UK's New Offence Of Failure To Prevent Fraud – A Guide

The new “Failure to Prevent Fraud” offence comes into force in the UK on Monday 1 September, with wealth managers and other financial firms in the firing line.
WealthBriefing attended a recent webinar on the subject of this new offence, which flows from the Economic Crime and Corporate Transparency Act 2023. An organisation may be criminally liable if an employee, agent, subsidiary or other "associated person" commits a fraud intending to benefit the organisation (or, in some cases, a client) and the organisation did not have reasonable fraud prevention procedures in place.
The new offence is therefore a "strict liability" one, which holds an organisation responsible for the fraud regardless of whether it intended or knew of it. The only defence that a wealth management firm has to this offence is to demonstrate that it had "reasonable procedures" in place to prevent fraud.
On the panel were Philip Allen, a learning consultant, Mark Spiers, the managing partner of the Ocorian Group, a regulatory consultancy in London, Layla Abdel-Spence, a senior consultant at Ocorian, and Adrian Harvey, the chairman and co-founder of Elephants Don't Forget, a consultancy that uses artificial intelligence to improve the performance of its client-firms' employees.
An intrusive new law
The panel looked at the nature of "reasonable procedures" and the ways in which firms could evidence the fact that they had done enough, the teams and functions that the new offence will affect the most, the need to move away from one-off anti-fraud training sessions, the things that regulators are bound to look for, and the ways in which a firm under investigation can defend itself while avoiding mistakes.
Mark Spiers explained why this piece of legislation was different from others.
"I think it's really the senior management element that stands out. It brings in a criminal liability for failures by senior management to prevent fraud. You can then draw a straight line between a failure/misdeed by an individual through to the failure by senior management to implement reasonable procedures. Also, there is a nexus with the Financial Conduct Authority (FCA) and what it may do to a senior manager who has been found guilty of this corporate offence."
The FCA has long insisted on its firms taking a "risk-based approach" (RBA) to compliance and Layla Abdel-Spence affirmed this by saying that "the risk assessment is the pillar of this new legislation – one of the requirements is to do this risk assessment on a yearly basis, same as with the policies, every year." The panel noted that fraud-related risks are evolving all the time.
The last chance saloon
Ocorian asked hundreds of attendees, many of whom were from wealth management firms that had to comply with the regulatory rules of the Financial Conduct Authority, whether they had conducted any formal fraud risk assessments. Panellists were surprised to learn that 11 per cent had not started one yet; 26 per cent had one in progress. Most firms had some form of fraud risk assessment in place already, although probably not targeted accurately at all of the offences that the new law will cover.
Spiers said that Ocorian's client base contained some significant firms whose fraud assessments were still in progress. The others, he said, were in the "last chance saloon."
How confident were delegates that the effectiveness of their current fraud controls would meet the legal test of "reasonable procedures"? A small number of firms (17 per cent) felt very confident, having recently tested their controls, but a considerable majority appeared to be on an uncertain footing.
An overwhelming 64 per cent of respondents said that they had policies in place but had not tested them against the new legal standard of "reasonable procedures." Additionally, 19 per cent of firms admitted that their controls were incomplete or poorly documented.
Last year HM Government published "guidance to organisations on the offence." Philip Allen thought that the six principles that the guidance offered should indicate the right path forwards for controls. These are: top-level commitment (responsibility for the prevention and detection of fraud rests with those who govern each organisation); risk assessment (of a firm's exposure to the risk of employees, agents and other associated persons committing fraud); proportionate risk-based procedures to prevent fraud; due diligence; communication (including training); and monitoring/review.
Layla Abdel-Spence added that "reasonable procedures" had to be practical and proportionate to the risk involved. She said that regulators and auditors would ask wealth management firms how they knew that their procedures and controls were working and whether they calculated or guessed a percentage or not.
When employees play a part in fraud
Adrian Harvey told wealth managers and bankers that, in relation to the new legislation, their employees were their "weakest link" because, according to the National Crime Agency, they deliberately caused 20 per cent of all frauds perpetrated in the corporate space. He said that 3 per cent of firms had fallen victim to fraud in the last 12 months, while 95 per cent of successful cybersecurity attacks happened because employees who had had fraud training (including fraud simulations every month) were letting the criminals in through the front door. In most instances, training practices were inappropriate and outdated.
Last year saw the highest number of fraud cases ever. Artificial intelligence and generative technology have amplified identity fraud and the takeover of accounts. Meanwhile, phishing (where attackers deceive people into revealing sensitive information, or into installing malware that gathers it) remains the most common method by which fraudsters take control of existing accounts.
What reasonable procedures look like in practice
Harvey thought that each firm had to have a culture in which it tested and refined the things that it did, rather than "ticking boxes." This applied to training as well. He predicted that the first prosecution under the new law that did not involve insider dealing or insider-instigated fraud would cite inadequate training.
How does a wealth management firm show the FCA evidence that it has done enough? The panel had a list of answers to this question.
• On the "board-level ownership" principle, it ought to show the FCA its board minutes, SMF (senior management function) responsibility statements, and risk committee reports.
• On the comprehensive risk assessment that must occur every year, it must present dated, signed-off risk-assessment documents with action plans.
• For robust policies, procedures and controls, it must produce version-controlled policies, update logs and staff sign-off records.
• On training, it must produce training logs, completion rates, staff feedback, and competency scores.
• For monitoring and review, it ought to produce reports about MI (management information, i.e. data and knowledge about business operations that supports decision-making), incident logs, internal audit findings and remediation plans.
The hot spots
Where are the most exposed teams and functions at a wealth management firm? Mark Spiers thought that fraudulent misrepresentation, where someone makes a false representation knowingly, or without belief in its truth, or recklessly as to its truth, was a top danger.
"I would probably pick the finance and treasury function, which is in charge of how our accounts look and whether we're misrepping those, but equally people involved in product management, maybe in the front office, if there's pressure to sell more, because P&Ls [profit-and-loss accounts] are under pressure across UK plc and there's pressure to sell. Maybe some of the ESG [environmental, social and governance-related] certifications manifesting in client-facing roles."
Harvey said that figures showed that the more pressure that banks put on their employees, the higher the likelihood of fraud.
An initial to-do list
The Ocorian team suggested the following steps that a financial firm might take to set priorities for managing its exposure to fraud risk.
• Map the high-risk functions first. Every firm must decide where its fraud "hot spots" are likely to be, choosing between front offices/client-facing jobs, business development/intermediary management, operations/payment and trade processing, finance and treasury, and technology/data teams.
• Conduct scenario-based risk reviews. For each of those functions the firm must ask the following.
(i) What frauds could someone in this job commit?
(ii) What incentives or pressures might lead him/her to do it?
(iii) What controls do we have today that prevent or detect this?
• Assess third-party and intermediary risk. This applies to all "associated persons," as the Act calls them. Firms can use surveillance/due diligence, contracts and training to close the gaps.
• Form a working group of people from the legal, risk, compliance, internal audit and HR departments, plus front-line managers, to prioritise risks and plan accordingly. Risk categories of high, medium and low are typical.
When Layla Abdel-Spence worked at the FCA, which she did until 2023, she saw a couple of instances where board members at financial firms knew some high-risk clients and "allowed them to come through" without putting them through the usual sanctions screening and other checks. The regulators only found out because whistleblowers contacted them, which shows why "training on whistleblowing" is important.
Training
The panel joked that "one-size-fits-all training fits none," adding that the guidance clearly states that training has to be personalised and, indeed, measured.
In a poll, delegates were asked to describe their firms' approaches to training staff to prevent fraud – 59 per cent said that they went in for annual mandatory training only.
Ocorian's team brandished a list of the things that a wealth management firm ought to do to move away from such one-off training and set up a genuine anti-fraud culture. Mark Spiers' favourite factor was "the tone at the top," with senior leaders regularly reinforcing "anti-fraud values" in meetings, decisions and communications.
Also on the list were: the need to use real-world fraud case studies in training, preferably citing internal near-misses; the use of pop-up reminders for risky transactions; tailoring training to suit staff members' jobs; providing continual micro-learning throughout the year, using fraud awareness months, internal campaigns and intranet spotlights to keep up momentum; and tracking much more than the completion of training – this involves checking staff members' knowledge and tracking the time it took to respond to various incidents.
The need for a good culture
The financial firm's culture must stand behind good training, or it will fail, as Mark Spiers explained.
"If the board doesn't particularly mind if people slightly make up the figures along the way, what starts off as non-criminal can very quickly descend into criminal behaviour. If we just tweak this, or recognise that revenue next quarter or this quarter, that'll be great, they might say. Then you're on a slippery slope to the criminal. Tolerances are pushed and it shifts the culture all the way down."
Expectations
What do boards expect from the new regime and what will regulators be looking for? Layla Abdel-Spence summed up the regulatory mission tersely: "How can you prove that this is working? Then...numbers."
The FCA set up the Senior Managers and Certification Regime (SM&CR) to increase individual accountability at financial firms in 2016 and is now revising it. Mark Spiers did not think that such reforms were likely to influence firms' observance of the new fraud law.
Regarding the expectations of boards, the Ocorian team displayed a "board fraud oversight checklist" and the panel discussed the questions that board members ought to be asking themselves about culture, training and the use of informants. The list was as follows:
• Have all staff (including senior leaders and third parties, i.e. IT contractors etc) completed fraud awareness training?
• Is there a demonstrable effort to move beyond training and into a fraud prevention culture?
• Are speak-up/whistleblowing channels (i.e. reporting systems through which staff can divulge their suspicions to internal fraud officers without fear of retaliation) well publicised, trustworthy and monitored independently?
• Has the board reviewed the whistleblowing MI?
Other questions pertained to the effectiveness of the tone at the top, governance, accountability, the annual fraud risk assessment, reasonable procedures and controls, monitoring, MI, assurance, incident response, learning, evidence and documents.
Harvey added: "You need an appropriately curious – not witchhunting – culture. If you're witchhunting, people will lie."
What does a strong defence look like?
Philip Allen asked the question: "If we get caught in the headlights of the SFO [Serious Fraud Office, which often goes on regulatory visits with the FCA], what do we evidence and demonstrate as a robust defence?"
An Ocorian at-a-glance list displayed in the webinar contained seven crucial answers, with sub-categories:
-- A documented risk-based approach, including: (i) the existence of a clearly-defined and board-approved fraud risk assessment; (ii) the identification of risks by function, product, country and relationships with third parties; and (iii) regular reviews and updates for the risk assessment;
-- Proportionate and effective controls, including: (i) written policies, procedures and internal controls tailored to the risks of fraud specific to the firm; and (ii) evidence of implementation;
-- SM&CR-linked governance, including (i) someone licensed to perform a designated senior management function (SMF) who is responsible for preventing financial crime/fraud; (ii) regular MI and escalation of matters to the board or risk committee; and (iii) documented oversight and 'challenge' from senior leaders;
-- Comprehensive, ongoing training. This must pertain specifically to the recipients' job and not be generic. The firm must test people's understanding with refreshers. It ought to include third parties or intermediaries if that is relevant;
-- Effective monitoring and response mechanisms, such as (i) internal audit or compliance reviews, (ii) MI showing real-time monitoring of incidents and near misses and (iii) staff knowing how to raise concerns;
-- A culture that supports prevention; and
-- An audit trail of continuous improvement, with reviews leading to real changes.
Common mistakes to avoid
The list of common mistakes could have been much longer, but Philip Allen outlined seven:
-- A gulf between an anti-fraud policy's design and its application in practice. This undermines a firm's defence against regulatory opprobrium because its policies are in place but there is no evidence that people use or understand them, or that the firm has trained them to do so;
-- Generic training. This is a failure to tailor training to actual fraud-related risks in each function;
-- A lack of SM&CR-related accountability;
-- Failures to reassess fraud-related risks regularly or after changes to the business model;
-- No third-party oversight. This undermines the firm's wall of defence because it ignores agents, contractors or introducers who might be associated with high risks;
-- A weak reporting culture. If tipsters do not trust the system or fear retaliation if they "blow the whistle," they will report nothing and the FCA/SFO will know that;
-- No paper trail. Even strong controls are ineffective in a prosecution if the firm cannot prove that it applied them.
Firms ignore these warnings at their peril. In the words of Serious Fraud Office director Nick Ephgrave in April this year: "Come September 2025, if they haven't sorted themselves out, we're coming after them. I'm very, very keen to prosecute someone for that offence. We can't sit with the statute books gathering dust. Someone needs to feel the bite."