As noted at the start of the year, the new criminal offence of a failure to prevent fraud will come into force for large organisations on 1 September 2025. Although largely a compliance matter, HR and employment teams should be aware of this new offence and work with their compliance colleagues to ensure proper implementation of any new internal measures that impact HR policies and procedures.
The Basics
Section 199 of the Economic Crime and Corporate Transparency Act 2023 introduces a new criminal offence holding certain large organisations criminally liable if an “associated person” commits one of the specified fraud offences with the intention of benefiting either the organisation or any person to whom the associated person provides services for or on behalf of the organisation.
Importantly, an organisation will not be liable if it can demonstrate that it had reasonable fraud prevention procedures in place or it was not reasonable to expect such procedures in the circumstances.
It is a strict liability offence and organisations could be subject to an unlimited fine if convicted.
The new rules set out what is meant by a large organisation. The application of the rules is complex, but in summary, a large organisation is one which meets at least two out of the three following conditions in the financial year that precedes the year of the fraud offence:
- More than £36 million turnover
- More than £18 million in total assets
- More than 250 employees
The criteria apply to the whole organisation, including subsidiaries and regardless of where the organisation is headquartered or where its subsidiaries are located. Therefore, a UK subsidiary of a US company which did not meet the definition of large organisation could still be within the scope of the legislation if the organisation as a whole was large, with potential liability for either the subsidiary or the parent company.
There is a broad definition of “associated person” i.e. those whose fraudulent activity could create liability, which includes employees, agents, and subsidiaries, as well as third parties providing services for or on behalf of the organisation.
The precise rules are complex (particularly as to the application of the above criteria to group companies) and have broad application, which is outside the scope of this article, but Government Guidance provides useful guidance and examples as to which organisations will be covered and when, and who is an associated person.
Prevention
The Government Guidance, which will be taken into account by courts when considering compliance, sets out some of the procedures that in-scope organisations can put in place to prevent associated persons from committing fraud offences. What is reasonable will differ from organisation to organisation and the guidance is not considered to be a “safe harbour.” It also suggests that although the offence applies to large organisations, the principles outlined in the guidance represent good practice and may be helpful for smaller organisations.
The Guidance sets out six core principles which should inform fraud prevention frameworks, including top level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training) and monitoring and review. This approach will be familiar to many organisations and may overlap with other regulatory or compliance obligations (such as anti-bribery). As a minimum, covered organisations will likely need to undertake a risk assessment and consider introducing new proportionate risk-based prevention measures and procedures for spotting and preventing fraud.
Considerations for HR
Although responsibility for compliance matters will usually fall outside the scope of most HR and employment teams, HR should be aware of this new offence and may need to work with compliance colleagues to ensure proper implementation of any new internal measures that impact HR policies and procedures. This may include reviewing hiring processes or considering contracts with staff or consultants to see if there is a need to insert anti-fraud clauses or duties to comply with any new anti-fraud policies or procedures. In addition, if new policies are put in place, ensure they dovetail with existing policies, such as whistleblowing policies and investigation procedures. HR may also wish to review their existing disciplinary rules to ensure fraud is an example ground of gross misconduct and consider updating any compliance training.
As for all risk prevention duties, this is not a one-off exercise and policies and procedures should be reviewed and updated regularly.
For further information, see the Government guidance. The Crown Prosecution Service and Serious Fraud Office also recently published updated guidance here. If you have questions about this article, please reach out to your usual Littler contact.