Emma Carr
Partner
Commercial Litigation Partner and
Co-Chair of ThinkHouse
On 1 September 2025, the new corporate offence of failure to prevent fraud will come into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). The implementation of this offence marks a significant step change in corporate accountability, shifting the focus from reacting to fraud to proactively preventing it. There are potentially serious consequences for organisations that fall short and do not take preventative action as required.
While many businesses may already have some level of financial crime prevention in place, this new offence requires detailed scrutiny of the processes and procedures relied upon. In this article, part of our Understanding ECCTA series, our fraud and asset recovery experts highlight what organisations need to know – regardless of whether or not the organisation meets the statutory threshold.
For more information about ECCTA, read our first Understanding ECCTA article, which provides a summary of the key provisions.
At its core, the new offence imposes criminal liability on a relevant body (a large organisation) if it fails to prevent fraud committed by an associated person for its benefit.
Under Section 199 of ECCTA, an organisation will commit the offence where:
The offence is a strict liability one — meaning there is no need to show complicity or even knowledge of senior management. The only available defence will be if the relevant body has reasonable procedures in place to prevent fraud, at the time the fraud took place. Proactive risk management and governance is therefore essential.
The offence applies to a relevant body, which is a "large organisation" that satisfies two or more of the following conditions:
It applies to UK and overseas companies and partnerships that carry on business in the UK. Notably, this includes parent companies, subsidiaries, and third parties, wherever located, if there is a UK connection.
A parent company can be a "large organisation" if, on an aggregate basis, the criteria apply to its subsidiaries, and a subsidiary will be capable of committing the offence if its parent company satisfies the large organisation test.
If a business does not fit the large organisation criteria it will not currently be in scope, but that does not mean the offence can be ignored. The Government in its Guidance (on the offence of failure to prevent fraud, issued in November 2024) has hinted that the scope of the failure to prevent fraud offence could be widened in future and, in any event, the principles to be adopted by large organisations represent good practice and could prove helpful to small and medium-sized organisations. In addition, small and medium-sized organisations may be affected contractually. Larger businesses may begin imposing anti-fraud controls on their partners, requiring partners to have reasonable fraud prevention procedures in place before they can work together.
The fraud must be committed by an associated person in order for the relevant body to be guilty of the failure to prevent fraud offence.
Essentially, anyone providing services for or on behalf of the relevant body can be an associated person, including:
Those providing services to the relevant body – rather than for or on behalf of – will not be an associated person. The Guidance lists those likely to provide services to the relevant body (and therefore are not an associated person) as including external auditors, valuers, lawyers and engineers.
To be guilty of an offence the associated person must commit a specified fraud. In accordance with Schedule 13 of ECCTA a specified fraud includes the following:
The fraud must be intended to benefit the relevant body or the relevant body's customers or clients. Organisations will have accountability for fraudulent activities that benefit them directly, and for those that indirectly benefit them. If there is no intention to benefit the relevant body (or its customers or clients) there will be no offence. For example, if the offence is for personal gain the relevant body will not be liable.
The benefit does not need to be financial in nature and neither is it necessary for the fraud to succeed in conferring a benefit – it will be enough that the associated person intended that it would benefit the relevant body (or its customers or clients).
In addition, the benefit does not have to be the sole or primary purpose – for example, if a rogue employee manipulates results to boost bonus eligibility and to make the company look more profitable, the company can still be liable.
Organisations can avoid liability if they can prove they had reasonable fraud prevention procedures in place at the time of the offence.
What is considered reasonable will vary depending on the size, structure and risk profile of the organisation, and the size and complexity of its operations. The greater the risk of fraud, the stronger the controls to prevent it will need to be. There is no rigid checklist or definition of what counts as "reasonable" fraud prevention, and ECCTA does not prescribe what companies must do in order to prevent fraud.
Instead, the Guidance outlines six core principles that organisations should consider when designing their fraud prevention framework.
Leaders must foster a culture of integrity; they must be engaged and proactive with the organisation's fraud prevention measures. This means visible endorsement of anti-fraud policies, clear communication, a budget for compliance, and senior oversight.
Tip: Appoint 'fraud champions' or a senior risk owner and make fraud a regular board agenda item.
Conduct a fraud risk assessment that is tailored to your business. You must identify where fraud might occur, why it might occur, and how those who are involved might justify their actions. Document decisions, even if the risk is low, and ensure risk assessments are up to date.
Tip: Look beyond finance — sales targets, procurement processes, and third-party relationships often pose hidden risks.
Tailor prevention procedures to the risks identified in your risk assessment. This might include strengthened contracts, dual authorisation processes, fraud-focused internal audits, and updated whistleblowing channels.
Tip: Make sure fraud prevention is built into supplier and agency contracts.
Know who you're dealing with — and document it. That means enhanced onboarding, risk background checks, and regular monitoring for key suppliers and partners.
Tip: Conduct media, legal, and reputational screening for key partners. Assess whether existing verification tools are robust enough and whether improved systems are required to provide earlier warning signs and help highlight issues.
Employees must know how to spot, prevent, and report fraud. Training should be practical, tailored and regular, to ensure everyone understands their role in preventing fraud.
Tip: Include fraud scenarios in compliance training and onboarding and use internal surveys to check employees' understanding of fraud and reporting procedures.
Fraud risks change over time. Keep your prevention procedures under review and update them as needed.
Tip: Schedule annual (or more frequent) fraud risk assessment reviews, and maintain a log of fraud incidents, whistleblowing reports, and responses. Ensure diverse reporting channels are available to all employees.
While there is no legal requirement under the Act to introduce new fraud prevention measures or procedures, doing nothing is unlikely to be enough to prove an organisation had reasonable protections in place if fraud subsequently occurs. Proactively taking steps now is key.
If an organisation already has robust anti-bribery or financial crime controls, reviewing and refining them may well be enough – but it will be essential to review them and document that a review has been undertaken.
At the very least organisations should:
Unlimited fines, reputational damage and regulatory scrutiny await those who fail to ensure their organisation has reasonable measures in place to prevent fraud. For those who prepare and ensure that the procedures and processes in place (or implemented) are proportionate and tailored to their business, the risks can at least be managed and reduced.
If you have any questions about the issues raised in this article, please get in touch with Emma Carr, Catherine Naylor or David Lowe.