The Home Office has published its long-awaited guidance on the offence of failure to prevent fraud. The new law, introduced by the Economic Crime and Corporate Transparency Act 2023, means that to avoid liability when fraud happens, large and medium-sized organisations must be able to demonstrate that they had reasonable fraud prevention procedures in place at the time it was committed. We’ll speak to a corporate crime expert about HR’s role in achieving that.
The corporate crime of failure to prevent fraud will come into force on 1 September 2025 and will place significant obligations on organisations to ensure they have adequate procedures in place to prevent fraud committed by employees, agents, or others associated with their business. Failure to do so could result in criminal liability for the organisation, with penalties including unlimited fines.
The Home Office guidance highlights six key principles for organisations to follow. These include conducting a thorough fraud risk assessment, establishing clear policies and training, and ensuring robust oversight by senior management. Importantly, the law applies on a “strict liability” basis—meaning that a fraud committed by an employee or agent can automatically result in liability unless the organisation can prove it had adequate prevention measures in place.
To comply effectively with the new offence organisations must adopt a top-down approach, ensuring that anti-fraud measures are embedded into their culture and operations. As the guidance makes clear, responsibility for implementing and maintaining these measures lies squarely with senior leadership, including the board of directors and executive management.
So, what responsibility lies at the door of the HR Director and what is the role of the HR team in this area? Earlier I caught up with corporate crime lawyer Neil McInnes and put that question to him:
Neil McInnes: “The guidance, if you word-searched it, you won't find, unfortunately, HR mentioned at all but if you word searched ‘employee’ you'll find many, many examples of employees being relevant to compliance with this legislation and there are other aspects in the guidance which are essential for HR directors to be inputting to. Where there would be a potential fail is if the whole responsibility for implementation of fraud prevention procedures fell on an HR director. That's clearly not the intention of the guidance and if organisations are looking at doing that, that is unlikely to meet the tests of reasonable prevention procedures. It is a multi-disciplinary, multi-function, response needed across an organisation with a critical role for HR directors and chief people officers.”
Joe Glavina: “The guidance makes a big play of risk assessments, Neil. Can you talk me through that?”
Neil McInnes: “So in relation to risk assessment, as an example, it's one of the fundamental principles of compliance with the legislation. The guidance talks about what we call a fraud triangle. So this is looking at the opportunities within an organisation for someone to commit a fraud, their motivations for why they might commit a fraud, and how they might rationalise that and in all of those different parts of that triangle there's an essential role for the knowledge and insight about organisational culture, about different parts of a business that HR directors and their teams will have that should feed into the risk assessment, and we can give some examples of that. So for example, if there has been a lot of churn, or there are outstanding vacancies in one part of the business, that might mean there's less oversight in particular functions which might give an opportunity for fraud to occur more readily. That's an example of the opportunity part of the triangle. If we look at motivation, there might be particular stresses, or financial pressures, in a different part of an organisation, maybe because targets haven't been met, and that could be a risk that leads to a fraud risk. Similarly, in terms of motivation, if reward structures, bonus structures, are weighted in a particular way that incentivises profit at all costs then that could be an opportunity for people to game the system for their own personal benefit, but also having a knock-on effect on the organisation and their customers in a way which could create a corporate criminal liability and a fraud risk. Then rationalisation. If the culture of the organisation, for example, has had some failures in the past about people feeling uncomfortable to speak up about a whole range of issues, not necessarily anything to do with financial crime, then that's an indicator that there could be a risk there, which should be picked up in risk assessment, and HR teams are very well placed to feed in that wide understanding of organisational culture which should inform an effective risk assessment.”
Joe Glavina: “The guidance also places a heavy emphasis on the importance of training which is, of course, usually a key responsibility for HR teams within the business. What type of training is needed under the new offence?”
Neil McInnes: “Well I think, looking at employee training as an example, the sort of specialist training that is needed in response to this piece of legislation is fraud awareness training for different post holders that is suitable for the particular risks that they might be exposed to. I doubt very much that an HR team on their own would be delivering that training. What we're seeing is it's a planned training program that compliance, legal, finance teams, and HR are all thinking about in terms of effective communications of what the organisation's expectations are around a zero-tolerance approach to fraud and making sure people understand what that looks like, what the practical typologies of it are for their industry and their business. That's the training part. So, again, it shouldn’t be falling on an HR director to come up with this programme themselves. That would not meet the expectations of the guidance. In relation to whistleblowing systems, HR teams are regularly involved in the promotion and effective management of whistleblowing. Here it's about, as we've talked about in other compliance areas, making sure whistleblowing reports are adequately triaged so that reports around fraud or theft or dishonesty are looked at with the right people involved in triaging those and that could be legal compliance, HR, all having that discussion, involving internal audit, involving others, every organisation is different. It shouldn't, again, be a sole responsibility for the HR team.”
Joe Glavina: “Now a key question for many of our clients is how do we make this happen within our business? How do we divide up the work and responsibilities? Thoughts on that.”
Neil McInnes: “So if we look at the principle of top-level commitment in the guidance, a fundamental part of that is how senior leaders within an organisation are thinking about how they're resourcing the organisation's response so what a response should not be is piling on more jobs to existing, stretched, compliance, HR, legal, functions. This will require, in many cases, thinking about designation of responsibilities and, potentially, it will need some additional resource in the right places. It's probably the first time we've seen such an articulation in government guidance of this kind of the need to effectively resource. So that means not just more money, it means the right people doing the right jobs with the right reporting lines that are suitably independent, where it's necessary for them to be independent, to make sure this fraud prevention plan, which all organisations need to be thinking about, is meeting the expectations of the guidance.”
Joe Glavina: “So, in a nutshell Neil, what do you want firms to do between now and 1 September 2025?”
Neil McInnes: “The key thing is to get, if you haven't already, if you haven't been part of a group, a working group, within a senior team within an organisation, to think about the organisation's response to this legislation. There is time to do so in the run up to September. A starting point is top level involvement. Move through to your risk assessment work, then think about the other areas that need to be, perhaps, enhanced and making sure that you've worked out what controls you have already on fraud prevention and you've worked out what the gap is between those controls and what you might need after your risk assessment.”
The Home Office guidance on the new offence of ‘failure to prevent fraud’ was published on 6 November. We’ve included a link to it in the transcript of this programme for you.
- Link to Home Office guidance