ECCTA: preparing for the new ‘failure to prevent fraud’ offence

The failure to prevent fraud offence was introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) (376 pages / 3.7 MB). The new offence is not yet in force and will only come into force following the publication of official guidance and a subsequent lead-in period allowing organisations time to prepare. The offence will apply to ‘large organisations’. For the purposes of the Act a large organisation is one that meets two of three criteria: turnover is more than £36 million; balance sheet total is greater than £18 million; and it has more than 250 employees.

Under the new offence, an organisation will be liable if one of the economic crimes listed in ECCTA (Schedule 13) – which includes fraud - is committed by an ‘associated person’ with the intention to benefit the organisation or any person to whom the associated person provides services on behalf of the organisation.  For the purposes of the offence, an ‘associated person’ can be an employee, agent or subsidiary of the organisation, or any person who otherwise performs services for or on behalf of the organisation.

There is a defence to the new offence, namely, that the organisation had reasonable procedures in place to prevent fraud. 

The new offence is intended to drive a cultural shift across the corporate world towards better fraud prevention practices tackling the ongoing fraud epidemic in the UK. Experts are urging all in-scope organisations to start preparation now, if they have not already, by carrying out various assessments and analysing any risks or gaps in their current fraud prevention and detection frameworks. 

Current state assessment

Conducting an assessment of the current state of an organisation’s fraud risk management framework is critical ahead of the new offence coming into force. This is different, and in essence a precursor, to conducting a fraud risk assessment. Many organisations will have elements of a framework in place to prevent fraud, but this is often directed towards preventing the organisation being the victim of fraud rather than preventing fraud being committed with the intention of benefitting the organisation, which is what the new offence targets. The current state assessment will help organisations understand the maturity and readiness of their existing fraud risk management framework by affirming what is already in place and establishing whether the requisite ownership and sponsorship exist.

There are a number of questions an organisation should seek to ask to understand what its ‘current state’ actually is, such as what policies, procedures and controls already exist and underpin the existing framework, and what other relevant risk assessments does it have. For instance, any measures in place for the failure to prevent facilitation of tax evasion and failure to prevent bribery offences.

A current state assessment will provide the opportunity for organisations to think about what is meant by ‘fraud’ within the existing framework. For example, fraud within the oil and gas industry may be very different to fraud that can occur in the financial services industry. How the organisation defines fraud will create the foundations for the fraud risk assessment which is the focus of ECCTA. The current state assessment will provide the opportunity for the necessary teams to come together too.  Fraud is a multi-functional topic and finance, compliance, HR and other teams will have a role in developing an effective response.

Fraud risk assessment

Organisations are not expected to start from scratch in implementing reasonable prevention procedures.  Instead, organisations should build on their existing framework, using the measures already in place as a starting point. Organisations should think of the current state assessment and subsequent fraud risk assessment as the building blocks, with the fraud risk assessment providing organisations the opportunity to identify and assess new fraud risks, align current anti-fraud initiatives and identify any potential gaps.

Organisations can then take the opportunity to align various processes that they already have in place, making improvements to these existing measures, and introducing additional controls and processes only where required.

Failure to prevent fraud guidance

While official guidance is likely to be published in the coming months it is not expected to provide an in-depth work programme for organisations to follow.  As such organisations should be assessing now and readying themselves ahead of the official guidance focusing on what is reasonable and proportionate for their organisation.

In identifying risks, organisations will need to have regard to the offences to which the new failure to prevent fraud offence applies, listed in Schedule 13 of ECCTA. The draft official guidance directs organisations to consider the ‘opportunity, motive and means’ that an associated person may have to commit any of the listed economic crimes with the intention to benefit the organisation or someone to whom they provide services on the organisation’s behalf. The draft guidance also makes it clear that having a documented risk assessment will be a key pillar of the reasonable procedures defence.

Due to the breadth of the failure to prevent fraud offence, organisations should take a holistic approach to ensure compliance and proper preparation. A current state assessment to identify the anti-fraud measures not in place, followed by a fraud risk assessment highlighting any additional fraud risk exposure that needs to be considered to ensure organisations are ready and compliant with the obligations of ECCTA’s failure to prevent fraud offence.

Co-written by Rosie Kós and Hanah Bragg of Pinsent Masons.