The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced a new offence of failure to prevent fraud (FTP Fraud Offence), which will come into effect on 1 September 2025. Our previous briefing provides an overview of the offence and the Home Office's Guidance (Guidance) as well as exploring what organisations should be doing to prepare. This blog post focuses on the impact of the FTP Fraud Offence on the financial sector specifically and how financial institutions can best prepare before the September implementation date.
Risk areas for financial institutions
One of the main hurdles that financial institutions will face in grappling with the FTP Fraud Offence is the breadth of fraud typologies firms are exposed to. When taking into account firms' (i) business, (ii) size, and (iii) third party and employee profiles, it quickly becomes apparent that there are a multitude of potential risk areas for fraud within any given financial institution, and in order to prepare for the offence's implementation, firms will have to assess all these possible risk areas. This is particularly the case if a firm operates across multiple business lines: for example, the retail arm of a bank will be impacted differently from the investment arm of a bank. In addition, firms will also want to keep in mind the jurisdictional scope of the offence: multi-national institutions in particular will need to be alert to the fact that if the relevant fraud is committed abroad, it may still be within scope of the FTP Fraud Offence if there is a UK-nexus. For further discussion of the jurisdictional scope of the FTP Fraud Offence, please see our previous briefing.
While the risk areas for financial institutions will in large part depend on a firm's business structure and the products it sells, areas that may pose a higher risk, and which firms may wish to consider as part of their FTP Fraud Offence risk assessment, include:
- Product mis-selling: As financial institutions will already be aware, the breadth and range of potential mis-selling claims that could be brought is wide. Consideration will need to be given to the type of products that are high risk as well as the teams that may be exposed. Where mis-selling activity contains an element of dishonesty, it may amount to a substantive fraud offence, potentially engaging the FTP Fraud Offence if committed by an associated person such as an employee, with the intention of benefitting the firm;
- Unauthorised trading: The scope of potentially unauthorised trading offences is again wide given the number of different forms this activity can take, as well as the fact that many different departments may be impacted. Where such trading may involve dishonesty or fraud, it has the potential to engage the FTP Fraud Offence;
- Third party distributors: These will likely be classified as associated persons and therefore within scope of the FTP Fraud Offence. As a result, firms will want to map their distributors to establish if they are considered associated persons, perform appropriate due diligence and ensure that they have appropriate fraud prevention controls in place in relation to these relationships;
- Regulatory, client and financial reporting: Firms will need to (continue to) ensure that reporting produced for clients, the market or regulatory authorities is accurate and not misleading or overstated – misleading content produced with an element of dishonesty could potentially constitute a substantive fraud offence, thereby engaging the FTP Fraud Offence for the firm; and
- Marketing: Similarly, only claims that can be substantiated should be included in any marketing materials, to mitigate the risk of fraudulent claims appearing in such materials. An area that firms may want to pay particular attention to is any greenwashing claims.
In addition, the above risk areas will be heightened in roles where remuneration structures are linked to profits made and the number of products sold, as this could incentivise employees to commit fraud offences to drive sales. Firms should ensure that individuals are appropriately trained and vetted, and that prevention processes are put in place. Firms will of course already have various controls in place to address the risks associated with the above areas. We consider below the interaction between existing systems and controls and the FTP Fraud Offence.
When assessing fraud risk areas, it is worth noting that authorised push payment (APP) fraud will not be in scope of the FTP Fraud Offence as (absent potential collusion with employees etc.) an APP fraudster will not be considered an associated person for the purposes of the offence (as further explored in our podcast on the topic). Therefore, it is not a risk that will need to be considered as part of the analysis of the scope of the FTP Fraud Offence. However, the FCA is increasingly focussed on the importance of improving customer treatment in line with the Consumer Duty, so firms may want to consider how broadly they want to focus any fraud risk assessment and prevention projects. At the risk of stating the obvious, there will be benefits to putting in place or enhancing controls that seek to detect and prevent any type of fraud, irrespective of whether it is a fraud capable of engaging the FTP Fraud Offence.
Heightened risk of enforcement
Financial institutions will be familiar with Principle 11, which imposes a duty on FCA-regulated entities to disclose anything of which the FCA "would reasonably expect notice". As a result, if a financial institution identifies any fraudulent activity, it will likely have to self-report to the FCA. Following the introduction of the FTP Fraud Offence, a financial institution that self-reports a fraud will effectively be notifying the FCA not only of the underlying fraud but also of the fact that it may itself be guilty of the FTP Fraud Offence if it does not have reasonable procedures in place. Corporate entities outside the regulated sector do not have this same self-reporting obligation, meaning that financial institutions are potentially more exposed to enforcement action than unregulated companies. A financial institution (Standard Bank, as it was named at the time) was the first party to enter into a deferred prosecution agreement with the Serious Fraud Office (SFO) in respect of the offence of failure to prevent bribery (the first of the UK's "failure to prevent" offences, introduced by the Bribery Act 2010), indicating that regulated entities are not insulated from the risk of criminal enforcement action.
Potential to leverage pre-existing frameworks
To have a defence to the FTP Fraud Offence, firms will need to demonstrate that they have in place reasonable fraud prevention procedures, which will be assessed by reference to (among other things) whether their procedures are proportionate to the identified risks. ECCTA does not require the wholesale introduction of new and duplicative controls, where relevant risks are already appropriately mitigated. While financial institutions have a broad set of risks that they will need to have procedures in place for, it is likely that they are already well-prepared for the offence's implementation. This is in large part because it is a regulatory requirement under SYSC to have in place effective systems and controls to manage financial crime risk and regulated firms already need to be able to demonstrate that they have fulfilled this requirement to the FCA. Similarly, the requirements that regulated firms will have had to implement under regulatory regimes such as MIFID and MIFIR will provide frameworks that can be utilised in this context. UK Finance further explores the pre-existing processes and infrastructure that financial institutions can leverage in their guidance (see our blog post).
Regardless of the ways that firms decide to prepare for the FTP Fraud Offence's implementation, it will be crucial that they properly document their risk assessment and decision-making and ensure that this is properly collated in one centralised location. The Guidance is clear that organisations should implement a fraud prevention plan and, while it does not specify what this plan should look like, a centralised document setting out the pre-existing procedures designed to prevent fraud within the organisation, and mapping these to identified fraud risks, will likely fulfil the requirements (assuming that there are already procedures in place which adequately address all identified risks). Furthermore, given the wide range of fraud risks that firms will likely be exposed to, input from different teams will be needed to best understand (i) what controls are already in place and (ii) how best to set up additional controls where gaps are identified. That being said, we would typically recommend that one project team is responsible for the implementation of the fraud prevention plan, so as to ensure clear governance of the framework.
As such, although the "new" work to get ready for 1 September may be more limited for financial institutions than companies operating in other sectors, it will still be crucial to ensure that the firm has appropriately considered its existing controls and documented its risk assessment and fraud prevention plan to ensure that it will be able to benefit from the "reasonable procedures" defence should this become necessary in due course.
Key contacts
Susannah Cogman
Partner, London
Jon Ford
Partner, London
Robert Hunt
Partner, London
Kate Meakin
Partner, London
Elizabeth Head
Of Counsel, London
Alexandra Fitzgerald
Associate, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.