Podcast

Preparing for the Failure to Prevent Fraud Offence: Legal 500 Podcast, in Association with Legal Business


This September, the Economic Crime and Corporate Transparency Act (ECCTA) introduces a new corporate criminal offence: failure to prevent fraud.

In this podcast, Emma Young and Tom Townson delve into the origins of the legislation, how it builds on previous offences and the varying levels of industry readiness. They also share key insights from their recent workshop at the Enterprise GC event, where legal leaders discussed the offence’s implications and how best to prepare.

Tune in for practical guidance on dynamic fraud risk assessments, cross-sector collaboration and the proactive steps organisations should take before September 2025—from internal communications to training and stakeholder engagement.


Preparing for the UK's New Failure to Prevent Fraud Offense: A Conversation with Grant Thornton

Ben Wheway: Welcome to Legal 500 podcast in association with Legal Business. I am Ben Wheway and today we are joined by Grant Thornton and we are going to be discussing a major development for UK businesses: the new corporate criminal offense of Failure to Prevent Fraud, which is set to come into force this autumn. As of September this year, organisations are set to face much greater scrutiny over the procedures they have in place to prevent fraud and early this year at the Enterprise GC conference, Grant Thornton hosted a very popular break-out session on this very topic and so today we’re going to continue that conversation.

So, to do that I am joined by Emma Young, Emma’s a director in business risk services, she’s a risk governance and control specialist who leads Grant Thornton's control advisory service line, and she supports clients in getting ready for the Failure to Prevent Fraud Regime and the new UK corporate governance code. Also, with us today is Tom Townson, Tom is a partner and head of Grant Thornton's financial crime team. He has particular experience in advising firms of the impact of new financial crime legislation and how they can prepare to ensure they’re in a good position to withstand external regulatory scrutiny. So welcome Emma and Tom!

Ben: Alright so, to get started let's go back to Enterprise GC at Wembley where you hosted a session on this subject. Can you tell me a little bit about what you covered and what stood out to you from the conversations with in-house lawyers in the room on that day?

Tom Townson: There were lots of industries represented and people engaged well. There were groups of people who had understood that this legislation was coming, and they had obviously done some preparation. There were some that were there to be informed because they knew it was important. And there was a subset of that group that perhaps had left things quite late—they were still looking to be informed but were also concerned about the steps that they should be taking.

We took them through the events and then engaged in some interactive chat with everybody there. There were multiple industries represented: there were people from the financial services industry, people from logistics, people from tech, mostly GCs, although some heads of compliance. But generally, everybody was really engaged and looking to see how they could understand how to comply with the legislation.

Emma Young: And I think also in the room, there were people looking to get some reassurance that others were in the same boat as them. Maybe they were having trouble engaging stakeholders, or maybe they were not quite as far forward in their plans, or maybe September was approaching a bit faster than they had originally envisaged. So, I think there was a bit of mutual comfort-giving in the room just to make sure everybody was sort of on the same page and heading towards the same target and having some of the same challenges.

Ben: So, were there any particular surprises, things that jumped out on the day, any common misconceptions?

Tom Townson: I think on that particular day, as I had said before, there were some people that maybe left it late. There were some people that were in the wrong room—not many of those, but there were some. I think in subsequent meetings that we've had, it's been interesting where some people thought the deadline was the end of September, only to realise that the deadline is the 1st September. If you're running a project and you've left it late and somebody in the room says you've got one month less to achieve what you need to achieve, that can be a little bit of a shock. There aren’t many of those people around, but we did have one of those. I think, as Emma said, there’s a little bit of people wanting to understand where they sit compared to others, and it is not a comfortable place if you go to one of these sessions and feel like you are behind the curve.

There were definitely some people that were there, there’s a group of people that got ahead of the guidance on the basis that there are other similar offenses relating to bribery, corruption and tax evasion and the pattern is very similar. There are some people in that room that had obviously got ahead of it because they knew what was coming. They didn't really need to wait for the specific guidance; they knew the path and could get 80% of the way there before the guidance was even published.

For others, there's a group there that are less confident and wanted to hear from people like ourselves and their peers to understand what they needed to do. They waited for the guidance or even waited beyond the guidance before actually doing anything.

Emma: And just to add to that, probably what surprised me was the real variety in where organisations were, but particularly that a lot of companies hadn't really thought through yet who their associated persons are, who are the people who can trigger and create these situations where these fraudulent offenses could take place.

And I think some of the early thinking hadn't been done. Less so that they were far down with the program, but they hadn't done some of the foundational thinking about getting engagement from senior leadership in the organisation to help set the tone from the top, maybe really understanding what they already have in place, and also thinking about who they're going to need to engage within the projects. It did feel like there was definitely a group who were a little bit back on the curve there and there’s quite a lot of work needed before you can get into delivering a project like this.

Tom: Indeed, for the financial service firms in the room that are heavily regulated, they obviously spot this type of offence coming a mile off, because they’ve got an army of people that are doing horizon scanning, when new legislation changes, they’re all over it. They have policy teams that jump on it, certainly the top ones do, and so everything kicks into gear. Now they might need help from firms like ours and indeed from law firms, they might need help in specific aspects of trying to get compliant or because they need some overspill resource because they need some extra horsepower. And then you have other industries represented there who don’t regard themselves as being very heavily regulated, they are covered by this offence and equivalent offences for bribery and corruption, tax evasion, but they don’t have the infrastructure in their companies that would necessarily lend themselves to getting complied relatively and for them it’s a lot harder. Paradoxically, they leave it later, so they don’t have the support infrastructure, one, and two, they leave it later to create a kind of unfortunate circumstance which, we’re in July now, is a little bit difficult.

Ben: So, let's zoom out a little. Can you talk about the background to this legislation and how we got here?

Tom: We’ll let Emma talk about how we got here. But if we talk about the offence, I think the UK has developed this penchant for corporate-level offenses. The reason for that is really that historically, it has been difficult to prosecute things like bribery and corruption, tax evasion and now fraud at a corporate level. It's very difficult to prove, or historically has been very difficult to prove, a criminal mind for an organisational entity: to be able to prove that criminal behaviour is going on, but also that criminal mind.

That's what created this situation where those responsible for public policy have this animus for offenses that don't require the proving of that criminal mind. Of course, we're in good company because the US likes these types of offenses and they like the extra-territoriality, which is also a feature of this corporate criminal offence.

Back in the day, it was expected that these corporate criminal offenses would be unified in some kind of "failure to prevent financial crime" type offense. I’ve talked about it, others have talked about it, but it didn't materialise. What has materialised is this failure to prevent fraud offense, which has some elements to it which are interesting.

There are nine different underlying fraud offenses whereby if somebody has committed a fraud offense for or on your behalf and you're an organisation covered by this offense, and if there's been a benefit to your organisation and you don't have what Emma will no doubt talk about these "reasonable procedures" as a defence then you're going to be found guilty of this corporate offense if you have these circumstances existing in your firm. And so, it’s definitely worth people’s attention and definitely worth trying to get up to speed with these requirements and the government’s guidance to try and forestall any unfortunate action.

Emma: I think it’s worth stressing that this legislation marks a major change and major shift in how large organisations are held accountable for fraud and yes, it has specific elements and specific ways of looking and considering what those fraud events are that I’m sure we’ll talk about in a little while. But this is in a context of there being a real emphasis in the UK corporate governance sector of there being increasing reform. For a number of years, the government did a consultation, a base consultation, around audit market sector reform. At one point there was an element within that that was going to include a director statement on fraud and how fraud is managed. That's gone away as some of that legislative agenda has changed, but this has come in.

I think to some extent, a lot of organisations haven't done a lot because they were waiting to see what landed. Those who, as Tom said, jumped first and have the infrastructure in place are in a better place. But there has been quite a long trail of this landing. This is one aspect of the ECCTA legislation, it’s not all of it; there are other things within that broader legislation, but in terms of the failure to prevent fraud piece, the guidance that came out in November is pretty clear and pretty prescriptive and is pretty aligned to other "failure to prevent" offenses. Some organisations have taken that and really run with it, and others are maybe just still navigating some of the basics around where it all comes from and what to do.

Ben: How does this compare to existing legislation? What are the key distinctions to be aware of?

Tom: I think Emma alluded to it: the pattern of these offenses is that there has to be an underlying fraud offense committed by somebody, but with this added element that it's for or on behalf of and for the benefit of the organisation concerned. With that comes this corporate criminal liability.

A key component of this particular offense is that you can defend yourself at a corporate level if you can demonstrate that you have what the legislation calls "reasonable procedures." Now in other incarnations of this type of offense related to tax evasion and bribery corruption, the term is either "adequate procedures" or "reasonable procedures"—this one, it's reasonable procedures.

Essentially how that operates is if you can demonstrate that you have those reasonable procedures, you have a defence. That defence is built into this piece of legislation, and that's why it's really important. These six pillars, if we can call them that, set out in the guidance, which help you to understand what reasonable procedures might look like, are where firms should really be going in order to help them understand how they can build something which protects them from legal or regulatory intervention.

Emma: I think just to restate again, as Tom is saying, there are these underlying fraud offences that sit within ECCTA, but really critically what it's putting in place is a corporate criminal liability across the top of these existing fraud offenses. The underlying fraud offenses are still there, but what the ECCTA and the "failure to prevent fraud" legislation has is this layer of corporate criminal liability.

It also broadens, through this "associated persons" concept, who is able to trigger this corporate criminal liability. It opens up the nature of what those fraud offenses can be, because traditionally, the focus of most organisations' fraud risk management frameworks is "what could happen to me", "how could this event happen", "what could happen to us", what could we be a victim of.

And there's this external perspective that comes through when you look at what are the fraudulent offenses that you could benefit from as an organisation, but there could be victims external to the organisation.

Tom: Yes, it’s an interesting thing, isn’t it? Even for financial services firms that have a lot of systems and controls in place, even for them a lot of their focus on fraud is either fraud that they are subject to, or it's around their controls in protecting their customers from being the object of fraud. What this is really about is the firm being able to demonstrate they've got procedures in place to show that they've tried to stop themselves from being the perpetrator of fraud.

And so, even for those entities that are heavily regulated, they're having to think about fraud in the opposite sense, in a way they don’t traditionally think of it.

Ben: One of the themes that came up at the event was collaboration within industries. Are there any specific examples you can point to that are of interest now?

Tom: In the financial services industry, there has been guidance published by UK Finance. There are messages circulating from people at the Investment Association, and that industry obviously already has quite a handle on this type of thing. So, they're very active. As I said earlier, it doesn't necessarily mean they're fully compliant or going to be fully compliant on day one, but it does mean that they talk together. Their kind of baseline level of understanding of what they're going to do as an industry is organised and probably better than industries where there isn't that type of guidance. So, they’re kind of ahead of the game. That doesn’t mean to say there aren’t difficult things for them to cover; I think Emma alluded to the definition of these “associated persons”. So, one of the features of this offense is that the people who can get you into difficulty are people who are acting for or on your behalf. That's not just employees, that can be people who are representing you in some way, shape or form. In the financial services industry, it's heavily intermediated, so answering that question about who is acting for or on your behalf is not a very simple question.

And this is a podcast for Legal 500, people are consulting decent magic circle law firms on those questions, because it really does matter. Where does the buck stop in those heavily intermediated industries? How far down that chain do you have to look? The general guidance that has been published tries to help on that, but there's a limited amount of guidance that you can give when that central guidance is trying to cover so many different industries. So, there are definitely interesting things they can help inform, as the general guidance suggests. Until it’s tested in court on a matter, it’s difficult to be very certain, even for lawyers, about what the situation there is. Who is acting for and on behalf of you for this offence is a question of the circumstances really.

Emma: I can echo that. Certainly where I've been leading and delivering readiness assessments and helping organisations get ready for the offence, there have been some comments that there's been inconsistency about how much engagement peers want to have. I've got one organisation I’m working for in the real estate sector, and they had quite positive engagement within their sector around defining some of the parties that typically operate in that space and how they engage, how you interpret their activities, and who's an associated person.

In other sectors, people have had phones put down and doors shut in their faces because it's deemed there might be an element of some commercial advantage accidentally given away by having a discussion around how they're managing fraud or even how they're defining who some of the associated persons are.

Because I think defining associated persons is sometimes very obvious and sometimes there are discussions and challenges about how you interpret and include that, because it’s a really critical defining piece: the nature of the fraud exposure that you have under this legislation is defined by who you think is able to create these fraud events and to instigate them. So, if you misdefine the associated persons grouping at the beginning, it can send you down a very different direction when you're doing a fraud risk assessment. So, I think that bit is very important, and I do think that I’ve definitely had many organisations saying to me they are in discussions with law firms about shaping how they define who those associated persons are, particularly looking at contractual arrangements in place and what those imply. What’s the precedent that it’s trying to set? And trying to reach some sort of sector-wide interpretation, but it’s an evolving piece and people are at very different stages of the process, and quite how much they are willing to share is difficult, and ultimately, as Tom said, it’s not in effect yet and there isn’t any legal precedent to hold any of this to. So, it’s all still about putting a sensible framework in place with a sensible reasoned discussion and judgment and the basis for how you’ve made definitions captured. All of that will support a reasonable procedures defence in the event that a fraud event takes place and someone comes looking.

Tom: I mean one of those key aspects of reasonable procedures that Emma’s been alluding to is the risk assessment, and we’re both involved in, sometimes in the same sessions or different sessions with different clients in different industries. I was in one the other day where, I mean it’s obvious isn’t it, that not only are you interested in who’s acting for or on your behalf, downstream from you. Obviously sometimes you’re acting for or on the behalf of someone else who is upstream from you. It’s quite interesting how you would treat those people downstream of you is often mirrored by the behaviours of people upstream of you and how they’re treating you. So, when it comes to things like policies and procedures, which are another aspect of the reasonable procedures as talked about in the guidance, how your contractual arrangements are with associated persons is often mirrored by people upstream of you wanting to amend their contracts with you; they’re wanting to cover off this offence and trying to define the rules of the game and how they interact with you and what it is that you’re doing, revisiting the things that you do for them and the guard rails around it, just like you’re trying to do with people who are your associated persons who are downstream of you.

A really interesting discussion. The focus of those sessions, where we generally speaking like to get involved with workshops with people, is where we explain the offences, the underlying fraud offences, things like misrepresentation or misreporting, all these different types of offences, and get people to think about and hypothesise about how their organisations could be used to commit some of these offences, helping to think about how those offences might play out. Misselling, for instance, if you’re in the financial services industry, I know we're talking to people here that are across different industries, it’s really interesting. It’s a very mature process, but also, the sales process in the financial industry is very heavily regulated but it’s not been without its problems. There has been rampant misselling in certain areas across the financial services industry for the last 30 or 40 years, even before there was a properly regulated sale process, and even with the introduction of this offence it is going to create and cause some extra thoughts about how you can put some controls around mitigating against people in the sales cycle committing various different types of fraud, misleading customers, intentionally misleading customers for their own gain, but which in a way, inadvertently or sometimes deliberately, causes a gain for the firm itself.

Ben: One thing you touched on there was risk assessments. Can you talk about how risk assessments should be approached and what best practice looks like?

Emma: When it comes to risk assessments, what is really important is to look at, as an organisation, what your established risk management framework is. Where you've got infrastructure built up and a framework and approach for how you perform risk assessments, this is another area in which you need to do that. So don't reinvent the wheel. If you've already got a framework and approach that works, then use that to start with.

Obviously, when it comes to risk assessment, one of the key aspects, yes absolutely there's an activity that needs to be done now, but we also need to think about how you build a dynamic, sustainable approach. A risk management process—if you do it once, you do it fantastically, put it in a drawer, it will be completely out of date and invalid in short order because the world keeps changing. The environment changes, your interaction with customers, maybe your service lines, your products, everything changes, and that's going to change your risk profile. So, you need to keep updating it.

What needs to be done as one of the pillars of the reasonable procedures defence that sits in the ECCTA guidance is around performing this fraud risk assessment as an exercise initially. There's quite a lot of information in the guidance that's quite sensible in terms of what you would expect to see covered.

It does talk through what you need to do. The key aspect that I think is important is, as we've mentioned already, identifying who the associated persons are, because yes, that's an important concept to understand when you think about the fraud events. But also, it's important to think about who's going to need to be part of the exercise that you do to refresh the fraud risk assessment.

Typically, as we’ve mentioned, we support workshops, and performing workshops is one of the best ways to build risk assessments. And so, you need to make sure you've got the right people in the room or in the rooms during those assessments, who will engage with the process and who speak to the end-to-end operation of some of your core business activities.

So, I think having the right people in the room is key. I think having a standardised approach and framework—developing one if you don't have it, or absolutely leveraging something that you will certainly have in sectors like financial services and other regulated sectors that will have a very well-established process and that could be leveraged.

And then it's about teasing out all of those scenarios under all those offenses where those fraud events can take place. And it’s about thinking and using concepts like the fraud triangle—what's the opportunity, what's the motive, and what's the rationalisation behind those fraudulent acts. Thinking about all of those aspects to really pull out what those fraud risks are.

That's step one. Step two is if we're comfortable that we've got a complete picture, how do we manage these fraud risks. What we often see in these workshops is "we don't have to worry about that because we do all these things and that will never happen, let's move on." Actually, getting people in the mindset to say this is trying to capture your universe of all the frauds you have, not what you're managing, but all the frauds that you have.

Getting that full picture captured and written down is really important because, as with all different types of risk management, you need to manage fraud risk but within the appetite that you have for that particular type of fraud risk. There are different levels of activity, different levels of resources and effort that you might want to deploy to manage particular fraud risks. And others you may choose to accept some aspect of, or you may choose to prioritise in different ways. And I think that’s an important aspect to also think through: getting the right people in the room, capturing all the fraud risks, but then also thinking which of these fraud risks do we want to prioritise the activities against, what do we already do. Capture what those fraud controls look like and then stand back and say are we comfortable with this position. And if you do this exercise with the right people in the right room with a good structured framework to it, then you should end up in a place where you have your fraud risk assessment version one, and then that’s your starting point to build up a process to refresh on a periodic basis.

Tom: Absolutely, and you want, as an organisation, to deploy your resources against the things that are most risky and that are likely to cause you the most damage; as part of that, you’re doing an assessment of probability and impact. As Emma is saying, what you want is to capture in these documents, at the high level, your universe of inherent risk. What we find when people ask for our help is very often they'll say, "We know what these are. These are the things we want you to focus on." Really, in the spirit of the guidance, define your universe first. By all means, if you think that these things are low risk, low probability, low impact, then you've got the ability to say these are things that don't really need any new controls because they're so far-fetched they're not going to actually happen. But you've documented it, and you've come to that decision and you've reasoned it and it's logical.

What you don't really want to do is not do that bit, focus on what you think are the high risk things without documenting it, and then down the line post-September, one of those things that you didn't document then crystallises. Then the exercise hasn’t provided you any kind of cover or assistance, if for no other reason than you can go back to it, revisit it and ask, "How did we assess that incorrectly?" If we addressed it incorrectly, what is now going to be our approach to control?

Deploying that methodology and as Emma was alluding to, making this approach and exercise dynamic—you're not doing this assessment, putting it on the shelf and gathering dust. It's got to be something that lives and breathes.

Emma: Just to add to that, the risk assessment exercise will be the piece that identifies where there are gaps in how you're managing those controls. The sorts of things we're seeing flesh out of the risk assessments we've been doing have been around things like training. What fraud management or anti-fraud training already exists? Do you have something that captures and also takes the new perspectives we've been talking about here with the failure to prevent fraud offense, where maybe the definition of what a fraud is, is not just the traditional definition of an internal fraud, but will also have that external perspective? Do people understand what we mean when we talk about fraud now? What’s the definition of that?

Training often comes out, and it's things around the governance—the governance gap. In some organisations, the fraud investigation activity sits here and some of the controls operate over here and something else is done over here. What this is looking to do is to pull together all the different aspects of your fraud risk management framework so you can look at it in totality.

When you do that, it's flagging up some questions about who's going to own this. If we're going to say these are the key activities that we do to manage these fraud controls and these that we think are our most critical controls, how are we going to get comfort that those controls are operating? If we get comfort that they're operating, who finds that out? Where does it go? What happens to this information? It's pulling together all the pieces.

A lot of what the risk assessments flush out is that there are a lot of individually very well-managed fraud risks, but the totality of the picture of the fraud risk framework is maybe not brought together and as visible in some organisations.

Tom: If you asked somebody to articulate it prior to this activity, a lot of firms would struggle to find, A, somebody who could articulate it. And, B, if you found somebody who was competent to do so, them actually being able to do it in a comprehensive way. If you go through this exercise, there should be somebody at the end of it who's able to do that, and you would have some ongoing governance around it.

I think in these reasonable procedures, of course, we talked about the dynamism of the risk assessment; ultimately, if there are some gaps and there are some actions that come out of these risk assessments that lead you to develop new controls, then we're into the world of testing those controls that have been introduced on an ongoing basis. Some of the work that Emma does commonly is testing those controls on an ongoing basis, as part of the programme of internal audit work. So, this type of offence feeds that activity, as it did with bribery and corruption and as it did with the tax evasion offence.

Emma: In the corporate governance landscape in the UK with the updated corporate governance code and some of the reporting requirements that are going to come in after 2026 around material controls and managing those controls, a lot of organisations have projects stood up around that. They're also thinking about if they're building assurance frameworks around some of the key controls there, some of the key fraud controls captured within there and trying to think about how you bring some of these bits together.

Which is part of why 1st September is approaching quite quickly for lots of organisations because they're trying to navigate how to pull the pieces together. What you don't want is to have parallel lines of activity in the organisation looking at risk here, and some control testing there, and some fraud risks here. How do you pull the picture of that all together?

Those are very live conversations that I've been part of over the last few weeks with organisations—how do we pull the pieces of the story together to ultimately tell us how we're managing risk as an organisation and within that, how we're managing fraud risk as an organisation? It's all part of the same story.

There’s lots to do, there is still time to do it, and the expectation here, and what we find and we’ve talked about, is that a lot of what this is about is pulling together what’s here. When you pull it all together, you will find pieces that could be articulated more clearly or could be advanced. But the majority of what you need to have in place organisations will have; it’s pulling it together to have that one person who can answer the question of how the fraud risk management framework works and what your key controls are, where does it go, how do you know what is happening? You’re going to get a clear answer in one place with this exercise, but you would hope the majority of it is there, because organisations are managing risks.

They are managing, in different ways, exposure to the activities of your partners and your third parties. You’ll have contractual clauses in place like most organisations do. Our suppliers need to adhere to our code of conduct; all of those sorts of things are setting the rules of the game for how people operating for or on your behalf perform. Or if they go out in the world, they have guardrails or protocols about how they do that. A lot of this stuff is here; it’s just pulling the picture together to say are there any gaps within it, and if we’re happy with where we are then fantastic, we’ve just captured a really comprehensive, good story that provides our reasonable procedures defence within our organisation.

Ben: That’s all been very enlightening, thank you very much. Just to wrap up, can you offer your top tips on the key actions you think companies should be doing right now with the day approaching?

Tom: We’re getting calls, particularly in the last couple of weeks, and no doubt this will be a feature running up to September. People are getting more and more worried because they realise they have more to do than perhaps can be done in that timeframe. One of the questions we keep getting asked is, "Is everybody really ready for the offence? How many people that you're speaking to are going to miss that deadline?"

I think it's worth having conversations with your key stakeholders in your organisations. That would be a top tip now. If you feel like you're not going to get everything in place for 1st September—obviously it would be the best situation if you were ready for 1st September—but if you're not, make sure you understand what your exposure is and that the senior people in your organisation who need to know that, know that.

If that is the situation in your organisation, you can make sure you close those gaps as quickly as you can because you don't really want to be the test case for this particular offense. If you can close that exposure down as quickly as possible, I think that would be a good thing for everyone.

Emma: Building from that, one of the pieces that comes up very often is around training and internal communication around this. Nobody needs to tell you that the holiday season is coming up, but if you're going to try to implement communications and training, it does need to start to happen sooner rather than later. Once people are on holiday, it's harder to chase them down to update the training records that you want them to do.

Fundamentally, at this point, it's all about communication upwards to senior stakeholders and out into the business about what you need to do and just keep going with what you already have in train.

Ben: Well, thanks very much, Tom and Emma. I really appreciate you being with us today, it's been a very interesting conversation. Thank you.
