
An in-house lawyers’ guide to the new ‘Failure to Prevent Fraud’ (FTPF) Offence
24 February 2025

The Home Office has now published its government guidance on the corporate offence of failure to prevent fraud (the “FTPF Offence”), which was introduced in the Economic Crime and Corporate Transparency Act 2023.
The new offence will come into force on 1 September 2025, giving companies a longer period to prepare than had been expected.
Adam Finch, Partner, Head of Commercial Disputes at HCR Law, takes us through what in-house legal teams need to be aware of and how to mitigate fraud within their organisations.
What is the corporate offence of failure to prevent fraud (the “FTPF Offence”)?
An organisation will be liable for the FTPF Offence where a specified fraud offence is committed by an associated person, for the organisation’s direct or indirect benefit, and the organisation did not have reasonable procedures in place to prevent fraud.
The definition of associated person is broad; it encompasses employees, third parties, employees of a subsidiary of the organisation, or any other person who otherwise performs services for or on behalf of the organisation.
The FTPF Offence is a “strict liability offence”, meaning there is no requirement for evidence that the organisation’s directors instigated, instructed, or were aware of the fraudulent offence for an organisation to be liable.
To commit a specified fraud offence, the associated person must commit one or more of the following offences:
- Fraud (Section 1 Fraud Act 2006)
- Fraud by False Representation (Section 2 Fraud Act 2006)
- Fraud by failing to disclose information (Section 3 Fraud Act 2006)
- Fraud by abuse of position (Section 4 Fraud Act 2006)
- Participating in fraudulent business (Section 9 Fraud Act 2006)
- Obtaining Services Dishonestly (Section 11 Fraud Act 2006)
- False statements by company directors (Section 19 Theft Act 1968)
- False accounting (Section 17 Theft Act 1968)
- Fraudulent trading (Section 993 Companies Act 2006)
- Cheating public revenue (common law).
If convicted of the FTPF Offence, an organisation receives an unlimited fine.
Who does it apply to and what are the main points the guidance covers?
The FTPF Offence will only apply to ‘large organisations’ that meet two or more of the following criteria:
- They have over 250 employees
- Their annual turnover exceeds £36m
- They hold assets worth over £18m.
This includes all large bodies, corporates, subsidiaries and partnerships, and any large not-for-profit organisations including charities.
It is important to note that if your organisation is part of a wider group of companies and the resources held cumulatively by the parent and subsidiaries meet this threshold, the group must ensure they are all compliant. If not, the individual entity within the group responsible for failing to prevent fraud would be liable for the FTPF Offence, but liability could also be attached to the parent company if it were to benefit from the fraud – directly or indirectly – and did not take reasonable steps to prevent it.
The guidance focuses on six key principles:
- Top-level commitment
- Fraud risk assessments
- Proportionate risk-based prevention procedures
- Due diligence
- Communication, including training
- Monitoring and review
When is the implementation period and what monitoring and review processes should in-house legal teams put in place within their organisation?
The FTPF Offence implementation period is from now until 1 September 2025, when the FTPF Offence comes into force. Organisations should be mindful that this longer implementation period will be indicative of the level of work the government is expecting organisations to complete in order to ensure compliance with the new guidance.
Within this time, it is important for in-house legal teams to assess the specific fraud risks faced by their organisation, and to consider ways these risks can be mitigated. It will be important for them to work with senior management, stakeholders and their supply chain to ensure a consistent, clear and robust approach to preventing fraud.
It may be possible to adapt some of the organisation’s existing policies and procedures to comply with new guidance, adding in specific reference to fraud prevention measures where appropriate. However, it is likely that this option will only be revealed by conducting the suggested initial fraud-specific risk assessment.
Five key steps organisations can take to mitigate fraud
Informed by the six key principles, here are five key steps all organisations should take to mitigate fraud:
1. Top level – Ensure that the commitment to preventing fraud is consistent throughout your organisation, including employees and third parties, with senior management clearly demonstrating best practice and instilling an anti-fraud culture from the top.
For example, it may be worth setting up an internal fraud prevention team with your in-house legal team working with representatives from senior leadership across the organisation – consider teams such as finance, compliance, and risk management – to ensure a consistent approach and adequate resourcing of efforts to prevent fraud.
2. Mitigate fraud risk – Conduct specific fraud risk assessments relevant to your business. This may include interviewing key staff and stakeholders, reviewing audit papers and whistleblowing records, and taking note of any fraudulent activity occurring in the wider sector. It will also be important to consider whether additional fraud-specific risk assessments will be required in the event of an expansion, or acquisition of a new business area.
If you identify a fraud risk, promptly address this to ensure that residual risk levels are within your organisation’s appetite and control. If it is decided not to mitigate an identified risk, you should clearly document the rationale, and the individual accountable for this decision.
Mitigation will most likely involve the implementation of specific policies and risk-based procedures. It is recommended that organisations prepare a specific fraud prevention plan, detailing the proportionate fraud prevention procedures being implemented in accordance with risks identified in the initial assessment. Ensure these procedures are informed by sector-specific guidance, including case law and regulatory enforcement decisions, and guidance from industry bodies.
3. Due diligence – The broad definition of associated persons means organisations need to broaden their risk management accordingly and build fraud risk detection into any existing due diligence processes.
As organisational fraud can encompass financial statements, non-financial statements – for example misreporting carbon emissions – IP theft and corruption, it is more important than ever for organisations to carefully monitor the employees and third-party agents who may provide data used in their external reporting.
They must also consider the incentives, for example commissions or bonuses, which could motivate third-party agents to commit fraudulent offences for their own benefit too, and ensure contracts clearly define their expectations, and any repercussions, related to fraudulent behaviour.
4. Communicate – Improve awareness of fraud, educate employees on what fraud is, and introduce training on how to identify, report in confidence, and ultimately prevent fraud. This may also involve appointing key people to be accountable for managing fraud risk and allocating them specific responsibilities in the procedure you implement. As mentioned in point one above, the communication around fraud needs to be consistent throughout the organisation, with senior leadership through to juniors demonstrating best practice.
In more high-risk areas, such as finance, sales and ESG teams, bespoke and targeted training should be provided, so that the individuals can identify the signs and prevent fraud more effectively.
5. Monitor and review – The FTPF Offence is new, and so the thresholds and guidance will be subject to change after it is in force.
It will be important for organisations to appoint risk owners responsible for monitoring and reporting on fraud prevention compliance in specific areas. It may also be useful for the organisation to set regular reminders or trigger events, such as acquisitions, for these appointed people to check for any changes in the guidance, and to review and update any relevant policies, procedures and other practices to ensure that they are compliant with the latest requirements.
The regularity of these reminders or triggers, and the necessity of updates, should be proportionate with the risks faced by the organisation and by the specific department in question.
For more information on the New ‘Failure to Prevent Fraud’ Corporate Offence or on general fraud advice within your organisation, please contact Adam Finch, Partner, and Head of Commercial Disputes on: 03301 075 954 or 07772 481 550.