Written by Rob Tharle, Head of Product

In a world of increasing fraud levels and sophistication of the threat actors involved, the proposed new UK law to make failure to prevent fraud a crime is very interesting.  

The UK like many countries across the globe, is suffering from significant levels of fraud, against consumers, firms and the government agencies. These frauds are increasingly undertaken through the utilisation of social engineering of the victim, where they authorise transactions themselves. There are a number of things that help enable the success of these social engineering scams and frauds: 

• Abuse of advertising firms and platforms to lure people into investment scams 
• Abuse of telcos – such as spoofing of numbers and SIM Swaps  
• Social Media and job site platforms abused to recruit mules to move the proceeds of fraud and scams  
• Dating Apps abused to help target people in Romance Scams and Pig Butchering 

• Poor controls at Companies House letting scam firms to be easily set up 

Let’s spend some time looking at how this new law may operate and the implications for those types of fraud above. 

What is the purpose of the new law? 

The whole point of this law is for firms to take greater corporate responsibility to help prevent frauds across the UK economy. It is to encourage firms to introduce more systems and controls to prevent or highlight frauds as they are happening. It is this aim, rather achieving a higher rate of prosecution, that is the primary driver. This fits with other fraud regulations that help align firms’ incentives, giving them the reason to invest in prevention tools. 

What happens if convicted? 

In the event of a conviction, there is scope for an unlimited fine, however, no imprisonment of the executive officers, where they had no knowledge or involvement. Individuals undertaking the crime can be prosecuted under existing legislation. This should provide incentives for senior executives to invest in greater controls to prevent fraud by staff or agents. 

What is the scope? 

This law takes its idea from the existing ‘failure to prevent bribery’ law contained in the 2010 Bribery Act, and similarly, tax evasion in 2017 Criminal Finances Act. Therefore, this is an extension of legislation to cover fraud. Interestingly, financial crime is not in scope here, so as to avoid duplication with the existing Money Laundering Regulation (MLRs) laws. 

The law will only apply to larger organizations (including charities), so these are firms that meet two out of three criteria: greater than £36m in turnover, more than 250 employees and more than £18m in total assets. Smaller firms will not be covered, which may prove to an issue in the future. 

The relevant offences that will be covered at this time are: 

• fraud by false representation (section 2 Fraud Act 2006) 
• fraud by failing to disclose information (section 3 Fraud Act 2006) 
• fraud by abuse of position (section 4 Fraud Act 2006) 
• obtaining services dishonestly (section 11 Fraud Act 2006) 
• participation in a fraudulent business (section 9, Fraud Act 2006) 

• false statements by company directors (Section 19, Theft Act 1968) 
• false accounting (section 17 Theft Act 1968) 
• fraudulent trading (section 993 Companies Act 2006) 
• cheating the public revenue (common law 

The coverage of the new law is actually limited in its scope and will not cover elements that you may think from its description. To be in scope the fraud must be committed by an employee or agent, that benefits the organisation. It is not meant to penalise firms who are victims of direct abuse and criminal acts themselves, but where there are insufficient controls to stop fraud within the firm.   

This means that it does not cover external and internal fraud against the firm itself, which I think is an area of misunderstanding for those only reading the headlines. This means that the points listed above are not directly impacted by this legislation. However, there may still be implications here for firms. 

What does this mean in practice?  

Whilst it doesn’t cover external parties abusing firms’ services directly or staff defrauding the firm, there could be situations where there is some overlap here. 

Firms with no controls to ensure that sales employees or their agents bringing in business (that benefits the firms’ sales figures and bottom line) that they misrepresent or don’t disclose, could be in scope. 

It’s plausible that this might apply to platforms benefiting from fraudulent ads placed with them, with telcos for certain types of services. Firms, for example that enjoy high growth, but that is based on misrepresentation by employees or agents to get that business through the door, might also be covered. 

Looking back at the list of fraud enablers, at the start, it is clear to see the potential risk for firms here, if their due diligence and controls are not significant enough. 

Therefore, this is an important piece of legislation, that could help stop some firms from turning a blind eye to deals and revenue that should not be occurring. The sort of behaviour that can help enable many other types of fraud and financial crime. As prosecution can be avoided if there are sufficient controls in place, it is an incentive for firms to do more.