UK Finance Guidance on the Failure to Prevent Fraud offence: A missed opportunity in relation to risk assessments? 

On 11 February 2025, UK Finance issued its guidance (the UK Finance Guidance or the Guidance) on the Failure to Prevent Fraud (FtPF) offence which will come into force for firms on 1 September 2025.   

Having a proportionate and risk-sensitive control framework is going to be critical for any defence under the legislation.  So, guidance written through the lens of financial services is to be welcomed to help firms with their alignment of these frameworks in light of the specific risks that they will be facing.   

And to a certain extent, the UK Finance Guidance delivers on this expectation, through the use of helpful illustrations and decision trees, as well as an alignment of key concepts (such as associated persons) with what many firms are likely to encounter in a typical financial services business. 

However, there are still gaps in the UK Finance Guidance, particularly around the risk assessment (compounding some of the weaknesses of the original Home Office Guidance on the FtPF offence), that will continue to present an unnecessary challenge around the efficient and effective operationalisation of the requirements.

Evolution as opposed to revolution 

The UK Finance Guidance quite rightly frames the six principles of the reasonable prevention procedures within the context of the FCA’s wider expectations around effective control frameworks.   

As such, whilst the six principles that firms must address are not groundbreaking (in fact they’re identical to the MoJ’s six principles in the Bribery Act Guidance), the UK Finance Guidance should reassure firms that for most businesses, demonstrating effective compliance with the offence and the Guidance will involve a relatively low-effort recalibration of an existing control framework rather than a major overhaul. The flipside, however, is that those businesses with weaker existing foundations, particularly in relation to governance arrangements, may need significant adjustments. 

Similarly, the UK Finance Guidance builds on the “hooks” offered in the Home Office Guidance on the FtPF offence, by identifying those elements of other regulatory regimes that can be leveraged to deliver against the requirements of the FtPF offence, particularly the reasonable prevention procedures.  The UK Finance Guidance has a long list of considerations, ranging from the specific regulatory requirements associated with the due diligence on distributors through to regulatory expectations around the three lines of defence that firms should be drawing on for their reasonable prevention procedures.   

Helpful illustrations, as well as shining a light on the “perimeter” of the offence 

The real strength of the UK Finance Guidance, though, is in its use of illustrations, both in terms of potential scenarios that firms can work through to understand the impact of the offence (the Schedule to the Guidance) and the arguably bolder assertions as to what would fall outside the scope of the legislation.

Part 3 of the Guidance in particular reinforces the perimeter of the FtPF offence by highlighting those circumstances where it is not reasonable to expect firms to have prevention procedures in place.  These include, but are not limited to: 

  • Certain Associated Persons, including distributors who are subject to MiFID II requirements, or equivalent regulatory controls, persons who perform services for the firm on an execution-only basis at the instruction of the firm, as well as single-purpose relationships (Appendix 3 expands further on those third-party relationships which would not be considered Associated Persons of the firm); 

  • Existing contractual commitments, where the firm does not have grounds to terminate or amend existing contracts, although the firm would need to evidence why it cannot mitigate the risk by other means; and

  • Main market transactions, specifically the role of the sponsor where changes are forthcoming to simplify the regime and make the UK listing environment more attractive by reducing the expectations on the sponsor. 

Furthermore, a useful ‘decision tree’ is also included at Appendix 1 of the Guidance to outline when the FtPF offence might crystallise when a fraud offence occurs. 

An effective risk assessment should be the beating heart of any reasonable procedures, and yet … 

Whilst the UK Finance Guidance is undeniably valuable in helping a financial services firm navigate the FtPF offence, we consider it to be a missed opportunity in terms of helping those same firms implement an effective risk assessment.  Given how central that risk assessment is to the quality of the corresponding reasonable prevention procedures, which the Guidance itself acknowledges, this is disappointing. 

To give the Guidance its due, it is helpful that the section on risk assessment frames the potential fraud risks in the context of the actor (in this case, the associated person) and their actions (the commission of one of the relevant fraud offences for the benefit of the firm or one of their clients).  This resonates with our conviction that risk assessments need to be driven by the “real risks”, as opposed to the risk factors, which themselves should inform the vulnerabilities of a given business or assessment unit.

However, we believe that there were other elements of the risk assessment that could have been transformational if the Guidance had addressed them.  Specifically: 

  • Explicit alignment with the other financial crime risk domains.  Whilst the Guidance acknowledges that the FtPF risk assessment sits within the context of various other financial crime risks, it doesn’t grasp the opportunity to help firms consolidate these efforts.  In particular, the other regimes, whether money laundering, bribery and corruption or the facilitation of tax evasion, utilise common risk factors, but the Guidance missed the opportunity to frame how they might relate to each other in order to develop a consolidated (albeit differentiated) view of the vulnerabilities of a business as a consequence of its unique and specific characteristics.  Moreover, the Guidance acknowledges the behavioural elements of the fraud risk (in terms of motive and rationalisation), which should resonate with the facilitation of tax evasion, and to a lesser extent bribery and corruption risk, and yet it doesn’t lean into how they might work in a consolidated financial crime risk assessment.

  • Framing the real risks in relation to specific controls.  Whilst the Guidance discusses controls in the context of risks (offering the examples of staff vetting and screening and a clear anti-fraud message from top-level management), there was an opportunity to go further, both in terms of how specific controls mitigate elements of the fraud risk in question, as well as the respective merits of preventative, detective and directive controls.  The combination (and assessment) of these different components can really help a firm target those controls that are going to have the greatest impact in mitigating the risks identified, and which therefore warrant the most attention in terms of testing and assurance.

Contacting us

Although the Guidance may have been silent on these elements, delivering genuinely purpose-led risk assessments happens to be something that we are preoccupied with, so we’ve already done much of the thinking for you. If you would like to hear more on what you can do differently to ultimately deliver more favourable outcomes and maintain a defendable risk-based framework, we are keen to speak with you: contact@avyse.co.uk

 
