UK 'failure to prevent fraud' offence comes into force

In brief, the purpose of the offence is to ensure businesses take proactive measures to prevent and deter fraudulent activities. The new corporate criminal offence of ‘failure to prevent fraud’, is designed to drive an anti-fraud culture and improve business confidence, and forms part of the UK's broader reforms to corporate criminal enforcement and economic crime prevention. For further background, please refer to our previous alert from June 2025.

Scope and Key Provisions of the Offence

The new offence applies to large organisations, defined as those meeting at least two out of the following three criteria (measured on a group basis, where relevant):

• More than 250 employees
• Turnover exceeding GBP 36 million
• Assets greater than GBP 18 million

The ECCTA sets out an exhaustive list of fraudulent activities which are in scope of the offence. This means that activities which are not expressly mentioned will not attract criminal liability if an organisation fails to prevent such out of scope activities. Examples of fraudulent activities which are covered include: 

• dishonest sales practices
• hiding important information from consumers or investors
• dishonest practices in financial markets  

A full list is provided in Schedule 13 of the ECCTA. It is worth noting, however, that the offence list can be updated through secondary legislation in future, although any new offences added would be limited to activities considered 'economic crimes'.

Who Can Trigger Liability: Associated Persons

Organisations subject to the ECCTA can be held criminally liable where an employee, agent, subsidiary, or other ‘associated person’ commits a fraud intending to benefit the organisation. 

The concept of "associated persons" is broad, capturing not only employees but also agents, subsidiaries, and anyone who performs services for or on behalf of the organisation. This has significant implications for parent companies and those with extended supply chains, as liability can potentially be triggered by conduct across groups and third parties.

It is important to note that parent companies may be held liable for fraud committed by subsidiaries, even where the relevant conduct takes place outside the UK, provided there is a UK nexus (such as a part of the fraudulent activity occurring in the UK or a gain/loss arising in the UK). This underscores the need for robust fraud prevention procedures throughout corporate groups and supply chains.

Unlike the similar offence under the UK Bribery Act 2010, the ECCTA establishes a presumption that subsidiaries are associated persons, unless it is clear that there was no intention to benefit the parent or its clients. There is also increased focus on supply chain risk where services are delivered for the organisation's benefit.

Recent enforcement activity in related fields, such as the first prosecution by HM Revenue & Customs under the failure to prevent facilitation of tax evasion offences (as established by the Criminal Finances Act 2017) in August 2025, demonstrates a willingness by authorities to pursue corporate accountability in this area. The Crown Proseuction Service ("CPS") and Serious Fraud Office ("SFO") have also signalled their intent to take action against non-compliant companies through their Joint Corporate Prosecution Guidance published on 18 August 2025. These developments reinforce the need for robust compliance with the 'failure to prevent fraud' offence.

The 'Reasonable Procedures' Defence

Organisations can defend themselves against liability by showing they had 'reasonable procedures' in place to prevent fraud at the relevant time. The government has issued guidance (Home Office, November 2024) on how the concept of 'reasonable procedures' should be interpreted, structured around six key principles (readers will note the similarity to the UK Bribery Act principles):

1. Top-level commitment: Clear leadership from senior management.
2. Risk assessment: Regular identification and assessment of fraud risks.
3. Proportionate risk-based procedures: Measures tailored to the organisation's risk profile.
4. Due diligence: Vetting of associated persons and business partners.
5. Communication and training: Policies disseminated and regularly reinforced through training.
6. Ongoing monitoring and review: Continued evaluation and improvement of procedures.

The Home Office Guidance is advisory and sets out recommended practices, but it is ultimately for the courts to determine whether an organisation's procedures were reasonable in the circumstances.

Practical Implications for In-Scope Organisations

To minimise exposure to fraudulent activities and establish a robust defence against the new offence, organisations should ensure that all fraud prevention steps are properly documented and that procedures are kept under regular review to take account of emerging risks.

In practice, this means that organisations should upgrade their internal risk assessments and take preventive measures to:

• Ensure a clear commitment and oversight from the board and senior managers;
• Conduct and update comprehensive fraud risk assessments;
• Design, implement and test policies and procedures specifically aimed at preventing fraud;
• Strengthen controls over third parties, subsidiaries and supply chain partners;
• Train all relevant staff and establish effective, confidential reporting channels.

Practical steps and compliance checklists are outlined in our previous alert from June 2025 and can be supplemented with reference to the latest official guidance.