top of page

New corporate offence of Failure to Prevent Fraud

The Economic Crime and Corporate Transparency Act (‘ECCTA’) 2023 has brought in some significant new obligations for employers. On 6 November 2024, the government published long-awaited guidance on how employers should be preparing for the introduction of the new offence under s199 of ECCTA 2023 of failure to prevent fraud.

 

Under the legislation, an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’,


  • commits a fraud;

  • intending to benefit the organisation; (note: no benefit must actually be obtained, nor does the company’s benefit need to be the sole purpose of the fraud)

  • and the organisation did not have reasonable fraud prevention procedures in place.


The corporate offence may also apply where the fraud offence is committed with the intention of benefitting a client of the organisation. The company will not however be prosecuted if it is the victim of a fraud designed to benefit its clients.


The offence comes into force in September 2025, leaving companies with 10 months to get their house in order.

 

So what do employers really need to know?

 

1.      Who falls within the scope of the offence?

Large, incorporated bodies and partnerships are liable to be prosecuted under s199 of ECCTA 2023.


A ‘large organisation’ is defined as meeting two or three out of the following criteria:

 

·         more than 250 employees

·         more than £36 million turnover

·         more than £18 million in total assets

 

The criteria is based on the financial year preceding the year of offending, and will apply to the whole organisation, including any subsidiaries regardless of where they are based.

Whilst this offence only applies to large organisations, it is well worth smaller organisations reviewing their anti-fraud procedures to bring them in line with government guidance as set out below, as a matter of good practice.

 


2.      What fraud offences will implicate the company?

The offence applies to a number of specific fraud offences (referred to as ‘base fraud’ offences and listed in schedule 13 of the ECCTA 2023 legislation), and include (but are not limited to):

 

·         Fraud by false representation

·         Fraud by failing to disclose information

·         Fraud by abuse of position

·         False accounting

·         Obtaining services dishonestly

·         False statements by company directors

·         Cheating the public revenue


Aiding, abetting, counselling or procuring any of the base fraud offences will also qualify under the corporate offence. The base fraud offences are clearly wide-ranging and may be updated in time through secondary legislation.


To fall within the s199 offence, the base fraud offence must be committed within the UK, or the benefit or loss must take place within the UK. The corporate offence can therefore be committed by a UK-based individual (regardless of where the company is based), or by an overseas employee committing fraud or targeting victims in the UK. UK organisations who have overseas employees committing fraud outside of the UK will not be liable under the corporate offence.

 

 

3.      Who can make the company liable?

The base offence can be committed by a person associated with the relevant body, ie an ‘associated person’. This will include an employee, an agent or a subsidiary of the relevant body. Furthermore, a person who provides services for and on behalf of the company will also be an associated person.

 

When considering whether an individual is an associated person, all of the relevant circumstances will be taken into account – and therefore they may or may not be under contract to the relevant corporation.


The corporate offence will only be committed if the associated person commits the base fraud offence in the capacity of acting for the corporate. A fraud offence committed in a private capacity will not implicate the company.

 

 

4.      Who can be prosecuted?  

The individual who committed the fraud can be prosecuted individually (plus any individual who encouraged or assisted the offending), as well as the company for failing to prevent it. It is not necessary for the individual to be prosecuted alongside the company; the company can be prosecuted alone. A conviction of the individual offender can be used as evidence in the prosecution of the company.

 

It does not need to be demonstrated that directors or senior managers ordered or knew about the fraud, for the company to be criminally liable.

 

No senior manager can be prosecuted as an individual for failing to prevent the offence; ECCTA provides only for a corporate offence.

 

 

5.      What defences can the company claim?

Relevant organisations will have a defence to the corporate offence if they can show that they have ‘reasonable procedures’ in place to prevent fraud. Alternatively, they will have a defence if they can

demonstrate that it was not reasonable for the company to have any prevention procedures in place – although this is unlikely to be considered reasonable in the absence of a risk assessment.

 

The onus will be on the company to prove a defence and it will be for the court to decide, on the balance of probabilities, whether the procedures were reasonable.

 

The fraud prevention framework is underpinned by 6 principles:

 

  • top level commitment – demonstrating a culture in which fraud is never acceptable

  • risk assessment – a dynamic, documented risk assessment that is kept under review

  • proportionate risk-based prevention procedures - a fraud prevention plan with clear, practical, accessible, effectively implemented and enforced procedures

  • due diligence - proportionate and risk-based due diligence, in respect of persons who perform or will perform services for or on behalf of the organisation

  • communication (including training) - prevention policies and procedures are communicated, embedded and understood throughout the organisation

  • monitoring and review - fraud detection and prevention procedures are monitored and reviewed and improvements are made where necessary

 

The principles are designed to be flexible and outcome-focussed, and procedures should take into account the level of control, proximity and supervision that the company has over an individual acting on its behalf. Similarly, the company will need to consider local laws if it has employees or agents overseas. Appropriate whistleblowing arrangements should also be in place.

 

A bespoke approach is needed; a company can fail to follow the guidance to the letter but still have a defence and the reverse is true; that even with strict compliance there may not be reasonable procedures in place if the company faces particular risks due to the unique nature of its business.


The guidance on reasonable procedures is extensive however, as is stipulated by the government, specific legal advice should be sought regarding the procedures to be implemented.

 

Audits are not required nor designed to identify all frauds and an audit cannot provide a ‘reasonable procedures’ defence. Management and those charged with governance should not rely solely on an audit to provide them with assurance about the appropriateness of their fraud controls, however audits can be useful in identifying certain potential fraud risks.

 

The aim of the ECCTA legislation is to drive a change in corporate culture, with a ‘prevention is better than cure’ approach. A company’s willingness to co-operate with an investigation under ECCTA 2023 and to make full disclosures will be taken into account when prosecuting authorities decide whether to prosecute or consider a deferred prosecution agreement (‘DPA’).

 

6.      What are the consequences for non-compliance?

If a company is convicted of the corporate offence, it can be sentenced to an unlimited fine. A deferred prosecution agreement may be an alternative option, providing the offending and circumstances fall within the SFO’s criteria for DPAs.

 

If you would like to have an initial conversation about how we can support you, please get in touch with Sarah Wallace or one of the team.


bottom of page