The UK’s new Failure to Prevent Fraud offence will come into force on 1 September 2025. This major development means that commercial organisations will be criminally liable if an employee, agent, subsidiary or other “associate” commits a fraud, intending to benefit the organisation or its customers (as opposed to a fraud on the organisation). The offence has a degree of extra-territorial effect and organisations with any exposure to the UK may be within its scope.
Organisations will have a defence if they had “reasonable” fraud prevention procedures in place at the time the fraud was committed. To make sure the defence is available, organisations will need to review and update their anti-fraud compliance programmes to bring them into line with the requirements of the new legislation and guidance.
The new offence has been modelled on the Failure to Prevent Bribery offence under the UK Bribery Act, although there are important differences, including:
i) non-UK organisations may be liable only if the underlying fraud has a UK nexus (whereas under the Bribery Act an organisation that does some business in the UK can be liable for bribery conducted entirely overseas);
ii) “associates” expressly include subsidiaries (whereas under the Bribery Act not all subsidiaries will be caught because associated persons are those who perform services on behalf of the organisation); and
iii) for a parent company to be liable for frauds carried out at a subsidiary, there must have been an intention to benefit the parent.
Despite these differences, we expect most businesses to adopt a broadly similar approach to compliance under the new regime, such as by implementing a global anti-fraud policy.
Overview of the offence
The Failure to Prevent Fraud offence is set out in the Economic Crime and Corporate Transparency Act, which became law on 26 October 2023. It applies to all corporate entities and partnerships, wherever established, provided they meet certain size thresholds.[1]
Organisations in scope will be criminally liable if an “associate” commits a specified fraud offence, intending to benefit (directly or indirectly) the organisation or any person to whom the associate provides services on behalf of the organisation. The corporate offence applies to a wide range of underlying fraud-related offences, including fraud by false misrepresentation, fraud by abuse of position, false accounting, misleading corporate statements, cheating the public revenue (i.e. tax fraud) and several others.
Scenarios that could expose an organisation to liability include, for example, mis-selling or other inaccurate statements to customers or investors; “cooking the books” (e.g. manipulation of accounts, forecasts or targets); false representations, warranties or disclosures in M&A transactions; greenwashing and other inaccurate disclosures to the market; misrepresenting the benefits or uses of AI products; misleading disclosures and applications to regulators or tax authorities; or false insurance claims.
Both UK and non-UK organisations may be liable, but the underlying fraud has to be prosecutable in the UK, which requires there to be a “UK nexus” (i.e. a relevant connection) between the associate’s fraud and the UK (i.e. England, Wales, Scotland or Northern Ireland). For most of the applicable fraud offences, under the law of England & Wales, a nexus will be formed if any element of the fraud took place in England or Wales, including for certain offences if a loss or gain occurred in the jurisdiction. Organisations may be at risk of criminal liability for Failure to Prevent Fraud if any part of their business is exposed to the UK, such as if they have customers, investors, bank accounts, counterparties, employees, offices, subsidiaries, branches or any operations in the UK.
An organisation found to have committed the new offence may be subject to significant financial penalties (including technically unlimited fines, but subject to general sentencing principles), plus reputational and other consequences that may flow from having a criminal conviction or public admission of liability.
Reasonable fraud prevention procedures
As noted above, organisations will have an important defence if they can show that they had “reasonable” fraud prevention procedures in place. The legislation does not specify what this means, but further detail on the Government’s expectations is contained in the statutory guidance to organisations on the offence, which was published on 6 November 2024 (the “Guidance”).
Similar to the statutory guidance for existing “failure to prevent” offences, the Guidance is based around six main principles:
- Top level commitment;
- Risk assessment;
- Proportionate risk-based prevention procedures;
- Due diligence;
- Communication (including training); and
- Monitoring and review.
Organisations will need to be able to demonstrate how their fraud-prevention programmes meet the requirements of each principle. Examples of the sorts of points that organisations will need to consider under each principle are outlined below.
(1) Top level commitment: The highest levels of the organisation should take responsibility for, engage with and endorse the fraud prevention programme. Ensure there is clear governance across the organisation in relation to fraud prevention. Foster an open culture where concerns can be raised.
(2) Risk assessment: Assess and document fraud risks across the organisation. For these purposes, the focus is on outward fraud committed by the organisation and its associates, not on fraud committed against the organisation by employees or third parties. It can be helpful to classify each risk, such as by likelihood and impact. Fraud risk assessments should be refreshed regularly, probably at least once a year.
(3) Prevention procedures: Have a fraud prevention plan, which is proportionate to the risks and their potential impact. Organisations that already have fraud prevention procedures in place and/or are subject to existing regulations should consider whether existing procedures are sufficient to meet the requirements of the new offence.
(4) Due diligence: Conduct proportionate and risk-based due diligence on all “associates” to mitigate identified fraud risks. Existing diligence may not necessarily be sufficient in all cases.
(5) Communication: Ensure that “prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication.” In addition, “[t]raining and maintaining training are key” and the Guidance places particular emphasis on ensuring that whistleblowing policies and procedures are in place and fit for purpose.
(6) Monitoring and review: Fraud prevention procedures need to be monitored and reviewed on an ongoing basis, with improvements identified and implemented as necessary.
Action needed – What organisations need to do now
Organisations should be moving ahead with their response to ensure compliance before September 2025. While different approaches will be suitable for different organisations, it is likely that all organisations will need to consider the following steps in particular:
- Brief/update the board and senior management;
- Prepare a fraud prevention plan and a clear governance structure for fraud prevention;
- Conduct/extend a fraud risk assessment;
- Review any current anti-fraud policies and procedures to assess whether they meet the new requirements and implement any improvements that may be needed;
- Roll out/update fraud prevention training;
- Update contractual terms with associates, in particular third parties who pose a risk;
- Review whistleblowing arrangements;
- Ensure that internal and external communications adequately convey the organisation’s stance on fraud prevention; and
- Establish a process for ongoing monitoring and review.
[1] I.e. they satisfy at least two of the following criteria: (i) turnover of more than £36 million; (ii) assets on the balance sheet of more than £18 million; and (iii) more than 250 employees.