Catherine Naylor
Partner
On 1 September 2025, the new failure to prevent fraud offence (FTP Fraud Offence) will come into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). As outlined in our July briefing on the key points to note about the new offence, the FTP Fraud Offence will be applicable to large organisations that fall within scope and is being enacted as part of a wider reform of corporate criminal liability. Under the new legislation, an organisation can be liable if a person associated with it commits a fraud offence with the intention of benefiting the organisation, or any person to whom the associated person provides services on behalf of the organisation.
In this update on the new offence, we summarise the guidance and the steps that 'in scope' large organisations can take to help comply with the new offence.
An organisation can avoid liability for the FTP Fraud Offence if it can prove it had reasonable prevention procedures in place or is able to demonstrate - to the court's satisfaction - that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.
ECCTA stipulates that the FTP Fraud Offence will not take effect until at least nine months after guidance on what represents reasonable fraud prevention procedures is published. On 6 November, the Government published this awaited guidance, outlining what constitutes reasonable procedures for organisations to put in place to prevent fraud arising on the part of the business and its associates. It also confirmed that the date the offence will come into effect is 1 September 2025.
Looking at the details, the guidance provides a full overview of the offence, including which organisations are in scope, the types of fraud covered, and who might be defined as an associated person for the purposes of ECCTA. It also gives a number of helpful examples to illustrate how the offence will be implemented - two of which are set out below:
Example of intended benefits: A large company is seeking investments. The accounting department deliberately manipulates the accounts to overstate the profits. The intent of the fraud is to benefit the company by making it appear more attractive to investors. In this circumstance, the base fraud is fraud by false accounting and the associated person is the relevant employee (or employees) in the accounts department.
Example of an indirect benefit: A company has an environmental permit from the Environment Agency for limited discharges into a river. As a condition of that permit, the company must provide the discharge data to the Environment Agency. The head of the technical department of that company deliberately falsifies the company’s discharge monitoring system. As a result, the company discharges more pollution than it is allowed to under the terms of the environmental permit. The company provides false data to the Environment Agency, with the intention of avoiding the financial penalties that the Environment Agency can impose. The associated person in this case is the head of the technical department and the base fraud is fraud by false representation.
The guidance makes it clear that any assessment of what are "reasonable procedures" will be fact-specific. Departures from suggested procedures within the guidance will not automatically mean that an organisation does not have reasonable fraud prevention procedures, as different prevention procedures may also be considered reasonable by a court. Equally, even strict compliance with the guidance will not necessarily amount to having reasonable procedures where the company faces particular risks arising from the unique facts of its own business that have not been addressed.
Chapter three of the guidance identifies six principles that should be used to establish a fraud prevention framework, which are similar to those set out in government guidance on the failure to prevent bribery offence under the Bribery Act 2010. The following is a high-level overview of the principles:
Top level commitment is critical to achieving good governance, and organisations should be able to demonstrate that senior managers are committed to preventing fraud from being committed within, or using, their business. The guidance contains numerous examples of how this commitment can be demonstrated, including:
The organisation must carry out a risk assessment and classify identified risks by 'likelihood' and 'impact,' with explanations for each classification. The guidance suggests that the assessments are approached through a "fraud triangle", which looks at:
Importantly, risk assessments should be reviewed regularly to show that the procedures in place at the time of the fraud are reasonable.
The organisation should draw up a fraud prevention plan, with procedures that are proportionate to the risks identified by the risk assessment. The procedures should be based on reducing the opportunity, motive and means for committing fraud, and should take into account the level of control and supervision the organisation may exercise over particular persons acting on its behalf.
Many large organisations will already be subject to existing regulations that require controls to mitigate the risk of fraud, so existing regulatory compliance mechanisms, financial reporting controls and fraud prevention measures may be taken into account. Even if the existing controls are considered sufficient, organisations should be able to demonstrate that they have reviewed their policies and procedures.
The guidance also recommends that the fraud prevention plan is tested by members of the organisation who were not involved in writing it.
Organisations should undertake due diligence, either internally or externally, on persons who perform services for or on behalf of the organisation. The due diligence should be proportionate to the identified risk, so applying existing procedures will not necessarily be adequate to address the specific risk of fraud.
Companies are also expected to conduct due diligence in relation to M&A targets, with fraud prevention measures being integrated post transaction.
Communication and training are key to ensuring that fraud prevention measures are embedded and understood throughout the organisation. The training should, in particular, be targeted at those in the highest risk posts, and cover the nature of the offence as well as the procedures to address it.
The guidance emphasises the importance of whistleblowing as part of the compliance programme. If this is not already a requirement for the organisation, then the guidance sets out some detailed measures the company may wish to consider.
The organisation will need to monitor and review its fraud detection and prevention procedures - for example, monitoring financial controls and monitoring updates to procedures. Although measures may already be in place for detecting frauds against the organisation, consideration will need to be given as to how these might be extended to frauds that might be intended to benefit the organisation or its clients.
Reviews should be conducted at consistent intervals, but the organisation should also be aware of the need for an earlier or partial review, and possible amendment to its procedures in response to external factors.
Organisations that are in scope of the new offence under the ECCTA now have nine months in which to consider how the various fraud offences pose a risk to them, and to put the necessary procedures in place to afford them a defence to the new FTP Fraud Offence.
Responsibility for putting the necessary framework in place should be established early, with thought given to how senior managers can demonstrate their commitment to preventing fraud.
A specific risk assessment is a crucial starting point, irrespective of whether similar assessments are already carried out. This will enable the organisation to identify whether existing procedures are adequate or need to be amended or supplemented.
To explore how your current policies and procedures align with the new requirements and what areas you might need to consider to provide a stronger defence against fraud risks, please contact Catherine Naylor, Sharon Ayres or Caroline Williams.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.