On 6 November 2024, the UK Government published the much-anticipated guidance on the new corporate offence of failure to prevent fraud (the “Guidance”). The failure to prevent fraud offence forms part of a huge shift in the UK corporate crime landscape and, together with the recent overhaul of the means by which liability for economic criminal conduct is attributed to corporate entities, significantly increases the likelihood of domestic and foreign organisations being successfully prosecuted in the UK.
The new offence holds large organisations criminally liable for fraud committed by associated persons who provide services for or on behalf of the organisation with the intention of benefiting the organisation. It is a defence for the organisation to establish that it had reasonable procedures in place to prevent the fraud.
Liability for failure to prevent fraud can attach to large organisations in the UK and, importantly, those based overseas if an associated person commits a fraud in the UK or targets UK victims. It is therefore essential for large overseas organisations with a UK nexus to engage with the Guidance well before the offence comes into effect on 1 September 2025.
Interpretation of the Failure to Prevent Fraud Offence
- Extraterritorial Reach. The Guidance confirms that the offence applies to large non-UK organisations which have a UK nexus. A UK nexus means either that an essential element of the offence occurred in the UK or, for certain of the underlying fraud offences, that harm is suffered in the UK. A US company could therefore be investigated and prosecuted for the offence if, with the necessary intent, one of its UK-subsidiary employees committed fraud; one of its employees committed fraud in the UK; or one of its US subsidiaries committed fraud against a UK victim. Whilst the technical jurisdictional reach of the offence is very broad, UK law enforcement agencies must still satisfy themselves that the prosecution of a foreign organisation is in the public interest. We don’t anticipate a flood of criminal prosecutions being brought against foreign organisations on the basis of the new offence, but the risk of harm, in terms of time, cost, business disruption and reputation, to foreign organisations becoming caught up, directly or indirectly, in UK criminal investigations focused on the new offence is one which should be taken seriously.
- Associated Persons. An associated person is an employee, agent or subsidiary of the organisation, while acting in that capacity, or a person providing services for or on behalf of the organisation, while providing those services. The Guidance makes clear that the following persons are not associated persons for the purposes of the offence:
  - Persons providing services to, as opposed to for or on behalf of, a relevant organisation. The Guidance seeks to draw a very fine and potentially unworkable distinction in this regard. The Guidance cites external lawyers and accountants as examples of persons providing services to organisations. It is not clear how an external law firm engaged by a client could be said not to be acting on behalf of their client when they are providing legal services to the same client. This distinction, which doesn’t appear in the equivalent guidance to the other UK failure to prevent offences (bribery and facilitating tax evasion), is not merely semantic and could have a significant bearing on the practical application of the offence.
  - Persons providing goods to, rather than services for or on behalf of, the organisation. The Guidance is clear that “services” does not include goods. One important implication is that persons providing goods to an organisation within its supply chain are not associated with the organisation, while persons providing services for it within its supply chain are. This aspect of the Guidance will be welcome given the length and complexity of most global supply chains.
- Intent to Benefit. Organisations will be potentially liable only if the associated person intends to benefit the organisation at the time that the associated person commits the fraud offence, regardless of whether the organisation actually benefits. The Guidance specifies that the intent to benefit element may be made out even if the organisation is required by regulation to reimburse the proceeds of the fraud.
Guidance on Reasonable Fraud Prevention Procedures
The aspects of the Guidance that address what constitutes reasonable fraud prevention procedures are familiar and adopt the framework of six non-prescriptive principles that will be recognised by large organisations which have previously dealt with the failure to prevent bribery and facilitation of tax evasion offences:
- Top level commitment.
- Risk assessment.
- Proportionate risk-based prevention procedures.
- Due diligence.
- Communication (including training).
- Monitoring and review.
In certain important respects, however, the Guidance goes further than it did previously and provides more detail on the practical steps that senior management can take to foster an anti-fraud culture.
- Risk Assessment. Risk assessments are the cornerstone of an organisation’s fraud prevention framework. Whilst recognising their central importance, the Guidance acknowledges that organisations may already undertake risk assessments in relation to other economic crime. Helpfully, the Guidance confirms that these organisations do not need to duplicate existing risk assessments but must adapt them to incorporate fraud risks. To properly assess in-scope fraud risks, the Guidance recommends nominated risk owners within the organisation adopt an approach that is as focused on personnel, behaviours and culture as it is on policies, procedures and controls. The Guidance recommends organisations start by identifying the different categories of associated persons within their corporate ecosystem. Using these categories, organisations may then consider a wide range of circumstances under which associated persons could attempt in-scope fraud, taking into account the three elements of the fraud triangle: opportunity, motive and rationalization.
- Integrated financial crime landscape. The Guidance acknowledges that the failure to prevent fraud offence sits within a landscape of other related and sometimes overlapping domestic and overseas financial crime laws and regulations, and related guidance. In recognition of this, it refers organisations to various other sources on fraud prevention measures, including the UK Corporate Governance Code, and to international standards such as the US Department of Justice’s Evaluation of Corporate Compliance Programs guidance.
- Whistleblowing. The Guidance stresses the importance of organisations having appropriate whistleblowing arrangements in place, including having board-level accountability to oversee the programme. The focus on whistleblowing arrangements will chime with recent statements from the UK Serious Fraud Office and Financial Conduct Authority regarding the importance of whistleblowers in economic crime cases.
ESG – Key Future Risk Area
The Guidance contains scenarios which detail how organisations might be liable for the new offence. Several of the scenarios relate to environmental, social and governance (“ESG”) issues, including with respect to a company whose employee falsifies environmental data, and an investment fund promoting investment in a sustainable company knowing that its environmental credentials are fabricated. The breadth of the in-scope fraud offences means that criminal liability could attach to a wide range of corporate conduct, including nonfinancial reporting such as ESG disclosures and modern slavery statements.
As one example of the potential ESG overlap, the specified fraud offences include the offence of false statements made by company directors. Directors of certain large companies are already legally obliged to publish annual nonfinancial and sustainability information statements, which may include representations as to environmental and other matters. Absent reasonable fraud prevention procedures, therefore, any such statements made by a company director which to their knowledge are materially misleading, false or deceptive would be capable of rendering an in-scope organisation criminally liable for the offence of failure to prevent fraud.
The threat of ESG-related investigation and prosecution is also compounded by the increased risk of private prosecutions being brought against companies by victims of fraud or by activist investors for their failure to prevent fraud.
Next Steps
The new offence comes into force on 1 September 2025, and its impact will be felt not just by those large domestic and foreign organisations directly within scope but also indirectly by small and medium-sized organisations which are likely to fall within the “associated person” definition and will therefore be subject to onerous contractual certification requirements. Whilst doing nothing is not a good option for in-scope organisations, the first and most important step is a well-designed, documented refresh of any existing risk assessment, tailored to accommodate the Guidance.