Preparing Organisations for the New UK Failure to Prevent Fraud Offence

Key Points
- On 1 September 2025, the new UK Offence of “Failure to Prevent Fraud” will take effect, in accordance with the Economic Crime and Corporate Transparency Act 2023.
- This will impose liability on organisations (including corporates and partnerships) if their employees and other associated persons (broadly defined) commit certain fraud offences with the intention of directly or indirectly benefitting the organisation, or its customers or clients.
- The types of fraud caught are wide-ranging and include misstatements in accounts, inaccuracies in prospectuses, misleading representations and warranties, as well as greenwashing claims.
- As with other similar economic crimes in recent years, including Failure to Prevent Bribery under the Bribery Act 2010 and the Failure to Prevent Facilitation of Tax Evasion under the Criminal Finances Act 2017, this offence will be one of strict liability, subject only to a defence of showing that the organisation had reasonable procedures in place.
- Fund managers will need to be particularly careful in how they conduct the analysis of who may be an associated person. As well as management firms and their subsidiaries with a UK nexus, portfolio companies (or holding companies) with a UK nexus may be in scope. Similarly, parent companies based overseas could also be caught by the regime.
- UK and non-UK organisations subject to the legislation therefore need to have considered, and be able to evidence, reasonable fraud prevention procedures—including having undertaken a risk assessment—in advance of the legislation taking effect.
Overview and the New Offence
Fraud is the most common offence in the UK, amounting to 41% of all crime.1 On 26 October 2023, the UK’s long-awaited Economic Crime and Corporate Transparency Act 20232 (the Act) received Royal Assent, setting out significant changes to the corporate criminal liability regime, particularly relating to fraud.3 Nick Ephgrave, Director of the Serious Fraud Office (SFO), has stated that “this is the most significant boost to the [SFO’s] ability to investigate and prosecute serious economic crime in over 10 years.”4
The Act introduces a new corporate criminal offence of Failure to Prevent Fraud, which comes into effect on 1 September 2025.5 Under this offence, organisations can be held criminally liable where their associates—which include junior employees—commit fraud offences with the intention of benefitting (i) the organisation, or (ii) those to whom the associated person provides services on behalf of the organisation (e.g. the organisation’s clients or customers).6
This new offence largely mirrors the existing failure to prevent bribery and tax evasion offences, though there are some important distinctions. Cumulatively, there is a clear and increasing focus on holding corporates to account for the action (or inaction) of employees/associated persons. Organisations can be prosecuted by either the UK’s SFO or the Crown Prosecution Service.
The Act also introduces changes to the ‘identification doctrine,’ which is the UK legal test by which criminal liability is attributed to a company through the actions of its employees. Previously, organisations could only be held liable through the acts of employees acting as its “directing mind and will,” which was well understood to include only the most senior C-suite executive(s). This has been significantly expanded under the Act to include “senior management.” Therefore, regardless of its size, an organisation can now be prosecuted for a substantive fraud offence (as distinct from the ‘failure to prevent’ offence) if one of its senior managers was involved in the commission of fraud.
To Whom Does it Apply?
The offence can be committed by both UK and non-UK organisations that meet at least two of the following criteria, in the year prior to the fraud offence:7 (i) more than GBP 36 million turnover; (ii) more than GBP 18 million balance sheet total; and/or (iii) more than 250 employees. The fraud offence must have been committed under UK law (although not necessarily prosecuted) or target UK victims, even if the organisation and/or associated person are based overseas.
Example 1: A small UK manufacturer sends its appliances to an accredited overseas laboratory based in the US/Middle East (with no UK facilities), for efficiency tests. Knowing that the appliances will not be eligible for UK government grants unless tests demonstrate that the efficiency exceeds a certain threshold, the US/Middle Eastern-based laboratory manager falsifies the test data. As a result, the devices are eligible for grants and the UK manufacturer benefits. Here, the laboratory manager is an associated person and commits fraud by false representation. Because the effect is to cause an unfair gain to an organisation in the UK, this would amount to fraud under domestic law (and the laboratory manager could theoretically be prosecuted in the UK). The overseas laboratory (which meets the criteria listed above)8 could be liable for failure to prevent fraud under section 199(1)(b) unless a UK court determines that it had reasonable procedures in place to prevent the fraud.9
Although the current focus is on large businesses, the Act does permit the scope to be extended in the future to cover small and medium-sized businesses. In practice, smaller and medium-sized businesses will still be impacted by the Act either where they are part of a wider corporate group that meets the above criteria, or where they are working as associated persons (e.g. agents or contractors) for large businesses, who are likely to require evidence of fraud prevention procedures in procurement processes going forward. In addition, guidance from the Home Office states “Although the offence … applies only to large organisations, the principles outlined in this guidance represent good practice and may be helpful for smaller organisations.”10
Application to Fund Structures and Jurisdictional Reach
Investment managers will need to be particularly careful in how they conduct the analysis of who may be an associated person. As well as management firms and their subsidiaries with a UK nexus, portfolio companies (or holding companies) with a UK nexus may be in scope.
In addition, there is a risk that a non-UK parent company will still be liable for the offence if a fraud is committed in relation to its UK-based portfolio company, potentially even if the UK-based portfolio company itself would be beneath the size threshold (so long as the size threshold were reached on a group aggregate basis). As such, non-UK funds may end up being liable, even if (in practice) prosecution of the offence against the non-UK parent may be difficult. Fund structures may therefore themselves need to have reasonable procedures in place to ensure that they could avail themselves of the defence if necessary.
Example 2: A non-UK investment fund’s UK portfolio company makes a misleading statement in a prospectus that it will invest in a ‘sustainable’ timber company. The employee responsible for preparing the prospectus is aware that the timber company’s environmental credentials are fabricated. Investors are deceived into making investments with the fund. The base fraud is fraud by false representation and there is an intention to benefit the UK portfolio company. The associated person is the member of staff who knowingly used the false information in the prospectus. The non-UK investment fund (in addition to the UK portfolio company) could be liable under section 199(1)(a) unless a court determines that it had reasonable procedures in place to prevent this fraud. The offence applies even if investment is not actually secured—it is enough that the fraud was intended to benefit the fund.
Who Are “Associated Persons”?
Associated persons are defined as: (i) employees of the organisation (or its subsidiaries in some cases), agents or subsidiaries of the organisation, or (ii) persons who otherwise perform services (which does not include provision of goods or provision of services to the organisation) for or on behalf of the organisation, as defined by all relevant circumstances and not by the nature of the relationship. Associated persons do not need to be UK persons.
Like the bribery and tax evasion offences, the definition of associated person is broad. The definitions are not identical, with the fraud offence automatically including subsidiaries, which is not explicit in either of the other two offences. Further, it is also clear that the fraud offence applies to employees and agents, whereas this is left to a question of circumstances in the bribery offence.
Guidance from the Home Office helpfully makes clear that companies within a supply chain are not associated persons unless they are providing services for or on behalf of the relevant body.11
What Is “Intending To Benefit”?
The Home Office’s Guidance emphasises that this is intended to be very broad, and would include both financial and non-financial benefits. Indeed, it is not necessary for the organisation to have in fact received a direct benefit, as a fraud that “disadvantaged a competitor would be in scope.”12
Whether or not there was an intention to benefit is to be assessed according to the position of the person at the time that they committed the fraud offence, though it does not need to be the “sole or dominant” motivation for the fraud. By way of example, a salesperson trying to increase their commission through fraud, and who thereby increases the company’s sales, would be intending to benefit the company.
What Constitutes a Fraud Offence?
Fraud offences include those listed in Schedule 13 of the Act, which covers a range of offences including under the Fraud Act 2006 and Theft Act 1968. This includes, for example: fraud by false representation; fraud by failing to disclose information or by abuse of position; obtaining services dishonestly; participation in a fraudulent business; false accounting; false statements by company directors; fraudulent trading; and cheating the public revenue. It will also be an offence if an associated person aids, abets, counsels or procures the commission of any of the aforementioned Schedule 13 offences. Although the offence does not reference “encouraging or assisting”, it would be reasonable to assume that the Courts would take these into consideration in light of recent authorities. Money laundering is not in scope at this time, despite being hotly debated, though there remains the power to amend Schedule 13 in future.
What Are the Penalties?
Penalties include an unlimited fine for organisations, who may also be exposed to significant reputational damage and be at risk of civil litigation pursued by third parties. Deferred Prosecution Agreements will however be available and the SFO is currently updating its guidance in this regard, to be published later this year.13 There is no provision for individual liability for failing to prevent fraud under the regime, e.g. for senior managers or directors, although individuals can be held personally liable under the relevant fraud offence, where they have themselves committed the underlying fraud.
Regulated Financial Services Firms
In addition to potential criminal prosecution, financial services firms need to be mindful of their regulatory exposure since any shortcomings may open them up to investigation/enforcement by the UK Financial Conduct Authority (FCA) (or Prudential Regulation Authority). Senior managers and conduct rules staff may also be held personally accountable in the event of breaches or deficient policies and procedures. In such circumstances, individuals could face unlimited fines, public censure, and in the most serious cases, risk being prohibited from working in the regulated sector. Firms should also be mindful of the consumer duty/Principle 12 of the FCA’s Principles for Businesses, under which they are required to “act to deliver good outcomes for retail customers.”
The Defence
As a strict liability offence, the most important consideration for in-scope organisations is the defence. It will be a defence for organisations where they had in place reasonable procedures designed to prevent associated persons from committing fraud offences, at the time the fraud offence was committed. The Act also permits a defence where it was not reasonable to have in place such procedures, though we expect this to be relatively rarely available in practice.
The “reasonable procedures” standard is the same as for the tax evasion offence, but is lower than the “adequate procedures” required under the Bribery Act 2010. This notwithstanding, it will still require significant compliance resources to execute.
The Guidance – Key Considerations For Firms
The Home Office Guidance provides that the fraud prevention framework “should be informed” by six principles:
- Top level commitment: Senior management should lead by example and communicate a commitment to preventing fraud. This will include demonstrating a commitment to each of the below listed points, as well as ensuring (i) appropriate training and resourcing for anti-fraud practices, and (ii) that the organisation has in place clear governance policies and procedures.14
- Risk assessment: Organisations must undertake a risk assessment. In doing so, they should seek to understand the different types of risk presented by associated persons and consider the “fraud triangle”, which consists of (i) opportunity, (ii) motive, and (iii) rationalisation. Organisations should also seek out sources of information about potential risks, including industry guidance, previous audits and data analytics. Risk assessments ought to be “dynamic” and of course kept under review, typically “once every two years.”15 If an organisation has an existing risk assessment process/procedures, it should document whether and how this needs to be expanded to account for the new offence.
- Proportionate risk-based prevention procedures: Procedures implemented by organisations should be proportionate to the fraud risks faced by them and should take into consideration the complexity of their operations. The Guidance makes clear that organisations should be reviewing current procedures, and it will not be a defence, for example, for an organisation to say that it was adequately complying with regulatory requirements in relation to risk controls, unless it has properly assessed whether those controls in fact meet this new legislative requirement.16
- Due diligence: Organisations should review existing due diligence procedures to ensure compliance with the Act. This will include, for example, reviewing employee and agent contracts to ensure that they provide for compliance, set out consequences for breach and allow suitable monitoring.17
- Communication and training: Prevention policies should be well-documented and reinforced at all levels of the organisation. Staff handbooks may need to be updated and clarified and specific training on the importance of anti-fraud procedures is likely to be needed. Organisations will also need to be particularly careful to ensure that there are suitable whistleblowing procedures in place.18
- Monitoring and review: Monitoring procedures will need to be implemented. Organisations will also need to regularly (annually or every two years at a minimum) review the effectiveness of their policies and procedures.19
These are the same six principles in parallel guidance for the bribery and tax evasion offences.20 Whilst tailored to the different offences, much of the guidance is (unsurprisingly) very similar and motivated by similar concerns.
Next Steps
In advance of the 1 September 2025 implementation date, organisations will need, at the very least, to have identified whether they are in scope and, if so, to have:
- Considered which persons are or may become “associated persons.”
- Conducted (and documented) a fraud risk assessment.
- Reviewed present policies and procedures, and updated them as necessary.
- Communicated and trained employees and other associated persons (including subsidiaries) on the new requirements.
Organisations are to some extent likely to be able to rely on certain of the same mechanisms they already have in place to ensure compliance with the bribery and tax evasion offences. However, given the difference in scope of the underlying fraud offences, as well as the wide range of individuals who may be in a position to commit such offences “with the intention of benefitting the company,” organisations will need to carefully consider their control framework and ensure that they are in a position to evidence the existence of their “reasonable procedures.” Akin can help your organisation scope its risk assessment, update policies/procedures, conduct training and, if necessary, assist in responding to/conducting internal investigations—please get in touch with the authors or your usual firm contact for support.
1 https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/factsheet-failure-to-prevent-fraud-offence.
2 https://www.legislation.gov.uk/ukpga/2023/56/enacted.
3 The Act also covers significant reforms to Companies House powers, as well as other corporate crime reforms, including in relation to Defence Against Money Laundering Suspicious Activity Reports and crypto-asset confiscation and civil recovery powers. This alert does not address these topics.
4 https://www.gov.uk/government/news/robust-new-laws-to-fight-corruption-money-laundering-and-fraud.
5 Note that the new offence does not have retrospective effect.
6 Parent companies can be liable for acts by employees of their subsidiaries, if the employee committed the act with the intention to benefit the parent company.
7 This will also apply to parent companies where the group (parent and subsidiaries) meet, in aggregate, at least 2 of the criteria.
8 Note, however, that the small UK manufacturer would not be in scope as it does not meet the threshold criteria.
9 https://www.gov.uk/government/publications/offence-of-failure-to-prevent-fraud-introduced-by-eccta/economic-crime-and-corporate-transparency-act-2023-guidance-to-organisations-on-the-offence-of-failure-to-prevent-fraud-accessible-version#chapter-2overview-of-the-offence (the Guidance), section 2.8. Similarly to the UK Bribery Act, the Home Office has published comprehensive Guidance on this new offence, which should be considered alongside any industry-specific guidance published e.g. UK Finance February 2025 Guidance for the Financial Services Sector.
10 Guidance, section 1.1.
11 Guidance, section 2.3.2.
12 Guidance, section 2.4.
13 https://www.gov.uk/government/collections/guidance-for-corporates.
14 Guidance, section 3.1.
15 Guidance, section 3.2.
16 Guidance, section 3.3.
17 Guidance, section 3.4.
18 Guidance, section 3.5.
19 Guidance, section 3.6.
20 https://assets.publishing.service.gov.uk/media/5d80cfc3ed915d51e9aff85a/bribery-act-2010-guidance.pdf and https://assets.publishing.service.gov.uk/media/5a82aaa0e5274a2e8ab58b82/Tackling-tax-evasion-corporate-offences.pdf.