With just over 6 months to go, the new Failure to Prevent Fraud offence under s.199 of the Economic Crime and Corporate Transparency Act 2023 (“the Act”) will come into force on 1 September 2025.
Anna McIntyre, from our Business Crime and Investigations team, and Sarah Drew, from our Financial Services team, explore what this means for financial services firms.
What is the new offence?
The offence is the latest in a suite of strict liability corporate offences in the financial crime space – making it a criminal offence for a ‘large organisation’[1] to have failed to prevent a fraud from being committed for its benefit by its ‘associated persons’ – even in the absence of senior management knowledge or any intention that it be committed.
The offence joins the Failure to Prevent Bribery (Bribery Act 2010) and Failure to Prevent the Facilitation of Tax Evasion (Criminal Finances Act 2017) offences already in force, further increasing the expectation that corporates should perform a delegated gatekeeper role in the fight against financial crime.
Defence and compliance
The only defence to the new offence (again, mirroring the existing approaches in the bribery and tax evasion spaces) is to prove to the authorities that a business had in place reasonable procedures to prevent the fraud from being committed.
On 6 November 2024, the Home Office published its guidance on what will constitute ‘reasonable procedures’ for the purpose of the defence. At the same time, the authorities started their clock, announcing that the offence would come into force on 1 September 2025 and giving businesses just under 10 months to ‘get their house in order’.
Financial services guidance
The Home Office guidance makes it clear that, when reviewing and preparing fraud prevention procedures, businesses must prepare bespoke, risk-proportionate policies; but what are those risks?
To help financial services businesses answer this question and to provide guidance on conducting appropriate risk assessments, on 11 February, UK Finance published its (non-exhaustive) industry-specific guidance, supplementing the Home Office guidance.
Key takeaways from UK Finance
The new guidance details the ways in which financial services firms can evidence compliance with the Home Office guidance via their existing controls, in place by virtue of their FCA regulatory requirements (page 21 of the guidance onwards).
Below are some of the key takeaways from the guidance:
General
In line with FCA expectations for effective control frameworks, what will constitute ‘reasonable procedures’ will be informed by six core principles:
- Risk assessment that informs:
  - Proportionate policies and procedures commensurate to the risk
  - Due diligence
  - Communication (training)
  - Monitoring and review

Each of which is supported by:
- Top level commitment (‘tone from the top’)
A firm may conclude that its existing procedures, as a regulated firm, are sufficient to mitigate the risk through existing controls, and it can leverage existing regulatory requirements. A firm should keep this under regular review as its business and the legal and industry landscape change.
- As an example, firms will likely already have reasonable procedures in place to prevent false misstatements from being made to markets or to the regulatory authorities of the firm.
The new offence does not require firms to undertake excessively burdensome procedures that eradicate all risk, but firms must demonstrate that their fraud prevention procedures are considered and commensurate with the risks that they have identified.
Financial services-specific risks
Subsidiaries within group control environments
- Subsidiaries and parents will operate as each other’s ‘associated persons’ for the purpose of the legislation.
- Where a firm is a subsidiary of another in-scope parent, and the in-scope parent has implemented reasonable prevention procedures, the firm may not need to establish its own; but the firm should review the group control framework and evaluate if the parent procedures are reasonable in light of the firm’s own individual risk assessment.
Supply chain management
- Through its risk assessment, the firm should identify and document where outsourced service providers provide services on behalf of the firm, or to benefit the firm.
- The firm may require in its contractual terms that third parties adopt an approach to fraud prevention similar to its own, or that they meet the firm’s standard.
Own-account mergers and acquisitions (M&A)
- When a firm purchases a new business or subsidiary, it becomes potentially liable under the Failure to Prevent Fraud offence for fraud offences committed by its new associated persons after the date of acquisition.
- As part of pre-acquisition due diligence, firms should identify risks including gaps in the new business’ fraud policies and procedures and implement a reasonable plan to plug those gaps promptly.
Conclusion
Given the extent of existing FCA obligations for authorised firms, many financial services businesses will have existing procedures in place to mitigate against financial crime, which will meet the requirements of ‘reasonable fraud prevention procedures’. However, firms would do well, at a minimum, to:
- Consider carefully both the Home Office Guidance and the UK Finance guidance
- Conduct an up-to-date risk assessment well in advance of the 1 September deadline
- Evaluate fully whether the existing procedures mitigate adequately against the fraud risk of their business and
- Document the above exercise and its conclusions fully, as well as keeping those conclusions under ongoing review.
[1] Defined in section 201 of the Act as meeting two or three out of the following criteria:
- more than 250 employees
- more than £36 million turnover
- more than £18 million in total assets
How can we help?
Our Business Crime and Financial Services teams are uniquely situated in the market to advise on the new offence and its impact on your business, as well as assist you in conducting risk assessments and updating fraud prevention procedures as appropriate. Please get in touch with our team today for a no-obligation discussion.