Checklist: Putting in place fraud prevention procedures (UK)

Updated as of: 28 July 2025

Introduction

This checklist will assist in-house counsel and compliance professionals with the development and implementation of fraud prevention procedures. This checklist can be used as a general checklist for any organisation that wishes to put in place a fraud prevention framework, but it contains specific reference to guidance that has been issued by the UK Home Office in connection with the offence of failure to prevent fraud, which was introduced into law by the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023). The focus of this checklist is on controls that can be put in place to address fraud which is intended to benefit the organisation (either directly or indirectly) and is committed by persons associated with an organisation.

This checklist addresses the following steps:

  1. Identify gaps in existing controls
  2. Develop and implement fraud prevention procedures
  3. Communicate your procedures
  4. Conduct training
  5. Monitor and review your procedures

The checklist is presented as a list of requirements that can be checked off as they are addressed. At the end of each step, there are explanatory notes corresponding with each requirement in the checklist.

This checklist can be used in conjunction with the following How-to guide: Understanding the failure to prevent fraud offence and Checklists: Fraud prevention procedures – due diligence and Fraud prevention procedures – communications and training.

Step 1 – Identify gaps in existing controls

No.   Requirement
1.1   Identify where risks are not appropriately mitigated by existing controls

Step 2 – Develop and implement fraud prevention procedures

No.   Requirement
2.1   Develop and implement fraud detection measures
2.2   Develop and implement due diligence procedures
2.3   Develop and implement procedural controls
2.4   Develop an internal commitment to an anti-fraud culture
2.5   Develop and implement whistleblowing procedures
2.6   Develop and implement investigation procedures
2.7   Document your fraud prevention plan
2.8   Test the fraud prevention procedures
2.9   Ensure that there is clear governance in respect of the fraud prevention framework

Step 3 – Communicate your procedures

No.   Requirement
3.1   Communicate your fraud prevention procedures

Step 4 – Conduct training

No.   Requirement
4.1   Conduct training on fraud prevention

Step 5 – Monitor and review your procedures

No.   Requirement
5.1   Monitor fraud prevention measures
5.2   Review the fraud prevention framework and its implementation

Explanatory notes

General notes

Legal framework

Legal changes introduced by the ECCTA 2023 mean that it is more important than ever that organisations have appropriate frameworks in place to prevent fraud.

ECCTA 2023 introduced two major changes to the corporate criminal liability regime that affect organisations:

  • the introduction of the failure to prevent fraud offence (the FTPF offence); and
  • reform of the corporate identification principle.

Failure to prevent fraud offence

ECCTA 2023 created a new criminal offence whereby certain corporate entities and certain partnerships (termed ‘relevant bodies’ in ECCTA 2023 and in this resource as organisations for simplicity) will be liable for failing to prevent fraud that is intended for the organisation’s benefit that is committed by a person associated with the organisation – the FTPF offence (pursuant to sections 199 to 206 and Schedule 13 ECCTA 2023). The FTPF offence comes into force on 1 September 2025. For more information, see How-to guide: Understanding the failure to prevent fraud offence.

Even where the various elements of the offence are made out, it is a defence that an organisation had in place reasonable procedures to prevent fraud, or that, in all the circumstances, it was not reasonable to expect the organisation to have prevention procedures in place (currently, it is unclear in what type of circumstances it will be reasonable to have no prevention procedures in place, but such circumstances are expected to be rare).

To mitigate the risk of liability, those organisations that fall within the scope of the FTPF offence (because they meet the relevant criteria set out in the ECCTA 2023) should assess their fraud risk and implement reasonable fraud prevention procedures. A fraud prevention framework will likely be multi-layered and include a combination of policies and procedures that aim to prevent fraud.

The Home Office has published Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (the Guidance), which sets out procedures that relevant bodies can put in place to prevent persons associated with them from committing fraud offences.

The Guidance makes clear that fraud prevention frameworks should be informed by six principles, including top-level commitment and communication. The Guidance states that an organisation should seek ‘to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication’. Articulation and endorsement by senior management of an organisation’s policies or codes of practice on fraud prevention and its key fraud prevention procedures are therefore an important part of a fraud prevention framework. Drafting and implementing an anti-fraud policy may help to demonstrate adherence to the principles set out in the Guidance and mitigate the risk of corporate liability for the FTPF offence.

There is, at present, little other guidance on what types of procedures might be reasonable under which circumstances. Seek support as necessary from specialist counsel as to which reasonable fraud prevention procedures are appropriate and proportionate to your organisation’s exposure to risk.

The Guidance is referred to throughout this checklist. Even if an organisation does not meet the criteria to be within the scope of the FTPF offence, the Guidance represents a useful indicator of best practice when it comes to putting in place fraud prevention measures.

Reform of the corporate identification principle

In addition to the introduction of the FTPF offence, section 196 ECCTA 2023 introduced changes to the way in which certain organisations (bodies corporate or partnerships; see section 196 for full definitions) might be held liable for the actions of certain members of their staff. These changes make it easier for criminal acts committed by staff to be attributed to an organisation. They mean that an organisation may be liable if certain economic crimes are committed by a senior manager who is acting within the actual or apparent scope of their authority.

The definition of ‘senior manager’ under section 196(4) ECCTA 2023 in relation to a body corporate or partnership is wide and means:

an individual who plays a significant role in – (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or (as the case may be) partnership are to be managed or organised, or (b) the actual managing or organising of the whole or a substantial part of those activities.

Unlike the FTPF offence, it is no defence that an organisation had reasonable procedures in place to prevent a senior manager from committing an economic crime. However, while not a defence, having anti-fraud measures in place will be an important part of a risk management strategy.

Anti-fraud measures may help an organisation to limit risk through prevention. A clear anti-fraud framework may deter those who may be considered senior managers from engaging in fraudulent behaviour. Failing prevention, having in place procedural controls may help an organisation to identify fraud, and the existence of controls may serve as potential mitigating factors in the event of an investigation or prosecution, even if they ultimately did not prevent fraud.

Step 1 – Identify gaps in existing controls

1.1 Identify where risks are not appropriately mitigated by existing controls

According to the Guidance, one of the six principles that should inform a fraud prevention framework is that of proportionate risk-based fraud prevention procedures (the others being top level commitment, risk assessment, due diligence, communication (including training), and monitoring and review).

To address this principle, an organisation’s procedures to address fraud by persons associated with it should be ‘proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities’. Therefore, prior to putting in place fraud prevention procedures, you should conduct a risk assessment that seeks to identify your organisation’s potential exposure to fraud as a result of the conduct of its associated persons.

After conducting a risk assessment, conduct a gap analysis to identify risks where either there are no existing controls or where the existing controls do not adequately address the risk in question. The questions your organisation might seek to answer for each identified risk are:

  • Is the risk adequately mitigated against? And, if not:
    • What existing controls and procedures need to be modified to adequately mitigate against the risk?
    • What additional controls and procedures need to be implemented to adequately mitigate against the risk?

Many organisations will already have in place processes to prevent fraud. The Guidance advises organisations to:

assess whether their existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment . . . Where existing mechanisms appear to be insufficient, organisations should develop appropriate measures to prevent fraud.

For those risks where either new or enhanced controls and procedures are necessary to adequately mitigate against the risk of fraud, your organisation may wish to prioritise its resources by focusing initially on either those risks that are most likely to materialise or those that would have the greatest impact on your business if they arose.

Step 2 – Develop and implement fraud prevention procedures

Fraud prevention procedures should be clear, practical, accessible, effectively implemented and enforced. They should also be developed to address the specific risks that are identified as a result of your organisation’s risk assessment. Therefore, it is not possible to set out in a definitive or exhaustive way which fraud prevention procedures would be considered reasonable to establish a defence to the FTPF offence. Set out below are examples of the types of procedures that an organisation may wish to consider as part of its process of putting in place reasonable procedures to address the fraud risks identified. What are reasonable fraud prevention procedures will need to be assessed on a case-by-case basis depending on the specific risks faced.

2.1 Develop and implement fraud detection measures

Fraud detection measures may include:

  • processes to detect unauthorised access to premises, systems and data;
  • transaction monitoring (ie, the monitoring of financial transactions in order to detect suspicious, potentially fraudulent transactions);
  • analysis that is carried out to identify discrepancies in relation to payments, invoicing, procurement matters, etc;
  • exception reporting that aims to identify activities that deviate from usual processes or transactions, and then put in place processes to investigate these further;
  • systems for audits and reviews that evaluate fraud prevention controls and their effectiveness;
  • a culture that encourages associated persons to seek advice on questions or concerns that they might have over the legality of a course of action – a culture that encourages this may prevent small ethical issues from snowballing into full-blown criminality;
  • training to ensure that staff recognise the risks of fraud and the signs of it within the organisation;
  • whistleblowing procedures that are clearly communicated to associated persons and which they are encouraged to use without fear of recrimination; and
  • procedures for the investigation of reports of suspected fraudulent behaviour.

Consider whether various tools can be deployed to detect suspicious activity. For example, monitoring systems can track and analyse IT systems and user behaviour to identify anomalies that might indicate suspicious activity. As the development of Artificial Intelligence (AI) tools grows, consider whether AI can be effectively used to identify potential fraud. Analytical tools will help spot patterns and eliminate personal bias, although they are not yet a substitute for human involvement or oversight.

Clearly allocate responsibility to identified staff members to collate and verify management information on suspected fraud and put in place an effective process for this to be flagged to the board for further consideration.

2.2 Develop and implement due diligence procedures

Due diligence is one of the six principles that the Guidance states should inform a fraud prevention framework. Take a proportionate and risk-based approach to the application of due diligence in respect of persons who perform or will perform services for or on behalf of your organisation.

Due diligence processes aim to screen persons for red flags that could indicate that they might expose an organisation to a risk of damage or liability.

Although your organisation may already have in place due diligence procedures, you cannot simply rely upon these procedures if they are not specifically aimed at fraud risk. The Guidance is clear that ‘merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud’. Consider the risks identified as part of your risk assessment and whether existing procedures are sufficient to address these or whether they need to be augmented or adjusted.

For further information on due diligence as a fraud prevention procedure, see Checklist: Fraud prevention procedures – due diligence.

2.3 Develop and implement procedural controls

Develop and implement procedural controls to reduce the motivation, opportunity and temptation to commit fraud. Implement procedural controls at every stage of your organisation’s operations where there is potential exposure to fraud and where it is reasonable to have controls in place.

As fraud prevention procedures should be informed by an organisation’s risk assessment and proportionate to the risks faced, it is not possible to provide an authoritative or exhaustive list of the procedures that an organisation should implement in order to be able to mount a defence of having in place reasonable prevention procedures. However, set out below are examples of the types of procedural controls that might be considered, if deemed appropriate.

To avoid duplication of work, the Guidance advises organisations to:

assess whether their existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment . . . Where existing mechanisms appear to be insufficient, organisations should develop appropriate measures to prevent fraud.

2.3.1 System and physical access controls

Inadequate systems and physical access controls could lead to unauthorised access to and manipulation of systems, which could lead to the commission or facilitation of fraud. This could happen where associated persons are able to access and manipulate information, process fraudulent payments, make fraudulent claims, etc. Limit the ability to do this by implementing system and physical access controls.

Physical access controls are those controls that restrict who can physically access systems and might include:

  • the use of secure rooms for storage of certain types of information and limitations on how access is gained to these, including restrictions on key copying;
  • restricting access to certain buildings or parts of buildings;
  • restricting access to systems to work-issued devices;
  • restrictions on printing information or otherwise reproducing it;
  • technical surveillance measures; and
  • processes for the disposal of old or unnecessary systems.

System access controls are those controls that restrict who can access and use data and resources within a computing environment and might include:

  • implementing restricted access to systems (or parts thereof) based on specific business needs and taking into account the nature of information stored in the systems. Controls might include:
    • segregation of sensitive data and information within your systems;
    • limiting who can access certain aspects or areas of your organisation’s systems;
    • requiring users to have a specific business need in order to be granted access;
    • implementing approval procedures for the grant of access;
    • having in place processes for the audit and revocation of access (eg, when staff leave or change roles);
    • requirements for passwords, including two-factor authentication;
    • mechanisms for protecting data from manipulation;
  • policies, procedures and controls related to remote working and access to systems;
  • monitoring the use of high-risk (privileged) accounts; and
  • processes for the regular review of access rights and privileges to ensure that these are kept up to date.

2.3.2 Financial and business controls

The nature of financial and business controls that will be appropriate will depend heavily on an organisation’s activities. Notwithstanding this, some general themes can be applied to financial and business controls, which are set out below.

There may be occasions when it is necessary to deviate from normal procedures. Put in place a process for this, for example, requiring the approval of the chief compliance officer. Deviations should be the exception, not the rule: they should be limited in time, the risk should be assessed and the reasons for the deviation fully documented.

Delegation of authority

Delegation of authority is a crucial fraud prevention procedure. It involves assigning specific responsibilities and decision-making powers to individuals with appropriate competency levels, particularly for higher-risk processes such as payments above certain thresholds or high-value claims processing. Without proper delegation controls, allowing all staff to process any type of request or claim significantly increases the risk of employees deliberately processing fraudulent requests or being coerced by others into approving illegitimate transactions.

Delegation of authority might be appropriate for aspects of the business such as:

  • high-value claims;
  • supplier creation;
  • travel and other expense processing; and
  • payment authorisation.

Consider setting different threshold limits that require different levels of authorisation within the business; this avoids senior staff having to spend time dealing with smaller and more routine matters. As part of this process, consider putting in place processes to identify linked activities that have been artificially split to avoid exceeding thresholds and scrutiny.

Implement system workflows for the processing of requests and to ensure that staff are made aware of those processes. Once implemented, test the systems to ensure that the controls cannot be bypassed or deviated from.

Segregation of duties

Segregation of duties is another fundamental internal control mechanism. Segregating duties means systematically distributing responsibility for financial processes across multiple individuals, so that no one staff member has sole control. This creates natural checks and balances and reduces the risk that company assets could be misused to facilitate fraud.

Key elements involved in the segregation of duties include:

  • separating operational functions from record-keeping activities;
  • ensuring different personnel handle purchasing and payables functions; and
  • implementing counter-signature requirements.

Effective implementation requires clear documentation of roles and responsibilities, regular monitoring through audit trails, and systematic reviews to ensure that controls remain robust and are relevant to changing business needs and processes.

Consider rotating staff periodically to reduce the risk of staff complacency and the opportunity for fraud being committed without detection.
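As an added illustration, not taken from this checklist or the Home Office Guidance, the script below automates two of the controls described above: it looks for sub-threshold payments to one supplier that have been split so that, taken together within a short window, they avoid the higher approval band, and it flags segregation-of-duties breaches in the payment workflow (self-approval, an approver below the level the amount requires, and an approver who also created the supplier record). The approval bands, level names, the seven-day window and the payment records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical approval bands: a payment at or above the amount needs at least that approver level.
APPROVAL_BANDS = [(50_000, "director"), (10_000, "manager"), (0, "team_lead")]
LEVEL_RANK = {"team_lead": 0, "manager": 1, "director": 2}
SPLIT_WINDOW = timedelta(days=7)   # assumed look-back window for split-payment detection


def required_level(amount):
    """Return the approver level a payment of this size requires under APPROVAL_BANDS."""
    for threshold, level in APPROVAL_BANDS:
        if amount >= threshold:
            return level
    return "team_lead"


def parse_payments(records):
    """Copy the records with their ISO date strings turned into datetimes."""
    out = []
    for r in records:
        p = dict(r)
        p["date"] = datetime.strptime(r["date"], "%Y-%m-%d")
        out.append(p)
    return out


def find_split_payments(records, threshold=10_000, window=SPLIT_WINDOW):
    """Flag sets of sub-threshold payments from one requester to one supplier whose
    combined value within `window` reaches the threshold each of them individually avoids."""
    groups = defaultdict(list)
    for p in parse_payments(records):
        if p["amount"] < threshold:
            groups[(p["requester"], p["supplier"])].append(p)
    findings = []
    for (requester, supplier), items in groups.items():
        items.sort(key=lambda p: p["date"])
        start = 0
        for end in range(len(items)):            # sliding window over payment dates
            while items[end]["date"] - items[start]["date"] > window:
                start += 1
            run = items[start:end + 1]
            total = sum(p["amount"] for p in run)
            if len(run) > 1 and total >= threshold:
                findings.append({"requester": requester, "supplier": supplier,
                                 "ids": [p["id"] for p in run], "total": total})
                break                             # one finding per requester/supplier pair
    return findings


def find_sod_breaches(records, supplier_creators):
    """Flag payments that breach segregation of duties or delegated authority limits.
    `supplier_creators` maps a supplier id to the user who created its master record."""
    findings = []
    for p in records:
        reasons = []
        if p["requester"] == p["approver"]:
            reasons.append("self-approval")
        need = required_level(p["amount"])
        if LEVEL_RANK[p["approver_level"]] < LEVEL_RANK[need]:
            reasons.append(f"approver below required level ({need})")
        if supplier_creators.get(p["supplier"]) == p["approver"]:
            reasons.append("approver created the supplier record")
        if reasons:
            findings.append({"id": p["id"], "reasons": reasons})
    return findings


# Constructed sample data (not real transactions). P1-P3 are a split run; P4-P6 each breach one rule.
SAMPLE_PAYMENTS = [
    {"id": "P1", "date": "2025-03-03", "requester": "alice", "approver": "bob", "approver_level": "team_lead", "supplier": "S-100", "amount": 4_500},
    {"id": "P2", "date": "2025-03-04", "requester": "alice", "approver": "bob", "approver_level": "team_lead", "supplier": "S-100", "amount": 4_800},
    {"id": "P3", "date": "2025-03-06", "requester": "alice", "approver": "bob", "approver_level": "team_lead", "supplier": "S-100", "amount": 3_200},
    {"id": "P4", "date": "2025-03-10", "requester": "carol", "approver": "carol", "approver_level": "manager", "supplier": "S-200", "amount": 12_000},
    {"id": "P5", "date": "2025-03-11", "requester": "dave", "approver": "erin", "approver_level": "manager", "supplier": "S-300", "amount": 60_000},
    {"id": "P6", "date": "2025-03-12", "requester": "frank", "approver": "gina", "approver_level": "manager", "supplier": "S-400", "amount": 15_000},
]
SUPPLIER_CREATORS = {"S-100": "helen", "S-400": "gina"}

if __name__ == "__main__":
    for f in find_split_payments(SAMPLE_PAYMENTS):
        print("possible split payments:", f)
    for f in find_sod_breaches(SAMPLE_PAYMENTS, SUPPLIER_CREATORS):
        print("segregation/authority breach:", f)
```

In practice the records would come from the payments ledger and the supplier master, and findings would feed the exception-reporting and investigation processes described in 2.1.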

Financial controls

Implement financial controls around the processing of transactions and record-keeping.

Industry guidance produced by UK Finance entitled Failure to Prevent Fraud: Guidance for the financial services sector (UK Finance Guidance), notes that where there is a risk of unauthorised payments or trading:

reasonable prevention procedures may include the following…:

  • Requirements for verbal and written instructions to be recorded accurately and correctly
  • Processes for validating and checking instructions and recording the validation activity once completed
  • Requirements or processes for handling transaction errors and exceptions consistently, and for conducting root cause analysis to identify trends that might indicate control weaknesses
  • Requirements to process transactions accurately and maintain records of all processed transactions.

It is important that all transactions are accurately recorded and supported by documentation, and that controls are in place to ensure there are regular bank account reconciliations. Maintaining comprehensive records serves as a vital fraud prevention measure by establishing clear audit trails that make financial transactions more transparent and accountable. Mandating the collection and preservation of adequate supporting evidence for all monetary activities creates barriers against fraudulent behaviour, as perpetrators find it more challenging to misappropriate company resources without leaving detectable traces. Thus, documentation acts as both a prevention and a detection mechanism.

Regular monitoring and review processes are also essential components of financial controls, involving periodic audits, variance analysis, and exception reporting that highlight unusual patterns or transactions. Ensure that you have processes in place to remedy any identified fraud concerns or indications that controls are not working effectively.

2.3.3 Conflict of interest controls

The existence of conflicts of interest can create incentives to commit fraud. As part of the process of putting in place fraud prevention procedures, review your organisation’s existing procedures for gathering information on potential conflicts of interest, update that information and consider whether those processes need to be bolstered.

The UK Finance Guidance suggests:

managing the risk arising through conflicts of interest by:

  • Identifying types of conflicts of interest that might reasonably arise in the context of the activities of the firm
  • Supervising separately those whose principal role involves serving multiple customers whose interests could conflict
  • Requiring employees to report external relationships where there might be a risk that a conflict of interest might arise, and if so identify if any mitigating controls would be appropriate to manage the risk and applying the information about the external relationship within monitoring controls
  • Reviewing pay structures and incentives to identify where improper incentives might encourage them to commit a fraud offence.

2.3.4 Staff controls

When it comes to associated persons, according to the Guidance, ‘the level of prevention procedures considered to be reasonable should take account of the level of control and supervision the organisation is able to exercise over a particular person acting on its behalf and the relevant body’s proximity to that person. For example, a relevant body is likely to have greater control over the conduct of an employee than that of an outsourced worker performing services on its behalf’.

Resourcing controls

Ensure that staff have the necessary experience or receive appropriate training for their roles. Untrained or unqualified staff create substantial fraud risks because they may fail to recognise inconsistencies or red flags, or fail to follow appropriate procedures. Take steps to ensure that staff have the necessary qualifications to perform their duties; understand any training needs and ensure that appropriate training is attended; analyse any error rates or complaints; and take steps to ensure that any gaps in knowledge or performance are addressed. Investing resources in trained and qualified staff will equip your organisation with a knowledgeable workforce capable of maintaining robust defences against both internal and external threats.

Ensure that resourcing levels are sufficient. Under-resourcing creates significant fraud risks such as a reduced ability to recognise red flags and suspicious patterns, inadequate management of fraud and corruption risks, and conditions where staff may abuse their positions of trust to commit fraud. Implementing sufficient resourcing levels serves as a crucial prevention measure by:

  • ensuring that prevention and compliance teams have adequate staffing and the technical capabilities needed to effectively monitor, investigate and respond to potential fraud indicators, and properly implement and maintain critical controls such as identity verification and transaction monitoring;
  • providing staff with manageable workloads that enable careful scrutiny of documentation and transactions;
  • maintaining consistent application of fraud prevention processes across the organisation; and
  • creating a work environment that reduces the likelihood of internal fraud while enabling the recognition and investigation of external threats.

Human resources and contractual controls

In addition to putting in place controls in the workplace, consider the inclusion of contractual controls within staff contracts. Contractual controls may include:

  • a definition of the staff member’s role and the scope of their authority and remit;
  • a requirement to abide by your organisation’s code of conduct, code of ethics or similar values framework and/or anti-fraud policy; and
  • incorporation of your organisation’s staff handbook by reference to the terms of employment – this gives your organisation greater flexibility when it comes to making changes to your processes and procedures around fraud prevention.

Be clear within your policies and handbooks as to the HR investigation processes that will be carried out in the event of a suspected breach of your organisation’s fraud policies or allegations being made of suspected fraud, and also of the disciplinary consequences of fraud being proven.

Incentive and remuneration controls

The Guidance considers motive to be a key element in fraud because it addresses the fundamental ‘why’ behind behaviour. Addressing motive enables organisations to target root causes rather than just symptoms.

Financial incentives, external pressures, time constraints and cultural factors may create an environment where individuals may feel compelled, tempted or justified to commit fraud – whether to secure bonuses tied to unrealistic targets, meet critical deadlines or avoid the consequences of missing financial targets.

To address employee motivation to commit fraud, businesses should implement comprehensive fraud prevention procedures that focus on designing ethical incentives aligned with company values and culture and ensuring that the overall approach to rewards does not inadvertently undermine ethical standards or create pressures that might lead to fraudulent behaviour. Possible fraud prevention procedures include:

  • establishing achievable targets that do not require staff to resort to illegal, unethical or negligent behaviour to meet expectations;
  • ensuring that staff have the resources they need to achieve their targets;
  • creating an environment in which staff feel empowered to speak up if they feel under pressure to achieve their targets at any cost, or if they feel that they are being encouraged to engage in potentially fraudulent behaviour;
  • ensuring that bonus frameworks do not encourage risk-taking;
  • setting ethical targets and rewards that focus on the means used to achieve outcomes (rather than the outcomes themselves);
  • introducing ethics and values measures into performance reviews and promotion processes and procedures, and ensuring that staff who have breached company principles are not promoted or rewarded; and
  • implementing a culture that rewards and recognises ethical conduct above financial performance.

2.3.5 Third-party associated person controls

The Guidance notes that even though an organisation is likely to have a lesser degree of control over the conduct of a third-party associated person (for example an outsourced worker performing services on its behalf), ‘appropriate controls should be implemented via the relevant contract’.

Contractual controls might include contractual provisions that:

  • explain the scope of the services that are to be provided and the service standards that the associated person is expected to achieve;
  • prohibit the associated third party from acting in a way that might constitute a base offence for the purposes of the FTPF offence;
  • require the associated person to have and maintain adequate policies and procedures to detect and prevent fraud, and require the associated person to adopt a similar approach to its subcontractors or those in its supply chain;
  • require the associated person to ensure that fraud training is rolled out to all staff;
  • require the associated person to notify the organisation if it has reason to suspect that fraud has occurred or is occurring;
  • require the associated person to maintain accurate books and records;
  • require the associated person to cooperate with any investigation and allow the audit of any books, records and relevant documentation;
  • require the associated person to provide annual compliance certifications; and
  • provide for the right to terminate where the associated person does not or has not complied with any of their obligations relating to fraud prevention.

Contractual clauses with third parties should contain appropriate representations and warranties as to behaviour, together with an indemnification in favour of the organisation against any loss, liability, damage or claim (including legal costs) incurred by the organisation as a result of or in connection with any allegations that the organisation failed to prevent fraud arising from the performance of the contract by the third party associated person.

2.4 Develop an internal commitment to an anti-fraud culture

The Guidance emphasises the importance of top-level commitment when it comes to fraud prevention. Within an organisation, senior management set the tone about its culture. An organisation’s staff are much more likely to act honestly, ethically and in compliance with the law where there is a genuine culture of compliance that is both demonstrated by senior management’s actions and where staff are encouraged to uphold the organisation’s standards and feel able to speak up about concerns.

In addition to appropriate communications (see Step 3 for further information), the implementation of whistleblowing procedures (see Step 2.5) and training (see Step 4), consider things like reviewing employee appraisal, advancement and recognition mechanisms to ensure that:

  • a culture of compliance and commitment to being anti-fraud is not undermined by employee objectives or incentive structures; and
  • promotions are awarded to staff who uphold the organisation’s values, have participated in training and who demonstrate knowledge of the organisation’s policies and procedures.

Encourage managers to foster a culture within which staff are encouraged to question behaviour and where they feel safe to seek advice on whether a particular behaviour or course of action is appropriate.

2.5 Develop and implement whistleblowing procedures

The Guidance states that ‘to help prevent fraud, organisations should have appropriate whistleblowing arrangements’.

Whistleblowing refers to an individual reporting certain types of wrongdoing, typically occurring within or related to the workplace, to someone in authority or to an external entity. The law provides specific definitions and protections for certain whistleblowers, primarily through the Public Interest Disclosure Act 1998 (PIDA) and its incorporation into the Employment Rights Act 1996 (ERA). For more information see How-to guide: Understanding the legal protections for whistleblowers.

Some organisations may already have whistleblowing procedures in place (either because it is a regulatory requirement or because the organisation has chosen to put such procedures in place). Where this is the case, assess whether the existing arrangements are suitable to address the identified fraud risks. Where the existing arrangements are not suitable, or where there are no such arrangements, the Guidance suggests that organisations:

may wish to consider measures such as:

  • having board level accountability to oversee whistleblowing
  • overseeing a culture where employees feel able to raise concerns
  • consulting trade unions and/or employee representatives about the content of formal systems for receiving concerns raised by whistleblowers
  • ensuring that reporting channels for whistleblowers are independent
  • signposting internal and external whistleblowing arrangements, such as those of the relevant regulators and, if appropriate, trade unions
  • training staff to ensure that they are aware of how to access whistleblowing arrangements and managers on how to respond when whistleblowing concerns are raised
  • investigating and responding to internal concerns appropriately and in a timely manner
  • conducting victimisation risk assessments and protecting whistleblowers from potential victimisation
  • providing feedback to whistleblowers
  • learning from the issues raised by whistleblowers
  • keeping systems under review, including, if appropriate, external assessment of arrangements.

Further information on whistleblowing, including policies and procedures, can be found in the government document Whistleblowing Guidance for Employers and Code of Practice.

Clearly communicate your organisation’s whistleblowing procedures to those who will be expected to abide by them and provide appropriate training (see Step 4).

2.6 Develop and implement investigation procedures

One of the six principles that should inform a fraud prevention framework is that of monitoring and review. Within this, the Guidance notes that investigations are one of the elements of monitoring.

Organisations should have in place arrangements and protocols for internal investigations. The Guidance notes that ‘investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice), and legally compliant. Investigations should strive to be fair to all parties’. In achieving this aim, organisations should consider having in place a fraud response plan that sets out a process for assessing which reports or indications of misconduct to investigate, how they will be investigated and how to manage the investigations process.

Many organisations will already have in place arrangements for investigating suspected wrongdoing (eg, bribery, breaches of competition law, fraud against the company) but these may need to be extended in order to cover fraud that is intended to benefit the organisation or its clients. The Guidance notes that:

organisations may wish to consider the following questions:

  • What factors would trigger an investigation?
  • Who authorises the investigations?
  • Are decisions to investigate documented?
  • What factors determine whether the investigation is internal or whether an external investigator is appointed?
  • What arrangements are in place to ensure that internal investigations are independent?
  • What are the arrangements for reporting the results of investigations to the board?
  • How are the results of any investigations communicated through the organisation?
  • What arrangements are in place for learning from investigations?

For more information on investigations see the Global Practitioners’ Guide to Investigations.

2.7 Document your fraud prevention plan

The Guidance states that organisations should ‘draw up a fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment’.

The term ‘fraud prevention plan’ is not a defined term within the Guidance and there is no assistance as to what this should contain. To be able to mount a defence of having in place reasonable fraud prevention procedures, it is prudent to document all aspects of your organisation’s fraud prevention framework, including:

  • your organisation’s risk assessment and risk registers;
  • the results of your gap analysis;
  • the procedures that were developed and implemented to prevent fraud and the reasons why they were considered proportionate to the risks identified;
  • links out to relevant policies and procedures;
  • a record of communications from top-level management regarding the importance of fraud prevention;
  • a record of training delivered and a record of who has undertaken the training and when; and
  • a plan for how your organisation will monitor your fraud prevention framework.

Without adequate documentation, it may be difficult to evidence in any prosecution for the FTFP offence that fraud prevention procedures were in place and that these were considered reasonable in all the circumstances.

The Guidance notes that:

in some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment. Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision.

2.8 Test the fraud prevention procedures

Once fraud prevention procedures have been developed, test their effectiveness.

Testing fraud prevention procedures involves the systematic assessment and evaluation of internal controls, processes and systems to detect vulnerabilities and ensure they effectively prevent fraudulent activities. This means that organisations need to examine their fraud controls from a fraudster's perspective, employing creative and critical thinking alongside various testing methods to eliminate blind spots, uncover weaknesses and challenge assumptions about fraud management effectiveness. The Guidance notes that ‘best practice is for the prevention plan to be tested by members of the organisation who were not involved in writing it’.

Qualitatively assess the residual risks and determine whether any adjustments to your controls are required in order to mitigate the risk of fraud. Amend your fraud prevention plan accordingly.

The effectiveness of existing controls can degrade over time as fraudsters develop new methods to circumvent them and as organisational changes create new vulnerabilities. By regularly testing fraud prevention procedures, you can proactively identify and address specific vulnerabilities in a measurable way and maintain a robust control environment that adapts to evolving threats.

2.9 Ensure that there is clear governance in respect of the fraud prevention framework

The Guidance is clear that ‘organisations should ensure that there is clear governance in respect of the fraud prevention framework’.

As part of ensuring that there is clear governance in place, clearly designate responsibility for:

  • developing and implementing fraud detection measures;
  • developing, implementing and testing fraud prevention measures;
  • ensuring that appropriate management information is collected and shared to enable senior managers to understand the risks and the effectiveness of fraud prevention procedures;
  • developing and implementing disciplinary measures relating to the breach of the relevant body’s policies;
  • whistleblowing;
  • investigations if fraud is detected or suspected; and
  • monitoring and review of the framework.

In addition, the Guidance makes clear that best practice involves:

  • ensuring that the head of ethics and compliance (or similar person) has direct access to the board or CEO as they think necessary, even if their primary or day-to-day reporting line is to another senior leader or a committee;
  • reporting to the board as appropriate;
  • reviewing the fraud prevention framework and its implementation;
  • minuting decisions and actions; and
  • maintaining governance when members of staff move to other positions, leave the organisation or are off work with illness.

Step 3 – Communicate your procedures

3.1 Communicate your fraud prevention procedures

According to the Guidance, communication is one of the six principles that should inform a fraud prevention framework. To address this principle, an organisation should seek to ‘ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication’. The reason given for this is that ‘a clear articulation and endorsement of an organisation’s policy against fraud deters those providing services for or on behalf of the relevant body from engaging in such activities’.

The Guidance is clear that ‘communication should be from all levels within an organisation. It is not enough for the senior management to say that staff should not commit fraud, if middle management then actively ignore this and encourage junior members to circumvent the relevant body’s fraud prevention procedures’.

For further information on communication of your fraud prevention procedures, see Checklist: Fraud prevention procedures – communication and training.

Step 4 – Conduct training

4.1 Conduct training on fraud prevention

According to the Guidance, training is a form of communication, which is one of the six principles that should inform a fraud prevention framework. Although the Guidance expresses training as one of those principles, it is only once you have developed your fraud prevention procedures that you can conduct effective training covering the details of those procedures, such as your whistleblowing mechanisms.

The Guidance states that:

Training should be proportionate to the risk faced. Consideration should be given to the specific training needs of those in the highest risk posts. Training should cover the nature of the offence as well as the procedures to address it.

Some relevant bodies may wish to incorporate training into their existing financial crime prevention training, while other organisations may wish to introduce bespoke training to address specific fraud risks. Relevant bodies may choose either to train third party associated persons or encourage them to ensure their own arrangements are in place.

For further information on training as a fraud prevention procedure, see Checklist: Fraud prevention procedures – communication and training.

Step 5 – Monitor and review your procedures

One of the six principles that should inform the fraud prevention framework that an organisation puts in place is monitoring and review. The Guidance explains that the principle is that ‘the organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector’.

5.1 Monitor fraud prevention measures

Monitoring includes assessing the effectiveness of fraud prevention measures. This contributes to the continuous improvement of an organisation’s fraud prevention framework, as it aims to identify whether the prevention procedures that have been implemented are effective and whether there are areas for potential improvement.

The Guidance addresses this briefly and notes that:

monitoring fraud prevention measures might include:

  • monitoring of financial controls
  • collecting data on how many staff have attended fraud prevention training courses and any test results, if applicable
  • monitoring updates to procedures (for example, due diligence procedures)
  • monitoring updates to contractual clauses for associated persons

Monitoring should aim to check that fraud prevention measures are effective and working as intended.

Consider which technological and data analytics tools (including AI) might be available to assist in monitoring of fraud prevention measures. Regardless of the means of monitoring, gather appropriate data to enable senior managers to understand the risks and the effectiveness of fraud prevention procedures and to make decisions on how to enhance prevention procedures (if necessary).

5.2 Review the fraud prevention framework and its implementation

Carry out a review of your organisation’s fraud prevention framework and its implementation where either:

  • a review of your organisation’s risk assessment suggests that the risks to your organisation have changed, perhaps due to new threats, organisational changes or identified instances of fraud; or
  • monitoring of your fraud prevention measures has identified deficiencies or areas for improvement.

The Guidance suggests (as a non-exhaustive list) that:

relevant organisations can review their fraud detection and prevention procedures by:

  • seeking internal feedback from staff members
  • reviewing fraud detection analysis
  • examining any investigations or relevant whistleblowing cases and the subsequent action taken
  • examining other financial crime prevention procedures
  • conducting formalised periodic review with documented findings
  • working with other organisations, such as trade bodies or other organisations facing similar risks
  • following advice from professional organisations (for example, accountancy or legal bodies)
  • examining any relevant prosecutions or deferred prosecution agreements
  • collating and verifying management information on the effectiveness of the fraud prevention measures and flagging to the board.

Such a review may be conducted by an external party or an organisation may choose to conduct its review internally. The approach to this may depend on the circumstances. For example, a more in-depth external review might be warranted in circumstances where fraud has been found to have been committed by someone associated with the organisation.

Regular internal reporting on reviews of the fraud prevention framework is crucial for maintaining effective governance, for ensuring continuous improvement of anti-fraud measures, and for demonstrating a culture of compliance and top-level commitment. Senior management should receive regular reports on reviews that enable them to assess whether the fraud prevention programme is functioning effectively, so that they can identify any deficiencies or emerging risks and determine what strengthening actions are necessary.

Additional resources

Related Lexology Pro content

How-to guides:

Understanding the failure to prevent fraud offence

Checklists:

Fraud prevention procedures – due diligence
Fraud prevention procedures – communication and training
Drafting an anti-fraud policy
Drafting an external anti-fraud statement
