As featured in Accountancy Daily
In April 2023, the UK government announced the “failure to prevent fraud” offence, which will make it easier to hold large organisations criminally liable for fraud committed by their employees, or by agents “for the organisation’s benefit”, whether under UK law or targeting UK victims from overseas.
Compliance and internal audit teams will be familiar with the concept of failure to prevent from the UK Bribery Act. They will know what it means in practice for keeping compliance programmes fit-for-purpose, and being able to defend their policies in front of regulators and courts. Large organisations – the main target of this new fraud offence – undoubtedly have some anti-fraud policies and procedures already in place. What will change is that these organisations will no longer be treated purely as victims of fraud. They must reframe their approach to one that accepts accountability and prevents fraud, which is ultimately the positive shift the new offence aims to implement.
What is “reasonable”?
To avoid liability – and the potential “unlimited fines” currently envisioned for this offence – an organisation will need to prove that when the offence happened, (i) it had reasonable procedures in place to prevent fraud, or (ii) it was not reasonable to expect the organisation to have any prevention procedures in place in all the circumstances.
Home Office guidance on what constitutes reasonable prevention has been promised before the new offence comes into force. For now, the Economic Crime and Transparency Bill simply explains that “prevention procedures” means procedures designed to prevent persons associated with the organisation from committing fraud and “reasonable” means that which is reasonable in all the circumstances.
Decades of experience helping companies and counsel prove reasonable anti-bribery and corruption efforts to regulators have led us to five key preventative elements, which we argue all companies should factor into their preparation against failure to prevent fraud.
- Risk assessments will be key
Risk assessment is bound to be a central element in the Home Office guidance, as it is in the Bribery Act. Existing risk assessments should refocus on identifying the organisation’s exposure to committing fraud, including through its global network of third parties given the scope of the new fraud offence.
Implementing an off-the-shelf anti-fraud programme will not only be a time- and resource-consuming exercise, it might also prove ineffective or create “compliance fatigue” among employees when the programme eventually needs to be revised to better suit your organisation’s risk.
A tailored risk assessment should broadly follow three phases: (i) scoping the target areas and stakeholders of interest, in relation to the list of offences already indicated by the government, (ii) assessing your gross risk and agreeing on key gaps according to impact and likelihood, and (iii) taking remediative action.
For accounting and internal audit teams in particular, it is worth noting the breadth of fraud and false accounting offences that the government aims to include under the failure to prevent offence. Multinational companies with extensive networks of suppliers and distributors will appreciate the challenge of protecting the organisation against liability for a third party’s failure to disclose information or participation in a fraudulent business, for example.
- Financial and accounting controls must be fit for purpose
Once the organisation’s fraud risk exposure has been re-assessed, internal controls against financial and accounting fraud must similarly be reviewed and mapped accordingly. Existing controls designed to protect your organisation from falling victim to fraud will not pass muster as reasonable controls against committing fraud. A comprehensive gap analysis will be required, likely resulting in adaptations or completely new controls.
- Policies and procedures bring clarity of intent and action
Once again leveraging your fraud risk assessment, target gaps in your anti-fraud policy and ensure that it clearly communicates your stance on fraud. An effective anti-fraud policy should (i) clearly define what constitutes fraud and provide examples of fraudulent actions tailored to your organisation’s activity; (ii) state the potential disciplinary and legal consequences of committing fraud; (iii) outline the procedure for handling fraud and fraud suspicions by both the organisation and employees, including stating that all instances of fraud suspicion will be investigated; and (iv) refer to related roles, responsibilities and procedures (e.g. your whistleblowing hotline).
How you roll out your policy also has an impact on its effectiveness. Consider making it a mandatory policy for employees to review, or include attestations or a short quiz as requirements.
- Set the tone from the top and conduct training
Culture and behaviour start at the top. Ensuring that your organisation’s tone from the top and decision-making processes foster an anti-fraud culture will be key for an anti-fraud mindset to cascade throughout the organisation. Simple measures can be adopted by management at all levels to demonstrate your efforts towards preventing fraudulent behaviour. These include internal communications (e.g. organisation-wide meetings, intranet sites, newsletters) to spotlight and reinforce support for fraud prevention initiatives. Management can create opportunities to encourage open communication between employees and team leads, and properly address concerns immediately.
Business functions should work together to identify risk areas according to the organisation’s activities and develop appropriate training materials targeted at the relevant fraud offences.
- Implement ongoing monitoring and reporting
It is key that your internal controls are designed to both prevent fraud and, should they fail, act as early detection controls. Proving reasonable preventative measures will entail demonstrating that your reporting mechanisms can swiftly address and escalate suspected fraud.
For example, you can tailor data analytics solutions to identify suspicious activity that may indicate potential fraud; use thresholds in accordance with your performance targets as a flag for suspicious activity; and maintain an anonymous whistleblowing channel that is actively promoted among employees, monitored by appropriate teams, and leads to all reports being investigated.
For internal audit teams in particular: align your reporting plans with fraud prevention and detection controls, and incorporate testing on relevant areas such as segregation of duties, review and approval processes. Regularly report findings and suggested remediation actions for any identified gaps in the design of your controls. Finally, repeatedly revisit the above five elements, as the foundation of a reasonable fraud prevention programme is acknowledging that key risks will continue to evolve over time.