
The New Failure to Prevent Fraud Offense

Compliance Considerations

Tags: Fraud, Failure to Prevent Fraud, UK

The UK’s highly anticipated Failure to Prevent Fraud offense, introduced under the Economic Crime and Corporate Transparency Act of 2023, went into effect on September 1, 2025. Under this new law, a company can be held liable if an employee, agent, subsidiary, or other “associated person” commits fraud with the intent to benefit the company or its clients. The new offense significantly expands the ways in which large organizations may be prosecuted for certain fraudulent conduct and has set off a cascade of commentary on how to prepare for its effective date.

As far-reaching as the Failure to Prevent Fraud offense is, there are steps companies can take to position themselves to respond to government inquiries from a position of strength. Specifically, organizations may be able to avoid liability by demonstrating that they had “reasonable fraud prevention procedures” in place. Why the emphasis on prevention procedures? Because, as Benjamin Franklin once wrote, “an ounce of prevention is worth a pound of cure.” Stated differently: it's a lot more efficient to put systems in place to prevent a problem than to forgo such systems and have to clean up a big mess later on.


Helpfully for Compliance professionals, the UK’s Home Office published guidance on this new law, which includes six principles that should inform the development of reasonable fraud prevention procedures:

  • Top level commitment
  • Due diligence
  • Communication (including training)
  • Monitoring and review
  • Risk assessment
  • Risk-based prevention procedures

These principles will be familiar to anyone who has been involved with Compliance programs, and large organizations have likely already implemented such principles while building their existing programs. Let’s take a closer look at some of the actions the Home Office recommends.

Top level commitment

Senior management support is essential for any Compliance program to succeed. Championing a culture of ethics and integrity should be a key responsibility of those in the C-Suite, Senior VPs, middle management, and all levels of leadership in between. From a fraud prevention perspective, senior leadership is expected to articulate that fraud is never acceptable, and should actively work to foster a culture dedicated to fraud prevention. As the Home Office guidance explains: “[s]enior management have a leadership role in relation to fraud prevention. The level and nature of their involvement will vary depending on the size and structure of the relevant body.” In general, senior management is expected to bolster fraud prevention programs by taking actions such as:

  • Communicating and endorsing their company’s stance on preventing fraud
  • Ensuring that there is clear governance across the organization with respect to a fraud prevention framework
  • Committing to establishing and maintaining adequate training and resourcing
  • Leading by example to foster an open culture that encourages staff to speak up and raise concerns

Due Diligence

Appropriately tailored due diligence procedures are another bedrock element of a reasonably designed Compliance program. In this case, companies should ensure they are performing due diligence on anyone who performs services for them or on their behalf. Due diligence best practices include:

  • Using sufficiently robust technical tools to screen relevant parties. Vetting solutions that allow for audit trails, centralized storage of vetting results, continuous monitoring, and customizable risk rankings are an example of the type of due diligence that may be expected (depending on an organization’s overall size, complexity, and risk profile).
  • Contracts with agents and other types of “associated persons” can also be reviewed for language that requires compliance with due diligence requests a company may make. Contracts should explicitly state compliance expectations vis-à-vis due diligence obligations, as well as the consequences of non-compliance with those obligations.
  • Due diligence obligations also extend to mergers and acquisitions. Whether a company seeks to merge with or acquire another company, it is expected that the company will conduct meaningful due diligence that is proportionate to the risks the transaction will bring. Such due diligence could include questions about an acquisition target’s Compliance program, anti-fraud measures it has in place, reporting mechanisms for employees to flag potential misconduct, geographic footprint, reliance on third parties, government touchpoints, and government investigations or enforcement actions.

Communications & Training

A well-educated workforce is one of the best protections against misconduct. Training on fraud risks and prevention can be a formidable tool in a Compliance department’s arsenal.

  • Training should be tailored to each organization and the relevant risks it faces. Employees in higher-risk roles should be trained accordingly.
  • Companies should keep detailed and easily accessible records demonstrating which employees receive which training(s), how often employees are trained, training completion rates, etc. In the case of a failure to prevent fraud investigation, the ability to show the government that the company had a reasonable and robust training program in place could be enormously helpful.
  • Trainings should be engaging and appropriately tailored. In my experience, small, in-person trainings tend to elicit the most employee engagement, but there are ways to make virtual trainings dynamic and engaging as well. Incorporating relevant hypothetical scenarios (“it happened here” stories, case studies), using tools to poll the audience, splitting learners into breakout rooms, creating visually appealing and easily legible presentation materials, allowing anonymous question submissions, and testing knowledge through competitive trivia sessions are ways to enliven any training session.
  • Integrating fraud prevention messaging into corporate communications, from the top brass through middle management, is another way to reinforce the message that the company takes its fraud prevention program seriously. Managers do not need to set up standalone meetings to bolster anti-fraud messaging, but can instead work such themes into periodic meetings they have with their teams. Taking five minutes during an all-hands call to reiterate key Compliance messages around fraud prevention would help demonstrate management’s commitment to acting with integrity.
  • The Compliance team should look for opportunities to insert anti-fraud and integrity-related messaging into a variety of channels. Such channels could include employee onboarding communications, periodic newsletters, executive blogs maintained by department heads, group Slack channels, monthly or quarterly all-hands meetings, and in-person summits or events.

Monitoring & Review

The guidance published alongside the Failure to Prevent Fraud offense explains that “monitoring” includes three elements: fraud detection, fraud investigations, and assessing the effectiveness of fraud prevention measures. Some questions companies can ask when assessing the maturity of their fraud monitoring programs include:

  • What processes are in place to detect fraudulent activities?
  • Are there technologies and data analytics solutions that could be used to detect potentially fraudulent activities?
  • Is there a person or a group responsible for overseeing reports of suspected fraud?
  • Are there sufficient reporting channels in place to allow employees to report concerns?
  • Are investigations into alleged fraud conducted independently?
  • Is there a clearly documented process with respect to responding to reports of fraud?

Companies should also periodically review the effectiveness of their fraud detection and prevention procedures. Such review can be accomplished in a variety of ways, including through soliciting internal feedback, engaging an outside third party to conduct the review, and incorporating lessons learned from relevant enforcement actions or prosecutions.

Risk Assessment

Risk assessments are the backbone of any Compliance program: they inform how best to allocate resources, which controls to implement, and what training is needed, and they reveal program gaps. Companies should conduct a risk assessment to identify fraud risks arising from their employees and agents. Examples of steps that can be taken include:

  • A risk assessment specifically focused on the new Failure to Prevent Fraud offense should be conducted to identify potential gaps.
  • Compliance teams can work with other internal functions, such as Risk Management, Finance, and Procurement, to identify potential sources of risk within their organization, and should account for industry fraud risks as well as company-specific ones.
  • High-risk roles, processes, and departments should be identified.
  • Risk assessments should be refreshed periodically; they are not a “one and done” exercise. Risk assessments should be updated to account for, among other things, changes in a given business model, new technologies, expanded geographic footprint, and new regulations.

The Home Office guidance suggests cataloguing the parties that may be deemed “associated persons” and asking the relevant risk owners within a given company to consider the circumstances under which such persons could be tempted to commit fraud. The guidance recommends risk owners consider the three elements of the fraud triangle (opportunity, motivation, and rationalization) to facilitate this exercise. A fraud triangle exercise could start by looking at circumstances such as:

[Section image]

Risk-Based Prevention Procedures

Lastly, after identifying potential sources of fraudulent conduct, companies should ensure that the accompanying prevention procedures are proportionate to the identified risk. The Home Office guidance advises companies to “assess whether their existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment…Where existing mechanisms appear to be insufficient, organisations should develop appropriate measures to prevent fraud.”

Concluding Thoughts

As broad as the new Failure to Prevent Fraud offense may be, the companies within its scope likely already have much of the expected Compliance architecture in place. The new offense and the accompanying guidance should be used to identify gaps in existing programs and to update them accordingly. Compliance professionals can also use the Failure to Prevent Fraud offense as an opportunity to engage leadership and solicit their support for necessary updates or changes. To paraphrase Rahm Emanuel: one should never let a crisis go to waste. Though the advent of a new law is hardly a “crisis,” it can function as a great catalyst to remind company management of the ability of a well-resourced and supported Compliance function to mitigate risk and protect the enterprise.
