Failure to Prevent Fraud: What the New Corporate Offence Means for UK Businesses

The introduction of the Failure to Prevent Fraud offence under the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) represents one of the most significant developments in UK corporate criminal liability for many years.

Although the offence came into force on 1 September 2025, many organisations have yet to appreciate the practical implications of the legislation or assess whether their existing compliance frameworks provide adequate protection.

For large organisations, the legislation fundamentally changes the way fraud risk should be managed. The emphasis is no longer simply on identifying wrongdoing after it has occurred. Instead, businesses are expected to demonstrate that they have taken reasonable and proportionate steps to prevent fraud before it happens.

This article considers the scope of the new offence, the organisations affected by it and the practical measures businesses should now be taking.

Why Has the Government Introduced This Offence?

Economic crime remains one of the most significant threats to the UK economy. Fraud alone is estimated to cost businesses and consumers billions of pounds each year, while wider economic crime—including bribery, money laundering and sanctions breaches—continues to undermine confidence in UK markets.

Historically, prosecuting large companies for economic crime has often proved difficult. Prosecutors were generally required to demonstrate that individuals who represented the “directing mind and will” of a company were personally involved in, or aware of, the criminal conduct. In practice, this was often a substantial evidential hurdle.

The Government’s objective in introducing the Failure to Prevent Fraud offence is to encourage organisations to adopt stronger governance, improve internal controls and foster a culture in which fraud prevention is treated as a core business responsibility rather than merely a regulatory requirement.

The legislation follows the approach already adopted under the Bribery Act 2010 and the Criminal Finances Act 2017, both of which introduced similar “failure to prevent” offences in relation to bribery and the facilitation of tax evasion.

What Is the Failure to Prevent Fraud Offence?

Under ECCTA, a large organisation may commit a criminal offence where:

  • an associated person commits a specified fraud offence;
  • the fraud is intended to benefit the organisation or a person to whom services are provided on its behalf; and
  • the organisation cannot demonstrate that it had reasonable fraud prevention procedures in place at the time the fraud was committed.

Unlike traditional corporate criminal liability, prosecutors do not need to establish that the company’s directors or senior management authorised, encouraged or even knew about the fraudulent conduct. The focus instead is on the adequacy of the organisation’s systems and controls.

This represents a significant shift in corporate criminal law. The question is no longer simply “Who committed the fraud?” but also “What did the organisation do to prevent it?”

Which Organisations Are Affected?

The offence currently applies to organisations meeting at least two of the following statutory thresholds:

  • annual turnover exceeding £36 million;
  • total assets exceeding £18 million; or
  • more than 250 employees.

Although smaller organisations are currently outside the scope of the offence, many are choosing to adopt similar compliance measures. Commercial clients, lenders, insurers and regulators increasingly expect businesses of all sizes to demonstrate effective governance and fraud prevention procedures.

For businesses operating within supply chains or regulated sectors, adopting appropriate fraud controls is becoming a commercial necessity rather than simply a legal obligation.

Who is an “Associated Person”?

One of the most important aspects of the legislation is the broad definition of an associated person. Many organisations assume that the offence is limited to misconduct by employees. That is not the case.

An associated person may include:

  • employees;
  • directors and officers;
  • agents;
  • contractors;
  • consultants;
  • subsidiary companies and their employees;
  • intermediaries; and
  • any other person performing services for or on behalf of the organisation.

This wider definition reflects the reality that modern businesses often operate through complex corporate structures and outsourced service providers. Consequently, organisations should consider fraud risks arising not only within their own workforce but also throughout their wider commercial relationships.

Why Does This Matter?

Many organisations already have anti-fraud policies or financial controls in place. However, simply having written policies is unlikely to be sufficient.

If a prosecution follows a fraud committed by an associated person, investigators will expect to see evidence that fraud prevention was embedded within the organisation’s governance arrangements. Questions are likely to include:

  • Was an appropriate fraud risk assessment undertaken?
  • Were policies tailored to the organisation’s business?
  • Did senior management actively promote an anti-fraud culture?
  • Were employees adequately trained?
  • Was appropriate due diligence undertaken before engaging third parties?
  • Were compliance procedures regularly reviewed and updated?

Businesses that cannot answer these questions convincingly may struggle to establish the statutory defence.

The Potential Consequences

A conviction under the legislation can have significant commercial consequences.

Financial Penalties

The legislation provides for an unlimited financial penalty. The level of any fine will depend upon factors such as the seriousness of the offending, the organisation’s financial position and the overall circumstances of the case.

Reputational Harm

For many organisations, reputational damage may prove far more costly than the financial penalty itself.

Customers, investors, banks, insurers and regulators increasingly place significant emphasis on corporate governance and ethical business practices. A criminal conviction may affect future investment, contractual relationships and public confidence for many years.

Regulatory Consequences

Depending upon the sector involved, a conviction may also trigger increased regulatory scrutiny, enhanced reporting obligations or difficulties in obtaining licences, regulatory approvals or public sector contracts.

For professional services firms and regulated businesses, these wider consequences may be particularly significant.

What Are “Reasonable Fraud Prevention Procedures”?

The legislation does not prescribe a single compliance framework that every organisation must adopt. Instead, organisations are expected to implement procedures that are reasonable and
proportionate to their particular circumstances. Government guidance identifies six key principles.

Risk Assessment

Every organisation should understand where fraud risks arise within its business. This assessment should consider operational activities, financial processes, procurement,mthird-party relationships and any areas where opportunities for dishonest conduct may exist.

A risk assessment should not simply be prepared and filed away. It should be reviewed regularly and updated whenever the business changes.

Proportionate Procedures

Fraud prevention measures should reflect the size, complexity and nature of the organisation. For some businesses, this may involve sophisticated compliance systems.

For others, well-documented financial controls, clear reporting procedures and effective management oversight may be entirely appropriate. The emphasis is on proportionality rather than perfection.

Commitment from Senior Management

Fraud prevention cannot simply be delegated to the compliance department. Senior management should actively demonstrate that ethical conduct forms part of the organisation’s culture.

Employees are far more likely to comply with internal procedures where leadership consistently reinforces their importance.

Due Diligence

Businesses should carry out appropriate due diligence before appointing agents, consultants, contractors and other third parties. The extent of that due diligence should reflect the level of risk presented.

In higher-risk sectors or overseas operations, enhanced checks may be appropriate.

Communication and Training

Policies are of limited value if employees do not understand them. Regular training should explain:

  • what constitutes fraud;
  • how concerns should be reported;
  • the organisation’s internal procedures; and
  • the potential consequences of non-compliance.

Training should be refreshed periodically and tailored to the responsibilities of different members of staff.

Monitoring and Review

Fraud risks evolve over time. Businesses should therefore review their procedures periodically to ensure they remain effective. Monitoring should include internal audits, compliance reviews, investigation of incidents and lessons learned from previous issues.

Documentation is Critical

One of the most overlooked aspects of compliance is record keeping. If an organisation later seeks to rely upon the statutory defence, it will need to demonstrate not merely that policies existed, but that they were actively implemented.

Documentary evidence may include:

  • fraud risk assessments;
  • board minutes;
  • compliance reports;
  • staff training records;
  • due diligence documentation;
  • internal audit reports; and
  • policy review records.

Without appropriate evidence, it may be difficult to establish that reasonable procedures were genuinely operating in practice.

Looking Ahead

The Failure to Prevent Fraud offence forms part of a broader shift towards greater corporate accountability.

Recent Government policy demonstrates an increasingly proactive approach to economic crime, corporate governance and regulatory compliance.

Businesses should therefore view this legislation not as an isolated development, but as part of a wider regulatory environment in which governance standards continue to rise.

Organisations that invest in robust compliance procedures today are likely to be better placed to manage both legal risk and commercial expectations in the years ahead.

How KTS Legal Can Assist

Every organisation is different. A fraud prevention framework that is appropriate for one business may be wholly inadequate for another.

At KTS Legal, we advise businesses on the practical implementation of governance and compliance measures that are proportionate to their size, structure and commercial activities. Our Commercial and Corporate team can assist with:

  • fraud risk assessments;
  • governance and compliance reviews;
  • drafting and reviewing anti-fraud policies;
  • due diligence procedures;
  • commercial contracts and third-party risk management;
  • regulatory compliance; and
  • board and senior management advice on corporate governance.

Obtaining legal advice before problems arise is invariably more effective—and considerably less costly—than attempting to deal with the consequences of a criminal investigation or regulatory enforcement action.

If you would like advice on the Failure to Prevent Fraud offence or wider corporate compliance obligations, please contact a member of our Commercial and Corporate team. We would be pleased to discuss how we can help your organisation develop practical and proportionate fraud prevention procedures.