Financial Services firms take note – new sector specific guidance on failure to prevent fraud

Financial services industry body, UK Finance, has published sector-specific guidance to assist financial services firms in preparing for the new failure to prevent fraud offence. 

New guidance issued by UK Finance on 11 February contains helpful illustrations and examples for financial services firms to clarify how the new failure to prevent fraud offence might apply to them and the wider financial services sector. 

As firms will be aware, the failure to prevent fraud offence (taking effect from 1 September 2025) makes an in-scope firm potentially criminally liable if it fails to prevent a "fraud offence" committed by a person associated with the firm. It is a defence if the firm had reasonable prevention procedures in place, or alternatively, it was not reasonable to have these. The offence applies to both UK and non-UK firms where the fraud offence was committed in the UK, or the harm or benefit took place in the UK. For more information see our previous article on the offence and listen to our podcast.

Key takeaways on associated persons and fraud offences

The guidance flags that the potentially far-reaching definition of an “associated person” (a third party that provides services for or on behalf of the firm) may make it difficult for financial firms to pinpoint their associated persons, given their extensive working relationships. The guidance lists examples in the financial services sector of who might be an associated person, these include a person who provides advisory, fund management, custody, arranging, placing, underwriting, brokerage or trust and fiduciary services; but not an appointed receiver, an insurance broker, a depositary or listing agent or a rating agency (e.g. for credit or ESG).

A couple of interesting points noted in the guidance, which are not featured in the statutory Home Office Guidance, include:

• actions taken by AI or other machine-driven automations (such as trading algorithms) would not ordinarily constitute a fraud offence (unless the AI or algorithm had been deliberately programmed to commit a fraud), as an underlying fraud offence will require intent, and usually dishonesty, to prove it; and
• that a fraud offence can involve the commission of one of the listed offences - such as false statements by company directors or false accounting - or the secondary offences of aiding, abetting, counselling or procuring the commission of a listed offence. The guidance notes that whilst the legislation refers to aiding, abetting, counselling or procuring an underlying offence, the expectation is that courts will interpret this to refer to secondary offences in their more recent legal framing, which is of encouraging or assisting an offence. 

At Appendix A of the guidance, there is a useful “decision tree” to aid firms in determining whether the offence is likely to apply in a particular scenario. 

Understanding reasonable prevention procedures

As well as unpacking the offence, the guidance also covers the defence of reasonable prevention procedures. It makes clear that firms are not expected to duplicate or repeat compliance controls or procedures which are already in place and it includes a section listing existing controls which may assist in respect of the new offence. Whilst it is clear that work is not required to be duplicated, the guidance, and the statutory Home Office Guidance, make clear that consideration must be given to how existing controls are relevant to the incoming offence and whether any adaptions are required. Some of the existing controls which may assist firms in preventing fraud include: assessment of full distribution chains; comparison of distributor performance against internal or independent source data or metrics; approval frameworks for entering into relationships; and screening and vetting of employees and agents. 

UK Finance have set out a range of risks for which they deem that it would not be reasonable in all circumstances for financial services firms to have prevent procedures in place. These include, but are not limited to, where there is no UK nexus at all for the in-scope firm, where distributors are subject to MiFID II or equivalent regulatory requirements, or where persons perform execution-only services such as sub-custody or clearing. However, the Home Office Guidance, which takes precedence in the event of a conflict to the UK Finance guidance, stresses that it will “rarely” be reasonable not to have even conducted a risk assessment. Accordingly, firms will need to explain any risks which they have deemed it not reasonable to implement preventative procedures in respect of.

We suggest the UK Finance guidance will be a useful source of reference for financial services firms as they conduct appropriate risk assessments, and implement reasonable preventative procedures, ahead of the offence coming into force on 1 September 2025.

UK Finance Failure to Prevent Fraud industry guidance.pdf