Failure to prevent fraud

A new era of corporate accountability under the ECCTA 2023

Industry specialisms | 04.08.2025 | 7 mins read

Key takeaways

New fraud offence reshapes corporate liability

Organisations must prevent fraud or face prosecution.

Reasonable procedures are your legal shield

Tailored controls and whistleblowing systems reduce risk.

Act now: compliance deadline is September 2025

Review policies, assess risks and embed prevention early


The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces a new corporate offence of Failure to Prevent Fraud. ECCTA comes into force from 1 September 2025 and imposes a proactive duty on large organisations to prevent any fraud that is committed with the intention of benefitting the organisation.

The new legislation sits within the context of wider reforms of corporate criminal liability under UK law and expands the scope of the identification doctrine by which, under common law, an organisation could be held criminally liable for the actions of an individual considered to be the ‘directing mind and will’ of the organisation. S196 of ECCTA now provides that if a senior manager of a body corporate or partnership, acting within the actual or apparent scope of their authority, commits, conspires or attempts to commit a relevant offence as listed in Schedule 12 of ECCTA, the organisation is also guilty of the offence.

A ‘senior manager’ means an individual who plays a significant role in the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or who actually manages or organises those activities.

Preventing fraud in all its aspects in order to protect the UK economy remains a key focus for government. These new provisions introduce a fundamental shift which places a significantly greater burden upon organisations, which under ECCTA will no longer be considered only as potential victims of fraud but will also become part of the fight against fraud.

This article outlines:

  • the scope of the offence,

  • the statutory defence, and

  • practical steps organisations must take to comply.

Understanding the offence

Organisations can be held criminally liable under ECCTA if a “person associated” with them commits a base fraud offence intending to benefit the organisation, or any person to whom services are provided on behalf of the organisation. The definition of associated person includes:

  • Employees

  • Agents

  • Subsidiaries

  • Any other person acting whilst providing services for or on behalf of the organisation, for example contractors and, in some cases, franchisees.

Organisations should carefully assess their level of control over third parties. While franchisees and subcontractors may not always be associated persons, they can come within the definition if they provide services on behalf of the organisation. When assessing the risks involved it is important to note that for an offence to be made out under the legislation it does not need to be demonstrated that directors or senior managers within the organisation ordered or knew about the fraud. This means that those managing organisations need to proactively guard against others seeking to commit fraud, in circumstances where their own organisation is the intended beneficiary.

The potential penalties for failing to do so are significant; prosecutions may be brought by the CPS, SFO, or their devolved equivalents. Upon conviction, organisations face unlimited fines and the Sentencing Guidelines stress that fines must have a real economic impact in order to drive compliance. 

Who Is in Scope?

The offence itself applies only to large organisations, defined as meeting at least two of the following criteria:

  • More than 250 employees

  • More than £36 million turnover

  • More than £18 million in total assets

It applies across all sectors and includes incorporated bodies and partnerships. Given that large organisations who come within those criteria are likely to seek to impose contractual obligations upon other businesses acting on their behalf, the provisions are likely to have a knock-on effect across the wider economy beyond the strict definition of large organisations.

What are the Base Fraud Offences?

Schedule 13 of the ECCTA lists the relevant offences, which include the following provisions:

  • Fraud Act 2006: fraud by false representation, failure to disclose information or abuse of position

  • Theft Act 1968: false accounting, false statements by directors

  • Companies Act 2006: fraudulent trading

  • Common law: cheating the public revenue

  • Aiding, abetting, counselling, or procuring the commission of any of the listed offences

Organisations may be prosecuted even if the associated person is not charged or is charged with a different offence.

Jurisdictional reach

The offence requires a UK nexus but can have extra-territorial effect. Liability may arise if either a UK-based employee commits fraud, regardless of where the organisation is based, or an overseas employee or associated person commits fraud in the UK or targeting UK victims.

The Statutory Defence: reasonable procedures

As can be seen from the above, there are many ways in which an organisation could be caught by the provisions of ECCTA, even in situations where senior management of the organisation were unaware of the base fraud being committed. In order to guard against serious criminal liability in such circumstances, organisations can defend themselves by proving either that they had reasonable procedures in place to prevent fraud, or that it was not reasonable in all the circumstances to expect such procedures to be in place.

The Government has issued guidance which outlines six key principles to help organisations establish that they do in fact have in place reasonable procedures. These are:

  1. Top-Level Commitment
    Leadership must foster a culture of integrity, ensure effective governance structures are in place, and lead by example.

  2. Risk Assessment
    Organisations must identify who their associated persons are and assess the fraud risks they pose.

  3. Proportionate Procedures
    Controls must be tailored to the organisation’s size, complexity, and risk profile. Documentation and enforcement of controls are essential.

  4. Due Diligence
    A risk-based approach to vetting associated persons, especially during mergers, acquisitions, and high-risk engagements should be adopted.

  5. Communication and Training
    Fraud policies must be embedded through effective communication and tailored training. This includes a strong focus on whistleblowing.

  6. Monitoring and Review
    Fraud prevention procedures should be continuously reviewed to ensure they remain fit for purpose and up to date.

Whistleblowing: a cornerstone of fraud prevention

Whistleblowing is identified as one of the most effective tools for detecting and preventing fraud. The guidance emphasises that staff and associated persons must be familiar with whistleblowing processes.

These processes should be regularly reviewed and updated to ensure they are effective and well understood across the organisation.

More broadly organisations should consider the following measures as indications of best practice:

  • Board-level oversight of whistleblowing

  • Promoting a culture that supports speaking up

  • Ensuring independent and clearly signposted channels

  • Training staff on how to access and use the process

  • Timely investigation of reports and feedback to whistleblowers

  • Learning from issues raised and updating procedures accordingly

Whistleblowing systems must be accessible, trusted, and effective. They are not just a compliance tool; they are a cultural indicator of an organisation’s commitment to integrity.

Monitoring and review

As noted above one of the key elements in establishing reasonable procedures to prevent fraud is continuing to monitor and review the processes in place. It will not be sufficient simply to put in place procedures once the legislation comes into force and presume that they will continue to be appropriate and sufficient over time. An effective review process will include assessing whether the provisions put in place are effective in the following areas:

  • Detecting and investigating fraud – investigations must be independent, well-resourced, and clearly defined in scope.

  • Monitoring the effectiveness of controls – do they accurately identify and engage with the identified areas of risk?

  • Learning from whistleblowing reports and investigations – the development of policies and procedures should be iterative, and learnings from incidents should be embedded back into the organisation’s processes.

Overlap with other legislation

Whilst ECCTA creates a new area of criminal liability for organisations there are a number of existing provisions which cover related areas. All these applicable laws should ideally be considered in the round when an organisation is deciding how best to manage and mitigate its legal compliance risks. Relevant overlapping legislation includes:

  • Criminal Finances Act 2017: the offence of failure to prevent tax evasion applies to all organisations.

  • Companies Act 2006: Audits are mandatory for organisations in scope.

  • UK Corporate Governance Code: Encourages robust risk assessments and control monitoring.

Organisations should ensure that their existing compliance frameworks are updated to meet the higher threshold required under the ECCTA and seek to integrate the new obligations into their existing systems of control. It will generally be more effective to combine the various overlapping regulatory risk regimes rather than create an entirely separate ECCTA compliance framework as in practical terms the necessary steps to prevent offences such as tax evasion, bribery and money laundering will have many common features and are best approached holistically.

Protecting your business

ECCTA represents a significant evolution in corporate liability. It shifts the burden onto organisations to proactively prevent fraud, not just respond to it. With the offence taking effect in September 2025, businesses must act now to:

  • Review and update policies

  • Conduct risk assessments

  • Embed fraud prevention into corporate culture

  • Strengthen whistleblowing systems

Failure to act could expose organisations to prosecution, reputational damage, and significant financial penalties.
