Uncovering fraud risks in mining company HR records

[Redator]

From September this year, large mining and metals companies with business activities in the UK will be subject to a new “failure to prevent fraud” (FTP) offence.

Introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), FTP applies to fraud committed by persons “associated” with a firm, where that offence is intended to benefit the organisation or its customers.

“Associated persons” can be employees, agents or subsidiaries of a firm, and include those who perform services on behalf of the business. 

The use of local agents and third-party service providers, to perform functions such as investigating opportunities, liaising with government authorities, securing permits and permissions, are particularly common working arrangements for mining companies, especially those with branches or operations in multiple jurisdictions.

As the FTP offence applies to all incorporated entities and partnerships that meet at least two of the three qualifying criteria of having more than 250 employees; turnover exceeding £36 million; and/or assets exceeding £18 million, this will take in a large swathe of UK-based mining and metals companies, as well as international companies with UK offices.

The mining industry has historically been regarded as a high-risk area for fraud, as mining and metal refining operations are often located in jurisdictions or regions where opportunities and incentives to commit fraud are prevalent.

Managing cost is also crucial in the mining sector due to fluctuating demand and prices for metals and minerals, which increases pressure to control costs and meet targets by whatever means necessary.

Additionally, the mining industry’s long, complicated supply chains are typically opaque and can provide opportunities for fraud to occur.

Focus of FTP

The FTP new offence shifts the focus from preventing frauds of which the business is the victim, to fraud committed by employees or associated third parties that benefit the organisation itself.

Examples of fraud committed by companies in the mining and metals sector for their own benefit might include materials not being delivered in the quantity or quality that has been procured; claiming there are employees on the payroll who don’t exist – for example to comply with local employment regulations; or falsification of documents, such as permits, delivery notes or invoices to speed up what can be frustratingly slow projects.

It is important to note that, for the purposes of the new FTP offence, fraud is distinct from corruption, which can include paying bribes, an illegal practice that is dealt with by the UK Bribery Act, which came into force in July 2011.

Like the Bribery Act, the new FTP offence is expected to significantly impact mining and metals companies’ compliance obligations in the UK and internationally.

Preventing fraud

FTP is a strict liability criminal offence, which means that where an underlying fraud can be proven, the organisation will be deemed liable for failing to prevent it. 

Provided the fraud can be (legally and practically) prosecuted in the UK, if convicted, the firm may receive an unlimited fine in addition to significant reputational damage. 

The only defence to the offence is for a firm to show it had reasonable and proportionate controls in place to manage the risk. 

In most mining and metals companies, as in other firms, the biggest risk will be offences committed by employees or people who work for the business in some capacity. 

According to the 2024 Association of Certified Fraud Examiners (ACFE) global Report to the Nations, which covers all types of fraud including those where businesses are the victim of frauds committed by either insiders or third parties, 78% of frauds reported last year were committed by employees (37%) or managers (41%), while the remaining 19% of frauds were committed by owners or executives.

This means mining company HR teams will need to play an important role in helping to build effective control frameworks, providing advice on the people risks inherent in choices made by the business, and using data collected and held on individual workers and the workforce as a whole to help spot where there is a risk of fraud being committed. 

But even where the risks are clear, identifying fraud before it takes place can be tricky – especially for globally spread-out mining companies.

Most mining companies will have designated officers with responsibility for bribery and fraud as part of a wider compliance remit. 

However, many will now need to assess and understand their high-risk areas in relation to the new FTP offence and consider what additional controls need to be put in place.

Fraud red flags

While motivations to commit fraud vary considerably, human pressures – such as personal financial difficulties, demanding sales targets, over-work, discontent with working conditions and performance concerns – are common drivers.

If a mining companies’ reward or bonus structure is weighted in a way that incentivises profit at all costs, this may serve as a business culture motivation for employees to breach fraud rules for their own personal benefit, which may have a knock-on effect that creates corporate criminal liability.

The cyclical nature of mining means that lay-offs and job losses are common, which can also cause employees stress.

HR teams are not always privy to employees’ feelings, but in many cases problems such as work-related stress and performance issues, which are red flag indicators for fraud, will be notified to HR and documented.

ACFE’s 2024 report data showed that almost half of fraud perpetrators (45%) experienced at least one HR-related red flag, with poor performance evaluations (14%), fear of job loss (12%), and being denied a raise or promotion (11%) cited as the most common issues.

However, for most mining companies, these red flag indicators will not make it out of the HR department and no additional safeguarding will be put in place to manage the potential higher risk.

There are good reasons for this, such as restrictions on sharing personal data under the General Data Protection Regulation (GDPR) as well as general expectations of confidentiality by employees who confide personal problems in their HR colleagues. 

Some barriers to sharing information, such as siloed working practices and lack of awareness of how to spot fraud risk and deal with it can be overcome with appropriate training, policies and processes.

Provided the HR team has identified and carefully considered a lawful basis (of which six exist under the GDPR) for sharing an employee’s personal information, this will be allowed under the GDPR. In the case of FTP, the lawful basis is likely to be “legal obligation” – i.e. the data processing is necessary for the organisation to comply with the law.

Even where HR may feel less able to report on individuals, they can take responsibility for mapping patterns and escalating those.

For example, if a number of people complain they cannot hit their targets, HR teams should be able to spot these patterns and query with managers whether those targets are in the right place. 

Other patterns or trends might include parts of the business where has been a lot of “churn” – i.e. people leaving the business and being replaced by new recruits, or there are outstanding vacancies in senior roles; these might mean there is less oversight of particular functions due to instability or lack of people to manage teams, which might give an opportunity for fraud to occur more readily.

For individuals who report feeling stressed or unhappy with their jobs, or who are on performance improvement plans (PIPs), it is sensible to ascertain whether those people have non-essential access to material or assets that give them opportunities to commit fraud, particularly if they have moved roles during their employment and may have historic access to sensitive material.

Mining HR teams should also consider working with senior management and team managers to instill a culture and appropriate channels where employees feel able to speak up, either about their own feelings or concerns about colleagues’ behaviour in relation to fraud.

Government guidance on FTP states that top level commitment from business leaders is required to ensure fraud risk is minimised, detected and prevented.

___________________
Sarah Partridge-Smith is a counsel in the Regulatory and Investigations practice and Alex McGregor is a partner in the Litigation practice at Dentons.