The UK Failure to Prevent Fraud offence is now live — what is next?

Since the announcement of the FTPF Offence, we have been advising corporates on what this means for their business. Central to this work has been understanding how different business functions within a corporate could be used to commit fraud for the corporates' benefit. Given the much broader scope of fraud offences, when compared to the existing failure to prevent bribery and tax evasion regimes, the exposure has tended to be greater than first expected. 

While many have undertaken a fraud risk assessment and implemented the required policies and procedures, many more have either yet to take this step or remain unaware of their obligations to do so. We set out below the key points to be aware of now that the FTPF Offence is live and what businesses should prioritise to help prevent their associated persons from committing fraud.

For further details on the FTPF Offence and on ECCTA more generally please see our longer reads available here:

1. FTPF Offence
2. ECCTA
3. Fieldfisher ECCTA Webpage

What is the offence?

The FTP fraud offence is a strict liability offence that occurs when a large organisation (1) fails to prevent an employee, agent, subsidiary and / or intermediary who performs services for or on behalf of the organisation from committing a fraud offence and (2) where that fraud is intended to benefit, directly or indirectly, the organisation or its client. Benefiting the company extends beyond profit and includes non-financial benefits, such as an unfair business advantage or causing a competitor to be disadvantaged. 

Who is in scope?

Corporates across sectors, and in both the regulated and non-regulated industries, are subject to the FTPF Offence provided they are a large company, as defined by s.382 of the Companies Act 2006. This means that any company that meets two of the following three criteria, either on its own or from a group perspective, should be taking steps to prepare for the FTPF Offence:

• more than 250 employees;
• more than £36 million turnover; and / or
• more than £18 million in total assets.

In addition, the offence has broad extraterritorial application. This means that large organisations based outside the UK may still need to take note of this new offence. It will be sufficient to establish jurisdiction if any act or omission occurs in the UK or the intended loss or gain was due to take place in the UK.

What defence is available?

The only defence to the FTPF Offence is if, at the time the fraud offence was committed, either:

1. The corporate had in place reasonable prevention procedures, or
2. It was not reasonable in the circumstances to expect the corporate to have any prevention procedures in place.

The burden of proof for this defence is on the corporate, meaning it has to prove that one of the above defences exists rather than the prosecuting agency having to prove that it does not exist. The key task for in-scope entities is therefore to demonstrate that they have reasonable prevention procedures in place in the event a fraud offence is committed for their benefit (or intended benefit).

This exercise is informed by the UK Government's statutory guidance on the FTPF Offence (the "Guidance"), which clarifies the scope and application of the new offence, as well as giving advice on what will constitute reasonable fraud-prevention procedures. In this regard, the following six core principles form the backbone of the corporate defence:

1. 1. 1. Fraud risk assessment, that informs:
      2. Proportionate risk-based prevention procedures;
      3. Due diligence;
      4. Communication (including training);
      5. Monitoring and review; 

each of which is supported by:

1. 1. 6. Top level commitment.

For most organisations, this will not be a 'from scratch' exercise. Once the fraud risk assessment is complete, a controls gap analysis should then identify what existing procedures require augmenting or updating to account for this new corporate criminal risk.

Key risk areas?

Each company will have its own unique exposure to fraud risk, dependent on how it runs its business. However, certain business areas and business practices will pose a higher risk than others and how you resource those risks will need to reflect that.  

We set out below a few of the main risk areas which featured across all of the corporates we have advised on this topic, regardless of business type or sector focus:

• Culture: An overarching factor relevant to all companies, is the culture within the business. Instilling an anti-fraud culture will be one of the strongest weapons available to a corporate. However, achieving this in practice takes significant investment from effective leadership oversight, internal and external messaging through to educating associated persons of the business on how to identify fraud and that managing fraud risk is each of their responsibility.
• Whistleblowing: it is long established that whistleblowers are key in uncovering fraud and wider economic crime issues. An effective whistleblower channel allows a corporate to identify and investigate fraud issues at an early stage. If a corporate's associated persons do not feel empowered to escalate matters internally then the risk of these issues being reported externally rises exponentially. In this regard, external whistleblowing activity has increased in recent months in the lead up to FTPF Offence, with the FCA receiving 315 whistleblowing reports from April to June of this year.
• ESG & Greenwashing: Corporates are already familiar with the litigation risk posed by ESG and greenwashing claims, however, the FTPF Offence will lower the bar significantly for related criminal prosecutions. The Guidance on the statutory defence for the FTPF Offence makes several references to greenwashing offences and UK enforcement agencies have been vocal about the fact that these are priority enforcement areas for them. In this environment, companies must ensure that all statements, particularly those concerning environmental impact or sustainability, can be substantiated. Modern Slavery statements should be revisited, supply chains should be analysed, and supplier term and anti-economic crime clauses should be updated.

What next?

The Serious Fraud Office ("SFO") under Director Nick Ephgrave has made its enforcement intentions clear. The SFO has consistently warned that companies failing to implement reasonable procedures will face severe consequences. Ephgrave is “very, very keen” to prosecute under this law, describing it as a long overdue tool to hold large organisations to account. His message is simple: “come September, if companies haven’t sorted themselves out, we’re coming after them.”

In addition, the SFO and CPS recently published their "Joint SFO-CPS Corporate Prosecution Guidance", which sets out their common approach for prosecuting corporate offending. This guidance underlines the UK prosecuting authorities' focus on the FTPF Offence and the requirement to follow the Guidance (as set out above) if a corporate wishes to avail of the statutory defence to the FTPF Offence.  

In the immediate term, as corporates roll out their anti-fraud compliance programme, their internal investigations function will likely experience a learning curve as they establish what misconduct will give rise to corporate liability and what will amount to individual liability only.   Ensuring a robust internal escalation system exists for instances of fraud, which appropriately records issues faced and how they were addressed, will be essential. 

For corporates caught in the cross hairs of the FTPF Offence, it is worth noting the SFO's guidance on self-reporting from earlier this year states: "If a corporate self-reports promptly to the SFO and co-operates fully we will invite it to negotiate a DPA rather than prosecute unless exceptional circumstances apply." For the right case, a self-report is something that will require early consideration. 

Conclusion

FTPF is no longer theory. The SFO has made clear it is now hunting for early test cases. Whether it is fraud, dishonest sales practices, misleading ESG claims or misstatements buried deep in a supply chain, organisations must be able to demonstrate their reasonable prevention procedures exist and are effective. Those who cannot risk facing the full force of an external investigation which can be catastrophic for a business.

With thanks to Daniel Bishop, Fieldfisher trainee, for his assistance in drafting this article.

The contents of this update are for information purposes only and do not constitute legal advice. If you have any questions regarding the topics discussed in this update, please contact the authors and Fieldfisher's Commercial Crime Team to discuss further.

For regular updates on commercial crime matters, please follow Fieldfisher's Fraud & Commercial Crime Blog.