The Failure to Prevent Fraud- the New Exposure for Companies, Executives and their Insurers

According to a recent factsheet issued by the UK Government, fraud made up 41% of all crime in the year ending September 2022. It comes as little surprise, therefore, that the Government has announced its intention to tackle the problem and importantly, the solution comes from the inside out. Organisations will be held to account through the introduction of the new corporate criminal offence of “failure to prevent fraud”.

UK Government Fact Sheet

The offence will be introduced through the Economic Crime and Corporate Transparency Bill (the “Bill”) which is currently transitioning through the House of Lords.  The intention, it seems, is to drive a cultural change in attitudes towards fraud by shining a light on an organisation’s own affairs. Organisations will have to look inwardly at their own procedures and establish whether they need to take further action to prevent fraud on the organisation itself or to others.  In that sense, the aim of this legislation is not to prevent “fraud” as we ordinarily know it.  It is broader than banking fraud and online fraud: its aim is to prevent fraud being committed by an employee of an organisation with a view to the organisation itself benefitting.  According to the Government’s press release, this may take the form of dishonest sales practices, false accounting and hiding important information from consumers or investors, all of which are practices the offence intends to tackle.  

In this article, we discuss the key elements of the proposed offence, the potential steps an organisation might take to help prevent fraud (and thereby improve its defence to the offence), what the offence means for insurers and the points they need to start considering  

What is the new corporate offence of failure to prevent fraud and what are the sanctions? 

In general terms, the offence provides that organisations will commit an offence if an “associated person” commits a fraud offence whilst intending to benefit: (a) the organisation; or (b) any person who receives services from the organisation. 

The Government has identified nine underlying fraud and false accounting offences (listed in Schedule 9 of the Bill) which underpin the failure to prevent fraud offence.  These include fraud by false representation, fraud by failing to disclose information, false statements by company directors and fraudulent trading.  Money laundering offences are not included under the new offence on the basis that adequate provision has already been made in the existing regulatory regime. 

If convicted, an organisation can receive an unlimited fine. There will be no limit to the circumstances which a Court can take into account when deciding the appropriate level of fine.   

Which organisations will be affected? 

The offence applies to all large companies and partnerships, but not to individuals. Businesses, large not-for-profit organisations (such as charities) and incorporated public bodies will all be in scope of the offence. 

To qualify as a “large” organisation (as defined under the Companies Act 2006), the body must satisfy at least two out of three of the following criteria in the financial year preceding the year in which the offence is committed: 

1. More than 250 employees; 

2. More than £36 million turnover; and/or 

3. More than £18 million in total assets. 

Small and medium sized businesses will, therefore, not be within the scope of the legislation. However, the Government has warned that this threshold will be kept under review and amended in future if it is needed.  

For the time being, the Government has not considered it necessary to limit the jurisdictional scope of the offence.  It has, however, confirmed that the offence will apply where an employee commits fraud under UK law or targets UK victims, even if the organisation and employee are based overseas. 

Who is an “associated person”? 

An associated person will be anyone who is an employee, agent or subsidiary of the organisation, or anyone who performs services for or on behalf of the organisation.  This could include, therefore, consultants and advisers, whether they are employed by the organisation or not. 

Are there any carve-outs available? 

An organisation will not be criminally liable if it is a victim, or intended victim, of the fraud.  This means that if an employee commits a fraud on its own employer, such that the organisation becomes the victim, the organisation will not have committed the offence. 

An organisation will also have a defence if it can prove that it either had reasonable procedures in place to prevent the fraud, or that it was reasonable not to have such procedures (such as where the risk of fraud is extremely low).  

What might reasonable procedures look like? 

The Government will publish guidance on good practice in due course, which will outline the kinds of reasonable procedures that organisations will be advised to implement to prevent fraud occurring.   It is likely that adherence to such guidance will form the benchmark for determining the reasonableness of the procedures in place.   

One might assume that the Government will mirror the procedural framework that it has laid down for the offences of failure to prevent the facilitation of tax evasion, under the Criminal Finances Act 2017, and failure to prevent bribery, under the Bribery Act 2010 (albeit the latter has the higher threshold of “adequate procedures”).  We can therefore speculate that the Government’s guidance may include the following recommendations:  

• the organisation should develop a fraud prevention programme comprising a policy of zero-tolerance to fraud and detailed policies and procedures for the prevention of fraud; 

• the policies and procedures should be developed following risk assessments to ensure that they adequately cover the risks posed to the organisation.  There should be a procedure for regular risk assessments to ensure that the organisation’s policies continue to protect against the specific risks posed to it; 

• HR policies and practices should be developed with the requirement for mandatory training and clearly-communicated sanctions for violation.  The programme should be incorporated into employee contracts and performance appraisals; 

• there are procedures to ensure the organisation is informed of emerging best practices; and 

• board members and senior executives should have oversight of the programme.   

Businesses will need to reflect on their current fraud prevention procedures and consider whether they need to develop new procedures to meet the statutory guidance, or whether they can adapt or extend their current procedures to meet that standard.   

The initial effort required in the designing of programmes, risk assessments and procedures in order to meet the threshold is likely to be extensive.  Of equal importance, however, will be effective implementation, which will require the support and commitment of HR management and the organisation’s employees.   

What impact will the new offence have on organisations? 

The new offence will ultimately make it easier to convict organisations of failing to prevent fraud. Currently, if prosecutors want to secure a criminal conviction against a corporation, they must prove that the individual involved in the fraud represents the “directing mind and will” of the organisation – this is known as the identification principle. This is very difficult to establish, especially in larger organisations and has led to a low number of corporate convictions. It is interesting to note that the Government does not intend to reform the identification principle, which was an option put forward by the Law Commission and which was included in various proposed amendments to the draft Bill. 

The new offence, however, means that an organisation can be responsible for failing to prevent fraud committed by any employee.  The offence therefore casts a much wider net and large companies, comprising numerous staff with high levels of temptation to conduct fraud, face the increased chance of getting caught. 

However, the Impact Assessment prepared by the Home Office indicates that prosecutions are likely to be limited in number.  The expectation, it appears, is that cases will result in a Deferred Prosecution Agreement (“DPA”) in common with other “failure to prevent” regimes.  Under a DPA, the prosecution of an organisation can be suspended on several conditions. These conditions usually require the organisation to take remedial action and to co-operate with the Serious Fraud Office (“SFO”) in its ongoing investigations, which often concern the executives involved in the wrongdoing. As a result, D&Os may be exposed to subsequent prosecutions (though, so far, the SFO has only secured one conviction against an individual further to a DPA).  

New investigatory powers of the SFO 

The Bill also includes provisions to expand the SFO’s powers to the extent that they will be able to compel organisations to disclose information.  Currently, the SFO can only compel individuals and companies to provide pre-investigation information when the case involves international corruption and bribery. The Bill will grant the SFO powers to compel this information in domestic cases as well, thereby reducing the SFO's reliance on the voluntary provision of information by third parties.  

What will be the impact for Insurers? 

Whilst the Bill goes through the legislative process, there may be further amendments to the scope of the offence and/or the sanctions associated with it.  What is clear though, is that the companies themselves are the conduit for reform.  They will be held accountable for the criminal conduct of their employees, widening the pool of potential culpability.   

Insured entities

Insured entities may therefore seek extended Side C cover under a D&O policy and/or cover under their civil liability insurance in respect of claims for their failure to prevent fraud.  If they do, it is unlikely that it will be challenging to meet the requirement for a wrongful act or omission.  One can foresee situations in which the definition might be fulfilled automatically upon commission of the fraud, given the strict-liability style of the offence.

Looking further at the components of the insuring clause, insurers are faced with a striking irony:  the offence is committed where the organisation benefits from the fraud committed by its associated person, yet that same organisation is entitled to present a claim to insurers for the “Losses” it has sustained by virtue of the fraud.  Whilst this is not in itself prohibitive to cover, it does pose wider public policy questions of whether an organisation should benefit from insurance cover in respect of a prosecution where it has already been found that the company has benefitted from the underlying fraud.  The answer is likely to lie in whether the organisation's conduct was morally reprehensible.  Ordinarily, insurers may look to the conduct exclusion to protect themselves in such circumstances, but the absence of any requirement of dishonesty for the offence to be made out against the organisation means that the conduct exclusion may not be applicable until a final conviction against the entity, or an admission.  It will be important for insurers to review the conduct exclusion with this in mind, in addition to (and not instead of) the fact that the underlying fraud offence requires the perpetrator to have acted dishonestly in the first place.

What is clear though, is that any criminal fines and penalties imposed on an organisation would still be excluded from cover, at least under English law.

As we have discussed above, the SFO will benefit from new investigative powers.  These new powers increase the prospect of investigations into individuals and companies, which in turn may result in more claims for investigation costs and pre-investigation costs.  Insurers will therefore need to be clear on the trigger for these covers and their scope.   

In a similar vein, where a DPA is granted, an organisation may have a continuing duty to co-operate with the SFO, meaning that it may be required to provide evidence for the SFO’s investigation.  The disclosure of such evidence may increase the potential for prosecutions of individuals, which in turn may trigger the advancement of defence costs to those insured persons. 

Individuals

In light of that, one might also expect more civil claims and/or criminal prosecutions to be pursued against senior management or the “associated persons”. Cover may be afforded to individuals, under a civil liability policy or under Side A or B of a D&O policy. Irrespective of the way the claim is presented, Insurers will need to have careful regard to the “Insured Persons” definition to ensure that the appropriate level of cover is afforded to the individual (particularly where the individual is also the “associated person”) and that cover is not afforded to those for whom it was not intended.

Conclusion

Through the introduction of the failure to prevent fraud offence, large organisations look to become  the new stewards of economic and cultural change and they will have to bear greater responsibility as a result.  The new legislation will shift the burden of combatting economic crime onto those entities and they will have to look inwardly at their procedures and processes to ensure that they are reasonable by reference to the incoming government guidelines.  Inevitably, some will slip through the net, so insurers would do well to consider what steps they can take ahead of time to ensure that their policies respond only in the way that is intended.