The Economic Crime and Corporate Transparency Act 2023 (ECCTA) created a new offence of Failure to Prevent Fraud (FtPF), which will come into force in September 2025. A key question for those seeking to design compliance processes prior to September is what the territorial scope of the FtPF offence is and, accordingly, where it is advisable for reasonable procedures to be implemented.
The ECCTA extends corporate liability to the actions of employees, agents and other associated persons in circumstances where the criminality (in this case fraud) is intended to benefit the organization or its clients.
Large organizations
FtPF applies to “Large Organizations” that fail to prevent fraudulent misconduct by those acting on their behalf (ECCTA, Schedule 13 sets out the full list of offences), including but not limited to false accounting, fraud by false representation, failure to disclose information, abuse of position, participation in a fraudulent business and obtaining services dishonestly.
This is not an exhaustive list, and anything from manipulating financial records or reporting inaccurate loan defaults to misrepresenting investments can result in the potential prosecution of financial service firms under the ECCTA.
“Large Organizations” are defined as those which meet two of the following criteria:
- more than 250 employees;
- more than £36m ($46m) in turnover;
- more than £18m ($23m) in total assets.
Importantly, for international organizations, the Guidance to organizations on the Offence of Failure to Prevent Fraud makes it clear that the criteria apply to “the whole organization, including subsidiaries, regardless of where the organization is headquartered or where its subsidiaries are located.”
It follows that, even organizations with a fraction of their customer base in the UK and limited UK presence (by way of subsidiaries or otherwise) are exposed to the risk of being caught by the ECCTA. The key for prosecutors will be to establish a UK nexus to the fraudulent act, loss or benefit.
The broad scope of the ECCTA means that the UK will have jurisdiction for the offense provided that the fraud has a UK nexus, meaning the fraud must either (1) include an act that occurs in the UK; or (2) result in a gain or loss in the UK.
The only defence available is for the corporate to prove that it had in place at the time of the offense reasonable fraud prevention procedures. The Guidance suggests that the procedures should follow the well-established compliance principles outlined below:
- top level commitment;
- risk assessment;
- proportionate risk-based prevention procedures;
- due diligence;
- communication (including training);
- ongoing monitoring and review.
Importance of location
Under the ECCTA, jurisdiction is determined based on the location of the conduct, loss or benefit – not the location of the corporate seat. This means that if, for example, a UK-based employee commits fraud in the UK for the benefit of their employer, the employing organization could be prosecuted for a failure to prevent fraud no matter where the organization is based.
In the context of an overseas organization, if an employee or associated person of that organization commits fraud overseas for the benefit of the organization, but there is a victim in the UK, the overseas organization could be prosecuted for a failure to prevent fraud. The same would apply if the committed fraud resulted in a benefit in the UK. In situations where there is no UK nexus to the fraud, the offense will not apply – even to UK registered organizations.
In practical terms, for example, a large US-based financial services firm which has a strong client base in the UK can be prosecuted in the UK for a Failure to Prevent Fraud if one of their employees operating out of a US office (acting for or on behalf of the US firm) fraudulently mis-sells investments in a US fund and the victims of the fraud are in the UK.
The offense will also apply if the same firm provided its services exclusively to the European market but relied on advisory services provided by a board of advisers based in the UK which was discovered to be fraudulent.
Conversely, if a US-based employee of a UK headquartered financial services company commits an offense with the intention to benefit the US-based subsidiary, the firm cannot be prosecuted for failing to prevent fraud as there is no UK nexus.
Large global organizations should therefore consider the following:
- Does the organization itself act directly or indirectly within the UK (for example, are there UK-based offices, employees, subsidiaries or associated persons who act for the benefit of the organization)?
- Is there a customer base in the UK, which could be the victim of a fraud by the organization (or those acting on its behalf)?
- Is there a vehicle for corporate benefit in the UK (bank accounts etc)?
If any or all of the above apply to the organization, further steps to complete a specific fraud risk assessment and design reasonable procedures to prevent fraud should be considered – regardless of where the organization is located or headquartered.
Thomas Catte, partner at Gherson Solicitors LLP. Tom joined Gherson from the Serious Fraud Office (SFO) where he initially worked as disclosure counsel on LIBOR cases as well as the Barclays Qatar case.
