Reasonable Fraud Prevention Procedures: What the Six Principles Require in Practice
The ECCTA failure-to-prevent-fraud defence requires an organisation to show it had reasonable fraud prevention procedures in place. The Home Office guidance sets out six non-prescriptive principles. This guide explains what each principle requires in practice and what evidence supports it.
Key points
- Procedures must be proportionate to risk — a smaller in-scope organisation needs less apparatus than a large multinational with extensive third-party relationships
- The reverse burden requires the organisation to prove reasonable procedures, not just assert them
- Each principle has an evidence dimension: the question is not 'do we have a policy' but 'can we show it was operational'
- Monitoring and review is the principle the SFO's guidance treats as the strongest signal of genuine versus paper compliance
The reverse burden of proof
Once the prosecution establishes that an associated person committed a Schedule 13 base fraud offence intending to benefit the organisation (or a person to whom the associated person provides services on the organisation's behalf), the burden shifts to the organisation to prove on the balance of probabilities that it had reasonable fraud prevention procedures in place at the relevant time. This is a full legal burden, not merely an evidential one: the organisation must affirmatively prove that its procedures were reasonable, not simply raise a doubt. The Act also provides a defence where it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures at all; this guide addresses the reasonable-procedures limb, which is the one an in-scope organisation will ordinarily need to rely on.
Reasonable does not mean perfect. An organisation may still be able to rely on the defence even if the fraud slipped through its procedures, provided those procedures were proportionate to the risk at the time. The assessment is backward-looking: were the procedures adequate given what the organisation knew or should have known about its fraud risks? Evidence of continuous, documented compliance activity throughout the period in question is more persuasive than evidence assembled after an investigation begins.
The Home Office guidance is explicit that the six principles are not a checklist and compliance with all six does not guarantee the defence succeeds. Conversely, non-compliance with one principle does not mean the defence fails. The principles are guidance on what reasonableness looks like; the ultimate question is whether, taken as a whole, the procedures were proportionate to the risk profile.
Principle 1: Top-level commitment
Top-level commitment requires that the organisation's board or equivalent senior leadership takes visible ownership of the anti-fraud framework. This goes beyond approving a policy: it requires evidence that leadership understands the organisation's fraud risks, has considered whether the procedures are proportionate, and continues to receive and act on information about how the programme is performing.
In practice, evidence of top-level commitment includes board minutes recording approval of the fraud risk assessment and procedure documentation, a board-level policy statement that is communicated to employees and relevant associated persons, a designated senior individual with accountability for the programme, and board oversight of monitoring reports. The SFO's compliance programme evaluation guidance asks whether tone from the top is genuine: whether senior leaders act consistently with stated policies or whether the compliance function operates without meaningful board engagement.
A common gap is the board that approved a policy once but has not received an update since. Periodic board reporting — showing what the monitoring found, what gaps were identified, and what remediation was taken — is evidence that the commitment is continuous rather than nominal.
Principle 2: Risk assessment
Principle 2 requires the organisation to assess the nature and extent of its exposure to fraud by associated persons. The risk assessment should identify the fraud scenarios most plausible given the organisation's sector, business model, and associated-person network, map those scenarios to the Schedule 13 base offences, document the controls already in place, identify gaps, and set a residual risk rating for each scenario.
The risk assessment is not a one-time exercise. It should be refreshed when the organisation's risk profile changes — for example, when it enters a new market, acquires a new business, or changes a material third-party relationship — and on a periodic basis regardless. Each version should be dated and version-controlled; the organisation needs to be able to show what its risk assessment said at any particular point in time.
The quality of the risk assessment is often the weakest link in an organisation's ECCTA compliance. Generic fraud-risk registers that list 'fraud' as a risk category without mapping scenarios to specific associated-person categories and specific Schedule 13 offences provide a thin basis for the reasonable-procedures defence. A scenario-specific assessment — who could commit this offence, in what circumstances, intending to benefit the organisation, and what currently stops them — is a more defensible foundation.
Principle 3: Proportionate procedures
Proportionate procedures are calibrated to the risks identified in the risk assessment. An organisation that has identified a high risk of supply-chain fraud needs substantive due-diligence procedures for supply-chain associated persons; one that has assessed that risk as low can apply lighter-touch procedures, provided the assessment is documented and defensible. The proportionality requirement cuts both ways: procedures that are inadequate for the risk will fail the test; procedures that are more elaborate than the risk justifies are not required.
Proportionate procedures typically include an anti-fraud policy and code of conduct, supplemented by role-specific procedures for high-risk functions. Controls embedded in business processes — approval limits, segregation of duties, payment controls, tender controls — often constitute some of the most effective fraud prevention procedures because they make fraud harder regardless of intent. Evidence that those controls exist and are operating is as valuable as evidence of a standalone anti-fraud training programme.
Procedures that exist in documentation but are not followed in practice are not proportionate procedures — they are paper compliance. The SFO's guidance consistently emphasises the gap between what a compliance programme says and what it does. If the documented procedure requires three-party approval for payments above a threshold but the finance team routinely bypasses that control, the procedure does not provide the protection it appears to provide.
Principles 4 and 5: Due diligence and communication
Principle 4 requires proportionate due diligence on associated persons. The depth of due diligence should be calibrated to risk: a senior agent with authority to bind the organisation in high-value transactions requires more scrutiny than a low-risk administrative contractor. Due diligence records should document what was done, when, by whom, and what the outcome was — not just a binary pass or fail, but enough to reconstruct the reasoning.
Principle 5 requires that the organisation's anti-fraud procedures are communicated to employees and relevant associated persons, and that they understand what is expected of them. Training records and attestation records are the primary evidence of communication. Attestations — documented confirmations from individuals that they have read and understood the relevant policies — create a contemporaneous record that training was not just delivered but received.
Communication should be proportionate to role and risk. Employees in high-risk functions may need more detailed and role-specific training than those in low-risk support functions. Associated persons — agents, contractors, and supply-chain participants — may need targeted communications explaining which of the organisation's anti-fraud policies apply to their work and what is expected of them. Records of those communications, including dates and the version of the policy communicated, should be maintained alongside due diligence records.
Principle 6: Monitoring and review
Principle 6 requires the organisation to monitor whether its fraud prevention procedures are working and to review and update them in response to what it finds. This is the principle that most clearly distinguishes a genuine compliance programme from a paper one. A programme that has been in place for three years without a monitoring report, without any review, and without any update following changes in the organisation's risk profile is difficult to characterise as reasonable.
Monitoring covers both the procedures themselves and the compliance function. Are controls operating as designed? Are training completion rates acceptable? Are associated-person due-diligence reviews being conducted on schedule? Are there patterns in the monitoring data that suggest a particular risk area needs more attention? These are questions a genuine monitoring programme answers; the absence of answers is evidence that monitoring was not occurring.
Review and update should be triggered both periodically and by events — a material change in the business, a near-miss, an external enforcement action in the sector, or an update to official guidance. Documenting the trigger for a review, the findings, and the changes made as a result creates a compliance narrative that demonstrates continuous improvement rather than static documentation.
Official sources
- Home Office failure-to-prevent-fraud guidance v1.5
Updated 2025-10-10; accessed 2026-06-15.
- Economic Crime and Corporate Transparency Act 2023
Royal Assent 2023-10-26; accessed 2026-06-15.
- SFO compliance-programme evaluation guidance
Published 2025-11-26; accessed 2026-06-15.
Keep reading
- Reasonable procedures in practice guide
- ECCTA fraud risk assessment evidence
- Board reporting and top-level commitment
- Associated persons and supply chain
- ECCTA Failure to Prevent Fraud: A Practical Compliance Guide for Large Organisations. What the failure-to-prevent-fraud offence requires, who is in scope, and what a defence file needs to contain. A practical guide for compliance and legal teams at large organisations.
- ECCTA Fraud Risk Assessment: Documenting Base-Fraud Scenarios in Practice. How to conduct and document an ECCTA fraud risk assessment: mapping Schedule 13 offences to your business, identifying scenarios, documenting controls, and refreshing the assessment over time.
DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.