Enhancing corporate transparency and combatting economic crime in the UK
April 2025 | TALKINGPOINT | FRAUD & CORRUPTION
Financier Worldwide Magazine
FW discusses corporate transparency and economic crime in the UK with Terry Seagreaves, Emma Browne, James Hensser, Alistair Grange and Michelle Davies at EY LLP.
FW: How would you assess the UK government’s new ‘failure to prevent fraud’ (FTPF) legislation, in terms of the types of fraud and economic crime it covers and its scope of application?
Seagreaves: The extraterritorial reach of the ‘failure to prevent fraud’ (FTPF) legislation is an important consideration for large global organisations. The legislation applies to companies based outside the UK if the fraudulent activity affects UK interests, creating a UK nexus. An example of this could be an overseas company that has shareholders or lenders based in the UK, committing financial statement fraud, thereby affecting the interests of those UK stakeholders. It will be important for organisations to consider these complexities from the outset when determining which of their entities and geographies may fall within the scope of the legislation.
Browne: The new offence marks a significant advancement in corporate accountability for fraud and economic crime. The definition of fraud is broad, covering diverse fraudulent acts – spanning misrepresentation, omission and financial manipulation – provided they intend to benefit the organisation or its clients, even if indirectly. Specific examples within its scope include misleading or fraudulent practices aimed at investors, such as misrepresentation of business prospects or misleading environmental, social and governance (ESG) claims.
Hensser: The offence holds organisations liable if an ‘associated person’ commits fraud for their benefit and reasonable prevention procedures are lacking. The definition of ‘associated persons’ is broad, covering employees, agents, subsidiaries and other third parties performing services on the organisation’s behalf. Large organisations could have thousands of associated persons, and a crucial point is that it is not necessary to demonstrate that the organisation’s senior management were involved in or aware of the fraud.
FW: How does the broadening of the definition of fraud to include non-financial reporting fraud increase compliance risks for companies?
Hensser: I have increasingly observed cases involving allegations of greenwashing and manipulation of non-financial metrics in recent years. This increases exposure for clients as these cases align closely with the fraud triangle, which comprises motivation, opportunity and rationalisation. First, in terms of motivation, ESG-related key performance indicators (KPIs) are increasingly linked to executive and employee compensation, creating a strong incentive to manipulate figures that rely on estimates and judgments. Second, in terms of opportunity, as companies expand their non-financial disclosures, controls over how these metrics are compiled remain immature and untested compared to financial reporting. Third, in terms of rationalisation, employees justify ESG fraud much like financial fraud, using rationales such as ‘no one gets hurt’, ‘it benefits the company’ or ‘it has no financial impact’.
Seagreaves: It will be important for companies to consider and define the types of non-financial reporting that they are preparing across the organisation. While ESG metrics are one area, there are likely to be other areas that are embedded into the day-to-day operations, such as health and safety reporting, regulatory reporting KPIs and product quality claims, to name just a few. While many of these risks are likely to have already been included in existing risk and compliance frameworks, companies should confirm that they have been considered through a fraud risk lens and that appropriate and proportionate controls are in place to mitigate the identified fraud risk.
Browne: A broadening of the definition of fraud will have an impact on the complexity and scope of compliance risks for organisations and could lead to increased compliance costs. The risk landscape is changing and therefore companies are required to monitor, verify and report a much wider array of information. For many companies, this can be an entirely new area of focus, requiring new processes, systems and expertise to ensure that all claims are accurate and substantiated. Companies may need to invest in more comprehensive compliance frameworks, hire additional experts in areas such as ESG, and implement new technology tools for monitoring non-financial disclosures.
FW: What steps should companies take to prepare for the FTPF offence, particularly in light of the government’s November 2024 statutory guidance?
Davies: ‘Reasonable procedures’ to prevent fraud is a defence that is fundamentally legal in nature, placing legal counsel at the heart of the process. To effectively leverage this defence, companies must adopt a holistic, cross-functional approach that integrates practical fraud prevention measures with a robust legal strategy, and legal counsel must be involved throughout to advise and review. This means not only implementing operational processes, such as risk assessments and controls, but also ensuring these align with the legal framework, addressing potential liabilities, subsidiary-level governance and the specific policies, documents and contractual amendments required to substantiate a ‘reasonable procedures’ defence. It is critical to bridge operational practices with statutory requirements, ensuring the company’s efforts withstand regulatory scrutiny and provide a defensible position in the eyes of the law.
Browne: Given that organisations only have six months to prepare, it is critical they understand what existing processes they already have in place and, more importantly, allow them to fully understand their existing compliance landscape in relation to the FTPF offence. Many organisations are starting with a fraud risk framework gap assessment to identify any weaknesses or gaps in their compliance. By recognising these issues early, aligning policies with the latest statutory guidance and implementing measures to address any deficiencies, companies can ensure legal compliance while also safeguarding themselves against potential legal, reputational and financial risks associated with fraud.
Hensser: Many companies currently lack robust fraud risk monitoring controls, leaving them vulnerable to both internal and external fraudulent activities that regulators increasingly expect them to address proactively. With advancements in data analytics and artificial intelligence (AI)-powered fraud detection tools, firms have an opportunity to strengthen their defences. Regulators such as the Serious Fraud Office, themselves now leveraging such tools, expect companies to harness available data effectively. Businesses can begin modestly, such as by analysing journal entries for anomalies, before expanding into broader areas like payment fraud or customer fraud, where they are the victims of fraud. Implementing these technologies not only enhances detection but also serves as a deterrent, signalling to associated persons that oversight is active and helping to reduce the likelihood of fraud.
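Hensser mentions starting modestly by analysing journal entries for anomalies. The following is an added illustration of what such a first pass can look like; it is not code from EY or from any of the interviewees, and every threshold, user name and ledger entry in it is a constructed, hypothetical value. Each rule is a simple, explainable red flag that would route an entry to a reviewer, not a finding of fraud on its own.

```python
"""Journal-entry anomaly screen over constructed ledger data (added example).

Rules applied to each manual journal entry:
  * posted at the weekend
  * posted inside the last two calendar days of the month (close window)
  * a large, suspiciously round amount
  * an amount sitting just under the single-approver limit
  * posted by a user who is not an expected journal poster
Thresholds, user names and entries below are hypothetical.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000")      # hypothetical single-approver limit
NEAR_THRESHOLD_BAND = Decimal("0.98")     # flag amounts in the top 2% below the limit
ROUND_AMOUNT_FLOOR = Decimal("10000")     # only large round numbers are interesting
APPROVED_POSTERS = {"fin.clerk", "fin.manager"}  # users expected to post manual journals


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_on: date
    posted_by: str
    amount: Decimal
    description: str


def is_weekend(d: date) -> bool:
    return d.weekday() >= 5  # 5 = Saturday, 6 = Sunday


def is_period_end(d: date, days: int = 2) -> bool:
    """True for the last `days` calendar days of the month."""
    last_day = calendar.monthrange(d.year, d.month)[1]
    return d.day > last_day - days


def is_large_round(amount: Decimal) -> bool:
    return amount >= ROUND_AMOUNT_FLOOR and amount % 1000 == 0


def is_just_below_threshold(amount: Decimal) -> bool:
    return APPROVAL_THRESHOLD * NEAR_THRESHOLD_BAND <= amount < APPROVAL_THRESHOLD


def screen_entry(e: JournalEntry) -> list:
    """Return the red flags raised by one entry, in a fixed order."""
    flags = []
    if is_weekend(e.posted_on):
        flags.append("weekend_posting")
    if is_period_end(e.posted_on):
        flags.append("period_end_posting")
    if is_large_round(e.amount):
        flags.append("large_round_amount")
    if is_just_below_threshold(e.amount):
        flags.append("just_below_approval_threshold")
    if e.posted_by not in APPROVED_POSTERS:
        flags.append("unapproved_poster")
    return flags


def screen_journal(entries) -> dict:
    """Map entry id -> flags for every entry that raised at least one flag."""
    return {e.entry_id: f for e in entries if (f := screen_entry(e))}


# Constructed sample ledger (not real data); March 2025 dates chosen so that
# the 29th is a Saturday and the 31st is the period end.
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", date(2025, 3, 31), "fin.clerk", Decimal("12000.00"), "Month-end accrual"),
    JournalEntry("JE-002", date(2025, 3, 29), "ops.temp", Decimal("4999.00"), "Reclass"),
    JournalEntry("JE-003", date(2025, 3, 12), "fin.clerk", Decimal("1234.56"), "Supplier invoice 88412"),
    JournalEntry("JE-004", date(2025, 3, 14), "fin.manager", Decimal("50000.00"), "Project cost transfer"),
]

if __name__ == "__main__":
    for entry_id, flags in screen_journal(SAMPLE_ENTRIES).items():
        print(entry_id, ", ".join(flags))
```

In practice the rules would be tuned to the organisation's own approval matrix and close calendar, and the output fed to a reviewer queue rather than treated as a conclusion; the value of the exercise is that it is cheap, repeatable and visible to the people posting the entries.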
Seagreaves: An obvious first step is for companies to ensure that they fully understand the guidance and its applicability to them. From the outset they should ensure appropriate engagement and sponsorship by the board, senior executives and audit committee, where applicable. The foundation of an effective defence under the legislation is a robust fraud risk assessment that considers and appropriately prioritises the inherent fraud risks across the company’s operations and activities. It is important that the risk assessment is facilitated by individuals experienced in fraud investigations and risk management. In addition, it will be important that the risk assessment is conducted with employees who are undertaking the activities on a day-to-day basis, rather than those who may think they know what happens. Often the reality is different from expectations, and this can mean fraud risks do not get identified or controls are not appropriate or operating effectively to mitigate the risk identified.
Grange: From a cyber perspective, in-scope organisations should consider a number of best practices. One area is training and awareness. The UK Home Office guidance notes that best practice is likely to include an anti-fraud training programme. Raising awareness on cyber issues like phishing can reduce risk exposure by raising employee awareness to successfully identify and respond to malicious communications. Another consideration is personnel security. Vetting checks are a useful tool to gain assurance before employees take up high-risk roles. This screening should then be updated periodically to take account of any change in personal circumstances. Also important is knowing your counterparties. Several recent high-profile security breaches have emanated from third parties. In addition to conducting due diligence on employees, organisations should also consider the risk they are exposed to via their third parties. This may include risk assessments and screening prior to engaging with a third party and reviewing contractual arrangements to ensure they contain controls proportionate to the risk associated with the specific service being delivered.
FW: What challenges are corporates encountering when preparing for this legislation? How should they address them?
Grange: Corporates frequently find implementing effective IT access controls challenging. A failure to clearly enforce the principle of ‘least privilege’ and weak identity governance can create opportunities for malicious insiders to exploit gaps in the system. Without robust authentication and monitoring, privilege creep goes unnoticed, making it easier for fraudsters to manipulate financial records, access sensitive data or approve unauthorised transactions. Business pressures frequently lead to security being deprioritised in favour of operational efficiency, allowing these vulnerabilities to persist. By implementing strong access controls, such as role-based access, multifactor authentication and continuous monitoring, organisations can not only prevent unauthorised activity but also detect fraudulent behaviour before it causes significant damage.
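Grange's point about privilege creep and the principle of least privilege is the kind of control that can be checked mechanically. The following is an added worked example, written here for illustration and not code from EY or any of the interviewees; the role model, entitlement names, users and dates are all hypothetical. It compares what the identity store actually grants against what each user's current roles should grant, flags toxic combinations of entitlements held by one person, and flags privileged entitlements that have not been used within the review window.

```python
"""Least-privilege drift review over constructed identity data (added example).

Three findings per user, matching the control gaps discussed above:
  creep   - an entitlement that no current role of the user grants
  sod     - a toxic combination of entitlements held by one person
  dormant - a privileged entitlement not exercised inside the review window
Role names, entitlements, users and dates below are all hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role model: each role grants exactly these entitlements.
ROLE_BASELINE = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "gl_accountant": {"journal.post", "journal.view"},
    "auditor": {"journal.view"},
}

# Segregation-of-duties conflicts: no single person should hold all of a set.
SOD_CONFLICTS = [
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "payment.approve"}),
]

# Entitlements treated as privileged for the dormancy check.
PRIVILEGED = {"payment.approve", "journal.post", "vendor.create"}


@dataclass
class UserAccess:
    user: str
    roles: set
    entitlements: set                              # what the directory actually grants today
    last_used: dict = field(default_factory=dict)  # entitlement -> date last exercised


def find_creep(u: UserAccess) -> set:
    """Entitlements not explained by any role the user currently holds."""
    granted_by_roles = set().union(*(ROLE_BASELINE.get(r, set()) for r in u.roles))
    return u.entitlements - granted_by_roles


def find_sod(u: UserAccess) -> list:
    """Toxic combinations fully present in the user's entitlements."""
    return [conflict for conflict in SOD_CONFLICTS if conflict <= u.entitlements]


def find_dormant(u: UserAccess, as_of: date, window_days: int = 90) -> set:
    """Privileged entitlements never used, or not used within the window."""
    cutoff = as_of - timedelta(days=window_days)
    dormant = set()
    for ent in u.entitlements & PRIVILEGED:
        last = u.last_used.get(ent)
        if last is None or last < cutoff:
            dormant.add(ent)
    return dormant


def review(users, as_of: date, window_days: int = 90) -> dict:
    """Run all three checks for every user; returns user -> findings."""
    return {
        u.user: {
            "creep": find_creep(u),
            "sod": find_sod(u),
            "dormant": find_dormant(u, as_of, window_days),
        }
        for u in users
    }


def users_with_findings(report: dict) -> list:
    return sorted(user for user, f in report.items() if f["creep"] or f["sod"] or f["dormant"])


# Constructed sample population (not real accounts). Alice moved from
# ap_manager to ap_clerk but kept payment.approve; Bob has not posted a
# journal in four months; Carol is clean.
AS_OF = date(2025, 4, 30)
SAMPLE_USERS = [
    UserAccess("alice", {"ap_clerk"}, {"vendor.create", "invoice.enter", "payment.approve"},
               {"vendor.create": AS_OF - timedelta(days=3), "invoice.enter": AS_OF - timedelta(days=1)}),
    UserAccess("bob", {"gl_accountant"}, {"journal.post", "journal.view"},
               {"journal.post": AS_OF - timedelta(days=120), "journal.view": AS_OF - timedelta(days=2)}),
    UserAccess("carol", {"auditor"}, {"journal.view"}, {"journal.view": AS_OF}),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE_USERS, AS_OF).items():
        print(user, findings)
```

The three checks deliberately stay independent: an entitlement that is both unexplained by any role and never exercised (Alice's retained approval right) is exactly the residue of a role change that a recertification cycle should remove, and the segregation-of-duties check catches it even if the role baseline itself was wrong.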
Davies: Many companies are grappling with the challenge of determining which legal entities within their operations fall under the scope of the offence. This complexity is compounded by unique legal structures, such as sprawling multinational subsidiaries, joint ventures or franchise models, making it difficult to pinpoint where liability begins and ends. Legal counsel plays an essential role in navigating this uncertainty, in assessing the organisation’s corporate framework to identify in-scope entities, in interpreting how the law applies across jurisdictions and hierarchies, and in ensuring compliance efforts target the right parts of the business. Without this expert input, companies risk misjudging their exposure and undermining their ability to mount a ‘reasonable procedures’ defence.
Seagreaves: The definition and understanding of fraud across the organisation is often limited. To date, most organisations have concentrated their fraud risk management frameworks primarily on fraud committed against them, such as asset theft. As a result, there tends to be a lack of understanding and appreciation for both financial and non-financial statement fraud. This is often justified by the belief that ‘no one is stealing anything’ or that ‘there are always shades of grey and every company plays with their numbers’.
Browne: While the risk of fraud has long been a major concern for organisations, accountability for managing it varies across organisations, often leading to a lack of transparency in mitigation efforts and potential gaps. To address this, many companies are formalising fraud accountability by appointing senior-level fraud leads to coordinate anti-fraud initiatives across departments and report to the board, signalling top-level commitment. Others are forming cross-functional fraud committees with representatives from finance, compliance, legal and internal audit to ensure a unified approach and adequate resources for effective fraud prevention and detection.
Hensser: Organisations often face challenges in determining what constitutes a proportionate response to fraud risks. They must strike a balance between implementing effective prevention measures and avoiding excessive investment in impractical or costly controls. Establishing a clear risk tolerance level is crucial, as it aligns the organisation’s fraud risk appetite with its business objectives, regulatory requirements and ethical standards.
FW: How does the FTPF legislation link to other legislation and guidance, such as the Corporate Governance Code, the Corporate Sustainability Reporting Directive and UK Bribery Act?
Browne: The UK Corporate Governance Code sets out principles for good governance emphasising effective leadership, oversight and risk management in public limited companies. The FTPF legislation strengthens the Code, particularly in risk management and internal controls. The Code stresses robust controls, while the FTPF places a legal obligation on companies to take ‘reasonable steps’ to prevent fraud, aligning with broader risk management practices. Both highlight board accountability, with the Code holding board members responsible for legal compliance. Similarly, under the FTPF, a company’s failure to prevent fraud can directly implicate senior leadership, linking the governance principles with the legal liabilities introduced by FTPF legislation.
Seagreaves: The Corporate Sustainability Reporting Directive (CSRD) and FTPF legislation aim to enhance corporate transparency and accountability. The CSRD legislation requires companies to report on non-financial information, including ESG factors. The reporting of this non-financial information is also covered by the FTPF legislation. It is therefore important that organisations ensure a joined-up approach to understanding and complying with both pieces of legislation, so that they can implement robust reporting and verification processes for non-financial information.
Hensser: Both the UK Bribery Act and FTPF legislation aim to hold organisations accountable for the actions of their associated persons. Although each legislation has its own specific focus area, clear similarities can be observed in the ‘reasonable procedures’ guidance that organisations must implement as a key defence. Both encourage a proactive approach to risk management that deters unethical behaviour, rather than merely responding to incidents after they have occurred. The penalties for failing to prevent fraud or bribery are severe, including significant fines and reputational damage. Under both Acts, organisations can face unlimited fines if found guilty of failing to prevent bribery or fraud.
Terry Seagreaves has over 18 years’ experience supporting clients to investigate allegations of fraud and bribery and corruption, as well as supporting the implementation and monitoring of anti-fraud and anti-bribery & corruption frameworks. He is currently supporting a broad range of listed and private clients to understand and prepare for the requirements of the failure to prevent fraud legislation. He can be contacted on +44 (0)7799 433 943 or by email: tseagreaves@uk.ey.com.
Emma Browne is a partner in EY’s UK forensics compliance and ethics team with over 18 years of experience. She specialises in developing, implementing and enhancing compliance initiatives for organisations. Recently, she has been supporting businesses in preparing for the new FTPF legislation by strengthening their fraud risk management frameworks. Her expertise in business conduct and ethics is valued by clients across industries. She can be contacted on +44 (0)7771 808 428 or by email: ebrowne@uk.ey.com.
James Hensser is a director in EY London’s forensic team specialising in compliance, fraud risk management and forensic due diligence, with experience in the energy and infrastructure sector. He has 14 years’ experience of investigating fraud, bribery & corruption and other misconduct and leverages this knowledge to uncover potential red flags. He has operated on the ground in over 20 jurisdictions. He can be contacted on +44 (0)7880 487 707 or by email: jhensser@uk.ey.com.
Alistair Grange is a director in EY’s tech risk practice, and the firm’s lead for cyber assurance. He has a particular focus on cyber risk, regulation and strategy, and is an experienced adviser on critical national infrastructure security. He can be contacted on +44 (0)20 7806 0593 or by email: alistair.grange@uk.ey.com.
Michelle Davies is the global head of sustainability for EY Law with over 25 years’ experience. She advises across all aspects of sustainability and environmental, social and governance, including regulatory regimes and operationalising sustainability to manage risk and access value. She sits on various boards and is a dual-qualified lawyer in both the UK and the US. She can be contacted on +44 (0)20 7806 0417 or by email: michelle.t.davies@uk.ey.com.
© Financier Worldwide