Ethicast Reacts - The Failure to Prevent Fraud Act

[00:00:01] Speaker A: On September 1, 2025, the failure to prevent fraud offense under the Economic Crime and Corporate Transparency act will go into effect. This means that an organization can be held criminally liable if any employee, agent, subsidiary or other associated person or entity commits a fraud intending to benefit the organization or its clients if the organization did not have reasonable fraud prevention procedures in place. Is your organization ready? I'm Julia Boies and this is Ethicast Reacts. Today we are joined by Erica Salmon Byrne, Ethisphere's Chief Strategy Officer to get her thoughts as organizations are likely making some final tweaks to their fraud prevention procedures. Erica, thank you so much for joining us today. [00:01:02] Speaker B: Oh Julia, thank you so much for having me. And many may I say welcome to your first Attic Reacts. I usually get to do these sessions with our friend Bill Coffin, but given the fact that Bill was not able to join me, I'm really happy that you and I could have this conversation because you're quite right. Organizations should be getting ready right now for the implementation of the of the act starting on 9. [00:01:24] Speaker A: 1. [00:01:24] Speaker B: However, I know from my conversations with a lot of organizations that they this might have flown a little bit under their radar, right? There have been a handful of folks in the ethics and compliance space, including our good friend Tom Fox, who have written about the impact of the failure to prevent fraud offense. But I don't think it's gotten nearly as much attention as it needs because it is a seismic shift in the landscape for organizations. And I say that because it is the first time that there has been a very broadly written potential corporate offense coming out of the United Kingdom. Now we've had the Bribery act for a long time, but that was very focused on anti corruption. And the failure to prevent fraud offense in the Serious Frauds Office own words is going to be something that they are able to use in situations where the Bribery act criteria may not potentially be met. In other words, this is bigger, this is broader. You and this is something that organizations have to be ready for. I think also to a certain extent we've seen some folks in our ethics and compliance community, particularly here in the US not pay as much attention to this particular implementation process because it has the word fraud in it. And generally speaking, you know, people might think well that's audit's problem or that's finance's problem, right? That's not necessarily my responsibility. If you read the way the definition the crime of fraud is defined in the eccta, you will see very quickly that if you thought this was somebody else's problem you were wrong. [00:02:47] Speaker C: Right. [00:02:47] Speaker B: This is a situation where if your employee engages in fraudulent behavior that is intended to benefit your organization and you don't have adequate procedures that you can point to to have prevented that fraud, you are going to be on the hook. So as long as the employee engaged in fraud with the intent to benefit the organization and you don't have the right procedures in place, you are going to have yourself a little bit of a mess. So thinking about all of the ways in which this could potentially impact you is going to be really important. The other thing is there's great stuff in this guidance, Julia, for the kinds of companies and communities that we support. So if you are an ethics and compliance professional out there listening to me talk about this, go read the guidance because it has very helpful language in it that is in some cases very supportive of the work you're already doing that is probably largely driven by the Department of the Justice's evaluation of corporate compliance programs. But it goes a little bit broader. It includes things like incentives. [00:03:50] Speaker C: Right. [00:03:50] Speaker B: We've all been talking about looking at how we pay people, but the Serious Frauds Office's failure to prevent fraud guidance actually pulls in the coastal fraud triangle. [00:03:59] Speaker C: Right. [00:04:00] Speaker B: This concept of what is your motivation, what is your rationalization and what is the incentives that potentially, potentially drove you to this action? And so making sure that your program is effectively engaged with incentive setting is going to be a piece of making sure that you have the right kind of practices in place. [00:04:19] Speaker A: Yes. And Erica, for all of our listeners, we're going to be linking that guidance in our show notes. But one thing you brought up that I wanted to sort of get some feedback on from you is within the guidance, it says that if a company has reasonable prevention procedures in place, or you had used the word adequate, can you give us a scope of what that means? How can a company know if they have reasonable procedures in place? [00:04:43] Speaker B: Yeah, it's a really good question, Julia. And I think. I think that we won't really have a sense of what the Serious Frauds Office thinks of as reasonable procedures until we see a couple of prosecutions under this piece of legislation. Because ultimately the question of was what I did, reasonable is going to be something that a court is going to have to decide. But I do think we can point people to some other languages in the guidance that will give them at least some guardrails around reasonable. So is it risk driven? Have you really taken a look at your fraud risk and said, you know what, I don't think that our people are likely to misrepresent the features of our product. And so that's a lower fraud risk. [00:05:25] Speaker C: Right. [00:05:25] Speaker B: Or I don't think our people are likely to, to misrepresent our accounting numbers. And so our potential fraud against investors is lower. I don't think our people are likely to try to evade taxes. [00:05:37] Speaker C: Right. [00:05:38] Speaker B: Those asking yourself, as you think about what your risk profile looks like for each one of those risks, who's potentially involved? What do we think the likelihood of this risk is and what potential mitigation practices are we going to put in place as a result of this? And would a reasonable person think those were reasonable? So unfortunately it's going to be a little bit of an open question until we see some prosecutions under the, under this piece of legislation. But you know, you can get a sense of it by starting with your risks. [00:06:10] Speaker A: Thank you. Yeah, that makes a lot sense. [00:06:12] Speaker B: Serious Frauds Office, by the way, for putting into the guidance document scenarios or exemplar situations where a failure to prevent fraud offense would come up. So if you're sitting there thinking to yourself, well I don't think in terms of language of fraud, that's not the way I think about my risks. Spend a little time with the guidance because they've got enough scenarios in there that it'll get you thinking. [00:06:37] Speaker A: Thank you. That is so helpful as a follow up question. One of the things that I noticed was not only could this apply to a company's employee or agent, but but also the subsidiary of a potential parent company. So how should parent companies be thinking about their subsidiaries with this new offense? [00:07:01] Speaker B: Yeah, you definitely want to go all the way down in your chain. So Julia, you picked up on an important point there, which is if the subsidiary engages in fraud with the intent to benefit the parent, the parent's going to be on the hook. [00:07:13] Speaker C: Right. [00:07:13] Speaker B: So if you've got an employee who engages in fraud to inflate the sales numbers of the subsidiary, that with the ultimate, you know, benefit going to the subsidiary, that is going to be enough to tag the parent or from the subsidiary up to the parent rather that is going to be enough to tag the parent in the issue. So definitely you want to think through your chain. You also want to think carefully about your third parties. So the, the language in the, in the guidance talks about agents, talks about representatives, talks about third parties, talks about JV partners, all of those, that network of people who are out there in the world engaged in business or business relationship activities on your behalf, you are going to need to think about your fraud risk. And your fraud prevention activities across that chain. So it's not enough to just due diligence on your agents. You also need to be asking yourself questions about what else can I do to make sure that I am appropriately trying to mitigate the likelihood of fraud happening in my supply chain, the likelihood of fraud happening in my agent relationships, the likelihood of fraud potentially happening with my declaration of where my goods comes from because I'm trying to evade tariffs or, you know, other import duties. All of those things are going to fall under the umbrella of this extraordinarily broadly written piece of legislation. [00:08:31] Speaker A: Well, as I start to think through how companies could, I don't know, find, find help, find resources, it makes me think of our ethisphere data that we have within the sphere surrounding risk assessments. And we know, we know the pivot importance of the risk assessment. And so when you think about the data we have surrounding risk assessments and preventing fraud within the sphere, if a listener would want to utilize our data, how could they best do that to help them prepare? [00:09:01] Speaker B: Yeah, it's a really good question, Julia, because it does. Everything starts with the risk assessment. And so if you have not already done your fraud risk assessment in response for the forthcoming eccta, then that definitely is something you want to hop on right away. We have tagged in the sphere all of the data that we have that relates to this piece of guidance. So you'll be able to go into the sphere if you are a sphere user and be able to look at these different, these different pieces of guidance. The other thing I would say is to the extent that you are not already working with your enterprise risk management teams and with your finance teams, I would definitely try to figure out what they are thinking about and doing in response to this forthcoming piece of legislation. Because one of the things that the guidance talks about is specifically looking at the likelihood of fraud in your industry. So very, you know, a lot of us, a lot of us who are very accustomed to traditional enterprise risk management systems, right, we think about the likelihood of something happening, we think about the impact of something happening, and then we think about the mitigation activities that we might take into account. But those like that likelihood piece, that's generally speaking something we think about internally, right? We don't think about the likelihood being influenced by external factors. But what the guidance has said very clearly to people is we also want you thinking about whether or not you are in an industry that is rife with fraud. And so that makes me think about the DOJ's recommendation that you learn from not only things that have happened inside your organization, but things that are happening outside your organization. And so it's that same message that we're getting from two different regulatory bodies, phrase differently. [00:10:41] Speaker C: Right. [00:10:41] Speaker B: But really aiming at the same thing. What's happening in your sector? [00:10:45] Speaker C: Right. [00:10:45] Speaker B: Is there a particular kind of activity that you should be paying attention to? And look, take the label of fraud off of it. [00:10:53] Speaker C: Right. [00:10:54] Speaker B: Think about it as an inappropriate type of behavior that exposes the company to risk. That's going to make it easier for you to navigate from a risk assessment perspective and get the. Get the help of your partners and friends inside your organization. [00:11:08] Speaker A: That's a really helpful way to reframe it. Thank you. I feel like September 1st is right around the corner. [00:11:14] Speaker B: It sure is. [00:11:15] Speaker A: Right. I think by the time this is published, we're going to be only a handful of days away. If you could give leadership of different organizations just one piece of advice or one little bit of, maybe even encouragement as they're grappling with this and getting ready, what would you tell them? [00:11:36] Speaker B: I would tell them that if they are a multinational organization of any meaningful size, the chances are they've got pieces of this in place already somewhere inside their organization. It may not be framed the way that the Serious Frauds Office's guidance indicates that they want to see it framed. But much of this is not new. [00:11:55] Speaker C: Right. [00:11:56] Speaker B: Much of this is an emphasis of an existing practice. [00:12:00] Speaker C: Right. [00:12:00] Speaker B: Whether it is the focus on risk assessments or it is the focus that the. The guidance has on making sure that the head of compliance has access to the board. [00:12:12] Speaker C: Right. [00:12:12] Speaker B: There's a whole section about making sure that the, the compliance program, the compliance team has the right level of seniority and stature inside the organization. Well, guess what? We've been grappling with that for a couple of years, you know, thanks to the DOJ's guidance. There's a lot of language in here on culture, there's language in here on incentives. There's language in here on the behavior of managers. So much of this is going to be one of those situations where really what you need to do is take what you're already doing and map it against this guidance. And then if you have gaps, right. If you have that thing where you're like, oh, I hadn't really thought about that through the lens of whether or not this is a failure to prevent fraud. [00:12:53] Speaker C: Right. [00:12:53] Speaker B: Is there something about this particular type of risk or behavior that maybe no one, you know, was one of those things that fell through the cracks or. I thought this part of my business had responsibility for this. And in fact, it was another part of the business that had responsibility for it. [00:13:09] Speaker C: Right. [00:13:09] Speaker B: That's going to be, those are going to be the places where you're going to find yourself needing to think strategically about how to shore up that particular gap. So I guess that that would be, that would be my piece of advice. Take a deep breath. You probably have a lot of this already. It's really going to be about looking at the guidance and saying, okay, where are the places where I don't have this? Who is responsible if a salesperson misrepresents the features of a product in a way that benefits the company and causes harm to somebody else? Like, what's my training practices to make sure that doesn't happen? Am I looking at my incentives to make sure that no one's feeling pressure to misrepresent product features or that sort of thing? So really putting that broader behavioral lens on it and asking yourself those questions. The good news also in this, Julia, is it's another opportunity. It gives you a tool to go to the people inside your organization who are responsible for thinking about culture and permissive manager behavior and having a question about whether or not you have the right analysis data practices around those key topics. Because this, this set of guidance and kudos to the Serious Frauds Office, to whomever there drafted it, this set of guidance is really strong on the culture piece. It's really strong on the environmental components that go into a fraud happening. It is looking at, to borrow Professor Linda Trevino's structure, the informal aspects of a program as much as it's looking at the formal aspects. And so if you haven't already done that work, for whatever reason, it hasn't been something that's been a priority. This is going to give you a chance to build those relationships and have those conversations and get your arms around the data inside your organization that exists already that is potentially sending signals that would indicate that somebody is tempted to engage in fraudulent behavior? [00:15:14] Speaker A: Well, Erica, we really appreciate you taking the time to come speak to us about this because it's imminent and it's important and your guidance is. I really value it. So thank you so much for your time. [00:15:27] Speaker B: Oh, my pleasure. Absolutely. Julia. You know, as you said, we'll link some of these pieces in the show notes. But you know, anytime you, you grapple with a new piece of legislation like this, it's a, it's always going to be a journey. So hopefully you and I will have a chance to talk more about it as we see particularly additional guidance coming out of serious frauds and then eventually some prosecutions that we can unpack from a fact pattern perspective and see what they tell us. [00:15:49] Speaker A: That sounds great. Thanks so much, Erica. Take care. [00:15:51] Speaker B: You too. [00:15:52] Speaker A: If you're interested in reading the guidance surrounding the failure to prevent fraud offense that Erica referenced, see the link in our show notes. If you're interested in learning more about Ethisphere's data platform, the Sphere, and how it can help your organization benchmark against best practices, as well as receive guidance from several different regulatory bodies, reach out to your BELA Engagement director or email infoethosphere.com to receive guest access. For more resources, visit ethisphere.com resources it was great to have you join us today. I'm Julia Boies and this is Ethicast Reacts.