
Fail to prepare, prepare to fail (to prevent fraud)!

Posted: 27/08/2025


The new corporate offence of failure to prevent fraud comes into force from 1 September 2025. Businesses now face not only the adverse effects of fraud itself but also the regulatory consequences - including unlimited fines and reputational damage - of having failed to prevent it. The new legislation only applies to 'large' organisations but compliance is good practice for all organisations. 

This article looks at the elements of the new offence, the defence of putting reasonable procedures in place and the steps companies can now take to mitigate the risk of falling foul of their new obligations.

What is a failure to prevent fraud?

The new offence is created by s199 of the Economic Crime and Corporate Transparency Act 2023 (the Act). It is similar in structure to the failure to prevent bribery and facilitation of tax evasion offences. The offence creates strict liability for organisations if an 'associated person' commits fraud intended to benefit the organisation and, crucially, the organisation cannot show it had reasonable procedures in place to prevent it.

Who is at risk?

The offence applies to organisations (wherever incorporated or formed) that meet at least two of the following thresholds in their previous financial year:

  • turnover greater than £36 million;
  • balance sheet/total assets greater than £18 million; and
  • employee headcount greater than 250.

These criteria are assessed by reference to the financial year preceding the alleged fraud.

The relevant organisation will be guilty of an offence if its employees, agents or subsidiaries (associated persons) commit a fraud offence intending to benefit the organisation. It does not matter whether the organisation actually benefits from the offence.

The Act does not just apply to UK-based organisations. It is enough for an organisation to be caught by the Act if any of the elements which are part of the underlying fraud or any gain or loss occurred in the UK. For example, if an employee commits fraud and the relevant events occurred in the UK, their employer can be prosecuted even if the employee and the organisation are based overseas (ECCTA 2023, 199(13)).

Who is an associated person?

An 'associated person' is broadly defined and includes:

  • employees (including junior level);
  • agents and professional service providers; and
  • subsidiaries and entities providing services for or on behalf of the organisation (note that this does not include entities providing services to an organisation, so it would not include, for example, lawyers and accountants providing services to a business).

What are reasonable procedures?

To establish this defence, organisations must implement and evidence reasonable fraud prevention procedures based on the six core principles identified in the government guidance:

  • top-level commitment;
  • risk assessment;
  • proportionate, risk-based procedures;
  • due diligence;
  • communication and training; and
  • monitoring and review.

These are the same principles in place for the failure to prevent bribery and facilitation of tax-evasion offences but in a different order. We consider each one in turn and the key steps to take for compliance.

Secure top-level commitment

The first principle is now top-level commitment. This means that at board level (from the CEO down), organisations must clearly demonstrate the seriousness of the issue and gravity with which any non-compliance (both internally and externally) will be viewed. Avoid any communication seen as diminishing the need for compliance and ensure that a culture of open and transparent communication and endorsement of fraud prevention policies prevails.

As part of the top-level commitment, maintain annual reports and formal documents outlining the policy, records and regular review of the compliance landscape and fraud risk.

Conduct a comprehensive risk assessment

While it is not necessary to duplicate existing compliance systems, it is not enough to simply rely on them without an adequate review. The focus should be tailored to the risks assessed as relevant to the business - for example, for some industries this may be greenwashing and misrepresentation. ESG-related crimes are notably used as examples in the government guidance, which may therefore indicate an increased focus in this area.

For other sectors, the focus may be false accounting and tax fraud. It will also be important to evaluate the risk from other jurisdictions and overseas operations. Could employees outside the UK be at more or different risk? 

Design proportionate procedures

Policies and processes must match specific business needs. Generic compliance templates are unlikely to provide a sufficient defence in the event of a failure to prevent fraud. In particular, consider what internal controls are necessary and why. For example, where sales incentives are strong, risk-based policies may need to have tighter controls. Wherever a decision is taken, ensure the reasons behind it are appropriately documented.

Contract audit and due diligence

In addition to appropriate screening and background checks for employees and third parties, consider reviewing contracts to ensure that third parties are obliged to comply with the new legislation and guidance and that the contracts allow termination for breach.

Training, communication and review

In addition to training on the new offence and policies, it is crucial to ensure employees feel that they can safely use whistle-blowing procedures. Create clear pathways and demonstrate adequate support for those raising awareness of issues. Implement regular monitoring and review the risk assessments to ensure they meet the primary risks for the business.

How will the offence be enforced?

The offence will be enforced by the Serious Fraud Office (SFO) and the Crown Prosecution Service (CPS). It is anticipated that, as with the Bribery Act, there will be an increased use of deferred prosecution agreements to incentivise co-operation and compliance in investigations. 

What does this mean for global compliance strategies?

Economic crime is a major target for many governments and agencies across the world. The new offence marks a significant expansion in the UK of corporate liability for employee fraud. In particular, the wide definition of 'associated person' combined with the extra-territorial scope of the legislation means that businesses need to undertake a comprehensive review of their fraud risk. 

As well as implementing robust policies to address fraud, it seems likely that the focus of the first investigations of this new offence will be on the culture of the business and the effectiveness of the top-down failure to prevent fraud strategy. With just a few months remaining before the offence comes into force, it is crucial to make preparations now to minimise risk.

For more information, including to request a copy of our client guide and podcast or to discuss the needs of your business, contact the authors or your usual Penningtons Manches Cooper contact.



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
