Guidance for charity trustees about serious incidents: how to spot them and how to report.
Trustees’ reporting responsibilities
This guidance helps trustees identify serious incidents and ensure that they are reported to the Charity Commission. It also explains how to report them.
The Commission requires charities to report serious incidents. A serious incident is an adverse event, whether actual or alleged, which results in or risks significant:
- loss of your charity’s money or assets
- damage to your charity’s property
- harm to your charity’s work, beneficiaries or reputation
The most common type of incidents are frauds, thefts, significant financial losses, criminal breaches, terrorism or extremism allegations, and safeguarding issues.
If a serious incident takes place, you need to report what happened and explain how you are dealing with it, even if you have reported it to the police, donors or another regulator.
Who should report?
The responsibility for reporting serious incidents rests with the charity’s trustees. In practice, this may be delegated to someone else within the charity, such as an employee or the charity’s professional advisers.
However, all trustees hold ultimate responsibility for ensuring their charity makes a report, and does so in a timely manner.
If you’re reporting the incident as a trustee, you need to confirm that you have authority to report on behalf of the trustee body. If it’s someone other than a trustee, they should declare who they are, their relationship with the charity and confirm that they have the authority of trustees to report it.
The serious incident reporting framework and this guidance is for trustees. If you are an employee of a charity and you suspect serious wrongdoing within the organisation, for example criminal offences or health and safety breaches, or you discover that the charity has deliberately hidden serious incidents, you can speak out safely and report this to the Commission.
To find out more, go to whistleblowing: guidance for charity employees.
If you are an auditor or independent examiner of charity accounts, there are separate whistleblowing duties and protections. Refer to the Commission’s guidance for auditors and independent examiners of charities.
Why must you tell the Commission?
Given the challenging nature of the work undertaken and the difficult context faced by many charities, it is likely that serious incidents will occur. Where this is the case, it is the Commission’s regulatory role to ensure that trustees comply with their legal duties and that the charity manages the incident responsibly, taking steps to limit its immediate impact and where possible, prevent it from happening again.
Most problems can be resolved by trustees themselves, in some cases with timely advice from professional advisers. Taking action quickly will help protect your charity from further harm and ensure that confidence is maintained in it, as well as benefiting other charities by improving public confidence in the sector as a whole.
In more detail
The Commission needs to ensure trustees comply with their duties:
By reporting a serious incident, you demonstrate that you have identified a risk to the charity and that the trustees are taking appropriate action to deal with it. This is very important because protecting the assets, reputation and beneficiaries of the charity are essential trustee responsibilities.
The potential for reputational damage can be lessened, however, if you can show that the incident has been handled well; this will also allow the Commission, if asked by the media, Parliament or the public, to state that the trustees acted responsibly.
Trustees should always put appropriate safeguards in place and take reasonable steps to ensure their charity is not exposed to undue risk. Otherwise it can be vulnerable to fraud, theft or other kinds of abuse and trustees may be in breach of their duties.
The Commission may need to offer regulatory advice or guidance:
Timely reporting allows the Commission to identify problems in charities at an early stage, and where appropriate, to provide regulatory advice and guidance to trustees to ensure they meet their legal duties.
In more serious cases, where charities’ assets, reputation, services or beneficiaries have been harmed, or are at significant risk, the Commission may need to intervene by using its temporary or protective powers in order to safeguard charity assets and put it back on track.
The Commission can assess the risk to other charities:
Serious incident reporting helps the Commission to gauge the volume and impact of incidents within charities and to understand the risks facing the sector as a whole. This insight will inform the Commission’s approach as regulator and may lead it to issue timely advice, guidance or alerts to warn other charities of identified risks and how to manage them.
The Commission’s Risk Framework explains how it assess risk and when it may become involved in charities. For detailed guidance on trustee duties, see the essential trustee: what you need to know, what you need to do (CC3).
When to report
You should report an actual or suspected incident promptly. This means as soon as is reasonably possible after it happens, or immediately after you become aware of it.
How to report
This section explains how to report an actual or suspected serious incident in your charity. You can also find out what types of incident the Commission expects you to report and how to recognise these.
Actions you need to take
If something does go wrong, you should take immediate action to:
- prevent or minimise any further harm, loss or damage
- report it to the Commission as a serious incident, email RSI@charitycommission.gsi.gov.uk
- report it to the police, if you suspect a crime has been committed, and to any other regulators the charity is accountable to
- plan what to say to your staff, volunteers, members, the public and the media
- review what happened and prevent it from happening again - this may include strengthening internal controls and procedures, and/or seeking appropriate help from professional advisers.
You should report what happened and explain how you’re dealing with it, even if you have already reported it to the police or another regulator.
The Commission does not itself investigate criminal offences, safeguarding or health and safety incidents - lead responsibility rests with other statutory agencies and regulators. However, the Commission may need to make contact with the police or other regulators and follow up on their investigations.
You may find it helpful to refer to the reporting checklist below.
When making a serious incident report, you should provide details of:
- who you are and your connection to the charity
- the authority you have to report on behalf of the charity’s trustees
- who in the trustee body is aware of the incident, for example all or only the Chair
- what happened and when the charity first became aware of it
- action being taken to deal with the incident and prevent future problems
- whether and when it was reported to the police or another regulator/ statutory agency (including official reference numbers)
- media handling lines you may have prepared
If, having read this guidance, you’re unsure whether the incident should be reported, it’s best to report it anyway - the Commission can then decide what to advise you and what action, if any, is appropriate.
It’s important that you provide enough detail in your report to give the Commission a clear picture of what happened and when, the extent of any loss, how you’re dealing with it and the possible next steps. There is no minimum loss figure that should be reported.
You should always report any actual or suspected criminal activity - do not wait until someone is arrested, charged or convicted before reporting the incident.
You should report incidents of fraud to Action Fraud, ensuring you get a crime reference number and making clear that you’re representing a charity. Action Fraud is a national reporting centre specifically for reporting frauds and has an online fraud reporting service, available 24 hours a day. The website includes an A to Z of fraud types.
You should report theft (or suspected theft) to the police and obtain a crime reference number. If you’ve already reported a serious incident to the police or another regulator, you should still make a report direct to the Commission, as its regulatory interest is different from that of other agencies.
In areas of high risk, the Commission cannot rely on other agencies to engage proactively - they may be prohibited from doing so because legal processes are underway. Therefore it is important that charities take the initiative and report the incident promptly to the Commission.
To minimise work, if you prefer, you can simply forward the Commission a copy of your report made to another agency. Where regulatory interests overlap, the Commission will identify this and ensure that work is not duplicated and burdens on you increased. It may engage with the relevant agency and agree that they will take the lead on the issue, without the Commission needing to take further action.
Remember - If reporting to the police or to Action Fraud, you should also make a serious incident report to the Commission, following the advice above.
Reporting multiple incidents
Some incidents may occur more frequently within certain charities due to the scope or nature of their activities - for instance, a charity may be more vulnerable to fraud if it undertakes a lot of complex financial trading. Where charities are in regular contact with the public and vulnerable beneficiaries, the likelihood of allegations being made and incidents occurring can be higher.
Where charities work overseas (particularly in high risk areas), they may be more vulnerable to harm and loss. The Commission recognises the valuable work charities do internationally, often in difficult circumstances - in such contexts, if trustees are acting responsibly in dealing with incidents, periodic/multiple reporting is acceptable, provided that particularly serious or significant incidents are reported straight away.
If your charity is likely to make regular multiple reports, you can submit periodic reports (‘bulk’ reports) rather than separate (‘single’) reports for each incident. Many larger and well established charities have accounting and audit systems in place for periodic reporting to their own boards. These reports can be used or adapted for the Commission rather than formatting a new one, so long as they include the information outlined in the reporting checklist above.
If you choose to submit a bulk report in this way, you should be confident that each incident listed is reportable and worthy of inclusion; you should also provide sufficient detail regarding each incident, or the Commission may have to contact you for more information. However, where an incident is particularly serious for the charity or likely to attract significant media attention, this should be reported straight away and not saved for a bulk report.
If, due to the nature of its activities, your charity is likely to report more than 50 incidents a year, in order to ensure an effective reporting solution, you can submit a discussion request to the Commission by emailing firstname.lastname@example.org
Declaration in the Annual Return
As a matter of good practice, all charities, regardless of size or income, should report serious incidents to the Commission promptly.
If your charity’s income is over £25,000, you must, as part of the Annual Return, sign a declaration confirming there were no serious incidents during the previous financial year that should have been reported to the Commission but were not. If incidents did occur, but weren’t reported at the time, you should submit these before you file your charity’s Annual Return, so you can make the declaration.
Until all serious incidents have been reported, you will not be able to make this declaration, or complete the Annual Return, which is a statutory requirement under section 169 of the Charities Act 2011. Be aware also that it’s an offence under section 60 of the Charities Act 2011 to provide false or misleading information to the Commission.
If you fail to report a serious incident that subsequently comes to light, the Commission may consider this to be mismanagement, for example, where the trustees have failed to manage the risks properly and breached their legal duties. This could prompt regulatory action, particularly if further abuse or damage has arisen following the initial incident.
What happens next?
The Commission will let you know that it has received your report. It will assess the risk and look at how you’re dealing with the incident, and may take steps to verify the details, for example by contacting the police. The Commission will need to correspond with your further if it:
- needs more information about the incident
- considers your charity needs regulatory advice and guidance
- has to use its legal powers to protect your charity
- requires you to provide future, timely updates
- needs to monitor your progress in dealing with it
As part of the Commission’s digitalisation programme, in future, trustees will be able to report serious incidents through our online services. Different information prompts will be triggered depending on the type of incident being reported, helping to ensure the right basic information is provided. This will make it easier for trustees to submit timely and accurate reports direct to the Commission.
What to report
This section tells you what types of incident the Commission expects you to report and outlines the different authorities or agencies that may be involved. Remember, when making your report, to follow the advice and checklist included in the ‘how to report’ section of this guidance.
You should report an incident if it results in, or risks, significant loss of your charity’s money or assets, damage to your charity’s property or harm to your charity’s work, beneficiaries or reputation.
The main categories of reportable incidents are:
- financial crimes - fraud, theft and money laundering
- large donations from an unknown or unverifiable source, or suspicious financial activity using the charity’s funds
- other significant financial loss
- links to terrorism or extremism, including ‘proscribed’ organisations, individuals subject to an asset freeze, or kidnapping of staff
- suspicions, allegations or incidents of abuse involving beneficiaries
- other significant incidents, such as - insolvency, forced withdrawal of banking services or actual/ suspected criminal activity
Examples table: deciding what to report (PDF, 282KB, 6 pages)
Fraud and theft information checklist (PDF, 145KB, 2 pages)
Financial Crime: Fraud, theft and money laundering
Fraud and theft are different criminal offences. They may relate not just to a charity’s funds and financial assets, but also to other assets, such as databases and confidential or sensitive information held. The impact on a charity can be significant, going beyond financial loss. These crimes cause distress to trustees, staff, volunteers and beneficiaries; they may also bring adverse publicity to the charity and damage its good reputation with donors, beneficiaries and the public, as well as that of the charity sector more generally.
Fraud is dishonesty, involving either false representation (such as identity fraud), failing to disclose information, or abuse of position, undertaken in order to make a gain or cause loss to another.
The risks to your charity from cyber-fraud are increasing all the time. Over 70% of all fraud is now committed online and it has been described as ‘the crime of our times’. These crimes can be quite complex and difficult to detect, often involving data breaches or identity fraud.
It’s important to consider how best to protect your charity from harm online. You can read detailed advice from government on improving cyber security and how to become accredited under the Cyber Essentials Scheme.
Theft is dishonestly taking property belonging to another with the intention of permanently depriving the other of it.
Money laundering is where criminals turn the proceeds of crime (‘dirty’ money) into property or money (‘clean’ funds) so that they appear lawful and legitimate - this avoids suspicion or detection. Unfortunately, the good reputation and public confidence enjoyed by a charity can also make it a target for criminals looking for a safe hiding place for illegitimate funds.
You can substantially reduce the risks of your charity being used as a vehicle for money laundering by following the due diligence ’know your donor’ principles set out in Chapter 2 of the Commission’s Compliance Toolkit.
Remember, there is no minimum loss figure that should be reported - you need to decide whether incidents are serious enough to report, in the context of your charity and its income, taking account of the actual harm and potential risks posed.
However, the higher the value of the loss, the more serious the incident is likely to be, indicating it should be reported. Other factors that are likely to indicate seriousness include:
- where the person accused of taking the funds/ assets is involved in the charity, particularly if he/she holds a senior position or has responsibility for financial management, such as the CEO or Treasurer on the board of trustees
- where the person accused is involved with other charities
- numerous incidents have taken place that appear connected
- a single incident has been committed over a long period of time
- a number of separate incidents have occurred over a short period
- the funds lost/at risk are from a public appeal, collection or grant
- if there’s public interest, such as significant media reporting
- where the charity has taken serious action against an individual, such as disciplinary procedures or suspension
Be aware that ‘low value’ incidents can pose serious risks - they may be a sign that individuals are trying to avoid detection. Repeated or frequent incidents can be symptomatic of weak financial controls and poor governance, leaving a charity more vulnerable to fraud or theft. Therefore, if there have been repeated incidents of low value fraud or theft in your charity, the Commission would expect you to report this.
For some charities, due to the nature of their activities (for example, shops or trading outlets), the risk of incurring loss or being the victim of crime is higher. If your charity relies on cash-based fund raising, it may be more vulnerable to organised fraudsters, who can take advantage of the trust and honesty shown by trustees or volunteers. For advice on protecting your charity from fraud and financial crime, see Chapter 3 of the Commission’s Compliance Toolkit.
If you decide that an incident is not serious enough to report, it’s still important that you handle the situation appropriately and take reasonable steps, perhaps by tightening financial controls and procedures, to ensure it doesn’t happen again. For further advice on improving your charity’s financial controls see Internal financial controls for charities (CC8).
Unverified or suspicious donations
You should act with ‘due diligence’ and be mindful of donations to your charity from sources that cannot be verified, or you may be in breach of your duties under the Finance Act 2011. This means you need to keep records of substantial donors and transactions, in order to avoid a tax liability.
Be alert to unusual donor activity, such as a large, one-off donation or a series of smaller donations from an unfamiliar, unverified or anonymous source; donations may take forms other than money, for example shares or goods.
As a guide, trustees should report, via email, unverified or suspicious donations totalling £25,000 or more, providing the assurance detail outlined above.
However, remember that in the case of ‘low value’ incidents, you should use your own judgement to decide whether it’s serious enough to report, taking into account all the relevant factors.
For more information on donations and verification, see Chapter 2 of the Commission’s Compliance Toolkit: Due diligence, monitoring and verifying the end use of charitable funds.
You should also report if you are concerned about any other suspicious financial activity connected to the charity’s funds. This might include requests from third parties to:
- cash a cheque for a large sum of money
- convert large quantities of cash into another currency
- pay a fee to release funds to be donated to the charity
Other significant financial loss
Report any significant financial loss due to other causes; where this threatens the charity’s ability to operate and serve its beneficiaries, or where the charity’s financial reserves are not sufficient to cover the loss. For example:
- significant fire, flood or storm damage destroying or seriously damaging the charity’s main premises
- having to abandon property, for example in a war zone overseas
- losing a court case and having to pay substantial legal fees or damages out of charity funds; charities incurring costs through routine litigation, undertaken in line with charitable aims and on behalf of beneficiaries, are not expected to report
- losing significant institutional donors, public funding or key delivery contracts and being unable to replace these in order to ensure the charity’s survival
- significant financial penalties for breaches or non-compliance imposed by HMRC, Financial Conduct Authority, Health and Safety Executive, Information Commissioners Office, Fundraising Regulator or other regulators
In the most serious cases, the loss could mean your charity cannot continue to operate and may need to ‘wind up’. For further guidance on how to protect your charity, see CC12 Managing Financial Difficulty and 15 questions on financial distress.
As a guide for this type of incident, the Commission would expect you to report any loss of funds or property with a value in excess of 20% of the charity’s income, or totalling over £25,000. For amounts lower than that, you should decide if they are significant and should be reported, taking the charity’s income, work and other factors into account.
You don’t need to report financial loss such as a decrease in the value of investment funds, impairments, asset write-downs, pension deficits and bad debts, unless they pose a significant threat to the solvency of the charity. Remember, when reporting to the Commission, you should state what happened, the nature of the risk and the steps you’re taking to deal with the incident.
Links to terrorism and extremism
These types of incidents include discovering that someone within or connected to the charity does business with, or has links to, terrorist groups, or is subject to an asset freeze; also, where property has been stolen by terrorist groups, or charity money, personnel or other assets have been used to support terrorist activities.
You should report to the Commission if you become aware of allegations being made, or have evidence to suspect that:
- your charity (including trustees, members of staff, volunteers or anyone connected with the charity) has known or alleged links to a proscribed organisation or other terrorist/ unlawful activity
- someone within or closely connected to the charity, or one of your delivery partners, is placed on a UK or international terrorist list or is subject to an asset freeze
- charity funds or assets have been used to pay bribes, protection money or ransoms
- charity funds or assets have been used/ diverted (perhaps via a delivery partner) to support a terrorist group or terrorist activity
- the charity has been used to circumvent asset freezing measures
- charity personnel have been kidnapped or harmed by terrorist groups, including if overseas on charity work/ operations
You must also report your concerns or suspicions to the police immediately. If you don’t, you may be committing a criminal offence under Section 19 of the Terrorism Act 2000.
You can report an incident to the police in the following ways:
- via the National Crime Agency website
- calling the Metropolitan police anti-terrorist hotline on 0800 789 321
- call 101 or report it at a local police station
For more information about how to protect your charity from terrorist activity, see chapter 1 of the Commission’s Compliance Toolkit, Protecting charities from harm.
You can find a list of proscribed (banned) organisations on GOV.UK
You should also be aware of the risks to your charity of being abused for extremist purposes; for example, when carrying out activities and events involving guest speakers or when promoting literature and educational materials, perhaps via the charity’s website and on social media. You should report to us if:
- you know or suspect that your charity’s premises or activities have been misused as a platform for the expression or promotion of extremist views, or the distribution of extremist materials
- you become aware of media reports alleging that your charity has been misused for such purposes, particularly if you believe these could damage your charity’s reputation
For detailed advice about protecting your charity from extremism, see chapter 5 of the Commission’s Compliance Toolkit
You should make a report if any of the following things occur:
- beneficiaries of your charity (adults or children) have been, or alleged to have been, abused or mistreated while under the care of the charity, or by someone connected with the charity, for example a trustee, staff member or volunteer
- there has been an incident where someone has been abused or mistreated (alleged or actual) and this is connected with the activities of the charity
- there has been a breach of procedures or policies at the charity which has put beneficiaries at risk, including failure to carry out checks which would have identified that a person is disqualified in law, under safeguarding legislation, from working with children or adults.
Safeguarding involves both children and adults at risk. An incident of abuse or mistreatment includes neglect. If you have grounds to suspect that such incidents may have occurred, it is important to take action promptly: As well as reporting to the Commission, depending on the incident, you should also notify the police, local authority and the relevant regulator or statutory agency.
The Commission is not responsible for dealing with incidents of actual abuse or mistreatment and it does not administer safeguarding legislation. It cannot prosecute or bring criminal proceedings, although it may refer concerns on to ‘lead agencies’, such as the police, local authorities and the Disclosure and Barring Service (DBS), as well as to specialist bodies responsible for designated areas, such as education or health and social care.
The Commission’s role is to ensure the charity’s trustees are handling the incident responsibly, and where necessary, putting in place improved governance and internal controls, in order to protect the charity and its beneficiaries from further harm.
Sometimes charities that carry out particular activities, such as care or education services, will also be regulated by other agencies and required to report safeguarding incidents to them. It is important that these charities know what the different requirements are for each regulator and ensure they comply with them. You should let the Commission know which other agencies you have reported an incident to.
Charities that undertake specialist, safeguarding work (in line with their charitable aims) and, as a result, deal routinely with safeguarding incidents, are not expected to report these matters to the Commission as regulator.
For further guidance on safeguarding, see strategy for dealing with safeguarding issues in charities.
Other Significant incidents including disqualified trustees, insolvency, forced withdrawal of banking services, or actual/ suspected criminal activity
You should make a report to the Commission if:
- you discover that one of the trustees is disqualified in law, under s178 of the Charities Act 2011, from acting as a trustee; for example, due to an unspent conviction for fraud or theft, being an undischarged bankrupt, or being disqualified as a director under company law
- something has happened to force your charity into insolvency (if a company or CIO) or to wind up, for example unmanageable debts or reduced income streams
- your charity’s operations are threatened by the combined impact of forced withdrawal of banking services (usually the charity’s primary or sole account) and difficulties in securing alternative accounts from within the regulated banking sector
- your charity is subject to a police investigation or a significant investigation by another agency/ regulator. You do not need to report routine inspections by, for example, Ofsted or Care Quality Commission, unless they have resulted in significant adverse findings or are likely to attract negative media attention
- major governance issues, such as mass resignation of staff or trustees, or other events, leaving the charity unable to operate
- the charity’s trustees or employees are the subject of criminal proceedings, in connection with the charity or their role in it
For further guidance on when a person may be disqualified in law from being a trustee, see finding new trustees: what charities need to know (CC30)
Data protection and confidentiality
When trustees report serious incidents, some of the information provided may be of a sensitive nature. The Commission will handle this responsibly and with care - information is required only to carry out its statutory functions.
As a public authority and a ‘data controller’, the Commission is subject to the Freedom of Information Act 2000 and the Data Protection Act 1998.
The Commission will not disclose personal data to others unless:
- you have given consent to release
- the Commission is legally bound to disclose the information
- the Commission regards disclosure as necessary in order to properly carry out its statutory functions
The Commission may also disclose information or personal data to another relevant public authority, but only where lawful to do so; and where for the purposes of national security, law enforcement, or other issues of overriding public interest, such disclosure is necessary.
In short, any such disclosure will be lawful, fair and made only to serve the Commission’s statutory objectives as regulator.
For more information on media handling, trustees can refer to the Commission’s guidance public statements about investigations and other regulatory work.
Published: 2 June 2014
Updated: 22 September 2017
- Updated guidance, based on feedback from a public consultation.
- Added detailed guidance on reporting different types of incidents.
- First published.