Building reasonable procedures to prevent fraud: 7 practical steps considering the new government guidance

With the "Failure to Prevent Fraud" offence introduced under the UK Economic Crime and Corporate Transparency Act 2023, businesses face new expectations in preventing fraud that benefits their organisation. To establish a robust defence, those in scope must demonstrate "reasonable procedures" to prevent fraud by Associated Persons (employees, subsidiaries, agents or other third parties acting on the organisation’s behalf).

Following the release of the Government’s guidance on reasonable procedures on 6 November 2024, corporates and partnerships that meet at least two of the following criteria (more than £36m turnover, more than £18m in total assets, or more than 250 employees) have a nine-month window to implement their anti-fraud measures before the offence comes into force on 1 September 2025.

The guidance focuses on six key principles, which are intended to be proportionate to the risks a business faces. Those principles are:

  • top-level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review.

The guidance includes detailed advice on each of the principles. Below I set out some practical steps businesses should take to prepare in light of the new guidance:

1. Formalise accountability for fraud and work across functions

  • Designate a senior-level fraud lead: Assigning a clear point of responsibility within the organisation signals top-level commitment to fraud prevention. This leader should coordinate anti-fraud initiatives across departments and report to the board. In my experience, fraud risk management is often led by senior individuals from functions such as Finance, Compliance, Risk, Legal, or Internal Audit. However, it's preferable for Internal Audit not to own and lead, so they can provide independent assurance on the effectiveness of anti-fraud measures.
  • Create a cross-functional fraud committee: While there is no one-size-fits-all answer to who should lead fraud risk management, adopting a cross-functional approach is crucial as fraud risk is not confined to one area of the business. Many organisations have set up fraud risk committees with representatives from finance, compliance, legal, and internal audit to foster a unified approach and ensure fraud prevention efforts are sufficiently resourced.

2. Identify your highest fraud risks

  • Conduct a fraud risk assessment on a regular basis: A robust and detailed fraud risk assessment is fundamental to establishing reasonable procedures to prevent fraud. Fraud risks can be identified through interviews, workshops, surveys, reviewing business documentation, whistleblowing records and fraud data analytics. Benchmarking against external data sources can also highlight common sector-specific fraud risks. The guidance highlights that this is not a one-time activity; ongoing assessments ensure the business remains vigilant as new risks emerge.
  • Adopt a top-down and bottom-up approach: The guidance highlights that a subsidiary of a large organisation can be prosecuted even if the subsidiary is not itself a large organisation, and that the offence has a potentially very broad extra-territorial application. In my experience, the most effective fraud risk assessments combine a top-down and bottom-up approach. At the group or management level, a top-down review helps identify high-risk activities and locations within the business. Meanwhile, a bottom-up assessment at the subsidiary, geography or business unit level can uncover fraud risks at the coalface that may not be visible to senior management at the parent HQ.

3. Map and test controls for high-risk areas

  • Map and test compliance, financial and operational controls: The guidance advises that companies implement and document proportionate risk-based fraud prevention procedures. These should be linked directly to the risk assessment. Your organisation will already have many controls in place that address fraud risk. These will consist of entity-level compliance type controls such as training, whistleblowing, financial / non-financial reporting controls and operational controls. The combination of these controls working effectively together will form the basis for your proportionate fraud prevention procedures.
  • Avoid reverse engineering: I sometimes see organisations work backwards from their existing internal controls to identify the potential fraud risks those controls may address. This approach often limits the thinking to historic, traditional frauds rather than new and emerging frauds arising from the changing internal and external landscape.
  • Close gaps and document rationale when no action is taken: Where controls fall short, promptly address these gaps and ensure the residual risk falls within the organisation’s risk appetite. Where a decision is made not to mitigate an identified fraud risk, the guidance states that the rationale for this should be clearly documented along with the name of the individual accountable for that decision.

4. Build a fraud-aware culture

  • Establish a fraud awareness training programme: Fraud prevention starts with awareness. Equip all employees with knowledge of fraud risks through ongoing training, using real-life cases to illustrate scenarios they may encounter in their roles. In my experience, learning lessons from previous investigations and real-life incidents is also key and training should include specific case studies so Associated Persons understand how to recognise potential fraud, feel safe to report it and know what the consequences are.
  • Encourage reporting through a speak-up culture and investigate: Most frauds are detected via tip-offs, and having a trusted whistleblowing mechanism helps surface fraud risks early and reinforces the organisation’s commitment to integrity. A transparent and effective process that triages and investigates reported incidents is key for trust in the speak-up process and for lessons to be learnt and integrated into the anti-fraud framework.

5. Strengthen due diligence on third-party relationships

  • Broaden third-party risk management to include fraud: The term “Associated Persons” includes a range of third parties who could engage in fraudulent activities. Ensure your existing economic crime vetting processes are updated to cover fraud risk. In my experience, high-risk third parties may include agents, distributors or associated persons providing data or metrics that end up in the organisation’s external reporting, e.g. sustainability metrics.
  • Review fraud incentives for high-risk third parties and integrate anti-fraud clauses in contracts: Review incentives for third parties that could motivate fraudulent behaviour, e.g. sales agents acting on your behalf to earn commissions and bonuses. To help protect against such fraud risks, clearly define anti-fraud expectations in contracts, allowing for audits or contract termination if fraud is suspected.

6. Leverage data and technology to detect fraud and continuously improve

  • Utilise fraud detection analytics: The guidance does not focus solely on fraud prevention; it also encourages fraud detection through data analytics and artificial intelligence. In the investigations I perform, fraud prevention controls are often bypassed through collusion or management override, so detection is a necessary complement to prevention. Companies should consider what data they have at their disposal and whether fraud analytics can be deployed to detect instances of potential fraud. Fraud analytics does not have to be all-encompassing straight away. The most effective fraud detection starts with focused analytics on data from specific high-risk areas first, such as payments or manual journal entries, and builds from there.
  • Adapt anti-fraud measures regularly: Fraud prevention and detection procedures must be dynamic and adaptable as new fraud risks emerge and evolve. I often see a set-and-forget mindset adopted when it comes to fraud. Regular monitoring and review of the effectiveness of your anti-fraud framework, e.g. through internal audits, is essential to ensure it remains fit for purpose and can provide assurance to senior management.
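To make the "start focused, then build" point concrete, here is an added example (not code from the article, EY or the Government guidance) of a small rules-based analytics run over manual journal entries and payments. The data set, the field names, the approval limit, the business-hours window and the duplicate-payment window are all assumptions chosen for illustration; in practice they would come from your ERP extract and your own delegation-of-authority matrix. The rules themselves are ones investigators commonly start with: postings outside business hours, an entry prepared and approved by the same person (a segregation-of-duties bypass that also catches management override), amounts structured just below an approval limit, and repeat payments to the same vendor within a short window.

```python
"""Focused fraud-detection analytics over manual journal entries and payments.

Added example for illustration only. Thresholds, field names and the sample
rows below are assumptions, not values from any real system or guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVAL_LIMIT = 10_000.00   # assumed single-approver limit (from a DoA matrix)
NEAR_LIMIT_BAND = 0.05       # flag amounts within 5% below the limit
DUPLICATE_WINDOW_DAYS = 7    # same vendor + same amount within this many days
BUSINESS_HOURS = (8, 18)     # postings outside 08:00-18:00 Mon-Fri are unusual

# Constructed sample ledger: (id, posted, preparer, approver, vendor, amount, manual?)
SAMPLE_ENTRIES = [
    ("JE-1001", "2025-03-03 10:15", "alice", "bob",   "ACME Ltd",   4_200.00, True),
    ("JE-1002", "2025-03-03 23:40", "carol", "dave",  "ACME Ltd",   9_800.00, True),
    ("JE-1003", "2025-03-08 11:05", "erin",  "erin",  "Globex",     1_500.00, True),
    ("JE-1004", "2025-03-10 09:30", "alice", "bob",   "Initech",    9_950.00, True),
    ("JE-1005", "2025-03-12 14:00", "alice", "bob",   "Initech",    9_950.00, True),
    ("JE-1006", "2025-03-20 14:00", "alice", "bob",   "Initech",    9_950.00, True),
    ("JE-1007", "2025-03-11 16:45", "frank", "grace", "Umbrella",  25_000.00, False),
]


def parse(rows):
    """Turn raw tuples into dicts with a real datetime so rules can compare dates."""
    return [
        {"id": eid, "posted": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
         "preparer": prep, "approver": appr, "vendor": vendor,
         "amount": float(amount), "manual": manual}
        for eid, ts, prep, appr, vendor, amount, manual in rows
    ]


def rule_after_hours(entries):
    """Manual postings on weekends or outside business hours."""
    start, end = BUSINESS_HOURS
    out = []
    for e in entries:
        if e["manual"] and (e["posted"].weekday() >= 5 or not start <= e["posted"].hour < end):
            out.append((e["id"], "posted outside business hours"))
    return out


def rule_self_approval(entries):
    """Preparer and approver are the same user: segregation of duties bypassed."""
    return [(e["id"], "preparer approved own entry")
            for e in entries if e["manual"] and e["preparer"] == e["approver"]]


def rule_near_limit(entries):
    """Amounts sitting just under the approval limit (possible structuring)."""
    floor = APPROVAL_LIMIT * (1 - NEAR_LIMIT_BAND)
    return [(e["id"], "amount just below approval limit")
            for e in entries if e["manual"] and floor <= e["amount"] < APPROVAL_LIMIT]


def rule_duplicates(entries):
    """Same vendor and amount posted again within the duplicate window.
    Runs over all entries, since system-generated duplicates matter too."""
    groups = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["posted"]):
        groups[(e["vendor"], round(e["amount"], 2))].append(e)
    window = timedelta(days=DUPLICATE_WINDOW_DAYS)
    out = []
    for group in groups.values():
        for prev, cur in zip(group, group[1:]):
            if cur["posted"] - prev["posted"] <= window:
                out.append((cur["id"], f"possible duplicate of {prev['id']}"))
    return out


RULES = (rule_after_hours, rule_self_approval, rule_near_limit, rule_duplicates)


def run_analytics(rows):
    """Return {entry_id: [reasons]} for every entry that trips at least one rule."""
    entries = parse(rows)
    findings = defaultdict(list)
    for rule in RULES:
        for eid, reason in rule(entries):
            findings[eid].append(reason)
    return dict(findings)


def prioritise(findings):
    """Entries tripping several rules first; ties broken by id for a stable worklist."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for eid, reasons in prioritise(run_analytics(SAMPLE_ENTRIES)):
        print(eid, "->", "; ".join(reasons))
```

On the constructed data, JE-1002, JE-1003 and JE-1005 each trip two rules and come out at the top of the worklist, while the system-generated JE-1007 is left alone by the manual-entry rules. The value of starting small is visible here: each rule is a few lines, is explainable to an investigator and an auditor, and the thresholds can be tuned against false-positive rates before anything more elaborate (statistical or machine-learning scoring) is layered on top.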

7. Combine your preparations with compliance with the UK Corporate Governance Code to avoid duplicating efforts

  • Companies should integrate fraud risk assessments and control measures into their broader risk management frameworks to support compliance with both the requirements of the revised UK Corporate Governance Code and the “Failure to Prevent Fraud” offence. While this approach enables companies to avoid duplicative effort, additional measures may still be required to fully satisfy each of the individual requirements.

Conclusion: Proactive measures are key

Preparing for the "failure to prevent fraud" offence requires a proactive, structured approach that emphasises accountability, targeted risk assessments, and an adaptable compliance framework. By following these practical steps and taking account of the government guidance, businesses can build reasonable procedures that not only protect them from prosecution but also strengthen overall resilience against fraud.

Register for EY's upcoming webcast to find out more: Failure to prevent fraud: How to navigate reasonable procedures

This is a really big change coming for all UK and UK HQ companies and not a long time to ensure they have 'reasonable procedures' in place. Some great tips here James - thanks for sharing

Some really insightful practical steps here.
