentality, whereby employees robotically comply with procedures in practical terms without understanding or really applying the substance or value of them.
9. Do not stand still: Fraud risk management cannot be a one-off exercise, and this is clearly reinforced in the FTPF guidance. Your business continually evolves, employees change, and fraudsters continually adapt to find new ways to commit fraud. Therefore, it is imperative that you regularly reassess your risks and how you respond to them. Important considerations will be protecting your business at the point of entry, through ensuring robust due diligence procedures for new suppliers and new recruits, as well as keeping pace with technology to maximise the defensive and proactive benefits. 
   In summary, there is no one-size-fits-all model to fraud risk management, and it is only by demonstrating a tailored, risk-based and informed approach that an organisation will be able to satisfy the requirements of a defence against a FTPF offence. Furthermore, any arrangements put in place can only truly be effective if they are embedded within the organisation’s wider culture. Policies and procedures define the rules, but the ethics and culture of an organisation determine whether these rules are followed. Actions speak louder than words – leaders need to be seen to be living and breathing the organisation’s values rather than simply verbalising them to the employee base. 

Fraud risk cannot be ignored and is becoming an increasing concern for all organisations, with the new legislation serving as a key driver for moving it up the priority list. While the focus of this article is responding to the FTPF offence, using this opportunity to take a holistic and proactive approach to reviewing your arrangements will help you to develop an agile framework that can evolve with your business and more readily adapt to changes in the internal and external environment.