7 min read

Our previous blog on this topic (found here: Fraud: ‘failure to prevent fraud' offence - KPMG UK) set out the background to the new ‘failure to prevent fraud’ offence contained in the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”). As a one-line recap, this is where an organisation can be prosecuted under the ECCTA (potentially resulting in a fine) if a fraud is committed by an associated person, for the organisation’s benefit, and the organisation did not have ‘reasonable procedures’ in place to prevent the fraud.

Government guidance supporting the ‘failure to prevent fraud’ offence

The Government has now published the guidance to sit alongside this legislation (found here: New failure to prevent fraud guidance published - GOV.UK). The six principles behind the ‘reasonable procedures’ that provide an organisation with a defence to prosecution are now confirmed as:

  • Top level commitment;
  • Risk assessment;
  • Proportionate risk-based fraud prevention procedures;
  • Due diligence;
  • Communication (including training); and
  • Monitoring and review.
Damien Margetson blog posts
Damien Margetson
Director in Forensic
KPMG in the UK
Profile | | Phone

The above principles don’t bring much surprise given we were expecting to see a lot of similarities with the two other ‘failure to prevent’ offences regarding bribery and the facilitation of tax evasion. However, there are slight nuances around the precise wording and order of the procedures. In particular, does ‘Top level commitment’ moving to the very top of the list signify that they consider the effectiveness of all other procedures stems from this?

The full guidance document is a must-read. Our 5 key takeaways are set out below.

‘Benefit’ can be financial or non-financial

We tend to see organisations placing a greater focus on frauds where they are the victim, such as misappropriation of assets by employees or external criminals. While it is undoubtedly important to recognise and seek to address these risks, the ECCTA is not concerned with this type of fraud. It is frauds where the organisation benefits that are in scope. These are wide-ranging and include, as examples, false accounting, false statements and fraudulent trading. In our experience, consideration of the types of fraud where the organisation itself benefits rarely extend past the Finance department (and the numbers in the financial statements) or are not considered at all.

But what about all of the other information that could be misreported to provide a benefit? ESG is an obvious place to consider here with pressure from investors, other stakeholders, society and even bold commitments from organisations themselves that they don’t want to be seen to backtrack on.

And what about other departments? Think of a sales agent making a misleading claim about the organisation’s products/services while seeking to win more sales, or even making false statements about a competitor with the intention to disadvantage them.

It is this breadth that has the real potential to catch an organisation out. Suddenly it is less about the Finance department and the numbers and more about everyone and everything in the organisation.

Benefit can be inferred

Complexity is added because benefitting the organisation does not always have to be the motivation behind the associated person committing the fraud. An example drawn upon in the guidance is where a salesperson working on commission mis-sells to increase their own commission. With the money going into their own pocket, this would typically be thought of as misappropriation. However, this fraud also increases the organisation’s sales and, critically, the intention to benefit the organisation can be inferred in this instance. Even though this was not the associated person’s sole, or primary, motivation for committing the fraud, the organisation may still be in breach of the ECCTA.

And another layer of complication? Frauds by an associated person that benefit an organisation’s clients are also caught by the Act, with the inference of benefit to the ultimate organisation (presumably because – why else would you do it?).

Risk assessment is only one of the principles

Given the breadth of frauds in scope of the ECCTA, carrying out a thorough risk assessment is incredibly important, there’s no doubt about that. If an organisation doesn’t properly understand its fraud risks (financial or otherwise) then it is ill-equipped to deal with them. But the ‘reasonable procedures’ defence is so much more than a risk assessment.

After all, the impact of the risk assessment lessens if, for example, controls are circumvented because culturally employees think it’s ok to do so. Expected behaviours need to be communicated but can only truly be embedded via top level commitment. In other words, it’s not enough to just state that the organisation has a zero-tolerance approach to fraud, there has to be genuine action from those at the top help the organisation to live and breathe it at the various levels. Monitoring is also crucial to ensure that the processes actually work.

Think of the ‘reasonable procedures’ like a jigsaw puzzle – all of the pieces need to fit together to increase the likelihood of a successful defence.

Document the decisions made and revisit them

The guidance is clear that “the fraud prevention plan should be proportionate to the risk and the potential impact.” The principles are not prescriptive as it is recognised that what is appropriate for one organisation may not work for the next. A common theme in the guidance, however, is that decisions should be documented. For example, there may be instances where it is appropriate for an organisation to take no, or limited, action with regards to a certain risk but the message is that there should be clear rationale behind this which should be captured in writing.

It’s also important to remember that an organisation’s “response” to this legislation is not something to be done once and then neatly filed away. Risks evolve and circumstances change, whether driven by internal developments or the wider economic environment. It is clear from the guidance that a frequency of review is expected to ensure that the ‘reasonable procedures’ evolve with the organisation.

The extent of overseas impact is not clear cut

The guidance says “The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus”. It goes on to explain “By UK nexus, we mean that one of the acts which was part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK”.

For a UK group with overseas subsidiaries, it is difficult to see how a fraud that benefits the overseas company does not ultimately flow back to provide a gain in the UK too. It seems that the kind of fraud committed may be particularly important here in determining whether or not the UK company could be found wanting. Practical application of the rules will become more apparent as prosecutions occur but it may be advisable for organisations to err on the side of caution with actions taken to improve fraud risk management around the Group and not just in the UK.

What can an organisation do now to respond to the legislation?

First and foremost, organisations should be concerned about having ‘reasonable procedures’ in place not simply to provide a defence to a potential prosecution, but to actually protect the organisation from fraud in the first place. You’ve heard the saying that prevention is better than cure – this would be a great example of that in practice.

Unfortunately, when things do go wrong, we commonly see that organisations have not committed the resources to ensuring that a robust fraud risk management framework is in place. It is worth remembering that the cost of getting it “right” could be a fraction of what an organisation may have to pay out should they be successfully prosecuted under this Act. It’s also important to note that, even though the legislation isn’t concerned about frauds where the organisation is the victim, taking steps to improve the fraud risk management framework off the back of this legislation will provide support across the piece, because we can say without doubt that every organisation experiences misappropriation frauds on some level. Although there are different angles of fraud, the way that an organisation ultimately tries to protect itself is really the same.

Organisations should now find themselves in a key window of activity as there is a 9-month implementation period written into the guidance to allow organisations time to respond and ensure that they have ‘reasonable procedures’ in place that are proportionate for their circumstances. There is no “one size fits all” answer. The guidance is clear that an organisation should have governance over its fraud prevention framework, so formally designating responsibility to an appropriate individual is likely to be a critical step in ensuring that someone is accountable for driving action, reducing the risk of this topic falling down the agenda and exposing the organisation to potentially significant risk.

With the 9-month implementation period ending on 1 September 2025, take action now to avoid being left on the starting blocks now that the clock has begun ticking.

Contacts

Damien Margetson
Forensic Director
KPMG in the UK
Email: damien.margetson@kpmg.co.uk

Kate Newton
Legal Senior Manager
KPMG in the UK
Email: Kate.Newton@kpmg.co.uk

Annie Hewitt
Forensic Senior Manager
KPMG in the UK
Email: annabel.hewitt@kpmg.co.uk

Related Insights

Forensic consulting - Woman working on tab
Forensic consulting

Helping, prevent, detect and respond to fraud and misconduct.

woman working on a laptop
Fraud: what does the forthcoming ‘failure to prevent fraud’ offence mean for your organisation?

Fraud is a serious problem in the UK

Financial Crime - Man with bag climbing stairs purple background
Financial crime

Using technology, data and analytics to prevent financial crime.