The one-year anniversary of the entry into force of the corporate criminal offence of failure to prevent fraud (“FTP Fraud Offence”), introduced by the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”), is fast approaching.
This article sets out five key lessons on the scope of the FTP Fraud Offence and the development of reasonable prevention procedures.
“Large organisations” and subsidiaries
It is not just “large organisations” that are “in scope” for the FTP Fraud Offence.
Section 199(2) of ECCTA can bring subsidiaries of large parent companies within scope in their own right.
As set out at page 7 of the Government Guidance (the “Guidance”):
“the subsidiary undertaking of a large organisation, which is not itself a large organisation, can be prosecuted rather than the parent undertaking if an employee of the subsidiary undertaking commits a fraud intending to benefit the subsidiary undertaking, as set out in section 199(2)” (emphasis added).
Territoriality
Overseas companies and parent companies can be prosecuted under the FTP Fraud Offence where there is a nexus to the UK.
An initial, practical test for a foreign parent company to apply can be: “what companies, employees within the Group, and/or associated persons of the Group, are based in the UK”?”
Another important test can be: “what interactions across the Group happen with the UK?”
That will often include asking: “are any Group customers or service users based in the UK?”
Parent undertakings, including those overseas, can be prosecuted for frauds committed by employees of subsidiaries where the fraud was intended to benefit the parent – s.199(8) ECCTA.
Risk assessment
The following practical considerations are important when conducting a fraud risk assessment.
Organisations should understand what “associated persons” they use and for what purposes, with consideration given to those who provide services for or on behalf of an organisation and to staff who work in higher risk roles.
The use of questionnaires sent to and/or discussions with relevant people in an organisation are practical and effective ways of obtaining the necessary information to inform risk assessments.
The FTP Fraud Offence requires organisations to assess ‘externally facing’ fraud risk. That is the risk that one of its associated persons commits fraud intending to benefit the organisation, as opposed to ‘internal’ fraud risk where the organisation is the victim of fraud.
The risk assessment process and the outputs from it must be documented. That audit trail will be vital in demonstrating the reasonableness of an organisation’s fraud prevention procedures.
Existing control framework
The Guidance states that:
“It is not necessary or desirable for organisations to duplicate existing work. Equally, it would not be a suitable defence to state that because the organisation is regulated its compliance processes under existing regulations would automatically qualify as ‘reasonable procedures’ under the Economic Crime and Corporate Transparency Act.”
Doing nothing and relying solely on existing procedures is unlikely to be adequate to create a defence in respect of the FTP Fraud Offence.
Senior Management responsibility
The Guidance places greater emphasis on governance and individual responsibility compared with equivalent guidance for other ‘"failure to prevent’" offences.
Organisations must ensure that there is clear governance in respect of their fraud prevention framework, identifying a member of senior management or a committee responsible for that, with Board oversight where appropriate.
Comment
Nine months on from the FTP Fraud Offence coming into force, now is an appropriate time for organisations to reflect on their approach to the offence.
Should you need any assistance or advice regarding the FTP Fraud Offence or related issues, please do not hesitate to contact us.
