Caroline Black (Consultant, Gherson Solicitors) reviews the UK’s new corporate offence under the Economic Crime and Corporate Transparency Act. Large organisations must now show they have reasonable procedures in place or face unlimited fines.
The much-heralded new corporate offence of Failure to Prevent Fraud came into force on 1 September 2025 (Economic Crime and Corporate Transparency Act (ECCTA) 2023 ss 199-206). Failure to Prevent Fraud makes it an offence for large organisations to fail to prevent the fraudulent behaviour of individuals and entities acting for or on their behalf, in circumstances where the fraud is intended to benefit the organisation or its clients.
The UK courts have jurisdiction if there is a UK nexus to the fraud, meaning the fraud:
- must include an act that occurs in the UK; or
- results in a gain or loss in the UK.
In a joint statement issued by the Fraud Minister, the Solicitor General, the Serious Fraud Office and the Crown Prosecution Service, the British authorities have made it clear that they are keen to pursue offenders using this new tool. The Solicitor General Lucy Rigby KC MP said:
‘Fraud undermines our British values of fairness and playing by the rules. It hurts individuals and businesses, and harms business confidence. This new legislation sends a clear message that large organisations must take responsibility for preventing fraud, and those that fail to do so will be prosecuted with the full force of the law… We’re determined that those who don’t play by the rules will be brought to book.’
On conviction, a company will be liable to an unlimited fine. The only defence available to a large organisation is to prove that it had reasonable fraud prevention procedures in place.
Large organisations
Under ECCTA 2023 s 201, large organisations include those which meet two or more of the following criteria during the financial year prior to the year of the base offence:
- more than 250 employees;
- more than £36 million in turnover (the amount derived from the provision of goods and services falling within the ordinary activities of the commercial organisation or subsidiary undertaking, after deduction of trade discounts, value added tax and any other taxes based on the amounts so derived); and
- more than £18 million in total assets.
The government’s ‘Guidance to organisations on the offence of failure to prevent fraud’ (November 2004) makes it clear that the criteria for large organisations ‘apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located’. Accordingly, organisations with only a small presence or customer base in the UK could be caught by the Failure to Prevent Fraud offence.
What is ‘fraud’?
The base conduct covered by the Failure to Prevent Fraud offence is listed in ECCTA 2023 Sch 13. Offences include but are not limited to: fraud by false representation (Fraud Act 2006 s 2); fraud by failing to disclose information (Fraud Act 2006 s 3); cheating the public revenue (common law); and false accounting (Theft Act 1968 s 17). Broadly speaking, the most typical offences are likely to be fraud by positive misrepresentation (or omission), false accounting and tax fraud.
There is no de minimis amount of gain set out in the legislation, and there is no requirement for the underlying conduct to be prosecuted.
Whose fraudulent conduct must be prevented?
The action of individuals and entities will attribute liability to the organisation where the associated person is acting for or on behalf of the organisation in the course of their duties (not in a personal capacity), and where the fraud is intended to benefit the organisation. This will include the actions of employees (wherever they sit within an organisation), agents and other third parties.
For multinational organisations, it is important to determine for whose corporate benefit an individual, agent or subsidiary was acting when committing the fraud. The entity which is intended to benefit has the corresponding liability and must have reasonable procedures to prevent the fraud.
The benefit to the organisation does not need to be the sole or dominant motivation for the fraud; it suffices that the organisation was intended to be a beneficiary. Accordingly, a sales agent who misleads customers in order to achieve higher personal commissions will also attribute liability to their employer company where that entity will also benefit from their actions.
Location of fraudulent conduct, loss or benefit
It is the location of the conduct, loss or benefit which is important for UK jurisdiction, not the location of the corporate seat.
Any entity which is a large organisation should undertake a review of its operations to assess if the UK courts could have jurisdiction for Failure to Prevent Fraud. The following factors should form part of that determination:
- Are there any operations in the UK? These include UK based offices, employees, subsidiaries and associated persons who act for the benefit of the organisation.
- Are there potential victims in the UK (i.e. customers, shareholders or others)?
- Is there a vehicle for corporate benefit in the UK (bank accounts, etc)?
If the answer to any of the above is ‘yes’, the organisation should consider further steps to design and implement reasonable fraud prevention procedures, as this is the only defence available to the otherwise strict liability offence (ECCTA 2023 ss 199(4) and (5)).
Compliance defence: reasonable procedures
What is considered reasonable in any particular case will depend on how much control and supervision the large organisation has over the relevant offender. The guidance sets out that policies and procedures should be designed and implemented in accordance with the following well-established compliance principles:
- Top level commitment: The board of directors, partners and senior management should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.
- Risk assessment: The organisation should assess the extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The assessment should be dynamic, documented and kept under regular review.
- Proportionate risk-based prevention: An organisation’s procedures should be clear, practical, accessible, effectively implemented and enforced. It should draw up a fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment.
- Due diligence: The organisation should undertake due diligence procedures, taking a proportionate and risk-based approach, in respect of people who perform services for or on behalf of the organisation. Those with exposure to the greatest risk may choose to clearly articulate their due diligence procedures specifically in relation to the corporate offence.
- Communication, including training: The organisation should seek to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation. Training and maintaining training are key.
- Ongoing monitoring and review: The organisation should monitor and review its fraud detection and prevention procedures and make improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.
The first step is ensuring that there is commitment, at the highest level, to combatting fraud by the company, not merely against the company. This can be shown in a variety of ways by the board and senior management, not least through clear statements on zero tolerance for financial crime and the allocation of sufficient practical resources to compliance in this area.
A well-thought-through and documented risk assessment, setting out the areas of risk, is appropriate in almost all circumstances. Even where risks are assessed as low, the fact and records of the assessment will be essential evidence in any compliance defence.
Once complete, the risk assessment will identify areas which require mitigation by way of enhanced policies, procedures and controls. This could include thorough due diligence on employees, officers or third parties, communication by way of contractual terms and training, and ongoing monitoring and review by way of sophisticated AI tools or corporate whistleblowing procedures.
Any incidents uncovered must be investigated swiftly with appropriate remediation measures put into place, including consequential management. Careful consideration should also be given to the need to report significant failures to regulators or others such as the Serious Fraud Office.
Will there be a flood of cases?
The Failure to Prevent Fraud offence is the third ‘failure to prevent’ offence on the UK statute books, attributing strict liability to companies for financial misconduct by their employees, agents and those acting on their behalf.
A key aim of such legislation is to shift the compliance and crime prevention burden onto companies – and to make it easier for prosecutions to be successfully brought by the authorities once issues come to light. Nick Ephgrave, the Director of the Serious Fraud Office, has stated that he will be ‘out hunting’ for cases as soon as the new law becomes effective.
However, as with any deception-type offence, there is likely to be some considerable time lag from detection to prosecution. This means that cases are unlikely to be before the courts for several years. Indeed, we are only now seeing the first contested case of failure to prevent bribery under the Bribery Act 2010 (R v United Insurance Brokers Ltd); and the first case of failure to prevent the facilitation of tax evasion under the Criminal Finances Act 2017 (R v Bennett Verby Ltd) coming before the courts.
Nevertheless, the authorities are keen to use their new tools and companies falling within the remit of the new offence should ensure that compliance policies and processes are amended to provide a defence should the worst happen.
Practical examples
UK jurisdiction: A large US based financial services firm has a strong client base in the UK. An employee operating out of New York (acting for or on behalf of the US firm) fraudulently mis-sells investments in a US fund. The victims of the fraud are in the UK.
The US financial services firm can be prosecuted in the UK for a failure to prevent fraud.
Non-UK jurisdiction: A UK headquartered conglomerate has global operations. An employee of an overseas subsidiary commits fraud intending for it to benefit the overseas subsidiary.
The UK authorities cannot prosecute the fraud as there is no UK nexus to the conduct.
Caroline Black, Consultant, Gherson Solicitors