Clifford Chance

The new offence of failure to prevent fraud will make large organisations criminally liable for failing to prevent fraud unless they can demonstrate that they had reasonable fraud prevention procedures in place.

Here, we consider some practical issues that corporates are facing as they prepare for the new offence to come into force.

Where a corporate group as a whole meets two or more of the 'large organisation' criteria (see right), then every company within the group is subject to the new offence, regardless of the size of the company.

When applying these criteria, the turnover/assets/employees of all companies within the group are considered, regardless of whether the company is incorporated in or does business in the UK.

We have found that the breadth of the offence is not always fully understood. In particular, small UK companies within a large international corporate group can be subject to the new offence. Equally, non-UK companies within a UK corporate group can be caught. 

We are finding that many companies are unsure of the approach to take with non-UK entities within their group.

Whilst non-UK companies can be subject to the new offence, liability will only arise where the company has failed to prevent a UK fraud offence - typically, requiring one of the acts which was part of the fraud to have taken place in the UK, or any gain or loss resulting from that offence to have occurred in the UK.

The key starting point for non-UK companies will therefore be to assess the extent of their UK exposure. For example, whether the company sells to UK customers, or has a UK representative or agent, will be relevant factors in assessing the risk and will inform what fraud prevention procedures (if any) the company should have in place.

Companies will have a defence if they can demonstrate that they had reasonable fraud prevention procedures in place at the time of the wrongdoing (see our practical guide to fraud prevention procedures for corporates here). A key component will be demonstrating that a fraud risk assessment has been conducted to assess the company's exposure to fraud risks and take mitigating actions as a result.

The scope of the risk assessment required for the new fraud offence is significantly wider than companies may be used to in other contexts, for example in relation to bribery-related risks.

Given the breadth of the offence, fraud risk assessments should thoroughly consider all parts of the business, given the many different contexts in which fraud offences may occur.

The new offence criminalises companies for failing to prevent fraud committed by 'associates' of the company, where the fraud is for the benefit of the company or a person to whom the associate provides services on behalf of the company.

The definition of associates automatically includes employees, agents and subsidiary undertakings, and few companies will have difficulties in defining this group of associates. However, it also includes any person performing services for or on behalf of the company, and we have found that companies have found it more challenging to define this category of associates.

It will be important for companies to have a clear view of the third parties that perform services for or on their behalf so that appropriate steps can be taken to mitigate the risk that they pose. Third parties only providing services to the company (for example suppliers) will not be associates; corporates should focus on identifying those acting for or on their behalf. This analysis will ultimately be fact-specific to each third party, but examples might include subcontractors providing services to the company's customers or intermediaries used by companies to source business opportunities.

Once a company has identified its associates it will need to consider how best to mitigate the risk. A wide range of options is available: the key is to ensure that any measures to be taken respond to and are proportionate to the risks identified in the fraud risk assessment.

For example, contractual provisions may be used. For lower risk associates, these could be straightforward, such as requiring the associate to comply with all applicable laws, including relevant fraud legislation; for higher risk associates, more substantive provisions might include requiring the associate to comply with relevant company policies, to give fraud specific representations and warranties, and/or to permit the company access to its business records in order to ensure compliance with its obligations.