New fraud offence could lead to uptick in deferred prosecution agreements

Expected impact

Criminalising the failure to prevent fraud will make it easier to attribute criminal fraud liability to firms. The move aims to strengthen government efforts to address an epidemic of fraud plaguing the UK economy. Along with wider changes, the ECCTA's failure-to-prevent-fraud offence has been on enforcement agencies' wish lists for over a decade. Enforcement agencies have backed the effort.

Given the lower bar for corporate criminal fraud enforcement and the numerous ways that fraudulent conduct might arise in a business, it seems inevitable that UK enforcement agencies will conduct more corporate fraud investigations. Indeed, Nick Ephgrave, director of the Serious Fraud Office, has warned the market to "get their house in order or face investigation." He has also repeatedly stated his intention to be the first to prosecute a corporation for this offence. 

In practice, increased enforcement is unlikely to produce a sudden influx of prosecutions. Rather, it appears set to facilitate a rise in deferred prosecution agreements (DPAs).

DPAs are agreements between prosecutors and organisations that suspend prosecutions subject to certain conditions being satisfied. Eight of 12 existing DPAs in the UK relate to the corporate bribery offence, demonstrating their popularity among regulators seeking more efficient investigation, remediation and case closure.

With the growing expectation that corporates uncover wrongdoing sooner through whistle-blowing channels and compliance audits, they will carefully consider what they do with that information. Whether they resolve a matter through internal investigation or by self-reporting misconduct to negotiate a DPA, the threshold at which corporates decide to self-report fraud will be lower. 

The offence

The failure to prevent fraud offence is a strict liability offence that occurs when a "large organisation" fails to prevent an "associated person" from committing a fraud offence and where that fraud is intended to benefit, directly or indirectly, the organisation or its client. Benefiting the company extends beyond profit and includes non-financial benefits, such as an unfair business advantage or causing a competitor to be disadvantaged. 

The restriction of the offence to "large organisations" is a deviation from what observers have come to expect under the failure-to-prevent construct, such as the failure to prevent bribery (Bribery Act 2010) and the failure to prevent tax evasion (Criminal Finances Act 2017), which apply to all organisations regardless of size. While reflecting serious concerns about a disproportionate compliance burden for smaller businesses, this aspect of the legislation is controversial.

When the bill was debated, many questioned why larger companies should be held to a different standard than smaller peers, with an analogy drawn that it was equivalent to excusing short burglars while their taller colleagues were prosecuted.

It remains to be seen whether smaller companies will be included within the scope of the offence in due course. For now, it will only bite "large organisations," which are defined by the Companies Act 2006 as those meeting two or more of the following: a turnover of more than £36 million, a balance sheet total exceeding £18 million and/or more than 250 employees.

Although, on its face, application of the FTPF offence appears restricted, in practice, there will likely be a requirement for smaller corporates to implement prevention measures where they are in the supply chain of large organisations or are otherwise considered an "associated person" of large organisations.

As those familiar with the existing failure-to-prevent offences will know, the term "associated person" has a wide ambit and includes employees, agents, subsidiaries and intermediaries who perform services for or on behalf of the company. There is, therefore, a less obvious indirect effect on smaller companies and one which such companies must be alive to, particularly when entering into contracts with "large organisations."

Large firms will seek to mitigate their risk by insulating themselves from the actions of their associated persons to the fullest degree possible.

The scope of the offence is also expansive, seeking to target core fraud offences, such as fraud by false representation, fraud by failing to disclose information and false accounting. In circumstances where the company does not have to be aware of the fraud to be liable, this will significantly increase the workload for legal and compliance teams to ensure an organisation's risk areas are known and monitored accordingly.

Importantly, the offence will have an extra-territorial effect. While this extraterritoriality is narrower than that of the Bribery Act 2010, it means that where conduct occurs abroad which would constitute fraud under UK law or where it targets UK victims, the company could still be liable. Similarly, where conduct occurs in the UK, but the company is not based in the UK, it could still be held liable. 

The defence?

A complete defence to the new failure to prevent fraud offence is available where an organisation can show: (1) it had reasonable fraud prevention procedures in place to prevent the fraudulent activity; or (2) it was unreasonable to expect it to have such procedures in the first place. 

The guidance on what constitutes reasonable prevention procedures adopts a familiar approach focusing on the following six compliance principles: 

• Top-level commitment
• Risk assessment
• Proportionate, risk-based prevention procedures
• Due diligence
• Communication and training
• Monitoring and review

While these largely mirror the "adequate procedures" under the failure-to-prevent-bribery regime, there is a difference in emphasis and application. The guidance heavily emphasises top-level commitment, showing a clear expectation that senior-level buy-in to tackle fraud is a fundamental requirement. Documenting c-suite discussions on this topic and demonstrating an investment in promoting an open culture will be crucial here. 

Firms can show good compliance by evidencing that their fraud risk assessments properly evaluate the nature and extent of risk that associated persons will commit fraud to befit the firm or its clients. This will be a dynamic assessment, revisited regularly and reviewed when fraud is identified within the business.

The guidance could not be clearer, effectively indicating that while it may be defensible in certain circumstances for a company not to change its compliance procedures in response to the new offence and guidance, it will rarely be defensible not to conduct a fraud risk assessment. 

What's next?

Organisations benefit from a generous implementation period before the FTPF offence goes live. Accordingly, they will have little excuse if their processes fall short of the expectations set by the new guidance.

An updated risk assessment focused on outward fraud ought to be prioritised. It should include an internal review of existing systems and controls to identify weaknesses. Corporates should also take note of sector-specific guidance on the FTPF offence, due to be published in the coming months, which will help tailor their internal procedures.

If you have any questions about any of the themes in this article, or need advice in this area of law, please get in touch with Quinton Newcomb, Natalie Quinlivan or Farheen Ishtiaq-Stansfeld.

This article was first published by Thomson Reuters Regulatory Intelligence.