Failure to prevent fraud

Management

Thomas Cattee at Gherson Solicitors LLP shares his insights into the territorial scope of the offence of Failure to Prevent Fraud, and explains the types of organisation affected and the fraudulent conduct which must be prevented

In 2023, the Economic Crime and Corporate Transparency Act 2023 (ECCTA) was introduced to assist the fight against financial crime in the UK. As part of ECCTA, a new corporate offence of Failure to Prevent Fraud (FtPF) was created, which will come into force on 1 September 2025.

The offence provides that companies will be held legally responsible for the actions of their employees and those acting on their behalf when committing fraud. The “fraud” includes numerous offenses relating to financial misconduct – from fraudulent representations, false accounting and fraud by failing to disclose information. The only defence available will be for the company to show that it had reasonable fraud prevention procedures in place.

One aspect which appears to be causing confusion is the jurisdictional reach of the offence. This article seeks to provide clarity on this important topic.

Corporate liability

The offence applies to all Large Organisations, defined under the ECCTA as those which meet at least two of the following requirements:

Having more than 250 employees
Having more than £36 million in turnover
Having more than £18 million in total assets

The corporate liability extends to fraud committed by an associated person acting in the course of their duties, not in a personal capacity, where the fraud is intended to benefit the organisation. It is sufficient for the organisation to be a beneficiary of the fraud (but importantly not the sole beneficiary) for the offence to apply.

The ECCTA defines associated persons to include any individual or entity acting for or on behalf of the organisation. Practically, this can include agents, employees, subsidiaries, and anyone else providing services for or on behalf of the organisation.

Jurisdiction

The territorial scope of the offence will include Large Organisations which are headquartered or operating overseas, provided that the fraud has a UK nexus. This means the fraud must include an act that occurs in the UK or results in a gain or loss in the UK. It therefore follows that an organisation with only a minimal presence or customer base in the UK could be caught.

For example, if an employee or associated person of an overseas-based organisation commits fraud overseas for the benefit of the organisation, but there is a victim in the UK, the overseas organisation could be prosecuted for a failure to prevent fraud.

In practice, let’s consider a large US-based accounting firm which has a strong client base in the UK. An employee operating out of New York, acting on the firm’s behalf, intentionally manipulates the firm’s financial statements to misrepresent the financial health of the firm. The victims of the fraud are in the UK. Here, the US firm can be prosecuted in the UK for the failure to prevent fraud.

The offence will not apply to UK based organisations whose overseas employees, agents or subsidiaries commit fraud abroad with no UK nexus.

In determining the jurisdictional reach of the act, Large Organisations should consider whether:

There are customers in the UK, which could be the victim of a fraud by the organisation (or those acting on its behalf).
There UK based offices, employees, subsidiaries or associated persons who act for the benefit of the organisation.
There is a vehicle for corporate benefit in the UK (bank accounts etc).

If the above criterion is satisfied, then the organisation should consider further steps to risk assess and implement reasonable fraud prevention procedures under ECCTA, wherever the organisation is located.

Reasonable procedures defence

The only defence available is for the organisations to prove that it had in place reasonable fraud prevention procedures at the time the fraud was committed. Reasonableness will not be a one size fits all, but will depend on of control, proximity and supervision which the organisation was able to leverage over the relevant offender’s actions.

The Guidance To Organisations on the Offence of Failure to Prevent Fraud (Guidance) sets out that the following well-established compliance principles will apply to the assessment of reasonable procedures:

Top-level commitment
Risk assessment
Proportionate risk-based prevention procedures
Due diligence
Communication (including training)
Ongoing monitoring and review

The Guidance states that in some circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk, but it will rarely be considered reasonable not to have conducted a risk assessment. In advance of September, organisation falling within the jurisdiction of the FtPF offence should be focussing on assessing risks and creating a proportionate response.

Thomas Cattee is a partner at Gherson Solicitors LLP

Main image courtesy of iStockPhoto.com and designer491