The UK’s new failure to prevent fraud offence – should crypto firms brace for impact?
Monday 15 April 2024
Jessica Lee
Brown Rudnick, London
jslee@brownrudnick.com
Menelaos Karampetsos
Brown Rudnick, London
mkarampetsos@brownrudnick.com
The line of failure to prevent offences goes back to the introduction of the Bribery Act in 2010. The rationale behind such offences is to make businesses directly liable for criminal misconduct by their employees. The introduction of a failure to prevent fraud offence is, according to the government, intended to prevent fraud and discourage organisations from ignoring fraud by employees which may benefit them. The offence, according to the government, will encourage more companies to implement or improve prevention procedures, driving a major shift in corporate culture to help reduce fraud.
The new offence
The failure to prevent fraud offence is a new corporate offence which applies to ‘large organisations’. This definition derives from the Companies Act 2006 framework and captures both bodies corporate and partnerships: therefore, large organisations are those who exceed two of the following figures:
- more than 250 employees;
- more than £36m in turnover; and
- more than £18m in total assets.
An organisation is liable if an associated person commits a specified fraud offence, and does so with the intention to directly or indirectly benefit the organisation or the person who is receiving services. The offence has extraterritorial scope; if an employee commits fraud under UK law, or targets UK victims, their employer could be prosecuted, even if the organisation and the employee are based overseas. The place of incorporation is therefore irrelevant in terms of the scope of the offence, as it applies to large organisations wherever incorporated or formed.
The specified fraud offences currently covered by the Act (the list can be amended through secondary legislation) include:
- fraud by false representation;
- obtaining services dishonestly;
- false accounting;
- fraud by failing to disclose information;
- participation in a fraudulent business; and
- false statements by company directors.
The offence can be committed by a broad range of ‘associated persons’, including an employee, agent or subsidiary of the organisation; an employee of any of the organisation’s subsidiaries; or a person who otherwise performs services for or on behalf of the organisation. Whether a particular person performs services for or on behalf of an organisation is to be determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship between that person and the body.
An organisation can receive an unlimited fine if convicted.
There is a defence available for an organisation which has reasonable procedures in place to prevent fraud or where it is reasonable not to have such procedures in place. Guidance on what the procedures should entail will be published by the UK Government in due course. Practically, this requirement should also be considered by smaller organisations than those in-scope, as they may be associated persons of larger organisations.
If resources held across a parent company and its subsidiaries cumulatively meet the size threshold, that group of companies will be in scope of the failure to prevent fraud offence. Liability can be attached to whichever individual entity within the group was directly responsible for failing to prevent the fraud. Liability can alternatively be attached to the parent company, if a fraud was committed by a subsidiary’s employee for the benefit of the parent company, and the parent company did not take reasonable steps to prevent it.
Relevance to crypto firms
For crypto firms that are either based in the UK or which service UK customers, it is important to prepare for the introduction of this offence, particularly as reported losses to crypto fraud in the UK increased by more than 40 per cent over the past year. While the offence is not expected to come into force immediately, firms whose compliance protocols and procedures are tailored around the Money Laundering Regulations, for example, will need to review their fraud detection processes against the government’s guidance when such guidance is published.
More broadly, firms which embrace decentralisation will need to consider and assess the risks that their business model may generate, particularly where the definition of an associated person is as broad as in the Act and could, in theory, extend to founders and developers.
The offence may also pave the way for UK authorities to investigate crypto exchanges outside the UK, where there may be an allegation that those exchanges have failed to prevent fraud against UK persons. Some high profile crypto fraud cases provide indications as to how that may come about; for example, the first witness for the prosecution in the US criminal trial of FTX founder Sam Bankman-Fried, was a London-based trader. Moreover, exterritoriality arises as some of the specified offences already contain an extraterritorial element in that they can be committed so long as a relevant event occurs within England and Wales.
Conclusion
The failure to prevent fraud offence is a clear signal to businesses, including crypto firms, that they should embed the prevention of fraud in their structure and their conduct.
Government guidance will need to clarify what sort of reasonable procedures businesses are expected to adopt, as well as how the offence will interact with existing controls that regulated firms may have for financial crime purposes.
In advance of the guidance, however, crypto firms, given the pace of their innovation and growth of their products, should take proactive steps to ensure that their approach to compliance is comprehensive and that commitment to preventing fraud is embraced across all levels of the corporate pyramid.