
UK Finance has published guidance (Guidance) on the failure to prevent fraud (FTP Fraud Offence) which was introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA). This Guidance is in addition to the Home Office's guidance on the FTP Fraud Offence (Home Office Guidance) and focuses specifically on the impact of the FTP Fraud Offence on the financial services sector. However, an important point of difference is that, unlike the Home Office Guidance, the Guidance is not statutory guidance (as was required to be published under ECCTA). As such, the Guidance is advisory only, and in the event of a conflict, the Home Office Guidance will take priority.

The two sections of the Guidance that will be of particular interest to financial services firms are likely to be: (i) 'Part 2: Reasonable prevention procedures'; and (ii) 'Part 3: Circumstances where it is not reasonable to expect firms to have prevention procedures in place', as these explore sector-specific examples. As with the Home Office Guidance, the Guidance is not intended to be exhaustive.

We set out below a high-level overview of the Guidance, focusing on these two sections. Look out for further consideration of the implications of the FTP Fraud Offence for financial institutions on our podcast.

Reasonable prevention procedures

The Guidance expands upon the principles-based approach detailed in the Home Office Guidance (further details of which can be found in our blog post) by providing examples of how this can be interpreted by financial institutions, and in particular where firms can leverage their existing frameworks. We have summarised the key takeaways from the Guidance below.

  • Risk assessment: the Guidance emphasises that the purpose of the risk assessment is to identify the areas of highest risk and focus prevention procedures on these. Firms should already be familiar with their own services and how these are offered and performed and should use this existing knowledge as part of this exercise. Existing risk assessments can also be leveraged, but when scoping the assessment, firms should consider including the following features:
    • an assessment of the areas of risk, noting that there will likely be a focus on the activities, departments and/or roles where there is an increased risk of criminal mis-selling (for example as a consequence of the remuneration structures in place), third party product distributors, regulatory and financial reporting and marketing;
    • a determination of the level of risk exposure across these areas against the effectiveness of the control environment;
    • consideration of territorial scope;
    • a clear assignment of ownership and responsibility, and ensuring that the persons responsible are sufficiently senior and experienced;
    • clear documentation of the process, conclusions and resulting actions; and
    • periodic review (including the need for ad hoc reviews in light of material new information / significant changes).
  • Proportionate prevention procedures: Firms will need to demonstrate that their procedures are proportionate to the identified risks in order to have a defence to the FTP Fraud Offence. However, regulated firms will likely already have demonstrated this requirement as they need to show the FCA that they have effective systems and controls to manage financial crime risk under SYSC. Accordingly, regulated firms may be able to leverage existing frameworks; for example, market abuse controls, false misstatement and dishonesty controls implemented under MiFID or MiFIR, whistleblowing procedures, and the three lines of defence can all be used and/or adapted for the purposes of ensuring that proportionate fraud prevention procedures are in place. As mentioned in the Home Office Guidance, firms should also consider the level of control that they are able to exercise over a particular party; the Guidance considers various relationships that may arise for financial services firms and the different approaches that may be reasonable in light of these varying relationships.
  • Due diligence: As in a number of other areas, due diligence related to fraud prevention will often form part of a wider due diligence framework. Due diligence should be applied on a risk-sensitive basis, and therefore informed by the risks identified during the risk assessment.
  • Communication (including training): Training should be designed in accordance with FCA expectations by being risk-based. It should include topics such as the Code of Conduct and the firm's fraud prevention policies, supplemented by role-based tailored training and enhanced/supplemental training for higher risk roles, departments and/or activities. Again, FTP Fraud Offence training does not need to be separate to other sessions, and firms can leverage the existing training courses they have in place.
  • Monitoring and review: In line with FCA expectations, firms should already operate a cycle of continuous review and enhancements of their compliance programmes. In respect of identifying emerging risks, firms should be able to leverage existing oversight mechanisms and frameworks (e.g. transaction monitoring, whistleblowing procedures and unusual activity reporting) as well as existing policies and procedures. While firms may not need to implement any new frameworks, they should ensure that their existing frameworks are able to capture the FTP Fraud Offence requirements and are not solely focused on frauds against the firm.
  • Top level commitment: UK Finance notes that the responsibility for setting the "tone from the top" will fall to the firm's senior (executive) managers. While the Home Office Guidance notes that the FTP Fraud Offence will not extend to personal liability, regulated firms will likely need to refer to the FTP Fraud Offence in the accountabilities mapping for relevant holders of senior management functions under the FCA’s senior managers regime.

Circumstances where it is not reasonable to expect firms to have prevention procedures in place

The Guidance provides specific examples of the circumstances in which UK Finance considers it would not be reasonable for a firm to have prevention procedures in place. It recommends these should be taken into account by a supervisory or enforcement agency when considering and/or prosecuting suspected FTP Fraud Offence(s). The Guidance provides the following examples.

  • No UK nexus: Given the need for a UK nexus, the Home Office Guidance suggests that where a firm provides services entirely outside of the UK, it would not be expected to implement prevention procedures.
  • Certain associated persons: There are certain types of relationships where there would be virtually no risk to the firm in respect of the FTP Fraud Offence by virtue of the nature of the associated person or the relationship itself. For example, distributors who are subject to MiFID II requirements, or equivalent regulatory controls (as they will already be under strict control frameworks), or persons who perform services for the firm on an execution-only basis at the instruction of the firm, as they have no discretion to deviate from these instructions.
  • Existing contractual commitments: Where the firm has existing contracts that cannot be amended or terminated to implement contractual controls or rights to exercise controls for the new FTP Fraud Offence, the firm may be able to establish that it is not reasonable to have prevention procedures in place, provided it is able to evidence that it cannot mitigate the risk in another way.
  • UK listed companies: The various existing rules and framework governing the content of, and responsibility for, a prospectus impose reasonable prevention procedures on the listed, selling or issuing company. Per the Guidance, therefore, it would not be reasonable in all circumstances for the underwriting or placing firm to have reasonable prevention procedures in place in the event that representations in a prospectus prove to be false.
  • Main market transactions: The Guidance notes that the UK is looking to simplify its Listing Rules and reduce the burden on firms acting as sponsor in a main market transaction. It concludes that expecting the sponsor to implement reasonable prevention procedures would defeat the purpose of the legal changes being made, such that it is not reasonable for the sponsor to have these in place.
  • Public M&A transactions: The strict requirements stipulated in the UK Takeover Code already impose reasonable prevention procedures on directors regarding information published in connection with an offer, so it would not be reasonable in all circumstances for financial services firms involved in supporting the takeover to have reasonable prevention procedures in place.
  • Data protection restrictions: Where the data protection laws applicable to the associated person limit the data that they can provide, it would not be reasonable in all the circumstances for the firm to have in place reasonable prevention procedures for the affected parts of its control framework (for example where the associated person is in a different jurisdiction to the firm).  

Further examples of third-party relationships that UK Finance considers should not be defined as 'associated persons' of the firm can be found at Appendix C of the Guidance. Whilst this Guidance will no doubt assist firms, it is important to reiterate that it is advisory only. It is also important to bear in mind that there may be other financial crime or regulatory reasons which weigh in favour of ensuring that there are controls in place in respect of particular types of third parties. A determination in the Guidance that a particular category of third party is not "associated" for the purposes of the FTP Fraud Offence should therefore not automatically be interpreted as meaning that firms need not analyse and address any broader compliance considerations or risks associated with these relationships. Care should also be taken to avoid a "blanket" categorisation of particular types of third party provider based upon the examples, without considering other capacities in which they may be acting for the firm, for example external counsel where they make official statements or filings on behalf of the firm.

Firms operating in the financial sector should carefully review the Guidance in the context of their risk assessments and other preparations for the FTP Fraud Offence to come into force on 1 September 2025.

Key contacts

Susannah Cogman

Partner, London

Robert Hunt

Partner, London

Kate Meakin

Partner, London

Elizabeth Head

Of Counsel, London

Alexandra Fitzgerald

Associate, London
