Final Report of the COVID-19 Counter-Fraud Commissioner: takeaways for public bodies and corporates

Context – a rapid response with slow-burn consequences

Hayhoe was appointed to review COVID-era schemes, with a particular focus on PPE procurement, furlough, small business grants and the Bounce Back Loan Scheme. His remit was to quantify losses, test the effectiveness of recovery efforts, and draw together lessons from an already crowded field of inquiries and select committee reports.

The report is explicit about what it does not cover. Allegations of cronyism and the PPE “VIP lane” are left to the COVID-19 Inquiry and parallel proceedings. Instead, Hayhoe concentrates on system design, data and governance – the factors that made it “easy” for fraudsters and opportunists to exploit hurriedly constructed schemes, often more than once.

Across the board, he finds that fraud controls were weakest at the point where they mattered most: in the early design and rollout of new schemes, when ministers were consciously trading off fraud risk against speed and the breadth of support. We consider three key themes emerging from the report below.

Fraud prevention is still not embedded

The first theme is institutional. Despite the creation of the Public Sector Fraud Authority and a growing body of guidance, fraud prevention remains insufficiently embedded in government thinking and practice. Counter-fraud capability varies widely between departments and arm’s-length bodies; data is fragmented; and accountability for fraud risk is often dispersed.

Hayhoe’s recommendations push towards a clearer statutory footing. He calls for fraud prevention to become a legal duty for public bodies, backed by clear lines of responsibility for senior officials and automatic reporting of higher-value or sensitive cases. He also urges a shift to “promote a culture of innovation in fraud prevention” – fraud must be treated as a primary design risk, not an afterthought once money has flowed.

There is an important read-across for business. Hayhoe highlights the scope for modern technology – including AI-driven analytics – to identify suspicious patterns across multiple schemes and data sets. The government’s Anti-Corruption Strategy 2025 makes a similar point from the enforcement side, flagging AI and machine learning as a lever for faster investigations and testing an AI “corruption investigation assistant”. But both documents land on the same practical reality: tools only deliver if data quality, governance and clear accountability are in place.

Ambitious crisis schemes demand stronger scrutiny

The second lesson is about emergency decision-making. The report is unambiguous that large, rapidly deployed schemes are intrinsically high-risk from a fraud perspective. The pressure to act at pace, coupled with intense political scrutiny, created the conditions in which the “opportunity” leg of the fraud triangle widened dramatically.

Hayhoe recommends that core guidance – including Managing Public Money – be updated so that fraud and error risk, and the likely cost of any future “clean-up”, are explicitly factored into business cases and ministerial directions. In practice, that means challenging assumptions early and asking the correct questions: are self-certification by applicants and 100% government guarantees to lenders really the only viable options; what is the enforcement model; how will data be used to spot anomalies in real time; and who owns the downside risk if red flags are ignored?

For corporates, this is a reminder that emergency and crisis conditions tend to be high-risk in the private sector too: fast-moving decisions, stretched controls and heightened incentives can create the same fraud pressures seen in government schemes. That is reflected in the Home Office guidance on the new failure to prevent fraud offence, which warns that “fraud risks may increase during emergencies” and that failing to assess relevant emergency scenarios may mean an organisation is not regarded as having reasonable fraud prevention measures in place.

Lenders, outsourcers and major suppliers that deliver government programmes can expect closer scrutiny of how they assessed fraud risk, what controls they operated, and whether those controls were adjusted as risks evolved.

Enablers, transparency and data

A third strand concerns professional enablers and transparency. Hayhoe notes instances where advisers helped clients to exploit public schemes, and he emphasises the deterrent value of visible enforcement and communications – making it clear that COVID-19 fraud is not a victimless crime, but one that directly affects public services. This emphasis on the role of advisers echoes the government’s recently launched Anti-Corruption Strategy, which commits to scaling capability to pursue professional enablers and to tightening oversight of the professional services sector – including by consolidating the UK’s fragmented AML supervisory model.

The report is critical of opaque grant, loan and contracting processes, especially where awards were made to smaller or newly-formed entities. Better data on beneficial ownership, connected parties and cross-scheme exposure is presented as essential to preventing abuse. The Anti-Corruption Strategy reinforces this in the procurement context, committing to better data quality under the Procurement Act 2023 transparency regime, and improved access to procurement data for public reporting. Here the report explicitly links to wider reforms under the Economic Crime and Corporate Transparency Act, suggesting that improved Companies House data and new transparency obligations should be harnessed to strengthen public-sector due diligence on all counterparties, not just larger corporates.

Hayhoe also proposes an HM Treasury-convened scrutiny panel to review high-risk schemes, bringing together counter-fraud, commercial and law-enforcement expertise. That is likely to translate into deeper questioning of counterparties’ own controls, particularly where private firms are administering or marketing public support.

What businesses should do now

• Build crisis scenarios into fraud risk assessments. Treat emergencies as foreseeable: ensure that your fraud risk assessment considers relevant emergency scenarios, and stress-test controls for fast-moving decisions, stretched teams and high volumes.
• Strengthen data, governance and analytics. Invest in data quality, access controls and auditability so that analytics (including AI) can actually spot anomalies.
• Tighten counterparty and supply-chain scrutiny for public money flows. Use Companies House and other transparency data to understand ownership and connections, and apply enhanced diligence where entities are newly formed, thinly capitalised, or appear across multiple awards.
• Revisit the role of advisers and intermediaries. Treat third parties who help access or distribute public funds as higher-risk relationships with active oversight.
• Prepare for recovery activity and thematic reviews. Expect further enforcement, litigation and data-led reviews in areas seen as high-risk.

Conclusion

Hayhoe’s report is, inevitably, an exercise in looking back at a unique crisis. But its recommendations are firmly forward-looking. They anticipate a world in which fraud is treated as a core strategic risk in the design of public programmes, where data is used more systematically, and where private-sector participants are expected to carry a greater share of the compliance burden. In that sense, Hayhoe’s findings sit comfortably alongside the government’s broader economic crime agenda – including its Anti-Corruption Strategy and the promised Fraud Strategy.

If there is one key lesson for organisations, it is this: treat emergencies as foreseeable, and make sure your controls will hold when faced with a crisis situation.

Authored by Reuben Vandercruyssen, Olga Tocewicz and Alex Cumming.