Failure to prevent fraud: controversial new details announced

UK Government offers the bare minimum on fraud prevention

The UK government had previously announced they are pushing ahead with a game-changing new regulation to expand the ‘failure to prevent’ family of offences to failure to prevent fraud. More details have now been announced about the offence which will be brought forward as part of the Economic Crime and Corporate Transparency Bill. Significantly, the government have proposed a controversial exemption for smaller organisations, and have ignored calls for a failure to prevent money laundering offence, even for the regulated sector. 

What is the proposed new offence?

Under the new offence of failure to prevent fraud, an organisation will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place. Company bosses would not need to have ordered or known about the fraud for the failure to prevent offence to be committed.

Significantly, this formulation is less stringent than what was previously proposed by the Law Commission. Under the Law Commission’s proposals, the offence would have applied where an associated person commits an offence of fraud that benefits the company, or that benefits another person to whom they provide services on behalf of the company.

The Law Commission wanted to ensure that the benefit to the company provision should be wide enough to encompass situations in which it is not the associated person’s primary purpose to benefit the company, but that outcome is intrinsically related to their purpose. This should cover instances where the company benefits indirectly, but not where the conduct was intended to benefit a client.

If convicted, organisations could receive an unlimited fine. The government has not proposed individual liability for failure to prevent fraud, as proposed by the Law Commission. 

What underlying fraud offences are included?

Failure to prevent fraud requires a specified fraud offence to have been committed by an employee or agent, and for the organisation’s benefit. Money laundering offences are not included, and there is not currently a failure to prevent money laundering offence being brought forward. 

The underlying fraud offences include:

  • fraud by false representation (section 2 Fraud Act 2006)
  • fraud by failing to disclose information (section 3 Fraud Act 2006)
  • fraud by abuse of position (section 4 Fraud Act 2006)
  • obtaining services dishonestly (section 11 Fraud Act 2006)
  • participation in a fraudulent business (section 9 Fraud Act 2006)
  • false statements by company directors (section 19 Theft Act 1968)
  • false accounting (section 17 Theft Act 1968)
  • fraudulent trading (section 993 Companies Act 2006)
  • cheating the public revenue (common law)

Will your organisation be covered?

The government have proposed to include only large organisations, as defined in the Companies Act 2006. This means organisations that meet two of the following criteria will be covered:

  • More than 250 employees
  • More than £36m in turnover
  • More than £18m in total assets

The government have made it clear that the scope could be expanded through secondary legislation, meaning ministerial regulation (by this or a future government) could bring more organisations into scope, which would align the new failure to prevent fraud offence with the existing failure to prevent bribery and tax evasion offences.

What is the defence to failure to prevent fraud?

As expected, companies will require reasonable procedures to prevent fraud. This is the same standard as the Criminal Finances Act, meaning it could be reasonable for an organisation to have no anti-fraud procedures in place. However, this would still have to be set out in a risk assessment, and would apply only where the risk has been assessed as very low.

Will the offence apply overseas?

Yes. Similar to the other failure to prevent offences, if an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.

What has been the reaction to the new offence?

The government had been somewhat dragged into committing to bringing in the failure to prevent offence given damning reports from the House of Lords, and a push by the former Justice Secretary Robert Buckland in the Commons. The now published plans for the failure to prevent offence have been roundly criticised by anti-corruption campaigners, who have called the exemption for smaller companies “desperately short-sighted and entirely unnecessary.”

The Law Commission, which previously outlined plans for new failure to prevent offences, did not accept that there were valid arguments for exempting smaller companies. Neither did the House of Lords when they rejected exemptions for SMEs during the debate on the 2010 Bribery Act.

The pressure group Spotlight on Corruption also criticised the government’s failure to introduce a ‘failure to prevent money laundering’ offence, particularly for the unregulated sector.

Will the government get its own way with this legislation?

It seems likely the government’s plans will be brought forward as outlined; however, there may be scope for change as the legislation goes through parliament. The government have essentially offered the minimum on the failure to prevent fraud offence, and it could still be subject to amendment and opposition in the House of Lords prior to the Economic Crime and Corporate Transparency Bill being passed.

A future government may also decide to scrap the threshold exemption for smaller organisations. Given the fairly uncontroversial proposals from the Law Commission and House of Lords for a failure to prevent fraud offence that covers all organisations, as well as failure to prevent money laundering and failure to prevent false accounting, it seems likely this will be revisited. 

Given the relative weakness of the government’s proposals, this could strengthen the resolve of the opposition Labour party to commit to a much wider failure to prevent economic crime offence. Senior Labour MP Margaret Hodge, who chairs the all-party group on anti-corruption, has previously said that the UK’s “financial services and our defences against dirty money have been overrun. London is now the laundromat for washing dirty cash.”

What will organisations need to do?

An organisation will need to conduct a risk assessment similar to one carried out for failure to prevent tax evasion. The risk assessment should be wide ranging and review the risks of fraud faced by the company and potentially what others in similar sectors have experienced. 

Following the risk assessment, reasonable procedures should be implemented including:

  • Anti-fraud policies and procedures that mitigate outward fraud committed for the benefit of the organisation
  • Training, including tailored training for those in higher risk positions
  • Due diligence both in respect of transactions for clients and contracts (e.g. for suppliers), particularly on third party agents given the offence will apply to the acts of agents acting on the organisation’s behalf
  • Ensuring contractual provisions cover outward fraud
  • Putting in place effective audit and monitoring processes in relation to fraud
  • Ensuring regular internal review of systems and controls

James

VinciWorks CEO, VinciWorks
