Categories
Life with GDPR

Life With GDPR – Understanding the UK’s Failure to Prevent Fraud

Tom Fox and Jonathan Armstrong, renowned expert in cyber security, co-host the award-winning Life with GDPR. This episode delves into the UK’s Failure to Prevent Fraud guidance.

The podcast spans the initial implications and conflicts these new provisions present, especially in the context of GDPR and compliance with bribery investigations. Jonathan explains the concept of ‘failure to prevent fraud,’ drawing parallels with the 2010 UK Bribery Act, and outlines six key principles organizations must adhere to to demonstrate compliance. Additionally, the episode delves into specific steps compliance professionals should take before the new provisions come into force by July 2025, including gap analysis, policy updating, training, and more.

Key takeaways:

  • Failure to Prevent Bribery and Fraud
  • New Legislation and Its Implications
  • Reasonable Procedures Under the Failure to Prevent Fraud Act
  • Comparing Fraud and Bribery Compliance
  • Steps for Compliance Professionals

Resources:

Connect with Tom Fox

Connect with Jonathan Armstrong

Categories
Blog

Failure to Prevent Fraud: The Guidance

Last week, the much-anticipated Guidance regarding the UK’s new Failure to Prevent Fraud (FTPF) offense was released (the Guidance). This offense, embedded within the Economic Crime and Corporate Transparency Act 2023 (ECCTA), introduces a proactive requirement for organizations to take measurable steps in fraud detection and prevention. Much like the influence of the Bribery Act 2010 on corporate anti-bribery measures, the FTPF aims to reshape how organizations tackle fraud. Compliance professionals need to understand the core elements of this new offense, its global reach, and the practical steps they must implement to establish a robust fraud prevention framework.

Overview of the FTPF Offense

The FTPF offense holds large, incorporated bodies and partnerships liable if an associated person—defined similarly to the Bribery Act as employees, agents, subsidiaries, or other connected individuals—commits fraud to benefit the organization. Unlike some traditional liability structures, there is no need for senior management or directors to have knowledge of the fraud for the offense to apply. Instead, liability rests on the failure of the organization to have reasonable fraud prevention procedures in place.

Under the FTPF guidelines, organizations with over 250 employees, £36 million in turnover, or £18 million in total assets qualify as “large organizations.” This broad reach ensures the inclusion of all significant organizations across various sectors.

What Constitutes “Reasonable Procedures”?

The core of the FTPF offense lies in the expectation that organizations adopt “reasonable prevention procedures” to mitigate fraud risks. In guidance similar to that issued for the Bribery Act, the Home Office has outlined six key principles to inform these procedures. By adopting these principles, organizations can create a robust fraud prevention strategy that may also serve as a defense in the event of an FTPF prosecution. These principles and their applications will sound familiar to the anti-corruption compliance professional.

  1. Top-Level Commitment

The Guidance emphasizes that fraud prevention must start at the top. This principle requires those charged with governance, such as the board and senior executives, to actively promote an anti-fraud culture. Senior leaders should publicly commit to anti-fraud initiatives, participate in training, and regularly communicate the importance of ethical behavior throughout the organization. This sends a powerful message that fraud will not be tolerated and that compliance is a priority.

  1. Dynamic and Documented Risk Assessment

Organizations must conduct regular and dynamic risk assessments. This means continually assessing vulnerabilities to fraud, understanding how systems and structures might incentivize fraudulent behavior, and recognizing any cultural factors that might quietly tolerate fraud. The key is to develop a documented fraud risk assessment process. This should include identifying high-risk areas, reviewing internal controls, and monitoring for red flags that may indicate potential fraud.

  1. Proportionate, Risk-Based Procedures

The Guidance advocates for risk-based and proportionate procedures tailored to an organization’s specific risks and operational context. This principle ensures that prevention measures are realistic and directly address identified risks. Based on your company’s risk assessment findings, you must establish clear, enforceable policies on fraud prevention. For instance, organizations with high fraud risk should consider more robust internal controls, while low-risk entities may implement fewer but targeted controls.

  1. Due Diligence on Third Parties and Staff

Due diligence is a cornerstone of every compliance type, specifically fraud prevention. It requires organizations to scrutinize those performing services on their behalf. By understanding the backgrounds and affiliations of employees, agents, and subsidiaries, organizations can reduce the likelihood of associating with individuals likely to engage in fraud. Your company should implement a structured due diligence process for all new hires, contractors, and third-party partners. This might include background checks, financial reviews, and regular audits of high-risk partners.

  1. Effective Communication and Training

A policy is only effective if understood and practiced throughout the organization. The Guidance emphasizes embedding anti-fraud measures through communication and training. Your company should develop fraud prevention training programs for all employees, focusing on high-risk roles. Ongoing training and communications should reinforce policies, address emerging fraud risks, and equip employees to recognize and report fraud indicators.

  1. Ongoing Monitoring and Continuous Improvement

Finally, the guidance stresses the need for continuous monitoring and review of fraud prevention procedures. This principle ensures that procedures evolve in response to emerging fraud risks, changes in business structure, and lessons learned from incidents.

Your organization should set up regular audits and establish metrics for assessing the effectiveness of fraud prevention measures. Organizations should also review any incidents to identify weaknesses in current controls and revise them accordingly.

Extra-Territorial Reach and the UK Nexus

One of the more complex aspects of the FTPF offense is its extra-territorial scope, reminiscent of the Bribery Act’s reach. Under the FTPF, organizations outside the UK may still be subject to prosecution if fraud committed by an associated person has a UK nexus. This could mean that any part of the fraud, or the resulting gain or loss, has occurred in the UK, even if the organization is headquartered overseas.

Additionally, parent companies may be liable for fraud committed by their subsidiaries if the fraud benefits the parent or involves their clients. This extra-territorial reach ensures that subsidiaries, especially those operating internationally, adhere to the same standards as their parent companies.

Key Steps for Compliance Professionals

The FTPF offense goes into effect on September 1, 2025, giving organizations approximately nine months to prepare. Below is a roadmap to help compliance teams proactively address the requirements:

  1. Evaluate and Revamp Existing Procedures. Review current anti-fraud policies and practices against the Guidance. Identify gaps in due diligence, risk assessment, and top-level commitment.
  2. Conduct a Fraud Risk Assessment. If an organization has not recently performed a comprehensive fraud risk assessment, now is the time. This Fraud Risk Assessment should include all subsidiaries and associated persons, especially if the organization has a UK nexus.
  3. Update Training Programs. Fraud prevention training should be robust, engaging, and frequent. It should cover both general anti-fraud policies and specific red flags relevant to different roles. Training should also encourage employees to report suspected fraud.
  4. Set Up Continuous Monitoring Mechanisms. Implement regular audits and monitoring processes to identify potential fraud risks. Ensure that fraud incidents are analyzed to understand what went wrong and how similar issues can be prevented.
  5. Engage with Leadership. Work closely with leadership to reinforce the tone from the top. Schedule periodic updates to senior management on fraud prevention initiatives and engage them in visible support of anti-fraud efforts.

Lessons from the Bribery Act 2010

The similarity between the FTPF guidance and the Bribery Act 2010’s failure-to-prevent provisions suggests a familiar path for organizations implementing robust anti-bribery frameworks. Those frameworks can provide a strong foundation for meeting FTPF requirements, with adjustments tailored to fraud risks. However, the Bribery Act’s implementation highlighted common challenges, such as ensuring proportionality and maintaining engagement over time. Organizations should leverage lessons learned, balancing robust prevention measures with practical, context-appropriate implementations.

The introduction of the FTPF offense represents a new era for corporate fraud prevention. With its expansive definition of associated persons, extra-territorial reach, and focus on proactive measures, the FTPF compels organizations to be vigilant, proactive, and thorough. Compliance teams should view this offense as an opportunity to strengthen organizational resilience, mitigate fraud risks, and protect stakeholders. By aligning with the six principles in the guidance, organizations can meet regulatory expectations and foster a culture of integrity and trust that supports long-term success.