Europe Steps Up Its Fight Against Fraud

European watchdogs have long been focusing on enforcement against corporate crime with a great focus on anti-corruption, economic sanctions and money laundering. In recent years, a new focus is emerging – the fight against fraud is increasingly promoted to the front of enforcement agenda. This change in the enforcement landscape has significant implications on corporations which are active in Europe. As fraud is a wide concept which encompasses a great range of activities, the exposure of each organisation may be unique and so require a bespoke approach in establishing appropriate systems and controls.

In this blogpost, we canvas some recent fraud-related legislative developments across major European jurisdictions. That overview reveals that fraud is becoming a prominent item on the enforcement agenda. Considering those developments, we turn to explore some practical steps corporations active in Europe may consider implementing in preparing for the changing landscape.

Fraud-related legislative developments in Europe

European Union

A major step in the fight against fraud on a European Union level has been the creation of the European Public Prosecutor's Office (EPPO), which started operating in June 2021. EPPO has a mandate to investigate and prosecute directly before the national courts criminal misconduct related to the EU budget. The vast majority of its cases relates to different forms of fraud, including VAT fraud, subsidy fraud and misappropriation of public funds. Ever since its establishment, EPPO has been an active enforcer and in 2023 alone, it opened 1371 investigations, which is a 58 percent increase as compared to 2022. ¹

EPPO's track record of effectiveness, especially in relation to cross-border misconduct, may come from its structure (a single office with decentralised structures in 42 locations in various Member States), as well as from its close cooperation with Europol and national enforcement authorities. EPPO's enforcement efforts are likely to increase even more in the future as may be indicated by a comment by European Chief Prosecutor, Laura Codruța Kövesi, that about 90 percent of fraud in the EU still remains off the enforcement authorities' radar. ²

France

In France, fraud is generally not considered as a separate criminal offence but can rather form a material element of several criminal provisions under the French Criminal Code, including swindling, breach of trust, extortion and falsification. In particular, tax evasion is at the centre of France's fight against fraud and the French authorities take an increasingly rigorous approach when it comes to detecting and prosecuting tax fraud.

The introduction of the 2018 Anti-Fraud Act represented a first step in strengthening France's criminal legal arsenal against tax fraud. The number of suspected tax fraud cases that is on the radar of the public prosecutor is continuously rising as the 2018 Act introduced a duty for the French tax administration to refer significant cases to the public prosecutor.

More recently, new efforts to strengthen the levers for combatting tax fraud in France have been adopted. The French Parliament approved the French Finance Act (FFA) for 2024 (Loi de finances pour 2024) which was published on 30 December 2023 and took effect in January 2024. The FFA created, among other measures, a new and autonomous criminal offense for the provision of instruments that facilitate tax fraud (article 1744 of the French Tax Code). Individuals or legal entities that make available "legal, tax, accounting or financial means, acts or instruments, with the aim of enabling one or more third parties to fraudulently evade the assessment or payment of all or part of taxes" can now be prosecuted and face severe penalties for their complicity in tax fraud.

Germany

Like France, Germany is also focusing heavily on tax fraud and has been at the forefront of criminal investigation and prosecution of tax fraud related to the payment of dividends, also known as 'dividend stripping'. In 2021, Germany's highest court, the Federal Court of Justice, clarified that a dividend stripping scheme, called 'cum-ex' transaction, is considered fraudulent and amounts to criminal tax evasion. The decision prompted a wave of investigations and prosecutions which are continuing.

In the past few years, accounting fraud has also been on German legislative and regulatory agenda. On 3 June 2021, the German legislator has passed the Act to strengthen the Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität), which fundamentally reformed the accounting control procedure (Bilanzkontrollverfahren), to strengthen the integrity and stability of the German capital market.

Portugal

In Portugal, in December 2021, the Parliament enacted a law which created a General Regime for the Prevention of Corruption and related offences (Regime Geral de Prevenção da Corrupção, RGPC). ⁴ The regime started to apply to large companies in June 2023, and will start to apply to mid-size companies in June 2024 (i.e. companies with 50 or more employees). While the name suggests a focus on corruption, the new regime also covers "related offences", which include fraud-adjacent misconduct, such as embezzlement or subsidy fraud. ⁵ The new piece of legislation obliges large and mid-size companies to conduct risk assessment related to corruption and related offences, and to create and implement a prevention plan.

The implementation of RGPC is being supervised by the National Anti-Corruption Mechanism (Mecanismo Nacional Anticorrupção, MENAC). MENAC will be able to issue administrative penalties for non-compliance with the RGPC. However, its supervision is also likely to result in enhanced detection and criminal enforcement of corruption and related offences, including fraud.

The Netherlands

A recent study conducted in the Netherlands and Belgium revealed that 79 percent of the organisations that participated experienced internal and external fraud (attempts) and that a majority of them suffered actual damage as a result of that. The biggest concerns of organisations regarding fraud and scams are the loss of (online) data and other forms of cybercrime. ⁶ Dutch enforcement authorities, in particular the Dutch Public Prosecution Service (Openbaar Ministerie), are increasingly focusing on cybercrime as a form of fraud and have committed themselves to strengthen enforcement thereof under the Dutch Cybersecurity Strategy for 2022-2028. Recently, joint efforts of enforcement authorities participating in an international taskforce, including Dutch authorities, have led to a significant breakthrough in the fight against cybercrime by taking down the criminal operation of the LockBit ransomware group. ⁷

And similar to its neighbour Germany, the Netherlands is heavily focused on combating large-scale dividend stripping and other forms of tax fraud. The Dutch Public Prosecution Service believes that dozens of people and institutions were involved in dividend stripping that has cost the Dutch Tax Administration (Belastingdienst) EUR 26 billion in missed taxes since 2000. ⁸

United Kingdom

The UK government considers fraud as the most common crime, accounting for over 40 percent of all offences in England and Wales together. ⁹ To respond to this threat, in May 2023, the Home Office launched the Fraud Strategy, which aims to strengthen anti-fraud enforcement and to empower the public to report fraud. ¹⁰

As a part of that effort, UK legislators have recently reformed the rules on corporate liability (to expand this so that companies are found liable for a range of economic offences where these are committed by 'senior managers' – see our article here for more information) and introduced a new criminal offence of 'failure to prevent fraud'. ¹¹This offence is expected to enter into force this year. The failure to prevent fraud offence will make it an offence for a company to fail to prevent fraud committed by its 'associated persons' (which includes employees, subsidiaries and third parties), where the fraud is committed for the benefit of the company or its clients. The only defence will be to show that the company had in place 'reasonable procedures' to prevent fraud. This demonstrates a commitment to combatting fraud, and also emphasises the importance of robust corporate compliance programmes.

The new offence applies to 'large' companies ¹² (although in practice small companies may also be required to implement reasonable fraud prevention procedures, as they may be the 'associated person' of a large company).

Importantly, the jurisdictional reach of the offence is broad. It will apply to non-UK companies where part of the offence takes place in the UK – such as a meeting or communication in the UK – or where there are victims in the UK, which could include investors or counterparties. It will also apply for certain offences where there is a gain in the UK. This means that whether a company is subject to the offence will vary depending on the specific circumstances in which the fraud takes place. Many multinational companies are therefore conducting risk assessments and enhancing fraud procedures on a global basis.
Further information on the offence can be found in our UK team's article here.

Enhancing / implementing a fraud prevention program

In light of this increased focus on combatting fraud, corporations operating in Europe may want to consider revisiting their current internal systems and controls aimed at addressing fraud risks. That risk encompasses at least: (i) active fraud, that is practices in which the company, its employees or those operating on its behalf engage in fraudulent activities for the benefit of the company and / or the individual themselves; as well as (ii) passive fraud, that is incidents when companies themselves are the victim of fraudulent activity. Most companies tend to have compliance programmes targeting passive or 'inward' fraud, but very limited – if any – procedures addressing active or 'outward' fraud. In light of the evolving legislative framework, companies therefore may have some considerable work to do to enhance and / or implement an effective fraud prevention programme.

Steps that corporations may consider implementing in preparing for the growing risk of fraud include the following:

• Tailored fraud risk assessment (prepared in the light of regulatory developments) – fraud risk assessment is an important tool in identifying the most common and serious fraud threats within an organisation. When scoping a risk assessment, the following sources may be useful: scoping interviews with key stakeholders, past fraud issues within the organisation, but also an analysis of fraud related issues involving competitors or similar organisations. Additionally, risk assessments should take into account the local applicable legislative requirements, which differ from one jurisdiction to another. Particularly in light of the new UK failure to prevent fraud offence which effectively requires organisations to conduct a fraud related risk assessment, this is more important now than ever for multinational companies. Our UK team have prepared an article here on how to conduct effective anti-fraud risk assessments.
• Compliance culture survey for employees and associated persons – as fraud covers a very wide range of misconduct, an important way to prevent its various forms may be through reinforcing a culture of honesty. Any culture creation activity starts by measuring the current state of affairs. By better understanding the state of mind and spirit within the organisation.
  
  The culture survey may include questions regarding what employees consider dishonest, what level of exaggeration in statements they consider to be acceptable, but also how comfortable they feel when it comes to reporting misconduct. Cultural differences may play an important role in answers to such questions, and therefore it would be prudent for a company to conduct such a survey locally in every country of its operations.
• Senior level commitment – key to embedding a positive corporate compliance structure is a positive 'tone from the top', and an example set by management that non-compliance is never acceptable. It is expected that the UK failure to prevent fraud offence, for example, will effectively require that senior management / the Board sign off on the risk assessment and fraud procedures in place.
• Updating and / or implementing policies and training s, in particular to include examples of fraud – the output of the fraud risk assessment and culture survey will be important when drafting or updating anti-fraud policies and corresponding training sessions. Given the complexity of potential fraud offences and the variety of different scenarios in which they might occur, policies and training should include examples of fraud and/or case studies. This will make them more engaging and ensure that employees are better placed to spot fraud. The more tailored and varied examples, the better. Companies should also ensure they have in place monitoring processes to ensure continual review of the effectiveness of policies, procedures and to identify any potential instances of non-compliance. One of the most important areas to address are likely to be accounting controls.
  
  At the same time, the company should also make sure that its whistleblowing or speak-up system is accessible and easy to use, and that employees know how to and feel comfortable using it.
• Devising a third party management system which focuses on fraud risks – as mentioned above, in some jurisdictions, companies may be liable for fraud committed by their business partners and other associated persons. Assessing fraud risks and anti-fraud controls of third parties (and monitoring the activity of third parties) should therefore be a key part of their third party engagement process. It is also important to continue such checks on a periodical basis to ensure and encourage business partners to regularly assess and update their anti-fraud programmes. Companies may be able to build on procedures already in place: for example anti-bribery due diligence and monitoring processes.
• Response/investigation plan tailored to specific fraud scenarios – a company should also prepare its response plan (and potentially an investigation plan) in case misconduct is suspected. Having such plans in place allows for a prompt and proportionate response.
  
  While a generic investigation or response plan may be helpful, response plans tailored to specific fraud scenarios (identified, for instance, in the fraud risk assessment), may provide for even more effective guidance.
  
  When devising the response plans, regulatory developments, including those outlined above, should be taken into account. For instance, many fraud offences in the UK have extraterritorial reach. Therefore, to properly scope an investigation, it will be important to check whether there is any UK nexus that could justify the extraterritorial applicability of UK legislation.
  
  Where fraud involves external stakeholders (e.g. victims outside of the company), it will be important for the response plan to include, for instance, a PR strategy and public statements that can be released when necessary.

Conclusion

Fraud is increasingly becoming an area of attention for corporations operating in Europe. In various jurisdictions, legislative changes reflect the increasing attention that enforcement authorities pay to the combat against fraud. Corporations wishing to prepare for the changing landscape should consider the dual risk of fraud – active and passive – for their organisations, taking into account their activity and areas of exposure. Revisiting their own compliance programmes and updating existing systems and controls to meet the growing challenge is essential to mitigate the risks and allow organisations to stay out of trouble.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.