Clarke Willmott’s guide to getting business ready for new regulation on Corporate Offences and Fraud
Fraud is the most commonly recorded category of crime in the UK, amounting to around 40 per cent of all reported crime in England and Wales. Now the regulatory landscape around fraud is changing – and businesses will need to be ready.
The Economic Crime and Corporate Transparency Act 2023 introduces new obligations on the part of companies to combat fraud, including the creation of the criminal offence of “failing to prevent fraud”.
From September 2025, companies could face heavy fines for failing to take steps to reduce the risk of fraud being carried out on their behalf.
November 2024 Guidance and its six principles
Implementation
The Guidance offers advice on the procedures that may be put in place by large organisations to prevent associates of the organisation from committing fraud offences.
There will be a degree of flexibility and the Guidance is “not intended to provide a safe harbour” or to strictly set in stone a set of procedures which all large organisations must follow.
Departures from the suggested procedures will not automatically lead to a conclusion that an organisation lacks reasonable fraud prevention procedures. Equally, strict compliance with the letter of the Guidance will not necessarily amount to having reasonable procedures to prevent fraud.
In practice, organisations will need to consider the potential overlap between the existing regulatory requirements and the new regulatory requirements regarding fraud prevention, with specific fraud prevention measures being woven into existing compliance safeguards and procedures.
Reasonable Prevention Procedures
The Guidance outlines six principles that should inform the fraud prevention framework put in place:
- Top level commitment
- Risk assessment
- Proportionate risk-based prevention procedures
- Due diligence
- Communication (including training)
- Monitoring and review
With the offence of failing to prevent fraud coming into law on 1 September 2025, businesses should consider this Guidance carefully, and act now to reduce associated risk.
We’ll outline each principle along with how each could be achieved:
Top Level Commitment
In our experience, leaders within large organisations recognise they have responsibility for setting business policies and so will be well placed to review and decide on their approach to fraud prevention. What’s important is that they will need to show how this top-level commitment is communicated throughout the organisation. This could be achieved in the following ways:
- Communication:
- Making sure that any statement on behalf of the business rejecting fraud articulates the business benefits of doing so.
- Naming the key individuals or departments involved in fraud prevention procedures.
- Governance:
- Drafting a clear policy establishing who is responsible for design and implementation of fraud prevention policies.
- Establishing a clear chain of reporting between any delegated team and senior managers or the Board.
- Ensuring continuity of responsibility where a key individual leaves the business.
- Commitment to training and resource:
- Ensuring that a reasonable budget is allocated specifically for training.
- Ensuring that a reasonable budget is allocated for staffing and leadership involved in implementing the organisation’s fraud prevention plan.
Risk Assessment
Organisations should assess the nature and extent of any exposure to the risk of employees, agents or associated persons committing fraud. It may be that there is already a range of risk assessments relating to fraud or other economic crime. For example, law firms may already have significant fraud and anti-money laundering risk assessments.
In practice, an organisation must consider the following questions when assessing risks of fraud:
- Opportunity
- Do employees, agents or associates have the opportunity to commit fraud?
- Are risks increased by taking on external contractors or agents, and how can this be managed?
- Are there any areas of the business where associated persons operate with little to no oversight?
- Have there been any previous internal examinations or audits which have identified risks, and if so, have these been addressed?
- Motive
- Does the organisation’s internal reward and recognition system work effectively, or does it incentivise fraud?
- Are there financial pressures on the organisation, such as financial targets, proposed tenders, or upcoming mergers?
- Is there a time-pressure culture which encourages staff to take risks or cut corners with work?
- Rationalisation
- Is the organisation quietly tolerant of fraud? Is whistleblowing encouraged?
- Is fraud common in the organisation’s sector?
It goes without saying that risk assessment is not a static process and that risks are constantly evolving. Organisations should always have in mind the need to review risk assessments on an ongoing basis.
Proportionate
An organisation’s fraud prevention procedures must be proportionate not only to the risks it faces, but also to the scale and complexity of its activities and to the potential impact of the risk.
A fraud prevention plan should be drawn up, with fraud prevention procedures being proportionate to risks identified in any risk assessment. Such procedures should take into account the level of control and supervision which the organisation is able to exercise over a particular person.
It may be reasonable not to respond to a given risk. Any decision not to implement procedures in response to a risk should be documented and reviewed regularly.
An organisation may wish to consider the following when drawing up its fraud prevention procedures:
- Carrying out pre-employment checks on any new starter.
- Reviewing how often employees are trained, particularly those in high-risk roles.
- Reviewing whether any internal or external audits have raised concerns that have not yet been acted on.
- Reviewing procedures with regards to conflicts of interest and regularly reviewing conflicts information.
- Reviewing any existing bonus framework to ensure that it does not act as an incentive to commit fraud.
- Reviewing existing internal disciplinary and reporting procedures and considering whether these need to be tightened up.
- Establishing a mechanism to test fraud prevention measures.
Due Diligence
Due diligence consists not only of monitoring financial agreements such as proposed mergers and contractual arrangements with agents and service providers, but also monitoring of staff wellbeing. Organisations already have a duty under the Health and Safety at Work Act 1974 to safeguard the mental health of their employees and protect against stress, and the Health and Safety Executive is currently two years into a ten-year strategy to improve awareness of mental health management in the workplace.
Communication and Training
It is one thing to draft effective fraud prevention procedures, but another thing entirely to ensure that they are properly implemented and understood by staff. The Guidance stresses the importance not only of clear and regular communication, but regular training to ensure understanding is maintained.
Organisations must ensure that communication is consistent, and ensure that those representing the organisation, or providing services to the organisation, understand not only the risks of fraud but how to report risks. Organisations should consider:
- Training: it is a matter for businesses whether they seek to tailor existing financial crime prevention training, however it is advisable that a review of the quality of existing fraud training should be undertaken in any event. Regular training underpins an effective fraud prevention programme.
- Whistleblowing: creating an open culture that fosters the ability of junior staff to raise concerns will assist in preventing fraud. Any training given to staff members should ensure that staff are familiarised with, or reminded of, the organisation’s whistleblowing processes.
- Learning: organisations may consider whether they internally publicise the outcome of fraud investigations arising out of whistleblowing, as a cautionary tale to other employees and a show of confidence in the whistleblowing system.
Monitoring and Review
As with all risk assessment, fraud detection and prevention procedures are live procedures and are not set in stone. They cannot simply be left once drafted, and must be regularly reviewed and maintained, particularly in the wake of any internal or external investigation or audit, or as risks change. Do your colleagues know and apply what they are supposed to do and not do?
When investigating fraud, the Guidance anticipates that organisations will already have in place procedures concerning the investigation of attempted fraud against the business. These will almost certainly need reviewing following the creation of the new offence.
Going Forward
The Guidance is an advisory document and is not exhaustive.
Existing fraud prevention procedures and financial crime prevention training can and should be reviewed at the earliest opportunity to identify areas for improvement. Organisations should undertake a market review to identify external risk factors, combined with an internal review of potential pinch points within the business. Overseas businesses should assess in which territories work is being undertaken on their behalf, to ensure they do not inadvertently come within scope of the Act.
Organisations should also review their contractual arrangements with third parties such as agents or contractors, as well as their onboarding arrangements for new employees. This will ensure that future agreements are automatically brought into line with the organisation’s beefed up fraud prevention procedures.
Speak to our team
Please contact the firm’s specialist Regulatory team for an initial ‘check in’ call to discuss your organisation’s existing fraud risk prevention measures and how these might evolve to reflect the new corporate duties.