What financial services firms should know about the new UK 'failure to prevent fraud' corporate criminal offence

A new corporate criminal offence of failure to prevent fraud is contained in the Economic Crime and Corporate Transparency Act 2023.  The new offence should (on paper) make it easier for companies to be criminally prosecuted for fraudulent conduct by associated persons which has benefitted the company, its clients or its customers. 

Financial services firms’ obligations to prevent financial crime include the need to implement reasonable prevention procedures as regards bribery, money laundering and tax evasion. Regulated firms will already have governance and monitoring systems in place, including policies and procedures to detect and prevent fraud. Whilst it is unlikely that the new offence will mean a need for a complete overhaul of all fraud prevention and detection policies and procedures currently in place, it should not be assumed that current measures are sufficiently robust. The only substantive defence to the new offence is the existence of reasonable procedures to prevent fraud, and the new offence will test the adequacy of these controls in terms of internal or third party fraud. 

Heavier political focus – accompanied by a bigger stick – for adequacy of anti-fraud controls 

The government is politically focused on cutting down fraud, with public backing for this objective in the latest March Economic Crime Plan, and the May Fraud Strategy which sets out an overarching goal of fraud reduction by 10%. In line with this objective, the Serious Fraud Office (SFO) and the Financial Conduct Authority (FCA) have both re-committed to cracking down on corporate economic crime. In its recently published 2023 Business Plan, the FCA emphasised its commitment to enhancing fraud prevention measures, with additional supervisory assessments. Slightly further down the track, as part of wider corporate governance and audit reforms, directors of Public Interest Entities (large companies with both 750 or more global employees and an annual turnover of £750 million or more) will be required to make a statement on steps taken to prevent and detect material fraud. This seems like an opportune time then to review current controls. 

Within the penumbra of possible investigations, we would therefore expect to see an increased willingness on the part of authorities to take up investigations where anti-fraud controls in a regulated institution are called into question, particularly on a systemic basis. In practice, such investigations in a financial services context may be likely to be instituted by the FCA – but the involvement of the SFO in a criminal prosecution cannot be ruled out in the more egregious cases, or in circumstances of greater consumer harm. 

The new offence also carries the additional and more unusual risk for financial services firms of aggrieved victims of fraud seeking to bring private prosecutions, as the new offence makes it easier for individuals to seek redress through the criminal courts. 

Risk mapping for the new offence

While firms may consider themselves already well versed in the anti-fraud space, comprehensive risk-mapping and development of reasonable procedures within the institution will be a vital part of preparation for the introduction of the new offence. Further clarity on what policies and procedures will be deemed ‘reasonable’ is expected to be published in further guidance due to issued by the Government (we expect it will follow a similar framework to the guidance issued for the corporate failure to prevent bribery offence). 

For now, there are a number of key areas that financial services firms would do well to bear in mind when conducting risk mapping as potentially within the ambit of the new offence: 

• Environmental, social and governance (ESG): Misrepresentation of ESG-related credentials, also known as ‘greenwashing’, has created concern for how financial services firms are reporting their ESG progress and commitments to investors, with worries that firms often overstate their ESG achievements. 

• Mis-selling: Fraudulent mis-selling by employees, agents and brokers, even in circumstances where the firm’s management was unaware of the conduct of the individual(s) responsible, will fall within the scope of the new offence. This may be particularly relevant for firms in the retail banking and insurance sectors. 

• Rogue trading: Fraudulent rogue trading conducted by an individual which results in a benefit for the company and/or its clients may be caught by the new failure to prevent fraud offence. While trading may be undertaken with the intention of benefitting the perpetrator, a benefit for the perpetrator often also results in a benefit for the company for which they work and/or their clients, and so may be within the scope of the (still to be tested) offence. This may be particularly relevant for regulated firms in the securities and derivatives industry.

• Complaints handling and reporting: Historically, minor or small scale frauds may be captured as part of internal complaints handling or reporting; the approach to such cases, particularly where indicative of systematic issues, may need to be reassessed in light of the new offence.

• Misleading statements by listed issuers: Fraudulent market statements or published financial information by a listed company could trigger the new offence. In certain situations, this would be easier to prosecute than, eg a s89 Financial Services Act 2012 offence as there would be no need for the prosecution to show that the ‘directing mind and will’ of the company was dishonest or reckless. 

What next?

The new offence is not yet in force. Government guidance on 'reasonable procedures' is not expected until Spring 2024. 

In the meantime, companies (including financial services firms) would do well to start the process of examining their own anti-fraud controls, management information and policies and procedures. All eyes will be on the adequacy of controls should there be any enforcement. Those tasked with investigating misconduct at firms should consider what they will need to do as a result of the new offence, such as:

• understanding the jurisdictional nexus of any allegations with the UK, as this will be key to assessing exposure under the new offence – this appears to be very broad indeed with the offence likely to bite if an essential element of the underlying fraud occurs in the UK or some harm is felt in the UK; and 

• understanding the legal test for dishonesty, which is not always straightforward to apply in practice. Investigation interviews will need to be planned and conducted very carefully to avoid eliciting inaccurate evidence on dishonesty and intention. 

This risk mapping and associated assessment of policies and procedures is no light burden for large entities – the Government’s Impact Assessment, when considering set-up costs to business, estimated that the largest organisations would need a core team of five full time personnel, with a project director at 20% capacity. While financial services entities may have a head start from pre-existing regulatory compliance measures, there will still no doubt need to be a significant investment of time and resource to adequately prepare in advance of any implementation date.

With thanks to Anouska Jantzen who helped draft this article.