Zelda Pitman
Retail Client Executive, Management Liability
The UK’s Economic Crime and Corporate Transparency Act 2023 (the Act) makes sweeping changes to law and regulation to fight fraud, corruption and money laundering and to bolster legitimate business. The changes are designed to have a significant impact on organisations’ culture and behaviour.
The Act achieves this in various ways, including changing the role of Companies House to be a more active regulator, reforming the rules for creating companies and limited partnerships, and enabling the seizure of crypto assets. It also creates a new criminal offence — the failure to prevent fraud — for which entities can face a heavy fine, and changes the “identification doctrine” to make it easier to establish an entity’s legal liability for economic crimes.
In this article, the first in our two-part series on the Act, we focus on the new failure to prevent fraud offence and identify ways in which Marsh can support organisations. The second article will examine changes to the “identification doctrine” and the implications for directors and officers (D&O) insurance.
The stated aims of the Act are as follows:
The new failure to prevent fraud offence is committed when a “large organisation” fails to prevent fraud by an “associate”, where the fraud is intended to benefit the organisation or those to whom the organisation provides services. A relevant entity is a “large organisation” only if it satisfies two or more of the following conditions:
However, the Act still reaches beyond organisations that meet this definition. Fraud committed by a smaller subsidiary of a large organisation can be caught, because the subsidiary is an “associate” of its parent, and smaller organisations that fall outside the definition may also need to act if they are an “associate” of a large organisation that now requires them to have appropriate controls in place. It has also been suggested that the definition of large organisations may be expanded in the future to include more, smaller entities.
“Associate” is a broad term. It covers entities and individuals, and encompasses any employee, agent or subsidiary of the organisation, or any person who otherwise performs services for or on its behalf. The Act applies even if the associate is based overseas, provided the fraud would constitute an offence under UK law or defraud UK residents. Similarly, if an employee commits fraud overseas, the employer can be prosecuted in the UK where that condition is met.
The penalty if found guilty of failing to prevent fraud is an unlimited fine for the entity. The offence is committed by the organisation only: individuals are not liable for the failure to prevent fraud, although the associate who committed the underlying fraud remains liable for it. There is no requirement to prove that directors or senior management within the organisation were aware of the fraud. However, the organisation has a defence if it had reasonable fraud prevention procedures in place at the time, which is intended to encourage organisations to adopt a more proactive approach to fraud prevention.
As mentioned above, an organisation will have a defence if it has taken reasonable steps to prevent fraud, or if it can evidence that it was not reasonable for it to have any fraud prevention measures in place. What would constitute reasonable steps has yet to be articulated. The Government is set to produce guidance in 2024, but organisations should review their existing fraud prevention controls to make sure they are up to date and robust.
The question of what fraud prevention measures are reasonable depends on the organisation’s risk of fraud, making it imperative that organisations properly assess that risk. Although the fraud must be intended to benefit the organisation (or those to whom it provides services), benefit can be interpreted widely, so the assessment should not be limited to the most obvious scenarios.
The failure to prevent fraud offence is expected to come into force in late 2024 or early 2025, after the Government issues its guidance. Now is the time for organisations to assess whether their current fraud detection and prevention measures are sufficiently robust and what “reasonable” prevention measures mean for them.
To support organisations in identifying gaps in their fraud risk management framework and improving their internal controls, Marsh Advisory has developed a comprehensive suite of fraud risk management services. Marsh Advisory’s engagement is bespoke to an organisation’s needs and aims to elevate the maturity of the organisation in preventing and detecting fraud via four key areas.
1. Organisation and guidelines
Organisations should ensure there are clearly defined roles and responsibilities related to fraud risk management. There should be endorsement from senior leadership, and internal policies and procedures need to be put in place and disseminated widely, supported by appropriate staff training.
2. Fraud risk assessment
Organisations should proactively identify and evaluate fraud risks through frequent fraud risk assessments with input from internal and external stakeholders. Findings from assessments should be escalated appropriately and acted upon.
3. Fraud risk monitoring
Depending on the size of the organisation, the use of data analytics tools should be explored to assist with identifying fraud in real time. If advanced technology is out of scope, regular monitoring activities can include random checks, sample audits, inventory reviews, and records audits.
4. Strategic insurance review
For known fraud risks, in addition to implementing mitigation and preventative controls, organisations should assess whether the fraud events are already, or can be, covered by insurance.
Our engagement is tailored to the needs of your organisation and aims to raise its maturity in preventing and detecting fraud across the four areas discussed above. For information about Marsh Advisory’s fraud risk management services, contact Thu Nguyen (thu.nguyen@marsh.com) or your Marsh contact.
Our second article in this series will be out shortly and will address what this and other changes in the Act mean for D&O insurance.