Preparing startups for the Economic Crime and Corporate Transparency Act
Companies with between 50 and 249 employees are at an above-average risk of fraud, according to research by law firm Foot Anstey. The survey of 1,000 senior managers across the UK revealed that 53% of medium businesses have had to act on fraud in the last year against a national average of 45%, and while the risk for businesses with fewer than 50 employees is lower, it is still significant, with one in five having been affected.
Fraud can be extremely damaging and even fatal for some companies. Despite the implications of fraudulent activity on finance and reputation and its evident prevalence in businesses of all sizes, there are not nearly enough proactive fraud prevention strategies in place. Foot Anstey’s research shows that over half (53%) of businesses are particularly vulnerable as they have no anti-fraud policies in place at all.
The Economic Crime and Corporate Transparency Act was granted Royal Assent at the end of October and is expected to come into force in 2024. This act aims to reduce white-collar crime from several angles, including making Failure to Prevent Fraud (FTPF) a criminal offence. This means that fraud will become even more dangerous for some businesses, as they will be criminally liable for fraud committed by employees or associated persons and fines for this will be unlimited. Business fraud is broad and includes financial statement fraud, non-financial statement fraud, rogue trading, bribery and corruption, and intellectual property breaches including theft, and these must all be protected against.
At the moment, criminal liability only applies to businesses with over 250 employees, £36 million turnover and/or £18 million in total assets, but businesses of all sizes should take heed of the law as it will have a ripple effect throughout the whole business landscape.
How does the Failure to Prevent Fraud offence impact startups and SMEs?
The defence available to corporations against the FTPF offence is that they show they have reasonable procedures in place to prevent fraud from happening. These procedures have not yet been defined by the Government, but they will set out best practices for fraud prevention and should be observed by all companies. This offers small and medium businesses protection from fraudulent activity, which may help to ensure viability and continuity in the future.
Earlier drafts of the ECCT Act included medium businesses within the remit of the FTPF offence, and there is a call within the industry to expand it. Spotlight on Corruption UK has pointed out that currently, the offence excludes 99.9% of British businesses and deprives them of the defence of having reasonable policies in place. Considering this, there may be a movement in the future to include more businesses within the remit of the Act and the sooner policies are introduced, the better.
There is also a strong business case to implement robust fraud strategies for SMEs that work with large businesses in any capacity. The FTPF offence includes anyone acting on behalf of the business, so large enterprises will be scrutinising their supply chains, partners, contractors and any other associated persons to ensure that fraud is being prevented in their entire business ecosystem – this is expected to be a reasonable procedure. Companies which find themselves liable for fraud may be insistent on associated businesses demonstrating policies, delivering training to staff, and otherwise following best practices, no matter their size.
What are reasonable procedures?
While the preventative measures that businesses will be expected to follow haven’t yet been defined, businesses can turn to the Bribery Act for guidance. Organisations should consider and revise current policies and procedures, provide education and awareness to all staff and associated persons and conduct a thorough and well-documented assessment of fraud risks.
Fraud as a strategic risk
Strategic fraud risk management is a first line of defence and is a process that needs to be set from the top of the company to ensure it is front and centre across the organisation. Effective fraud risk management not only assesses and identifies risks, but also analyses them and ensures that they are responded to appropriately.
A fraud risk assessment will examine assets, financial documentation and disclosures and consider both internal and external fraud. Each assessment will be tailored to the individual needs of an organisation and needs to be updated regularly as the business environment changes.
There is a cost that comes with a fraud risk assessment, but it is a worthy investment to avoid financial and reputational damage, or indeed prosecution, down the line.
Mapping out controls
Controls can be preventative or detective, and company management needs to identify and differentiate between them. These controls should be documented as policies, and the fraud risks identified in the assessment should then be related to the relevant controls. This allows risk managers and company leaders to identify where there may be gaps and evaluate which extra policies may be required to bolster fraud defences.
Review and update policies
Every business should have a public anti-fraud policy. This displays commitment to risk assessment and prevention and sets the tone of an anti-fraud culture throughout the whole company. Policies need to be simple, focused and easily understood to raise awareness among staff of fraud response plans and make it clear what is and isn’t acceptable.
Policies need to define what fraudulent actions are, who is responsible for fraud management, a statement of preventative measures, what employees should do if they suspect fraud and steps to be taken if fraud is discovered.
In light of the ECCT Act, businesses should ensure policies are up to date and aligned with the business in its current form. This also needs to be clearly communicated with staff and associated parties on an ongoing basis.
Fraud training
Delivering fraud training to employees is likely to be absolutely crucial for small and medium-sized businesses as large businesses will want to be certain that everyone in associated businesses or within their supply chain is aware of what fraudulent activity looks like and its consequences.
As well as fraud committed by employees and associated persons being a risk to businesses, employees are also often the key to discovering fraud through whistleblowing and tip-offs. Training staff to be aware of signs of fraud can help catch it early and mitigate risks as much as possible.
Training should be delivered regularly to staff, contractors and the supply chain, and not just as a one-off, and it should be made a part of the onboarding process for any new employees.
Associated persons review
As businesses will be liable for fraud committed not only by staff, but also by any associated persons, it is critical for due diligence to be undertaken around anyone who is not an employee. This is as important for startups as it is for established businesses, as again large businesses will be ensuring their supply chain is compliant and safe.
All associated persons and the risks they pose need to be identified, and control measures need to be defined and put in place. These controls must be scrutinised on an ongoing basis.
In conclusion
While the Failure to Prevent Fraud offence may not immediately seem like something for startups to be concerned with, there are clear reasons for smaller businesses to operate within the realms of potential guidance and best practices.
Fraudulent activity is a major risk for all businesses, whether or not the offence applies to them, and robust preventative policies, procedures and reviews are the best strategy for protecting finances and reputations against fraudsters.
Written by Robert Brooker, Head of Fraud and Forensics, at PKF GM