May 29, 2025

Corporate fraud costs the UK economy billions each year. 

In 2020, the Government asked the Law Commission to review how the law on corporate criminal liability could be improved to make sure that organisations are held accountable for serious crimes. In 2022, the Law Commission published a paper outlining various recommendations, one of which was the introduction of a new offence: ‘failure to prevent fraud’.

Following this, the UK Government introduced the offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). We previously published a blog on the ECCTA, which you can read here.

In this blog, we explore the key aspects of the new offence, who it applies to, available defences and what steps businesses should take to comply with the ECCTA. 

The offence of failure to prevent fraud

This new offence will come into effect on 1 September 2025.

Under the ECCTA, an organisation may be held criminally liable if an employee, agent, subsidiary or other ‘associated person’ commits fraud intending to benefit the organisation or, in certain circumstances, its client(s) and the organisation did not have reasonable fraud prevention procedures in place. 

The aim is to encourage organisations to improve their internal fraud prevention measures. 

The Government has issued guidance to help organisations understand what constitutes reasonable procedures, though this guidance is not legally binding. Courts may assess what is “reasonable” depending on each organisation’s unique circumstances. 

Compliance with the guidance does not automatically guarantee protection from liability and organisations should seek legal advice tailored to their specific circumstances rather than solely relying on the guidance. 

Note that this offence is in addition to existing fraud offences. Companies and individuals can still be prosecuted under these existing fraud offences. 

Which organisations fall within the scope of the offence

The offence applies only to large organisations defined in section 201 of the ECCTA. A large organisation is one that meets two or more of the following criteria in the financial year preceding the year in which the fraud offence occurred: 

  • Turnover exceeding £36 million 
  • Total assets exceeding £18 million
  • More than 250 employees

The above thresholds apply to the organisation as a whole, including subsidiaries, regardless of where those subsidiaries are located. 

Turnover refers to income from the organisation’s usual business activities after deductions of trade discounts, VAT and other applicable taxes. The turnover also includes the turnover of all relevant subsidiaries. 

A subsidiary can fall within the scope if it meets the large organisation test independently or even if it does not, where one of its employees commits fraud intended to benefit that subsidiary.

Territorial scope

The offence applies to large organisations based in the UK or organisations based overseas, but with a UK connection.

An organisation may be prosecuted if: 

  • one of the acts which was part of the fraud took place in the UK, or
  • the actual gain or actual loss occurred in the UK (not just intended gain or loss)

“Actual gain” means a benefit was actually obtained through fraud. “Actual loss” means real, measurable financial loss suffered by a victim in the UK. 

The focus is on outcomes rather than plans or attempts to commit fraud.  

While only large organisations fall directly in scope, the fraud prevention principles that apply to them represent good practice for smaller organisations as well and can help future-proof medium-sized organisations that may grow and fall within the scope in the future.


Fraud offences

The offence of failure to prevent fraud applies to specific fraud offences, which are listed in Schedule 13 of the ECCTA. 

Offences include: 

In England and Wales and Northern Ireland: 

In Scotland: 

Embezzlement (common law) 

Fraudulent trading

Fraud (common law)

Uttering (common law)

Who is an ‘associated person’?

An associated person is someone who performs services for or on behalf of the organisation. This includes employees, agents and subsidiaries, but it can also extend to contractors, consultants or intermediaries. 

For an organisation to be held liable under this offence, the fraud must be committed while the associated person is acting in the course of their role (while carrying out their duties for the organisation). If the person commits fraud purely in a personal capacity, with no connection to their work for the organisation, this will not give rise to corporate liability for the organisation.

It is important to note that small organisations can be treated as associated persons when providing services for or on behalf of large organisations. In such cases, large organisations may require these small organisations to comply with specific requirements in respect of the offence of failure to prevent fraud. 

What does ‘intending to benefit’ mean? 

The intention to benefit from the fraud is a key component of the offence. The fraud must be committed with the intention of benefiting either the organisation or its client. 

The benefit does not have to be realised. Even if the fraud is detected before any gain is obtained, corporate liability can still arise. 

The intention to benefit does not need to be the sole or primary reason for the fraud. For example, if a salesperson commits fraud to increase their commission, but in doing so also increases the organisation’s profits, corporate liability can still arise.

The benefit can be financial or non-financial, such as gaining an unfair business advantage or disadvantaging a competitor. 

However, an organisation is not liable if it is a victim or intended victim of the fraud, for example, if an employee defrauds their own employer. That said, indirect consequences of the fraud, such as reputational harm, do not classify the organisation as a victim for the purposes of this offence. 


Defence: reasonable fraud prevention procedures

An organisation would have a defence if it can demonstrate that, at the time of the fraud, it had reasonable procedures in place to prevent fraud or it was not reasonable, in all the circumstances, to expect it to have any such procedures in place. 

Where it seeks to rely on a defence, the burden of proof is on the organisation. 

Where a decision is made not to implement fraud prevention procedures, this should be recorded in a risk assessment, including the rationale and name/position of the decision-maker. 

The Government guidance sets out six principles for developing and maintaining effective fraud prevention measures: 

1. Top level commitment 

Senior leadership must promote a culture that rejects fraud and reinforces the importance of ethical conduct. 

2. Risk assessment

Organisations should regularly assess fraud risks, especially where individuals have opportunities or motives to commit fraud or where oversight is minimal. 

The guidance suggests considering the following 3 elements: 

  • Opportunity: Do the associated persons have an opportunity to commit fraud? Which roles or departments pose the highest opportunity to commit fraud? Do some associated persons operate with minimal oversight? How likely is detection of any fraud? 
  • Motive: Does the reward system incentivise fraud? Are there any particular financial pressures on the company, for example by way of financial targets? Do time pressures encourage staff to cut corners, potentially fraudulently?
  • Rationalisation: Is the organisation’s culture quietly tolerant of fraud? Is fraud prevalent in this business sector? 

3. Proportionate risk-based fraud prevention procedures

Fraud prevention measures should be proportionate to the risks and to the nature, scale and complexity of the organisation’s activities. The organisation should prepare a fraud prevention plan to comply with this principle.

The risk factors that should be considered include: 

  • Reducing opportunities for fraud
  • Reducing motives for fraud
  • Putting in place consequences for committing fraud
  • Reducing the rationalisation of fraudulent behaviour

4. Due diligence

To mitigate risks, an organisation should carry out proportionate and risk-based due diligence in respect of persons who perform services for the relevant body or on its behalf. 


5. Communication

The organisation’s policies against fraud should be communicated, embedded and understood throughout the organisation. This may involve regular training and implementing whistleblowing processes.

6. Monitoring and review 

The organisation should keep its fraud detection and prevention procedures under regular review and update them in response to changes in risk or in the organisation’s structure.

Enforcement

The offence of failure to prevent fraud can be prosecuted by the Crown Prosecution Service (England and Wales), the Crown Office and Procurator Fiscal Service (Scotland), the Public Prosecution Service for Northern Ireland and the Serious Fraud Office (England, Wales and Northern Ireland). 

The organisation’s willingness to cooperate and to make full disclosure will be taken into account in any subsequent decision as to whether criminal proceedings will begin against it.

The sanctions are set out in s. 199(12) of the ECCTA and are the following:

(a) on conviction on indictment, a fine

(b) on summary conviction in England and Wales, a fine

(c) on summary conviction in Scotland or Northern Ireland, a fine not exceeding the statutory maximum

Conclusion

The ‘failure to prevent fraud’ offence under the ECCTA is a major development in the UK’s approach to tackling corporate fraud. It places clear responsibility on organisations to take proactive steps to prevent fraud within their operations. 

Given the potential sanctions, it is vital for organisations to begin reviewing and strengthening their fraud prevention measures now, well before the offence takes effect in September 2025. 

If you are unsure whether your organisation is compliant, or you need assistance with developing or reviewing your anti-fraud policies and procedures, do not hesitate to contact us here.
