ECCTA: Principle Three – Proportionate Risk-Based Prevention Procedures

As a reminder, organisations have until 1 September 2025 to ensure reasonable procedures are in place to demonstrate compliance with ECCTA. This article focuses on Principle Three: Proportionate risk-based prevention procedures.

The Government guidance, published on 6 November 2024, outlines six guiding principles for an effective fraud prevention framework:

  1. Top-level commitment
  2. Risk assessment
  3. Proportionate risk-based prevention procedures
  4. Due diligence
  5. Communication (including training)
  6. Monitoring and review

The principles are intended to be flexible and outcome-focussed, allowing for the huge variety of circumstances that relevant bodies find themselves in. Procedures to prevent fraud should be proportionate to the risk.

To assist with preparations and as part of our commitment to our clients, we will be reaffirming the Government’s guidance on each of the six guiding principles in the lead up to the September deadline, commencing in order with this article focussing on principle three.

3.0: Proportionate risk-based fraud prevention procedures

An organisation’s procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale, and complexity of the organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.

The relevant body should draw up a fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment.

It is a key principle that the fraud prevention plan should be proportionate to the risk and the potential impact. The level of prevention procedures considered to be reasonable should take account of the level of control and supervision the organisation is able to exercise over a particular person acting on its behalf and the relevant body’s proximity to that person. For example, a relevant body is likely to have greater control over the conduct of an employee than that of an outsourced worker performing services on its behalf. Nonetheless, appropriate controls should be implemented via the relevant contract.

In some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. Any decision not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision, and reviewed as appropriate.

Since the offence extends across organisations in all sectors of the economy, many of these businesses will also be subject to other regulations, for example, regulations concerning financial reporting, environmental, health and safety or competition matters. Processes for compliance with these regulations may address certain potential frauds (for example, robust processes for compliance with specific environmental regulations might reasonably be expected to prevent fraud by misrepresentation on the relevant environmental statements).

It is not necessary or desirable for organisations to duplicate existing work. Equally, it would not be a suitable defence to state that because the organisation is regulated its compliance processes under existing regulations would automatically qualify as ‘reasonable procedures’ under the Economic Crime and Corporate Transparency Act.

To avoid duplication of work, organisations are advised to assess whether their existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment (as described in 3.2). Where existing mechanisms appear to be insufficient, organisations should develop appropriate measures to prevent fraud.

Example of examining existing regulatory requirements

The Producer Responsibility Obligations (Packaging Waste) Regulations 2007 (as amended) require regulated companies to meet certain obligations on recycling the waste they produce.

Under these regulations, accredited reprocessors and exporters issue packaging recovery notes and packaging exported recovery notes to represent the tonnage of packaging waste they have recycled, or exported for recycling, to a required standard. These evidence notes are used to offset producers’ packaging waste obligations.

In the context of the offence of failure to prevent fraud, we would expect packaging producers, producer compliance schemes, accredited reprocessors and exporters, to examine whether their processes under these regulations are sufficient to prevent fraudulent behaviour (such as issuing or knowingly accepting fraudulent packaging recovery notes or packaging exported recovery notes) and to amend them if not. In the event of a prosecution for failure to prevent fraud, it would not be sufficient simply to state that the company is subject to the Producer Responsibility Obligations (Packaging Waste) Regulations 2007 and therefore it automatically has reasonable procedures in place to prevent fraud relating to these obligations.

When considering the proportionality of reasonable prevention procedures, some suggested risk factors to consider may include the following.

3.1: Reducing the opportunities for fraud

Risk factors to consider may include the following:

  • does the organisation undertake pre-employment and vetting checks? For high-risk roles, does it carry out ongoing vetting checks?
  • do those in high-risk roles receive regular anti-fraud training and how vigorously is compliance with training evaluated or monitored?
  • does the organisation assess emerging risks systematically?
  • if new services or associated persons present a potential fraud-risk, is a fraud impact assessment made? What countermeasures can the organisation put in place?
  • are fraud risks managed equally well throughout the procurement process (pre-tender, tender, contract management, during project delivery and project extension)? Do contracts include appropriate terms for associated persons and are these reviewed? Note also comments on reasonable procedures and supply chain issues, in 2.6.
  • does the organisation use best practice with regard to financial reporting, for example, segregation of duties, reconciliation of accounts, suitable sign-off arrangements?
  • have any internal or external audits raised any fraud concerns that have not been acted upon?
  • do procedures for avoiding conflicts of interest need to be bolstered?
  • what are the arrangements for limiting access to sensitive or commercial data? Are they kept up to date?
  • what is best practice on reducing fraud risks in the sector?

3.2: Reducing the motive for fraud

Risk factors to consider may include the following:

  • if there is an existing bonus framework that encourages risk-taking, can any amendments be made to ensure that it does not encourage fraud?
  • what can be done to prevent time pressures encouraging staff to cut corners, potentially fraudulently?
  • does the organisation collect information on potential conflicts of interest and keep such information under review?

3.3: Putting in place consequences for committing fraud

Risk factors to consider may include the following:

  • what are the internal disciplinary and reporting procedures for those found to be committing fraud?
  • are the outcomes of fraud-related investigations communicated to staff and other associated persons?

3.4: Reducing the rationalisation of fraudulent behaviour

Over time, ‘one-off’ frauds may become normalised as people rationalise certain fraudulent behaviours, with arguments such as “other businesses do it.” This phenomenon is known as ‘ethical fading.’

Organisations may wish to encourage proactive challenge of these views as part of their training programmes, and in their organisation’s code of ethics, by pointing out the impact of fraud on colleagues, on the business, on the sector and on public trust. Organisations may also wish to stress that the prevention of fraud is the responsibility of everyone in the organisation, by, for example, incorporating a reminder about the organisation’s code of ethics into performance evaluation.

3.5: Sources of information for developing fraud prevention measures

When developing fraud prevention measures, organisations may choose to review relevant sector-specific information. Public sector organisations in scope should follow advice on the Public Sector Fraud Authority website or the relevant public sector counter-fraud authority website. Over time, there may be prosecutions or, in England and Wales, DPAs related to the offence. Since these are in the public domain, the anti-fraud measures they contain may be useful for other businesses in the same sector.

Other sources of information, such as Cifas and the Fraud Advisory Panel may be useful.

3.6: Emergency scenarios

Public sector organisations in scope should follow specific guidance on fraud prevention in emergency scenarios or relevant information from specific counter-fraud authorities, such as the NHS Counter Fraud Authority.

For private and non-profit sector organisations, good practice includes considering the fraud prevention measures that might need to be taken in emergency scenarios identified in the risk assessment and preparing the transition from emergency measures to business-as-usual measures once the emergency has passed.

It is recognised that not all emergencies are foreseeable and the defence that under the circumstances, it was reasonable not to have any fraud prevention procedures in place may apply. One example is when a public authority uses its legal powers to take action to resolve a crisis in the public interest. However, this situation should be time limited. The necessary procedures to prevent fraud should be put in place as quickly as reasonably possible following the crisis and this process should be documented.

3.7: Testing the fraud prevention measures

Organisations will want to know how effective their fraud prevention measures are. Best practice is for the prevention plan to be tested by members of the organisation who were not involved in writing it.

For public sector organisations, guidance on testing fraud controls is provided on the International Public Sector Fraud Forum page of the government website. These documents may also be helpful for non-governmental organisations when testing the effectiveness of their fraud prevention measures, but there is no expectation that private sector organisations should follow them.

Private sector organisations may decide how to test their fraud prevention measures. However, large organisations that operate internationally may already use various international standards for testing fraud prevention controls.

For premium listed companies, there may be some overlap with the UK Corporate Governance Code, which expects the boards of those companies to review and monitor all material controls, including financial, operational and compliance controls, and to report on that review. From 1 January 2026, these companies will also be expected to make a declaration about the effectiveness of these material controls. Where the effectiveness of a specific fraud prevention measure is assessed in the declaration made under the UK Corporate Governance Code, it should not be considered necessary to duplicate the work for the purposes of demonstrating that reasonable procedures were in place to prevent that specific fraud.

Based on the estimated effectiveness of the fraud prevention measures, organisations should qualitatively assess the residual risks.

Written by:

Mike Brown

Head of Fraud

Mike is a collaborative, decisive and innovative fraud and financial crimes expert with an extensive background in intelligence, investigations, risk and compliance, having worked in law enforcement and the regulatory and financial sectors.
