Failure to prevent fraud: a new era of corporate fraud accountability
Insight
On 1 September 2025, the new failure to prevent fraud offence introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) came into force.
Enforcement agencies will now have greater powers to hold companies accountable for fraud committed by their employees or representatives. If the company gains any benefit from the fraudulent conduct – whether directly or indirectly – it may be liable under the new offence. A conviction could result in an unlimited fine, regardless of whether the individual responsible is prosecuted.
It is more important than ever that organisations take steps to put in place procedures to prevent fraud. This article sets out a practical roadmap for companies navigating the new offence.
Why has the offence been introduced now?
The introduction of the new failure to prevent fraud offence is rooted in a broader effort to strengthen the UK’s resilience against economic crime. In the wake of the Covid-19 pandemic, many businesses found themselves operating with reduced financial and operational reserves. Liquidity pressures, coupled with high inflation and the cost-of-living crisis, created an environment where shortcuts became more tempting and internal controls were often stretched.
At the same time, public trust in corporate governance was shaken by high-profile scandals, such as the misuse of public funds during the PPE procurement process. These events underscored the need for greater transparency and accountability in organisations.
The failure to prevent fraud offence is designed to hold large organisations to account by placing the onus on companies to proactively prevent fraud, recognising that fraud is often perpetrated by individuals who understand internal processes and exploit weaknesses in oversight.
What is the failure to prevent fraud offence?
See our previous briefing for a comprehensive analysis of the scope of the offence: Navigating the failure to prevent fraud offence: guidance for organisations.
The offence applies to large organisations, defined as those meeting at least two of the following criteria:
- More than £36 million in turnover
- More than £18 million in total assets
- More than 250 employees
It captures fraudulent conduct carried out by “associated persons,” which includes employees, agents and subsidiaries acting for or on behalf of the organisation. The fraud must be committed with the intention of benefitting the organisation or its clients (directly or indirectly).
Notably, the offence does not require the individual perpetrator to be prosecuted for the company to be held liable. Nor does the intention to benefit the organisation need to be the sole or dominant motive behind the fraud.
This is a strict liability offence. If fraud occurs and the company did not have reasonable prevention procedures in place (see below), it may be found guilty – even if senior management was unaware of the conduct.
Companies found guilty of failing to prevent fraud face unlimited fines, reputational damage, and increased scrutiny from regulators and business partners. In an environment where integrity and transparency are increasingly valued, failing to act could also result in lost opportunities and diminished trust within a company's industry.
The defence: reasonable prevention procedures
The only defence available to companies is to demonstrate that either: (1) they had reasonable procedures in place to prevent fraud; or (2) they can show a court that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.
Government guidance outlines six principles that companies should follow when designing and implementing their fraud prevention framework. Procedures must always be tailored to the organisation’s specific risks and operations:
1. Top level commitment
Senior leadership must take ownership of fraud prevention. This means fostering a culture within the organisation in which fraud is never acceptable, visibly supporting anti-fraud initiatives, integrating them into governance structures, and ensuring that fraud risk is a standing item on board agendas.
2. Risk assessment
Companies must regularly assess where fraud risks lie within their business. This should be a dynamic process, informed by input from across the business. For multinational organisations, it is important to consider how fraud risks manifest in different jurisdictions.
3. Proportionate procedures
To effectively prevent fraud, an organisation’s procedures must be proportionate to the specific risks it faces and the nature of its operations. Developing a clear and practical fraud prevention plan is essential – one that sets out procedures that are not only well-designed but also properly implemented across the business. Ultimately, the goal is to ensure that the procedures in place are both realistic and capable of addressing the fraud risks identified through a thorough assessment.
4. Due diligence
Organisations must conduct thorough due diligence on individuals and entities that pose a fraud risk. This includes employees in high-risk roles, such as finance and procurement, as well as third-party agents and suppliers. Due diligence should be ongoing, not limited to onboarding.
5. Communication and training
Employees must understand the procedures and their role in preventing fraud. Training should be mandatory for relevant staff and refreshed regularly. Policies should be accessible, and reporting channels clearly communicated.
6. Monitoring and review
Fraud prevention procedures must be monitored and reviewed on a regular basis. This includes conducting internal audits, tracking incidents, and feeding lessons learned back into the risk assessment process.
Action plan for compliance
It is essential that companies tailor anti-fraud measures to the specific risks and needs of the organisation, rather than relying on a simple tick-box approach.
The government guidance provides principles, rather than a list of rules. Therefore, it is not possible to provide a simple checklist that will guarantee that an organisation will not be subject to any enforcement action. The steps an organisation will need to take will depend on many factors, including: (i) taking appropriate legal advice; (ii) the risk profile of the company and its industry; (iii) the company’s geographical reach; and (iv) industry guidance.
For companies looking to implement a robust fraud prevention framework, the following steps provide a useful starting point:
- Begin by conducting a comprehensive fraud risk assessment. Engage with desk heads and operational leads to identify areas of vulnerability.
- If your organisation is headquartered outside the UK, consider how to align your global policies with UK requirements. Communication is key: ensure that your international headquarters understands the importance of compliance and supports the necessary changes.
- Revise existing policies and procedures, ensuring they reflect current risks and business practices.
- Review your top customers and suppliers to identify potential weaknesses in the supply chain. Map out high-risk roles within the organisation and ensure that appropriate controls and oversight are in place.
- Update your compliance handbook, contracts, and training materials. Establish clear whistleblowing and reporting channels.
- Schedule regular reviews and audits to ensure that procedures remain effective and relevant.
The failure to prevent fraud offence is now in force, and companies must move swiftly to ensure compliance.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, September 2025