UK Home Office Guidance Failure to Prevent Fraud

UK Home Office Guidance: Failure to Prevent Fraud

6 Min Read

The much-anticipated guidance regarding the new UK corporate offence of Failure to Prevent Fraud (FTPF Offence) was published on 6 November 2024. This FTPF Offence is part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which was granted Royal Assent on 26 October 2023.

The aim of the FTPF Offence is to change the way in which organisations look at fraud and to encourage measures aimed at detecting and preventing fraud in much the same way as the failure to prevent provisions in s.7 of the Bribery Act 2010 changed the way in which businesses looked at Bribery when that Act was introduced

This offence applies across the UK and can have extra-terrestrial reach when there is a “UK nexus” – see below for an explanation of what this means in practice.

Since the FTPF Offence was introduced, one of the main questions was what “reasonable procedures” should look like for fraud prevention. This Guidance outlines some recommended procedures that organisations can put in place to help prevent fraud.

What is the FTPF Offence?

This offence is set out in sections 199 – 206 and schedule 13 of the ECCTA, and applies to large,  incorporated bodies and partnerships across all sectors of the economy,

Organisations will be guilty of an offence if an associated person commits a fraud offence intending to directly or indirectly benefit the organisation or their clients. The definition of associated persons is again similar to that under the Bribery Act 2010.  Associated persons include employees, agents, subsidiaries and others. It does not need to be demonstrated that senior managers or directors ordered or knew about the fraud.

A defence is available where the organisation can prove that they had reasonable prevention procedures in place, or that it would have been unreasonable to have expected prevention procedures to be in place. As mentioned above, businesses had many questions about what “reasonable procedures” might look like.

What are large, incorporated bodies and partnerships?

“Incorporated bodies” include organisations incorporated or formed by any means, including but not limited to the Companies Act 2006, Royal Charter, and the Limited Liability Partnerships Act 2000. The offence also applies to partnerships which are not bodies corporate, including Scottish Partnerships and Limited Partnerships formed under the Limited Partnerships Act 1907. As detailed below, this offence can also apply to incorporated bodies and partnerships outside of the UK in certain circumstances.

“Large organisations” meet at least two out of the below three criteria, which apply to the whole organisation including subsidiaries:

  • More than 250 employees.
  • More than £36 million in turnover.
  • More than £18 million in total assets.

What does the Guidance say about reasonable fraud prevention procedures??

The Guidance provides more details regarding the meaning of “intending to benefit”, territoriality, and enforcement. However, a significant portion of this Guidance address reasonable fraud prevention procedures. In essence, the Guidance recommends that an organisation’s fraud prevention frameworks be informed by 6 flexible and outcome focused principles:

  1. Top level commitment from those charged with the governance of the organisation.
  2. Risk assessment that is dynamic, documented, and regularly reviewed. Consider factors such as opportunities to commit fraud, systems that could incentivise fraud, and whether a culture might quietly tolerate fraud.
  3. Proportionate risk-based prevention procedures which are effectively implemented and enforced.
  4. Due diligence regarding people who perform or will perform services for or on behalf of the organisation.
  5. Communication and training to ensure that the prevention policies and procedures are embedded and understood throughout the organisation.
  6. Monitoring and review.

Again there are significant similarities here with the guidance issued to accompany the Bribery Act 2010 and it should be relatively simple for most businesses to be able to extend those principles to also deal with the new FTPF Offence.

Who has written the guidance?

The guidance has been written by the UK Home Office.  It says it has been developed with input from the Crown Prosecution Service (CPS), Serious Fraud Office (SFO), HM Treasury, HMRC, Ministry of Justice, Cabinet Office, Attorney General’s Office and Financial Conduct Authority (FCA). 

Are non-UK businesses in scope?

Possibly.  Again the extra-territorial provisions are similar to the Bribery Act 2010.  Firstly if an employee or associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted.

If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based.

But the guidance says “The offence will only apply where the associated person commits a base fraud offence under the law of part of the UK. This requires a UK nexus. By UK nexus, we mean that one of the acts which was part of the underlying fraud took place in the UK, or that that the gain or loss occurred in the UK…The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus. This would be a matter for law enforcement in the country concerned.”  

It is also important to remember that a subsidiary undertaking of a large organisation is an associated person for the purposes of the new offence. This means that it is possible for a parent company to be prosecuted for failure to prevent fraud where the initial fraud offence is committed corporately by a subsidiary and where the beneficiary is the parent organisation, or there is a connection with the parent company’s clients.  Again we have seen cases under the Bribery Act 2010 where parent companies outside the UK have been involved because of the acts of subsidiaries in the UK.

In addition, there are two ways in which frauds committed by the employee of a subsidiary may be in scope:

  1. if an employee of a subsidiary of a large organisation (where that subsidiary is not itself a large organisation) commits a fraud that is intended to benefit the subsidiary, the subsidiary may be prosecuted
  2. if the employee of a subsidiary of a parent company that is a large organisation commits a fraud that is intended to benefit the parent company, that parent company may be prosecuted

What are the next steps?

According to the Guidance itself, this offence will come into effect 9 months after publication of the Guidance, which would be 6 August 2025. The Home Office website currently states that it will come into force on 1 September 2025. This date will likely be clarified shortly.

The clock has started, and as a result businesses will want to take a look at their own fraud prevention policies and procedures.

For more information please contact Jonathan Armstrong, Partner.

The full guidance can be found at Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud.

Jonathan Armstrong Lawyer

Jonathan Armstrong

Partner

Jonathan is an experienced lawyer based in London with a concentration on compliance & technology.  He is also a Professor at Fordham Law School teaching a new post-graduate course on international compliance.

Jonathan’s professional practice includes advising multinational companies on risk and compliance across Europe.  Jonathan gives legal and compliance advice to household name corporations on:

  • Prevention (e.g. putting in place policies and procedures);
  • Training (including state of the art video learning); and
  • Cure (such as internal investigations and dealing with regulatory authorities).

Jonathan has handled legal matters in more than 60 countries covering a wide range of compliance issues.  He made one of the first GDPR data breach reports on behalf of a lawyer who had compromised sensitive personal data and he has been particularly active in advising clients on their response to GDPR.  He has conducted a wide range of investigations of various shapes and sizes (some as a result of whistleblowers), worked on data breaches (including major ransomware attacks), a request to appear before a UK Parliamentary enquiry, UK Bribery Act 2010, slavery, ESG & supply chain issues, helped businesses move sales online or enter new markets and managed ethics & compliance code implementation.  Clients include Fortune 250 organisations & household names in manufacturing, technology, healthcare, luxury goods, automotive, construction & financial services.  Jonathan is also regarded as an acknowledged expert in AI and he currently serves on the New York State Bar Association’s AI Task Force looking at the impact of AI on law and regulation.  Jonathan also sits on the Law Society AI Group.

Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”.  He is a frequent broadcaster for the BBC and appeared on BBC News 24 as the studio guest on the Walport Review.  He is also a regular contributor to the Everything Compliance & Life with GDPR podcasts.  In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing.  He has spoken at conferences in the US, Japan, Canada, China, Brazil, Singapore, Vietnam, Mexico, the Middle East & across Europe.

Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology and risk and governance matters for more than 25 years.  He is regarded as a leading expert in compliance matters.  Jonathan has been selected as one of the Thomson Reuters stand-out lawyers for 2024 – an honour bestowed on him every year since the survey began.  In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK.  In 2016 Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica.  In 2019 Jonathan was the recipient of a Security Serious Unsung Heroes Award for his work in Information Security.  Jonathan is listed as a Super Lawyer and has been listed in Legal Experts from 2002 to date. 

Jonathan is the former trustee of a children’s music charity and the longstanding Co-Chair of the New York State Bar Association’s Rapid Response Taskforce which has led the response to world events in a number of countries including Afghanistan, France, Pakistan, Poland & Ukraine.

Some of Jonathan’s recent projects (including projects he worked on prior to joining Punter Southall) are:

  • Helping a global healthcare organisation with its data strategy.  The work included data breach similuations and assessments for its global response team.
  • Helping a leading tech hardware, software and services business on its data protection strategy.
  • Leading an AI risk awareness session with one of the world’s largest tech businesses.
  • Looking at AI and connected vehicle related risk with a major vehicle manufacturer.
  • Helping a leading global fashion brand with compliance issues for their European operations.
  • Helping a global energy company on their compliance issues in Europe including dealing with a number of data security issues.
  • Working with one of the world’s largest chemical companies on their data protection program. The work involved managing a global program of audit, risk reduction and training to improve global-privacy, data-protection and data-security compliance.
  • Advising a French multinational on the launch of a new technology offering in 37 countries and coordinating the local advice in each.
  • Advising a well-known retailer on product safety and reputation issues.
  • Advising an international energy company in implementing whistleblower helplines across Europe.
  • Advising a number of Fortune 100 corporations on strategies and programs to comply with the UK Bribery Act 2010.
  • Advising of Financial Services Business on their cyber security strategy.  This included preparing a data breach plan and assistance in connection with a data breach response simulation.
  • Advising a U.S.-based engineering company on its entry into the United Kingdom, including compliance issues across the enterprise. Areas covered in our representation include structure, health and safety, employment, immigration and contract templates.
  • Assisting an industry body on submissions to the European Commission (the executive function of the EU) and UK government on next-generation technology laws. Jonathan’s submissions included detailed analysis of existing law and proposals on data privacy, cookies, behavioural advertising, information security, cloud computing, e-commerce, distance selling and social media.
  • Helping a leading pharmaceutical company formulate its social media strategy.
  • Served as counsel to a UK listed retailer and fashion group, in its acquisition of one of the world’s leading lingerie retailers.
  • Advising a leading U.S. retailer on its proposed entry into Europe, including advice on likely issues in eight countries.
  • Working with a leading UK retailer on its proposed expansion into the United States, including advice on online selling, advertising strategy and marketing.
  • Dealing with data export issues with respect to ediscovery in ongoing court and arbitration proceedings.
  • Advising a dual-listed entity on an FCPA investigation in Europe.
  • Acting for a U.S.-listed pharmaceutical company in connection with a fraud investigation of its Europe subsidiaries.
  • Acting for a well-known sporting-goods manufacturer on setting up its mobile commerce offerings in Europe.
  • Comprehensive data protection/privacy projects for a number of significant U.S. corporations, including advice on Safe Harbor Privacy Shield and DPF.
  • Risk analysis for an innovative software application.
  • Assisting a major U.S. corporation on its response to one of the first reported data breaches.
  • Work on the launch of an innovative new online game for an established board game manufacturer in more than 15 countries.
  • Advice on the setting up of Peoplesoft and other online HR programs in Europe, including data protection and Works Council issues.
  • Advising a leading fashion retailer in its blogging strategy.
  • Advising one of the world’s largest media companies on its data-retention strategy.
  • Advising a multinational software company on the marketing, development and positioning of its products in Europe.

Related Insights