Fraud has existed since ancient times. According to Fraud.com, the first documented case of fraud occurred in 300 BC. Two Greek sea merchants, Hegestratos and Zenosthemis, devised a plan to enrich themselves by taking out an insurance policy on their ship and cargo.
According to the agreement, they were required to repay loaned money with interest after selling their merchandise. If they failed to repay the loan, the lender would gain possession of the ship and its cargo.
After leaving the dock, the two men decided to sink the ship so they could pocket all the loaned money. However, they were caught in the act: one of them lost his life and the other had to face the courts. Fraud has been part of the business world ever since.
The typologies may have evolved and changed with new technology and new business operating models, but the underlying drive—to gain a financial advantage—has remained the same.
As a result, governments, businesses and regulators have looked for ways to combat fraud to lessen its impact on business results and protect the public, who are often its ultimate victims.
The Economic Crime & Corporate Transparency Act 2023
The most recent move by the UK government to combat fraud is The Economic Crime & Corporate Transparency Act 2023, which received Royal Assent in October 2023 and is expected to come into force later this year or early next year.
The act introduces a wide range of measures that aim to prevent economic crime and improve corporate reporting and transparency. It includes a much-anticipated radical reform to the role of Companies House and the powers of the Registrar of Companies. The new law aims to reform the Registrar to prevent the creation of fraudulent companies, which are used to launder the proceeds of fraud.
There will be new requirements for companies registering with Companies House to have an appropriate registered office, and they will no longer be allowed to use a Post Office box address. Further, prior to these reforms, the Registrar did not verify the accuracy of information submitted by companies that registered with it.
As a result, it has been possible for criminals to establish and control companies without declaring their true identities. This has long been criticised as a weak link in the fight against economic crime in the UK.
These reforms will make it more difficult for fraudsters to establish and operate fraudulent companies in the UK. But what about fraud committed within genuine companies? To address that, the act expanded the scope of corporate criminal liability with the introduction of a new corporate criminal offence of failure to prevent fraud.
In summary, the act states that if a “senior manager” of a company (or LLP, limited partnership or partnership), acting within the scope of their actual or apparent authority, commits an offence, the relevant organisation can also be found guilty of that offence.
A “senior manager” can be anyone who plays a significant role in the decisions or the management of the organisation. The economic crimes to which the act applies are wide-ranging and include fraud, false accounting, money laundering, sanctions evasion, bribery and tax evasion.
The new offence does not apply only to senior management. A company could also be criminally liable where an employee, agent, subsidiary or any other party performing services on the company’s behalf commits a specified fraud offence, with the intention of benefiting the company, or any person who receives services from the company.
That is quite a broad scope and could be quite far reaching. The only defence against being found guilty of the offence is being able to demonstrate that there were “reasonable procedures” in place to prevent fraud.
What does that mean, exactly? Government guidance on what to consider when implementing reasonable procedures is due to be published imminently, followed by a six-month implementation period before the offence comes into effect. This is expected to draw heavily on guidance issued for existing failure to prevent offences relating to bribery and the facilitation of tax evasion.
Based on that previous guidance, organisations should expect a focus on top-level commitment by management, risk assessments, risk-based procedures, due diligence of third parties and monitoring. Given the short implementation period, organisations are already considering the implications of these requirements on their current operations.
Organisations should designate a team to be responsible for performing a gap analysis. If gaps are identified, a project plan and timeline that will ensure timely compliance should be documented.
The main areas to assess are:
1. Board and senior manager governance and oversight
Senior leadership should understand the new requirements and ensure the appropriate systems and controls are in place in their organisations to prevent fraud. They should understand their governance arrangements, including how instances of fraud are escalated when detected. They should also ensure they receive adequate and accurate management information regarding the anti-fraud systems and controls to be able to demonstrate their governance and oversight.
2. Fraud risk identification
Organisations should consider their exposure to risks captured by the new offence, in particular financial reporting, sales and distribution channels, and public disclosures, as well as consider whether there are mitigating controls currently in place. Given the fraud risk exposure through third parties and agents, organisations should consider how fraud could be committed by these parties and include that in their risk registers and assessments.
3. Policy gap analysis
Organisations need to identify whether the fraud risks within scope of the new offence are adequately covered by existing policies or whether changes and additions may be required. Contractual provisions, especially with third-party providers, may also need to be updated.
4. Fraud risk assessment and remediation
If not already in place, organisations should consider performing an enterprise-wide fraud risk assessment to document the fraud risks to which the business is exposed. The risk assessment should also document the controls which mitigate the risks and an assessment of whether all of the risks are mitigated to within risk appetite. Where risks are still outside of risk appetite, the organisation should have a plan and timeline to remedy this. It should also consider whether any further temporary controls could be put into place while a more permanent control is implemented.
5. Staff training and awareness
All staff should have an understanding of the new legislation and their responsibilities related to it, including how to report concerns. Bespoke, targeted training should be delivered to those in higher-risk functions—for example, finance, ESG, investor relations, and sales. Top-level commitment and communication of key requirements and resources will help foster an anti-fraud culture within the organisation.
Although there may be some work to do to implement the requirements of the Act, taking a more structured approach to fraud risk management will help organisations be more aware of the risks to their businesses and ensure robust controls are in place to detect and prevent fraud. We will never completely eliminate fraud but we should do what we can to prevent it happening—or detect it as early as possible to limit the damage it can cause, both financially and reputationally.
Rachel Sexton is a board trustee of the Fraud Advisory Panel and head of the UK Ashurst Risk Advisory practice