
With the upcoming failure to prevent fraud (FTPF) offence coming into force in September 2025, the UK Government are seeking to motivate organisations to take responsibility for the prevention, monitoring and review of fraud committed by employees or other associated individuals. Critically, the offence concerns fraud which brings a benefit to the organisation at the cost of losses to third parties.
Organisations are likely to already have in place arrangements for investigating attempted frauds against the organisation, but may need to ensure that these cover frauds that have the effect of benefiting the organisation.
While a strong fraud risk assessment and effective internal controls are important for the prevention of fraud, a robust investigations programme is key for an organisation to respond to cases of potential fraud.
Key stages of a robust investigation response
- Identify
The first stage of any investigation is the identification of an incident or allegation. The output from some of the activities set out in our article on internal controls provides this – red flags raised by detective controls, whistleblower allegations or the results of audits should all be fed into the investigation process.
- Filter
An effective triage system will help organisations separate cases of suspected fraud from allegations of other forms of inappropriate activity. An individual or team with appropriate competence and independence should be in place to decide whether a reported issue appears credible, and whether it should be considered further. Triage is a key stage in ensuring that allegations are appropriately prioritised and any patterns or hotspots identified.
It is also important to understand early on if an issue should be investigated under privilege (and so require engagement with legal counsel), and whether the organisation has sufficient skills to investigate the issue. Outside technical expertise may be required where the allegations concern particularly sophisticated or large-scale frauds.
- Assign
Ensuring that the response is matched to the seriousness of the allegation is critical. The risk associated with the failure to properly investigate allegations is significant and the appointment of an appropriately skilled and independent team is essential.
If the allegation is sufficiently serious it should be escalated to board level to consider whether an independent outside counsel or consultant should be engaged. Early engagement with regulators may also be required – and, as noted in [article 2], help to mitigate the severity of outcomes.
- Analyse
Once the groundwork has been completed, the actual investigation begins. The team should perform evidence collection, organise interviews and perform other technical analysis until all the facts of the case are understood. The involvement of external experts at this stage may be key to understanding some of the technical aspects of the fraud. Regular review is required to ensure that the response remains appropriate as further facts are uncovered, the veracity of the allegations is understood and the quantum at stake becomes clearer.
- Resolve
Once the conclusion has been reached, an organisation should consider how to communicate the findings, both internally and externally. Internally, arrangements should be in place to communicate to both the board and throughout the organisation (if the matter is not subject to privilege). Externally, the organisation should determine whether any disclosure to the authorities, financial markets or other stakeholders is required.
- Remediate
A key output of the investigations process is the identification of weaknesses revealed by the incident. For example, can any findings from the investigation be brought into the fraud risk assessment? Are there any improvements which can be made to internal controls which would prevent a similar fraud from happening in the future? Can the investigations process itself be improved? The organisation must take consistent action and ultimately improve the system so that the organisation becomes better at preventing, detecting and responding to similar incidents in the future.
Looking ahead
The nature of the fraud risks an organisation faces will evolve as a natural result of external developments or changes in an organisation’s activities. Through risk assessment, controls testing and the investigation of allegations and incidents, an organisation can continuously adapt as the nature and scale of fraud risk changes. In this way it will both be prepared for the introduction of the FTPF offence and continue to give itself the best chance of avoiding an incident of fraud that causes harm to others and adverse enforcement consequences to itself.