Countdown to Compliance - Failure to Prevent Fraud Guidance Released

Reasonable procedures

The section of the new Guidance that sets out procedures that organisations can put in place to prevent fraud is based on the same ‘six principles’ familiar from the previous Government guidance on other ‘failure to prevent’ offences. However, there are notable differences and changes of emphasis. The new Guidance offers a more detailed and structured set of procedural recommendations. It encourages businesses to draw on a broader array of resources, including the UK Corporate Governance Code, and the US Guidance on Corporate Compliance Programmes, relevant caselaw, and industry publications.

The Guidance reflects a more comprehensive and mature approach than we have seen from the previous guidance documents. This is perhaps to be expected in circumstances where law enforcement agencies have been grappling with what ‘adequate’ or ‘reasonable’ compliance procedures should look like since the earliest investigations under the failure to prevent bribery offence. The past 15 years have been a period of significant development in the way in which risk generally, and financial crime risk in particular, is managed within organisations, including the increased professionalisation of compliance as a specialised area of expertise.

The Guidance is advisory only and is not legally binding. Further, while it serves as a very useful starting point, the Guidance remains somewhat flexible – it does not provide a straightforward blueprint for implementation. It is expressly stated in the Guidance that “departures from suggested procedures within the guidance will not automatically mean that an organisation does not have reasonable fraud prevention procedures” and “[e]qually, this guidance is not intended to provide a safe harbour: even strict compliance with the guidance will not necessarily amount to having reasonable procedures.”  The Guidance is clear that organisations need to evaluate their own unique risk profile and develop bespoke, but proportionate, mitigation strategies in response.

Despite its inherent flexibility, the Guidance does offer an important insight into the approach that investigating authorities and prosecutors will take when, in the context of investigating the new offence, they assess whether reasonable procedures were in place. In practice, organisations attempting to rely on the defence who have not implemented the specific recommendations in the Guidance will need to be able to explain, with evidence, why they did not do so.

Further detail on the content of the Guidance is set out below, under the ‘six principles’.

(1) Top level commitment

The new Guidance goes beyond previous guidance documents on this principle, offering greater detail on the practical steps and best practice for senior management, to help foster a culture where fraud is unacceptable. Some of the recommended practical steps include:

• Designating responsibility for horizon scanning for new fraud risks.
• Updating the board on fraud compliance as part of its ongoing oversight responsibilities.
• Actively articulating the business benefits of rejecting fraud and the consequences for individuals who breach the fraud policies.

Promoting an open culture for reporting fraud concerns is a central theme in the new Guidance, emphasising senior management’s key role in driving ethical conduct. Senior management is expected to actively participate in anti-fraud initiatives and ensure that adequate training and resources are available to support fraud prevention.

(2) Risk assessment

The Guidance is clear that an organisation’s fraud risk assessment is the bedrock on which ‘reasonable procedures’ are built. In a sign of the more mature approach taken in this Guidance, it acknowledges that it is not possible to anticipate all potential fraud risks but gives some guidance on how organisations should approach their fraud risk assessments, including consideration of the ‘fraud triangle’^[2]. The Guidance notes that failing to carry out a risk assessment will “rarely be considered reasonable” and failure to review it periodically might mean that reasonable procedures were not in place at the relevant time.

(3) Proportionate risk-based fraud prevention procedures

This principle closely aligns with that in previous guidance documents – after completing a risk assessment, organisations should develop a fraud prevention plan tailored to the identified risks and to the scale and complexity of their organisation. An interesting addition to this principle that appears in the new Guidance is that “[a]ny decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision and reviewed as appropriate” – guidance that will likely make organisations think carefully about whether it is reasonable for there to be no mitigating procedures in place for a particular risk.

(4) Due diligence

The actions of third parties outside the business can, as with other ‘failure to prevent’ offences, lead to corporate liability. However, the guidance on this principle is relatively sparse, advising only that organisations take a ‘proportionate and risk-based approach.’ In practice many organisations within the scope of the new offence will already have mature due diligence processes in place for employees and third-party service providers. Whilst the Guidance notes that merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud, it only offers limited examples of best practice, such as using third-party tools and including compliance obligations in contracts with third parties.

Given the central role of third-party due diligence in any financial crime compliance programme it is surprising that the Guidance does not provide more detailed advice on this principle. Organisations may find it useful to consider the US Guidance on Corporate Compliance Programmes, which is referenced elsewhere in the Guidance and offers detailed insights on due diligence – including the importance of a risk-based integrated approach, effective controls and relationship management.

(5) Communication

This principle highlights the importance of communicating and embedding fraud prevention policies and training across the organisation. Notably, it includes a new section dedicated to whistleblowing – a development from previous guidance, in which whistleblowing was only briefly mentioned. This addition reflects the increasing focus on effective ‘speak up’ procedures and sets new expectations for whistleblowing programmes, even outside the regulated financial sector. This emphasis on whistleblowing will likely be welcomed by the SFO, which has advocated in recent times for financial incentives for whistleblowers.

(6) Monitoring and review

This principle advises organisations to continually monitor and refine their fraud detection and prevention measures, incorporating lessons from past investigations and whistleblowing incidents. While this aspect is familiar, the Guidance reflects an increasing emphasis on integrating technology and AI into these processes. Indeed, four of the six principles expressly refer to technology solutions for fraud prevention – reflecting not only developments in compliance practices but also the growing prominence and accessibility of advanced tools and AI. Prosecutors may increasingly consider the use of these technologies when evaluating not just the new offence, but all ‘failure to prevent’ offences. However, it is important to recognise that the effectiveness of these technologies hinges on accurate data, thoughtful implementation, and ongoing human oversight. Without these elements, these technologies risk becoming more of a compliance checkbox than meaningful prevention measures.

Back to the top

Enforcement outlook

The SFO appears eager to deploy the new offence and make an example of corporate offenders, but any enforcement actions are likely to take time. SFO investigations are notoriously lengthy, despite almost every incoming SFO Director saying that they will speed them up, and the offence will only apply to conduct occurring after 1 September 2025. In the meantime, the hypothetical case studies in the Guidance offer some insights into the types of scenarios that could trigger investigations. Notably, eight of these case studies focus on ESG-related fraud and the offence's extraterritorial reach, signalling that these are areas of interest for law enforcement – although of course they are in fact likely to be some of the hardest to investigate, let alone prosecute.

The Guidance also suggests that enforcement actions in relation to the new offence, such as prosecutions and Deferred Prosecution Agreements (DPAs), could, over time, shed light on what constitutes reasonable and proportionate anti-fraud measures. However, whilst this is possible, it is unrealistic to expect this to happen. The failure to prevent bribery offence came into force in July 2011, but prosecutions and DPAs for that offence have, to date, provided very little clarity on the scope of the 'adequate procedures' defence in that legislation. For now, the responsibility lies with companies and their advisers to carefully review the Guidance and anticipate what prosecutors and the courts might deem reasonable in the context of their business.

Back to the top