Note:
This guidance is advisory only. The guidance is not a substitute for reading the legislation or obtaining professional legal advice where appropriate or necessary.
Statutory guidance in relation to fraud prevention procedures is published by the Home Office on GOV.UK as ‘Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (accessible version)’. All organisations should review the Home Office Guidance when establishing and reviewing their fraud prevention procedures.
See Section 1.4 of the Home Office Guidance for any conflict between alternative sources of guidance.
Under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) (section 199), an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated’ person commits a fraud intending to benefit the organisation. It is a defence to the offence that the organisation had in place ‘such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place’.
The question of whether a relevant organisation had prevention procedures in place which were reasonable ‘in all the circumstances’ can only be determined in the context of a particular prosecution and can only be determined by a court, taking into account the particular facts and circumstances of the case. If a case comes to court, the onus will be on the organisation to prove that it had reasonable procedures in place to prevent fraud at the time that the fraud was committed. In accordance with established case law, the standard of proof in this case is the balance of probabilities.
However, it is possible to take steps to consider what is reasonable in the context of any particular organisation. The starting point is for an organisation to be able to demonstrate that it has considered and had regard to the Home Office Guidance.
The Home Office Guidance (chapter three) is statutory guidance issued under Section 204 of the Act (see section on Statutory Guidance and references to NHSCFA) and sets out six principles that are intended to help organisations work towards the creation of reasonable prevention procedures before Monday 1 September 2025. Consideration and application of the Home Office Guidance is likely to be a critical factor for any court in determining whether or not an organisation ‘had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place’ (Section 199(4)(a) of ECCTA).
The Home Office Guidance states that the fraud prevention framework put in place by relevant organisations should be informed by the following six principles:
- top level commitment
- risk assessment
- proportionate risk-based prevention procedures
- due diligence
- communication (including training)
- monitoring and review
These principles are intended to be flexible and outcome-focussed, allowing for the huge variety of circumstances in which relevant bodies find themselves. Procedures to prevent fraud should be proportionate to the risk.
Reference to NHSCFA within statutory guidance
Chapter three of the Home Office Guidance states that public sector organisations are already required to implement the recommendations of the Public Sector Fraud Authority (PSFA). It describes how, for organisations in the NHS, the NHSCFA provides detailed information on the PSFA requirements to be applied across the NHS and wider health group and the Government Counter Fraud Profession. Whilst NHS organisations are likely to have many of the elements of the fraud prevention framework in place already, they should, where applicable, adapt their procedures to take account of the new offence.
In the circumstances of an NHS body, the defence of having prevention procedures in place that were reasonable in all the circumstances may be less likely to be satisfied if the body has not considered and had regard to the Home Office Guidance and the NHSCFA’s information on the PSFA Guidance.
The six principles identified in the Home Office Guidance are reflected in the NHSCFA Requirements, which in turn derive from the Government Functional Standard GovS 013 for counter fraud. NHS-funded services are already required to provide NHSCFA with details of their performance against the functional standard annually, and NHSCFA provides guidance to NHS organisations on how to meet the requirements of the Government Functional Standard GovS 013.
- Top level commitment links with GovS 013 component 1: to have an accountable individual at board level who is responsible for fraud, bribery and corruption.
- Risk assessment links with GovS 013 component 3: to have a fraud, bribery and corruption risk assessment that feeds into the organisational workplan and is managed in line with the organisation’s local risk management policies.
- Proportionate risk-based prevention procedures links with GovS 013 component 5: to have an annual action plan that is informed by fraud risk, identifying activities to improve capability and resilience.
- Due diligence links to a number of components including GovS 013 component 2: the organisation should align its counter fraud, bribery and corruption work to the NHSCFA’s central strategy.
- Communication (including training) links with GovS 013 component 7: to have well established and documented reporting routes for staff, contractors and members of the public where necessary to report fraud suspicions. Staff awareness levels are regularly measured. This also links with GovS 013 component 11: ensuring that all staff have access to and undertake fraud awareness, bribery and corruption training as appropriate to their role.
- Monitoring and review links with GovS 013 component 6: to identify and report upon annual outcome-based metrics to support improvement in performance.
See section on ‘Next steps – how to comply’ for suggestions of actions that NHS organisations can take to ensure that they have reasonable fraud prevention procedures in place.