Tuesday, April 15, 2025

Failure to prevent fraud: how law firms and legal teams can prepare

The Home Office guidance explains that under the failure to prevent fraud offence:

“An organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’, commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place.”

The list of 'base fraud' offences is set out in Schedule 13 of ECCTA.

The offence applies to:

  • all large incorporated bodies, subsidiaries and partnerships
  • large not-for-profit organisations (such as incorporated charities)
  • incorporated public bodies

“Large organisations” must meet at least two of the following criteria:

  • turnover of more than £36 million
  • balance sheet total of more than £18 million
  • more than 250 employees

So, what do law firms and legal teams now have to consider to make sure they comply with ECCTA?

What you need to know

The government’s guidance states that:

  • the benefit of the fraud does not need to be financial
  • the organisation or its clients do not need to receive any actual benefit for the offence to have occurred (the intention is sufficient)
  • the intention to benefit the organisation or its clients does not need to be the sole or dominant motivation for the fraud: it can be a secondary motive
  • senior management does not need to know about the fraud for the organisation to be liable. Previously, corporate liability for fraud would have required evidence of wrongdoing at a senior level

Organisations found liable for this new offence can be subject to an unlimited fine.

An organisation will be liable where an offence has been committed unless it can demonstrate that it had reasonable fraud prevention procedures to prevent such a fraud taking place.

The date for the failure to prevent offence to come into force is fast approaching.

This means there is a short implementation period for affected organisations to review and tailor their fraud prevention procedures to meet the specific needs and risks of their business.

The Home Office guidance details six principles organisations should be guided by when designing and implementing reasonable procedures.

These measures are only compulsory for firms in scope of the offence.

However, you may choose to implement these measures even if your firm does not fall within the definition of a large organisation.

How you can prepare

1. Risk assessment

This is crucial to assessing your organisation’s risk exposure to each fraud offence.

Consider the specific profile and activities of your organisation’s business and the potential risks presented by associated persons.

Your organisation’s risk assessment should be documented and kept under regular review.

While it is not possible to anticipate all potential fraud risks, the guidance encourages nominated risk owners to consider the three elements of the fraud triangle:

  • opportunity – arising from weak controls and/or inadequate oversight
  • motive – arising from financial stress and/or meeting targets
  • rationalisation – motivated by the belief that no harm has been caused, or by resentment

The Home Office guidance provides detailed examples of the types of factors to consider when assessing each element.

2. Proportionate risk-based prevention procedures

To avoid duplicating work, assess whether your organisation’s existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would sufficiently prevent each fraud risk you identify in the risk assessment.

It is advisable to draw up a fraud prevention plan, with the procedures implemented to prevent fraud proportionate to the risk identified in the risk assessment.

Your organisation's policies should be clear, practical, accessible, effectively implemented and enforced.

Fraud prevention policies and procedures should focus on:

  • reducing the opportunities and motive for fraud in your organisation
  • enforcing and reinforcing the consequences for committing fraud (if this does not already exist)
  • reducing the rationalisation of fraudulent behaviour amongst individuals
  • considering emergency scenarios

This is not an exhaustive list.

Document any decision made not to implement procedures to prevent a specific risk, together with the name and position of the person who authorised the decision. Keep these decisions under regular review.

3. Top-level commitment

Your organisation’s senior management should take a leadership role on fraud prevention.

The processes implemented in your organisation should be overseen by named senior stakeholders.

4. Due diligence

Your organisation should carry out proportionate and risk-based due diligence on persons who perform or will perform services for or on its behalf.

The level of checks on an individual who is heavily supervised and has no authority to make decisions should be lower than the level of checks conducted on an individual with some autonomy (such as a partner).

Examples of best practice include:

  • using appropriate technology (for example, third-party risk management tools, screening tools and/or internet searches)
  • reviewing contracts with those providing services so that they include appropriate obligations requiring compliance and, where appropriate, the ability to terminate in the event of a breach
  • reviewing contracts for agents
  • monitoring wellbeing of staff and agents to identify persons who may be more likely to commit fraud because of stress, targets or workload

5. Communication (including training)

All staff should understand the failure to prevent fraud offence and their responsibilities.

It's imperative to communicate your fraud prevention policies within your organisation.

It may be helpful to integrate fraud messaging into existing policies and procedures.

Bespoke training should be provided to fit the roles, responsibilities and levels of the individuals being trained.

Those in the highest risk posts should receive more in-depth training.

Training should cover the nature of the offence, as well as the procedures to address it.

These policies should be regularly shared (for example, during regular training) and reinforced at all levels of the organisation.

You may also choose to publicise within the organisation the outcome of investigations, particularly the sanctions imposed, which may act as a deterrent to others.

Whistleblowing and culture feature highly in the government’s guidance.

It's important staff and other associated persons are trained on your organisation’s whistleblowing arrangements.

Staff should be trained so that they understand how to report any concerns.

6. Monitoring and review

Your organisation’s procedures should be reviewed regularly to make sure they are sufficient, and changes should be made where necessary (for example, where new risks are presented).

It is advisable to have a way to monitor lessons learned from any instances of whistleblowing or any investigations.

Powered by EIN Presswire
