Many companies are currently considering what steps they need to take in relation to the new UK failure to prevent fraud offence (which is expected to come into force later this year or in early 2025).
By way of recap, a company will be liable for failing to prevent fraud by its associated persons (e.g. employees, subsidiaries and third parties) where the fraud (of a prescribed type) is committed for the benefit of the company or its clients. The only defence for the company will be to have in place reasonable procedures to prevent fraud. More details on the new offence, including the underlying fraud offences covered, are set out in our article here.
In this blog, we set out some practical guidance informed by our work to date supporting clients in various sectors to prepare for the new offence. This is the first of a series of short blogs explaining the steps companies will need to take to put in place "reasonable procedures".
The first step when considering putting in place or enhancing anti-fraud procedures is to conduct a risk assessment, which is the focus of this piece. This helps to ensure anti-fraud policies and procedures are focused on the areas of highest risk for the company. The risk assessment will take some time (and real thought): the Home Office issued an impact assessment (see here) in November 2022 which estimated that risk assessments should take companies between c.100-130 hours to prepare.
Please do not hesitate to email or call us if you have any questions or would like to discuss any of the points raised in this blog, or in relation to the failure to prevent fraud offence more generally.
1. Decide who will conduct (and oversee) the risk assessment and implementation/enhancement of anti-fraud procedures
Ownership: Based on our recent experience, there is often not one function that can on its own conduct the failure to prevent fraud risk assessment, or enhance / implement the requisite procedures to ensure compliance with the new offence (although Legal/Compliance will need to take a central role). This point stems in large part from the complexity arising from the range of fraud risks which may arise and applies regardless of how corporate functions are organised. Many clients have put in place a cross-function working group and are seeking input from a variety of different business units including finance, marketing, sales, legal, ethics/compliance and internal audit (as well as external legal advisers).
Oversight by senior management: We expect that the reasonable procedures guidance will suggest that some level of approval or certification of the risk assessment should be given by senior management or the board. We would recommend that the approach taken in conducting a risk assessment is agreed at a senior level at the outset, with appropriate consideration given to resource allocation, coordination (e.g. via a working group) and reporting.
Jurisdictional scope: As part of the risk assessment, companies will need to consider which parts of their business are covered by the offence (and take particular care over joint ventures, in relation to which there is currently a grey area as to the applicability of the offence). The jurisdictional reach of the offence is in some ways broader than the UK Bribery Act. It will apply to non-UK companies where part of the offence takes place in the UK – such as a meeting or communication in the UK – or where there are victims in the UK, which could include investors or counterparties. It will also apply for certain offences where there is a gain in the UK. This means that whether a company is subject to the offence will vary depending on the specific circumstances in which the fraud takes place. Many multinational companies are therefore conducting risk assessments and enhancing fraud procedures on a global basis.
Level of external input: It is worth thinking upfront about what (if any) external input is required in conducting a risk assessment and where any external resource is best utilised. Whilst most of the knowledge required to conduct the risk assessment will be held internally, many companies will need some external legal support in conducting a risk assessment, particularly in terms of understanding the details of the offences, the jurisdictional scope of the failure to prevent fraud offence, and benchmarking against peer companies.
2. Understand the relevant risk assessments already in place; and what they do and don't cover
Most companies have some kind of risk assessment that covers or touches on fraud (whether as part of a broader business-wide risk assessment or register, as part of a financial crime risk assessment, or a specific fraud risk assessment). In our experience, however, many of these risk assessments do not adequately cover fraud intended to benefit the company or its clients (but instead focus on preventing fraud where the company is a victim). Appreciating this distinction is essential in terms of ensuring the risk assessment is fit for purpose.
3. Get to grips with the underlying offences
It is key that those undertaking the risk assessment and implementing anti-fraud procedures understand the underlying offences in sufficient detail. The offences are complex (much more so than those under the UK Bribery Act). Often the precise conduct covered by the offence is not obvious from the shorthand description set out in the relevant legislation, which complicates any assessment of the associated risks. For example, the underlying criminal offence of false accounting would also include concealing documents made for an accounting purpose (for example withholding a document from auditors). Further, there are a lot of grey areas about where conduct would meet the standard of dishonesty (a defining characteristic of fraud) which need to be thought through.
Given these challenges, many clients have found it useful to break down each offence into its constituent elements and to bring these to life with examples of how each offence can be committed in practice in their sector (and, as set out below, in each different business unit). This would need to cover potential examples in a number of different business units within the company, and so will require input from multiple different people.
4. Consider for each offence how (and where) it could arise in your business
Once the underlying offences are understood, it is then important to assess how they could arise in your business. Companies could be thinking about scenarios in which, for example:
- Employees in the finance team are dishonestly underestimating provisions to improve forecasts for the company;
- Third party distributors dishonestly misrepresent the quality of a product to increase sales for the company; or
- An employee dishonestly includes false references in a statement to the market (or an email sent by a director to shareholders) that certain targets have been hit, to encourage investment or inflate the share price for the company.
This is where having a cross-functional working group can be really beneficial in ensuring that all key risks are captured.
A strategy we have seen work well is having each function lead within the working group have a structured (and documented) discussion within their function (for example sales/marketing, finance, legal) and then feeding back on real-life scenarios which have been identified as risk areas, so that the company can build up one document setting out risk areas for each underlying offence.
It is also helpful to feed in other input, such as reviewing fraud issues raised through speak-up programmes, by internal audit or otherwise in recent years, as well as looking at enforcement action or relevant litigation involving other companies (particularly in the same industry / sector).
5. Assess what policies and procedures are already in place and identify any areas for enhancement
Clearly in order to assess the level of risk, it is important to understand the extent to which existing policies or procedures (whether fraud specific or otherwise) can be adapted or supplemented – and we will come onto this in more detail in our next article. Many companies will already have in place, for example, third party due diligence and monitoring processes related e.g. bribery and corruption, as well as controls around financial reporting and approval of marketing materials.
What many clients have found useful is breaking down for each offence (and the scenarios which have been identified) all relevant controls in place and where there are gaps or enhancements required.
6. Produce a written risk assessment – and agree when it will be reconsidered
Whilst the primary purpose of anti-fraud procedures is, of course, to stop fraud happening in the first place, it is also crucial that a company can defend itself if allegations of fraud are raised and it is facing a criminal investigation. This means the company's procedures, including the risk assessment, need to be documented and subject to periodic review.
To defend procedures effectively requires contemporaneous documentation of the decisions made and steps taken in conducting a risk assessment, to inform the enhancement / implementation of procedures. For example, where an offence arises in an area of a business which was deprioritised in light of the risk assessment, following a risk-based approach it will be important to demonstrate why the specific decision was made at the time to maintain the "reasonable procedures defence".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.