New offence of failure to prevent fraud to come into force on 1 September 2025

Since our last update in July 2024, the Government has confirmed the new corporate criminal offence of failure to prevent fraud, set out in the Economic Crime and Corporate Transparency Act 2023 (ECCTA), will come into force on 1 September 2025. The Government published detailed guidance on 6 November 2024, clarifying the expectations on business.

The offence is intended to hold organisations to account if they profit from fraud committed by their employees. Employees of companies and other organisations can commit fraud in a wide variety of ways including by dishonest sales practices, hiding important information from consumers or investors, or dishonest practices in financial markets.

Under the new offence, an organisation will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place.

Which organisations will be in scope?

The offence applies to large, incorporated bodies and partnerships across all sectors of the economy. The offence applies to organisations incorporated or formed by any means. This includes, but is not limited to incorporation by:

• The Companies Act 2006

• Royal Charter

• Statute (for example NHS Trusts)

• The Limited Liability Partnerships Act 2000,or

• The Co-operative and Community Benefit Societies Act 2014.

A “large organisation” is defined as one meeting at least two of the following three criteria:

• More than 250 employees

• More than £36 million turnover

• More than £18 million in total assets.

These conditions apply to the financial year of the organisation that precedes the year of the base fraud offence.

If resources held across a parent company and its subsidiaries cumulatively meet the size threshold, that group of companies will be in scope of the failure to prevent fraud offence.

Liability can be attached to whichever individual entity within the group was directly responsible for failing to prevent the fraud. Liability can alternatively be attached to the parent company, if a fraud was committed by a subsidiary employee, for the benefit of the parent company, and the parent company did not take reasonable steps to prevent it.

What is the penalty if convicted?

An organisation can receive an unlimited fine. The courts will take account of all the circumstances in deciding the appropriate level for a particular case.

Senior management will not be held individually liable and prosecuted for failure to prevent fraud. However, it should be noted that individuals within companies can already be prosecuted for committing, encouraging or assisting fraud.

What do organisations need to do?

The Government guidance confirms the expectations on business. Notably, the fraud prevention framework put in place by relevant organisations should be informed by the following six principles:

Top level commitment

Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation. The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.

Risk assessment

The organisation should assess the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment needs to be dynamic, documented and kept under regular review.

Proportionate risk-based prevention procedures

An organisation’s procedures to prevent fraud by persons associated with it should be proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities. The procedures also need to be clear, practical, accessible, effectively implemented and enforced.

Due diligence

The organisation should apply due diligence procedures. These should take a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.

Communication (including training)

The organisation should ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key.

Monitoring and review

The organisation should monitor and review its fraud detection and prevention procedures and make improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.

The key point is that organisations will be able to avoid prosecution if they have reasonable procedures in place to prevent fraud.

Contact us

For further information on how we can support you with the new corporate criminal offence of failure to prevent fraud, please contact a member of the team or submit an enquiry form, below.