The UK Government has published long-awaited Guidance on the new corporate criminal offence of failure to prevent fraud. The offence will come into force on 1 September 2025. Over the coming months, impacted organisations[1] should ensure they have in place “reasonable procedures” to prevent employees, agents and other associated persons from committing fraud intended to benefit the organisation or (in certain circumstances) its clients.
Now is the time for impacted organisations to plan, execute, and document a Benchmarking Exercise of the organisation’s fraud prevention framework against the six general principles found in the Guidance:
- Top-level commitment
- Risk assessment
- Proportionate risk-based prevention procedures
- Due diligence
- Communication including training
- Monitoring and review
Our practitioners are experts on the practicalities of fraud programmes and strategy implementation, having led large scale UK and global fraud programmes at major institutions. We set out below our top practical tips for conducting the Benchmarking Exercise in a pragmatic yet effective manner.
Define the Exam Question and the End Game
The Benchmarking Exercise should answer the following “Exam Question”: Does the organisation have in place a reasonable anti-fraud framework and procedures to prevent associated persons from committing in-scope fraud offences?
The “in-scope” aspect is important, since the offence applies only to certain fraud typologies. To date, many organisations have been more focused on out-of-scope fraud typologies: external fraud threats (e.g. phishing) and internal fraud threats where the organisation is the victim (e.g. expenses fraud). Proportionality is also critical, since “reasonable” means proportionate to the organisation’s risk; the organisation must consider and address the risks arising from the unique facts of its own business.
Begin with the end in mind: The Benchmarking Exercise deliverable should be a written document summarising the following:
- The purpose, scope and methodology of the Benchmarking Exercise
- Key findings on whether the organisation’s current fraud prevention framework and procedures are “reasonable.” This includes the reasonableness of any current fraud risk assessment and corresponding fraud prevention plan
- The agreed-upon remediation plan, including a timeframe for any required improvements
An organisation may decide to conduct this Benchmarking Exercise internally. Alternatively, the organisation may decide to engage an independent third-party expert such as K2 Integrity to conduct the Benchmarking Exercise and/or deliver core components of the fraud prevention framework such as the fraud risk assessment or fraud prevention plan.
Secure Internal Buy-In for the Benchmarking Exercise
Fraud and compliance risk owners should first ensure internal buy-in for the Benchmarking Exercise; for the exercise to be a success, meaningful input and actions are required from the board of directors, senior management, and the teams responsible for fraud controls (e.g., finance, human resources, investigations and training teams). Additionally, we recommend that business representatives assist in identifying the relevant fraud risk typologies.
Strategies for obtaining internal buy-in include:
- Highlight the criminal nature of the offence, the potential for an unlimited fine and the protections afforded by the reasonable procedures defence.
- Nominate a project sponsor and project lead, identify key stakeholders, and propose governance arrangements for the project.
- Map out a reasonable timeframe for the Benchmarking Exercise with key milestones.
- Highlight efficiencies: existing fraud-relevant materials and framework components can be leveraged, plus any outputs from relevant industry working groups.
- Factor in, plan to address, and budget for any obvious deficiencies (e.g., if the organisation does not have a current fraud risk assessment).
It is important to manage stakeholder expectations from the outset. Clearly communicate that this is not a one-off exercise; the fraud risk assessment and the broader fraud prevention framework should be reviewed annually or biannually (plus ad hoc if triggered by external events). The Guidance explicitly states that if the risk assessment has not been reviewed, a court may determine that it was not fit for purpose and therefore that reasonable procedures were not in place at the time of the fraud.
If Your Organisation Does Not Already Have a Fraud Risk Assessment in Place, Make It a Priority
The Guidance notes that it will rarely be considered reasonable not to have even conducted a risk assessment. In its fraud risk assessment, the organisation must assess the nature and extent of its exposure to the risk of employees, agents, and other associated persons committing fraud in scope of the offence.
Some organisations may not have previously conducted a fraud risk assessment. Other organisations may have a fraud risk assessment which does not adequately cover the in-scope offences.
Define the Relevant Associated Persons by Group
The Guidance advises impacted organisations to begin the risk assessment by identifying typologies of associated persons:
- Staff in specific sensitive roles—for example, finance, procurement, investor sales and marketing
- Agents—anyone with authority to contract on behalf of the organisation
- Contractors providing a particular service (not goods) “for or on behalf of” the organisation. This excludes contractors providing services “to” the organisation (e.g. external lawyers)
- Subsidiaries, including where employees of a subsidiary of the parent organisation commit a fraud intended to benefit the parent organisation
As the Guidance notes, different types of associated persons may present different fraud risks. For example, fraud by false representation can be committed by a range of associated persons, while fraud by failure to disclose information, false accounting or abuse of position are more likely to be committed by those in certain roles.
Develop Typologies of Risk
The Guidance notes that it is not possible to anticipate all potential fraud risks; indeed, the biggest potential pitfall in conducting the risk assessment is to go down a rabbit hole on fraud typologies. The risk assessment will be most effective if, at the outset, the organisation accurately identifies the key relevant in-scope risk typologies. We suggest that the identified risk typologies are limited to a manageable number, since each typology will need to be addressed from a controls perspective as part of the fraud prevention plan (see further below).
The Guidance suggests that typologies of risks should be developed by considering the three elements of the fraud triangle alongside the territorial scope of the offence:
- Opportunity (e.g., inadequate oversight)
- Motivation (e.g., meeting targets)
- Rationalisation (e.g., no harm)
We recommend holding a workshop with key internal risk owners and stakeholders to agree on the relevant risk typologies flowing from the typologies of associated persons. The Guidance suggests leveraging data analytics, previous audits, and information from industry bodies. Additionally, we recommend leveraging the organisation’s previous fraud incidents.
The risk assessment should consider emergency scenarios since failing to undertake any risk assessment for emergencies may mean the organisation is not considered to have reasonable fraud prevention measures in place.
Document the Rationale
The purpose of the risk assessment is to determine inherent risk, meaning risks that exist before any additional fraud prevention measures are put in place. The Guidance suggests classifying each inherent risk by its likelihood and impact and describing why that classification has been chosen.
Ensure the Fraud Prevention Plan Is a Proportionate Response to the Risk Assessment
The fraud prevention plan is the organisation’s documented response to the inherent risks and their potential impact as identified in the risk assessment. This means there must be connectivity between the two exercises. It is a key principle of the Guidance that the fraud prevention plan should be proportionate to the risks identified and their potential impact. The fraud prevention plan is essentially an assessment of the controls and measures which are in place, or should be in place, to prevent or mitigate in-scope risks identified in the risk assessment. This includes a qualitative assessment of the residual risk. For some organisations, this controls assessment will already be a component of their fraud risk assessment process (although both need to cover in-scope risks).
When considering proportionality, the Guidance suggests assessing a broad range of risk factors (again, according to the three elements of the fraud triangle), which we categorise below. This illustrates the importance of stakeholder input from risk and control owners such as human resources.
- Processes—HR vetting checks, procurement processes, conflicts of interest
- Results of audit findings
- Best practice and sector-specific information
- Approach to assessing emerging risks
- Training and communications
- Compensation framework
- Disciplinary and reporting procedures
- Organisational culture
The Guidance notes that in some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk; however, any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision.
Remember that Governance Is a Critical Success Factor
Good governance throughout is crucial for several reasons:
- To ensure that the Benchmarking Exercise and any subsequent remediation plan are executed in a timely manner, before the 1 September 2025 deadline. Identified remediation actions should be clearly allocated to the relevant risk owner, with regular reporting on progress to senior management.
- Top-level commitment to fraud prevention is one of the core six principles in the Guidance. Responsibility for the prevention and detection of fraud rests with those charged with governance of the organisation, and senior management should ensure there is clear governance of the fraud prevention framework.
- Senior management should commit to resourcing. The fraud framework and prevention plan should be resourced over the long term and receive a reasonable and proportionate budget for personnel costs and technology. The organisation should monitor the effectiveness of its fraud prevention measures and review its fraud framework and procedures in response to changing risk factors.
- As the Guidance clearly states, management and those charged with governance cannot rely solely on external audits to provide them with an assurance about the appropriateness of their fraud prevention and detection controls in the context of the failure to prevent fraud offence.
Please reach out to Joanne Taylor, senior managing director at K2 Integrity, for a free-of-charge discussion on implementation within your organisation.
[1] This article does not analyse the criteria for determining which organisations fall in scope of the offence.