UK Government Publishes Guidance for Companies on the New Failure to Prevent Fraud Offence

07 Nov 2024
Client Alert

Headlines

  • The UK government has published its guidance on the new Failure to Prevent Fraud offence, which will come into effect on 1 September 2025.
  • Similar to the UK Bribery Act, the provisions introduced by the Economic Crime and Corporate Transparency Act 2023 make it an offence for companies to fail to prevent a wide-ranging array of fraud offences being committed on their behalf by employees, agents, or associated persons. Read our previous alert on the key impacts of this legislation.
  • If a company can prove that it had “reasonable fraud prevention procedures” in place to prevent fraud, it will not be liable.
  • On 6 November 2024, the UK government published its 44-page guidance on what constitutes reasonable fraud prevention procedures.
  • Companies now have to ensure their procedures meet the standards and are fully implemented.

What are “reasonable fraud prevention procedures”?

The government stresses that a business’s reasonable fraud prevention procedures should be proportionate to its fraud risk. The effect is not to create a one-size-fits-all approach, but rather to allow for flexibility while ensuring that companies are taking steps to prevent fraud.

The guidance sets out six principles that should inform the reasonable fraud prevention procedures put in place:

1. Top level commitment: Emphasis is placed on the importance of senior management demonstrating a clear commitment to preventing fraud, including allocating appropriate resources and ensuring the organisation’s fraud prevention measures are effectively implemented.

2. Risk assessments: Companies must carry out risk assessments to understand where fraud could occur within their operations, including across their internal systems, third-party relationships, and external risks.

3. Proportionate risk-based prevention procedures: The procedures implemented should be proportionate to the size, complexity, and nature of the company’s business.

4. Due diligence: Companies must undertake appropriate due diligence on third-party relationships (e.g., suppliers, contractors, and joint ventures) to ensure they are not exposed to fraud through external partnerships.

5. Communication (including training): Regular training should be provided to all employees to raise awareness of fraud risks, the company’s fraud prevention procedures, and how to report potential fraud.

6. Monitoring and reviewing: Fraud prevention measures should not be static. They must be monitored regularly to ensure they are effective, and businesses should be ready to adjust their approach if weaknesses or new risks are identified. This includes evaluating the effectiveness of controls and investigating incidents of suspected fraud.

What should companies be focusing on?

The guidance recommends that companies consider the following:

(i) Look at what the organisation is already doing: Companies may already be undertaking a range of risk assessments and, to the extent they are not already doing so, it may be most effective to extend such existing risk assessments to include the risk of fraud in the scope of the offence.

(ii) Identify the risks: Companies should start by identifying their exposure from certain associated persons, such as their agents and contractors providing a particular service for or on behalf of the organisation, or staff in specific sensitive roles. The guidance acknowledges that it is not possible to anticipate all potential fraud risks, so it suggests that companies consider the three elements of the “fraud triangle”: opportunity, motive, and rationalisation. The guidance also prompts companies to consider the scope of their use of AI and data analytics to identify potential fraud.

(iii) Make the prevention policies clear: Companies should start integrating messaging about preventing potential fraud into existing policies and procedures.

(iv) Keep procedures updated: Companies should establish procedures to ensure ongoing monitoring and review of fraud prevention procedures. This includes ensuring that companies learn from investigations and whistleblowing incidents, and benchmarking experiences across a company’s sector.

(v) Culture: To demonstrate a corporate commitment to fostering a culture committed to preventing fraud, companies should codify their position in their code of ethics.

We will follow up with a more detailed analysis. In the meantime, if you have any questions, please contact any of the authors of this alert. 

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.