The new 'failure to prevent' law presents challenges for D&O

The UK government are introducing a failure to prevent (FTP) law as a part of the Economic Crime and Corporate Transparency Act 2023 (the Act) which received Royal Assent on 26 October 2023.

While changes will be introduced gradually, it’s clear that the FTP law has potential implications for directors and officers (D&O) liability insurance.

Determining failure to prevent

Following the new law’s introduction, a corporate entity can be held accountable for an associated person’s criminal exploitation of poor fraud prevention systems for personal or organisational gain. The government hopes this will go some way to reducing fraud, which, according to the government, is the UK’s most commonly committed crime, accounting for 40% of all offences in England and Wales.

The law will apply to organisations of a certain size should they profit from fraud committed by an associated person or people. A company must meet two of the following criteria:

  • More than 250 employees

  • Turnover greater than £36 million

  • Assets totalling more than £18 million

Relevant offences include false statements by directors, false accounting, cheating the public revenue, fraudulent trading, and of course, fraud. Essentially, the FTP law pushes organisations to take responsibility for the exploitation of poor systems and controls.

The UK government’s definition of fraud itself is broad, covering misreporting of finances, dishonest sales, trading practices hiding information, and dishonest practices in the financial markets.

Potential implications for D&O insurance

The FTP law will bolster fraud prevention and protect victims through the increased chance of prosecutions against organisations. There is no threat of individual liability. This is a fresh policy, designed to facilitate prosecutions without duplicating existing legislation, as per the government’s factsheet. As for any damages, a guilty party could face an unlimited fine and significant reputational damage.

The FTP law means that a guilty company can be held accountable for the criminal conduct of associated people, resulting in an increased likelihood of claims against the wider corporate entity or the individual involved. By extension, directors and officers could be under the spotlight for not putting appropriate measures in place to mitigate the risk. What’s more, fines and penalties levied against the company are not likely to be insurable.

An involved company doesn’t necessarily need to reside in the UK to face an FTP offence charge. If an associated person targets UK victims or commits fraud under UK law, overseas organisations can also be prosecuted.

Recommendations to mitigate risk

Under the new legislation, a company could be prosecuted due to insufficient preparation against fraudulent events it did not know about or instigate. However, if an organisation can provide evidence of a prevalent anti-fraud culture and a robust internal framework designed to prevent fraud, it may avoid prosecution. Once the government publishes guidance on the ‘reasonable procedures’ to help companies navigate a defence, the FTP offence will become fully active.

Similarly, when the UK Bribery Act came into force in 2010, the government published guidance on ‘reasonable procedures’, which they modelled on six key principles that may also apply to the FTP: proportionate procedures, top level commitment, risk assessment, due diligence, communication, and monitoring and review. Although the government have not yet published similar guidance for the FTP offence, organisations may want to model their measures around these principles.

To avoid having to defend itself at all, an organisation should re-examine its current fraud prevention measures and augment them where required. For additional protection, companies must put measures in place, such as:

  • Procedural checks – to prevent an associated person exploiting weak systems and controls, it’s important to routinely check and update fraud prevention procedures.

  • Mandatory training – each employee should undergo mandatory training as part of a refresher course on fraud, regardless of seniority.

  • Notification provisions – pay close attention to notification trigger points, as they often fall before the receipt of legal proceedings.

  • Conduct a thorough risk assessment – review and update the compliance procedures that cover fraud prevention, as well as the code of conduct, to cover the FTP law.

  • Encourage speaking up – a channel where employees can safely and confidentially raise concerns about any suspected fraudulent activities.

  • Third party audit – conduct a thorough assessment of third-party vendors and their contracts to ensure they share the same commitment to an anti-fraud environment.

Overall, the best defence is a comprehensive understanding of the company’s active fraud prevention measures.

For more information, visit our Management Liability page.
