New offence of ‘Failure to Prevent Fraud’ — how businesses must prepare
Authors: Dan Stowers, Lucy Ryczany

The Economic Crime and Corporate Transparency Act 2023 introduced a new corporate criminal offence — Failure to Prevent Fraud. The introduction of the offence has been long anticipated and — following guidance issued by the Home Office in November 2024 — will come into force on 1 September 2025.
As a consequence, time is running out for firms to “get their house in order or face criminal investigation”. Here, Dan Stowers and Lucy Ryczany outline what the new offence is, how it works and what organisations must do to stay compliant.
What is Failure to Prevent Fraud?
From 1 September 2025, large organisations will be criminally liable if they fail to prevent fraudulent behaviour committed by an ‘associated person’. This will expose businesses to the risk of investigation for the criminal actions of others.
An organisation is considered to be ‘large’ and in scope for the offence if it satisfies two of the following criteria:
- Turnover that exceeds £36m.
- Balance sheet in excess of £18m.
- More than 250 employees.
Under the new offence of failing to prevent fraud, a corporate may be held criminally liable if it fails to prevent a person associated with the organisation from committing a ‘base’ fraud offence.
As it stands, in England and Wales, such offences include:
- Fraud offences under section 1 of the Fraud Act 2006 including:
  - Fraud by false representation (section 2 Fraud Act 2006).
  - Fraud by failing to disclose information (section 3 Fraud Act 2006).
  - Fraud by abuse of position (section 4 Fraud Act 2006).
- Participation in a fraudulent business (section 9 Fraud Act 2006).
- Obtaining services dishonestly (section 11 Fraud Act 2006).
- Cheating the public revenue (common law).
- False accounting (section 17 Theft Act 1968).
- False statements by company directors (section 19 Theft Act 1968).
- Fraudulent trading (section 993 Companies Act 2006).
Notwithstanding the above, it has always been envisioned that (where appropriate) the relevant offences could be amended by statutory instrument. However — while the legislation is currently focused on fraud — given the development of earlier failure to prevent offences (including the failure to prevent bribery and the failure to prevent the facilitation of tax evasion) as well as the clear legislative shift towards holding corporates to account for the actions of their ‘associated persons’, there may be further developments and expansion of the new offence.
In fact, the Crime & Policing Bill (currently before Parliament) could — if left unamended — see the extension of corporate criminal liability to all offences in circumstances where the predicate offence is committed by a senior manager of the organisation.
What is an ‘associated person’?
A relevant organisation must consider who (within the organisation) may be capable of binding the corporate with criminal liability. Their roles and remits within the organisation must then be carefully defined.
It’s important to be aware that the interpretation of ‘associated persons’ is (and will continue to be) far reaching. As a consequence, the actions of individuals (together with employees and agents) working within a corporate’s supply chain or partnering firm (and who are deemed to be providing a service for or on behalf of the business) may be capable of binding a company with criminal liability.
The legislation defines an associated person as either:
- an employee, agent or subsidiary undertaking of the relevant body
- a person who otherwise performs services for or on behalf of the body.
Notably, the associated person must also be acting in the capacity of a person associated with the organisation at the time that the fraud is committed. An organisation should therefore have a clear policy relating to the scope of an individual’s duties and use of company equipment for personal purposes to ensure that parameters are clear and defined.
Since the definition of an associated person is deliberately wide reaching — and there’s no definitive list of such persons — when conducting a financial crime risk assessment, an organisation must consider and identify any and all persons who perform services for or on behalf of the organisation. This may include franchisees or sub-contractors.
Where the relationship between the individual and the organisation is unclear, the question as to whether the individual is an associated person will be determined by all ‘relevant circumstances.’ This is a factual determination and when considering this question, a court will consider the reality of the relationships between an organisation and an individual on the ground. For example, the existence of a contract or express agreement in itself won’t be determinative of a relationship.
Reasonable procedures
Section 199(4) of the Economic Crime and Corporate Transparency Act 2023 provides a defence to an organisation in circumstances where — at the time that the fraud was committed — it had in place ‘reasonable procedures’ to prevent the commission of the predicate offence.
So, what are ‘reasonable procedures’ and how can you protect your business?
In November 2024, the Home Office issued guidance aimed at assisting organisations in implementing reasonable procedures to prevent fraud with the aim of “encouraging organisations to build an anti-fraud culture”.
It should be emphasised that there’s no one-size-fits-all policy that’ll ensure a defence for every organisation. The guidance recognises that every industry is exposed to specific risks and that “individual sectors of the economy may choose to develop sector-specific guidance to provide more detail on prevention measures commensurate to the specific risks in that sector”.
Is your business at risk?
While there’s no precedent risk assessment and every organisation will be required to tailor a risk assessment that’s specific to the operation of their business, guidance issued by the Home Office suggests that organisations should consider the following when assessing risk:
- Opportunity for fraud to take place — are internal controls sufficient? Is there adequate oversight from senior management? Does the individual have the opportunity to commit fraud (i.e., do they have access to financial resources)?
- Motivation — is there pressure to meet targets? How about economic pressure? Does the individual seek rewards or recognition?
- Rationalisation — an individual may seek to justify their actions based on, for example, there being ‘no harm’, the organisation benefitting from the act or feelings of entitlement or resentment.
When implementing or amending existing compliance policies, the first step should be to risk-assess the business — identifying areas where the company may be exposed to fraud in light of the specific base offences that are in scope of the new fraud offence. This risk assessment should not only include the organisation itself but also any subsidiaries, franchises or other organisations like sub-contractors — specifically, those that may be considered to be performing a service on behalf of the organisation.
Organisations should also consider and assess the risk of fraud posed to the organisation based on the various roles and responsibilities held by individuals and identify where there may be greater opportunities for fraud to occur. This may also extend to risk-assessing prospective employees and contractors.
Even though the legislation acknowledges that — in some circumstances — it may not be reasonable for an organisation to have in place any fraud prevention procedures, such a decision may be difficult to justify if the organisation was unable to demonstrate that it had conducted a thorough and comprehensive risk assessment.
A risk assessment should be reviewed periodically to ensure that it continues to meet the needs of an evolving business — particularly where there are any changes to business operations.
Leading by example — a zero-tolerance approach
One theme that runs through all the guidance on the failure to prevent offences is that of “top level commitment”. Any anti-fraud policy should be endorsed at board level to illustrate the active commitment of senior management to compliance.
Directors and senior management should foster an ethical compliance culture where employees and those considered to be associated persons are able to report allegations of fraud without fear of repercussion.
An organisation’s zero-tolerance approach to fraud must be clear, endorsed and promoted at all levels. The mere existence of an anti-fraud policy won’t be sufficient to provide a defence to an organisation accused of failing to prevent fraud; the policy must be implemented in the day-to-day running of the business.
This means that senior management must lead by example and be actively engaged in promoting internal policy. This includes sending out a clear stance on the organisation’s tolerance of fraud and unethical behaviour and making clear the consequences for those who fail to adhere to the policy.
Policies & procedures
An organisation’s fraud prevention policy should document and implement internal controls to both minimise the risk of fraud occurring and detect occurrences of fraud within the business.
What those policies and procedures look like — and how they’re implemented — will depend on (among other things) the corporate’s size, jurisdiction and the sectors it operates in. It’s important to understand that a fraud prevention policy is likely to form part of a wider suite of policies and procedures that engender the ethical and responsible behaviours of a robust compliance culture.
Subject to the issues identified following the risk assessment, an anti-fraud policy may typically include the segregation of duties, regular audits and real-time monitoring of transactions. Where appropriate, this may also extend to include robust measures to monitor the organisation’s supply chain. The policy should also identify a clear reporting and/or whistleblowing procedure for employees and other associated persons to report instances of fraud without fear of repercussion.
Due diligence
In a generic financial crime context, due diligence refers to the steps that are taken to inform an organisation of the risk associated with dealing with persons or organisations that perform (or will perform) services on its behalf to identify and mitigate the risks associated with that relationship.
It’s particularly important to undertake due diligence given the wide scope of those who might be considered ‘associated persons’ and render the organisation liable for their criminal activity.
Due diligence may necessitate the use of technology (such as screening programmes) or conducting internet searches prior to any recruitment or procurement process so that an organisation understands who it’s doing business with.
The due diligence will of course vary depending on the risk associated with the relevant activity — in higher risk situations, due diligence and monitoring may be extensive.
Monitoring & review
Business is rarely static. Businesses change and evolve and risks ebb and flow. As such, the guidance recommends that compliance programmes be monitored and reviewed to identify any necessary changes.
Monitoring can take many forms — both internal and external — and can include:
- Internal and external audits.
- Staff questionnaires.
- Periodic ‘at seat’ risk assessments.
- Reporting to board (consideration and approval).
Training & awareness
It won’t be sufficient for an organisation to simply demonstrate that a fraud policy exists. Organisations should actively implement their procedures and provide training to employees and others who may be considered associated persons as to the risks of fraud — endorsing ethical and proper practice and emphasising a zero-tolerance approach to fraud.
Having a full suite of policies and procedures won’t help a corporate if its people (including those associated with it) are unaware of their obligations, responsibilities and the ways in which their behaviour can impact the business.
Guidance relating to each of the failure to prevent offences suggests that businesses should deliver anti-financial crime and unethical conduct messages clearly and develop training programmes so that the right training is given to the right staff to ensure compliance with the financial crime compliance programme.
This training should commence at the point of onboarding new staff members and continue throughout their employment with periodic updates and reviews. Given the new failure to prevent fraud offence, businesses with existing training regimes should revisit the nature and scope of their training.
Talk to us
Preventing fraud requires a comprehensive approach that combines top-level commitment, robust risk assessments, enhanced internal controls and a culture of integrity.
By implementing this counter-fraud guidance and strategy, organisations can protect themselves from the significant risks associated with fraud and ensure the safety and reliability of their operations.
If you need advice on how the new offence could affect your organisation, our corporate defence and compliance team can assist.
We advocate the ethos that ‘prevention is better than cure’ and have been instructed to advise corporates on the strength of their existing compliance regimes, as well as adopting suitably risk-assessed policies to protect against prosecution.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.

