White collar crime and compliance

Horizon scanning

Failure to prevent fraud: key guidance released

What's happening?
On 6 November 2024, the Home Office released its much-anticipated statutory guidance on the new failure to prevent
fraud offence.

The guidance sets out a framework that large organisations should implement by September 2025 to ensure they have in place reasonable fraud prevention procedures.

Why does it matter?
The Economic Crime and Corporate Transparency Act (ECCTA), which passed into law in October 2023, introduced the offence of "failure to prevent fraud".

This corporate criminal offence creates new potential criminal risk for companies and focuses on situations where the company is a beneficiary of a fraud (rather than the victim of the fraud).

The failure to prevent fraud offence applies to "large organisations" that fail to prevent their “associated persons” – which includes employees, subsidiaries, agents, and other third parties providing services on their behalf – from committing fraud offences that benefit the organisation.

In scope "large organisations", are organisations incorporated anywhere in the world that meet at least two of the following criteria: 250 or more employees, a turnover of £36m or more, and/or

assets of £18m or more. Consequences can be severe, with organisations facing potentially unlimited fines if convicted.

Organisations can establish a defence by demonstrating that, at the time its "associated person" committed an underlying fraud offence on its behalf, it had reasonable fraud prevention procedures in place.

The newly released guidance outlines what is expected of organisations to meet this standard and includes wide-ranging requirements including regular risk assessments, adequate resourcing and appropriate use of data analytics and AI.

What action should you take?
The guidance is structured around six risk-based principles of compliance. These principles are intended to be outcome-focused and proportionate to the risks a business faces. The principles are:

top level commitment
risk assessment
proportionate risk-based prevention procedures
due diligence
communication (including training)
monitoring and review

Key areas of focus for companies arising from the guidance
1. Risk assessments – a risk assessment will be the cornerstone of a company's fraud prevention framework and it is often the starting point for identifying areas of vulnerability within an organisation. It outlines potential areas requiring additional resources and focus. Risk assessments are not static; the guidance recommends reviewing them regularly, annually or biannually, depending on the business risks. Failure to update assessments can undermine the credibility of a company’s fraud prevention program.

2. Jurisdiction and territorial scope – the law applies broadly, covering companies worldwide if an associated person commits a UK fraud offence. Typically, this involves fraudulent acts taking place in the UK, or causing gain or loss there. UK-based victims may also meet the jurisdiction threshold. Even international businesses must assess whether any part of their operations links to the UK, including connections within a broader corporate group.

3. The “fraud triangle” and risk typologies – companies are encouraged to adopt a proportionate approach by analysing fraud risks posed by associated persons. The guidance highlights the “fraud triangle” – motives, opportunities, and rationalisations driving fraud – and suggests developing tailored risk typologies. Companies should dynamically assess risks by leveraging data, industry trends, and past incidents to proactively address vulnerabilities.

4. Resourcing and training – sufficient resources and training are critical to effective fraud prevention. Companies and their senior management should:

provide leadership and staffing to manage fraud prevention frameworks
deliver role-specific training to help staff understand fraud risks and reporting procedures
allocate budgets for technology, such as third-party due diligence platforms and tools.

5. Technology and AI – the guidance underscores the importance of technology, including data analytics and artificial intelligence (AI), for fraud detection. These tools can monitor anomalous behaviours, improving oversight and identifying risks. Companies investing in these technologies demonstrate a strong commitment to fraud prevention while benefiting from enhanced detection and mitigation capabilities.

6. Management information systems – organisations should establish systems to collect and analyse fraud-related management information. This includes tracking incidents, monitoring compliance metrics, and reviewing risk assessments. Regular reporting helps leadership evaluate the effectiveness of anti-fraud measures and refine strategies as needed.

7. Learning from past incidents – companies should learn from internal audits, investigations, and previous issues, as well as external data, such as industry trends and legal developments. Incorporating these lessons into fraud prevention procedures, risk assessments,

and employee communications strengthens resilience against future threats.

8. Policies and code of conduct – while standalone fraud policies are not mandated, fraud prevention principles should be integrated into existing policies or codes of conduct. These should express the organisation’s commitment to combating fraud, outline anti-fraud procedures, and specify consequences for non-compliance.

9. Fraud prevention procedures – the guidance outlines reasonable steps organisations can take, such as:

employee vetting: thoroughly vet high-risk roles to ensure integrity
financial controls: adopt transparent and accountable financial practices
conflict of interest management: strengthen procedures if necessary
third-party contracts: include anti-fraud clauses and review regularly
disciplinary measures: clearly define
and communicate consequences for committing fraud.

10. Investigations – organisations should establish protocols for investigating potential fraud. This includes deciding when to appoint external investigators and how to oversee these processes. Companies must also determine
how to share investigation findings with management and use insights to enhance fraud prevention measures.

11. Fraud Risk Impact Assessments – these assessments address risks arising from new services or associated persons. Organisations should ensure existing controls can mitigate novel risks and deploy countermeasures
where necessary.

12. Differentiated procedures – it is acceptable to apply varying fraud prevention procedures to different categories of associated persons (eg employees vs overseas agents). This is particularly relevant where local laws restrict certain controls.

Key dates
The offence will come into effect on
1 September 2025. This means, organisations now have nine months to ensure their procedures align with the standards set out in the guidance. Although this sounds like a fairly long time period, many companies will face much work to meet the standards set out in the guidance, and those that have not already begun to develop their fraud prevention procedures should start now.

Sam Tate
Partner
+44 7375 489750
sam.tate@rpclegal.com

Thomas Jenkins
Senior Associate
+44 7856 279455
thomas.jenkins@rpclegal.com

Robert Semp
Associate
+44 7545 100 522
robert.semp@rpclegal.com

Recent developments

Ignorance of sanctions obligations not an excuse: OFSI issues first monetary penalty for breach of financial sanctions imposed on Russia following its invasion of Ukraine

On 29 August 2024, the UK Office of Financial Sanctions Implementation (OFSI) issued its first monetary penalty for breach of the financial sanctions imposed on Russia following its invasion of Ukraine^[1], as set out under the Russia (Sanctions) (EU Exit) Regulations 2019 (the Regulations).

A penalty of £15k was imposed on Integral Concierge Services Limited (ICSL), a small
UK-registered property management and concierge company, for its failure to comply
with the regulations.

^[1] OFSI's previous Russia-related enforcement was connected to the sanctions imposed following the Russian occupation of Crimea in 2014.

Under the regulations, companies and individuals are prohibited from dealing with funds or non-monetary assets such as property that are owned, held, or controlled by a person who is subject to an asset freeze due to their involvement in Russia's invasion of Ukraine (known as the "Designated Person"). The Regulations also prohibit making funds available to any person for the benefit of a Designated Person.

Companies face strict liability for transactions entered into after 15 June 2022 that breach sanctions, meaning OFSI can take action against a person in breach of the Regulations regardless

of whether the person knew or had
"reasonable cause to suspect" that their actions were in breach.

In this case, ICSL was found to have made or received 26 payments in 2022 and 2023 from one of its clients, who was named as a Designated Person in early 2022. The payments were in relation to property management services that ICSL provided on behalf of the Designated Person, who owns a residential property in the UK (the Property).

ICSL had collected rent from tenants, paid for upkeep and maintenance of the Property, collected its own management fees from the Designated Person's client account, and made multiple transfers between accounts which dealt with the Designated Person's funds, all without obtaining the required licences from OFSI.

While some of ICSL's actions took place before strict liability came into effect, OFSI concluded that ICSL knew or had reasonable cause to suspect that it was in breach of sanctions when dealing with the Designated Person's funds in those earlier transactions.

This is the first case where OFSI has categorised a breach of the sanctions in connection to Russia's invasion of Ukraine as "serious enough to justify a civil monetary penalty", which ICSL did not contest.

OFSI proactive enforcement
ICSL's sanctions breach was discovered through what OFSI describes as its own "proactive means", rather than through a voluntary disclosure by ICSL. Such proactive enforcement may involve OFSI reviewing the assets it knows to be owned or controlled by Designated Persons and confirming with entities holding these assets that they have been appropriately frozen.

In this context, companies in possession of frozen assets should be alert to the possibility that OFSI may contact them directly to confirm the assets are being managed in accordance with legal requirements and will not simply wait to be told that a breach has occurred.

OFSI may make up to a 50% reduction in any monetary penalty it imposes if the subject of the penalty made a prompt and complete voluntary

disclosure of the breach. This reduction was not available to ICSL.

Aggravating and mitigating factors
OFSI identified a number of aggravating factors that added to the severity of ICSL's breach. These included ICSL's general lack of awareness of sanctions risk. ICSL admitted that it had not sought legal advice or guidance about the sanctions regime, despite having mainly Russian and Ukrainian nationals as its client base and despite being aware that the client in question had been named as a Designated Person. As a result, OFSI noted that the company had "extremely limited" knowledge of its sanctions obligations and wrongly believed that it was only prohibited from making or facilitating direct payments to the client's account.

In addition, although the individual transactions made by ICSL in breach of the Regulations were small, their aggregate value and repeated nature were flagged by OFSI as increasing the severity of the breach.

These aggravating factors were offset to some degree by mitigating factors, including ICSL's cooperation with OFSI's investigation once it had been initiated (including providing information on breaches it had committed of which OFSI was not yet aware) and the fact that ICSL would likely have been granted a licence for the relevant transactions if it had applied for one.

For businesses, especially in the real estate sector, a key takeaway from this case is that ignorance of financial sanctions obligations is not an excuse. Any company holding assets that have been frozen under a sanctions regime should give serious consideration to taking advice on its legal obligations and what it can and cannot do with those assets. OFSI has demonstrated in this case that it proactively looking for sanctions breaches and that companies face potential financial penalties if it finds them, regardless of whether or not the company knew it was in breach.

Relevant links:

Report of penalty for Breach of financial sanctions
HM Treasury press release
Collection of OFSI enforcement actions to date (see enforcement action against Wise Payments Limited which is the only other case of enforcement for breach of the Russian Regulations)
Russian sanctions: guidance (updated 31 October 2024)

Toby Lamarque
Managing Consultant, Regulatory & Financial Crime
+44 7864 248050
toby.lamarque@rpclegal.com

Oluchi Nnadi
Trainee Solicitor
+44 7542600346
oluchi.nnadi@rpclegal.com