Briefing
Tax-related reasonable prevention procedures under the new Failure to Prevent Fraud offence
The UK’s corporate criminal law framework was bolstered last year with the passing of the Economic Crime and Corporate Transparency Act 2023 which, among other things, introduced a new Failure to Prevent Fraud offence (the FTP).
So far as tax is concerned, there are some distinct similarities between the FTP and the corporate criminal offence of failing to prevent the facilitation of tax evasion (the CCO), which has been on the UK’s statute book for almost seven years now. Most notably, the CCO and the FTP are both strict liability offences subject to a reasonable procedures defence.
With guidance on the reasonable procedures defence in the context of the FTP released last week, and the FTP itself now expected to come into effect on 1 September 2025, businesses will need to understand how to avail themselves of this defence.
In this briefing, we consider the extent to which businesses’ existing CCO prevention measures may provide a helpful starting point in the tax context – although differences between the two offences (and related guidance) mean that they should not be relied on to provide a defence to the tax aspects of the FTP without further thought.
(For more commentary on this development from our colleagues, see here.)
The FTP and CCO compared
As a reminder of the similarities and differences between the FTP and CCO, the table below compares the key requirements of each offence:
|
FTP (see further here) |
CCO (see further here) |
|
|---|---|---|
|
Applies to |
Large organisations |
All corporates |
|
Underlying offence |
Specified fraud offences (including certain tax offences), committed by an associate of the organisation |
Tax evasion offences, committed by another person |
|
Further requirements |
Associate has the intention of benefiting the organisation in some way |
Person associated with the corporate commits an offence which facilitates the tax evasion |
|
Defence |
Reasonable procedures were in place to prevent the fraudulent activity |
Reasonable procedures were in place to prevent the facilitation |
The six principles
The CCO guidance proceeds on the basis that reasonable prevention procedures should be informed by six guiding principles: (i) proportionality of risk-based prevention procedures; (ii) top level commitment; (iii) risk assessment; (iv) due diligence; (v) communication (including training); and (vi) monitoring and review. Helpfully, the FTP guidance adopts the same approach. The FTP guidance promotes ‘top level commitment’ to first place on the list of principles, and although they are not expressed to be listed in a hierarchical order, this may indicate that particular importance will be attached to this principle in the FTP context. It is therefore where we begin.
'Top level' commitment
Perhaps unsurprisingly, a lot of the commentary on the principle of ‘top level commitment’ is similar in both the FTP and CCO guidance. Both documents stress that responsibility for the prevention and detection of the underlying offence rests with senior management, who should be involved in developing and reviewing the prevention policies (personally or by overseeing the committee to whom responsibility is delegated), as well as actively communicating and endorsing the organisation’s stance on these issues.
There are, however, some points of difference between the FTP and CCO guidance for businesses to be aware of:
-
The FTP guidance explicitly notes that – in addition to the responsibilities outlined above – senior management should ensure that there is ‘clear governance’ in respect of prevention procedures, and that they ‘foster… an open culture where staff are encouraged to speak up early if they have any ethical concerns, no matter how minor’. These points are not called out in the CCO guidance.
-
The CCO guidance recognises that the manner and form of communications from senior management on this topic may vary in light of factors including the size, nature, complexity and jurisdiction of the business in question. The FTP guidance contains no such caveat, recognising only that communications may vary depending on the target audience.
-
The FTP guidance notes that ‘best practice’ includes senior management committing to ‘a reasonable and proportionate’ budget for the ‘leadership, staffing and implementation of the fraud prevention plan, including training’. Since there is no equivalent language in the CCO guidance, one might infer that more significant tangible action is required to establish reasonable prevention procedures in the FTP context.
Risk assessment
It is clear from both sets of guidance that, to be able to rely on the reasonable prevention procedures defence, businesses must continually (re)assess the nature and extent of the risks they face from the actions of others. The relevant risks differ (because the FTP, insofar as it relates to tax offences, and the CCO are targeting different types of wrongdoing), but the core idea of carrying out a risk assessment, documenting the process and findings, and keeping it under regular review is the same.
The FTP guidance suggests that this risk assessment should involve considering the ‘opportunity, motive and rationalisation’ for relevant individuals to commit fraud. A similar suggestion is also found in the CCO guidance, and both recognise the risk to businesses of a reward and recognition system which incentivises bad behaviour.
It is important for businesses to be aware though that the examples given in each set of guidance diverge significantly because of the differences between the FTP and the CCO. Because of these substantial differences, care should be taken not to combine the risk assessments required to establish reasonable prevention procedures in each case. While there may be some overlap with respect to the process followed and conclusions reached, businesses would be well-advised to treat them (and document them) as separate exercises.
Proportionality
It is a similar story with respect to proportionality: both the FTP and CCO guidance indicate that businesses should implement prevention procedures which are ‘proportionate’ to the relevant risks identified during the risk assessment, but there are some significant differences for businesses to be conscious of.
As to what may be proportionate, for both FTP and CCO purposes:
-
the procedures put in place must be proportionate to the identified risk – it is not necessarily the case that every risk must have a corresponding mitigation measure;
-
businesses should reflect on the motive and opportunity for relevant persons to commit the underlying wrongdoing and consider how prevention procedures could reduce that; and
-
businesses are not required to duplicate existing work – if proportionate processes are already in place which mitigate a particular risk identified by the FTP or CCO risk assessment, there is no need to reinvent the wheel.
The key difference to note is that (again) because the identified risks will differ between the FTP and the CCO, so will the prevention procedures it is proportionate for businesses to introduce. The guidance explicitly notes this: compliance processes put in place to comply with other rules will not automatically satisfy the reasonable procedures defence under either the FTP or CCO. There will almost certainly be an overlap – training finance teams and robustly auditing their work is likely to be important both for preventing tax fraud and the facilitation of tax evasion, for example – but they should not be unduly conflated. The examples given in the FTP and CCO guidance reflect that.
The FTP guidance also goes further than the CCO guidance in suggesting that businesses should consider introducing prevention procedures designed to challenge ‘ethical fading’, impose consequences for committing the underlying fraudulent activity, and arrange for their prevention procedures to be stress-tested by individuals in the business who were not involved in their creation. Road-testing proposed procedures to test whether they work in practice as intended may not be a proportionate step to take for all identified risks, but strikes us as a sensible thing to do (and document) for the most significant and most likely risks.
It is also worth highlighting that the FTP guidance seems to set a higher standard than the CCO guidance for the minimum prevention procedures that should be in place. For FTP purposes it is suggested that it may be proportionate not to have specific prevention plans in place for specific risks, whereas for the CCO ‘in some limited circumstances’ it may be proportionate to have no prevention procedures in place at all. That difference may be a consequence of the FTP applying only to large organisations (unlike the CCO which is more broadly applicable), but the clear hint is that there should at least be a general prevention procedure relevant to each risk identified as part of an FTP risk assessment.
Due diligence
As one might expect, both sets of guidance indicate that businesses should undertake due diligence in respect of relevant persons in order to mitigate the risks they pose. That due diligence can be performed externally or internally, should be proportionate to the identified risks, and should be regularly reviewed and updated. Due diligence procedures originally formulated in relation to a different type of risk may not be sufficient and, although there is no blanket requirement to do so, businesses ‘with exposure to the greatest risk’ should consider whether to articulate their due diligence procedures specifically by reference to the relevant corporate offence.
The FTP guidance is slightly more fulsome than the CCO guidance in relation to this principle: it lists examples of best practice in respect of due diligence on relevant persons and explicitly recognises the importance of conducting due diligence in relation to M&A transactions. It does not, though, acknowledge that a single organisation may have different due diligence procedures across different parts of its business, reflecting the different levels of risk posed by particular activities.
Communication
Both documents explain that, to meet expectations on communication, businesses should ensure that their prevention procedures are ‘communicated, embedded and understood throughout the organisation, through internal and external communications’. The core idea – that policies should be clearly articulated, with communication coming from all levels within the business – is therefore the same. The CCO guidance expands on what this might look like in practice to a far greater extent than the FTP guidance, and we think it may be useful for businesses to bear this guidance in mind in the FTP context.
Training (and maintaining training) forms part of this principle too. Both sets of guidance are clear that training must be proportionate to the risk faced, may be incorporated into existing financial crime training or established as a standalone programme, and should be subject to monitoring and evaluation. However, the content of that training will clearly need to be tailored to the individual offences.
The FTP guidance includes an additional section on whistleblowing. It explicitly states that ‘[t]o prevent fraud, organisations should have appropriate whistleblowing arrangements’ in place – suggesting that this must form part of the package of prevention procedures implemented if that defence is to be available. Of course, many large organisations will already have whistleblowing processes in place (see further here), but the FTP guidance is clear that these should be reviewed to ensure they are effective in facilitating the identification of fraud.
Monitoring and review
The FTP guidance is by far the more extensive on requirements for monitoring and review. It stresses that monitoring includes three elements: the detection of (attempted) fraud, investigations of suspected fraud, and monitoring the effectiveness of fraud prevention measures.
Although the CCO guidance only deals with the third of these, to keep prevention procedures under review and make improvements as required would seem necessarily to require monitoring the extent of any underlying wrongdoing. That said, in the FTP context it seems likely that more attention will be paid to ensuring that businesses are clearly taking steps to monitor each of these three elements – and it will therefore be important for business to do, and document, this.
What does all this mean for businesses?
There will almost certainly be overlap between the reasonable prevention procedures required for FTP purposes (at least insofar as tax fraud goes) and those that organisations already have in place because of the CCO. (This is perhaps especially likely in respect of organisations subject to the Senior Accounting Officer (SAO) regime, as regards appropriate tax accounting arrangements.)
Critically, though, since the FTP and CCO impose strict liability for different types of underlying wrongdoing, it is likely that the output of the processes highlighted in the FTP guidance will be different to that from the similar processes in the CCO guidance. Given the consequences of a criminal prosecution, businesses would be well-advised to ensure their processes and prevention procedures for both offences would stand up to scrutiny.
Tax-related reasonable prevention procedures under the new Failure to Prevent Fraud offence
(PDF - 211.9 KB)
