Failure to Prevent Fraud: How Prepared is Your Organisation?
Introduction
In a decisive move to combat corporate fraud, the UK government has enacted the Economic Crime and Corporate Transparency Act 2023 (the ECCT Act), which became law on 26 October 2023. The ECCT Act has now introduced the “Failure to Prevent Fraud” (FTPF) offence, and from September 2025, UK companies will face increased scrutiny under this new offence designed to embed a culture of proactive fraud prevention within businesses. The Act targets organisations benefiting from fraudulent activities perpetrated by their employees or agents, especially in the absence of sufficient fraud prevention measures. The wide scope of the offence covers various fraudulent activities, making it imperative for businesses to assess and reinforce their fraud prevention frameworks.
The ECCT Act interacts with and builds upon existing corporate accountability legislation. Businesses should already be aware of their requirement to comply with the UK Bribery Act 2010, prevent the facilitation of tax evasion offences under the Criminal Finances Act 2017, and adhere to the UK Corporate Governance Code, but must recognise that these do not automatically satisfy the specific requirements of the ECCT Act. Therefore, it is crucial for organisations to review and enhance their fraud prevention measures to ensure they are explicitly addressing the new obligations imposed by this legislation, rather than relying solely on their existing compliance frameworks.
This article provides an in-depth analysis of the implications of the ECCT Act, outlining key components of the new offence, potential risks for businesses, and the necessary steps for organisations to implement strong fraud prevention measures.
Understanding the Failure to Prevent Fraud Offence
The FTPF offence aims to ensure businesses are held accountable for fraudulent actions undertaken by their employees, agents, subsidiaries, or other “associated persons” who provide services on the organisation’s behalf, where the fraud was committed with the intention of benefiting the organisation or its clients. Critically, it is not necessary to prove that the organisation’s senior management or directors were involved in or aware of the fraud. Under the ECCT Act, an organisation can be held liable even if it did not directly profit from the fraud, as long as there was an intention to benefit the business or its clients. It is important to note that the FTPF offence does not extend to individual liability for persons within the organisation who may have failed to prevent fraudulent behaviour. However, this does not prevent the employee or agent who committed the original fraud, or anyone who encouraged or assisted them, from being prosecuted for that underlying fraud in addition to the organisation being prosecuted for failing to prevent it.
Which Organisations are in Scope?
The FTPF offence applies to large, incorporated bodies and partnerships across all sectors of the economy. A “large organisation” is defined by the ECCT Act as meeting at least two of the following criteria:
- More than 250 employees
- Over £36 million in turnover
- More than £18 million total in assets
These conditions apply to the financial year of the organisation that precedes the year when the fraud took place.
The ECCT Act applies to UK-based businesses and UK subsidiaries of international entities regardless of where the organisation is headquartered. Moreover, the subsidiary of a large organisation, which is not itself a large organisation, can be prosecuted rather than the parent organisation if an employee of the subsidiary commits fraud intending to benefit the subsidiary.
Relevant Fraud Offences
The ECCT Act covers a broad range of fraud-related crimes, including:
- Fraud by false representation
- False accounting
- Fraud by failing to disclose information
- Fraudulent trading
- Fraud by abuse of position
- Misstatements in financial documents
- Participation in a fraudulent business
- Obtaining services dishonestly
Intention to Benefit
The issue of who is intended to benefit from the underlying fraud is key to determining whether a relevant organisation can be held accountable for the FTPF offence. An organisation does not need to receive any benefit for the offence to apply — since the fraud offence can be completed before any gain is received. It is enough that the organisation was intended to be the beneficiary. The same applies if the intention was to benefit the clients to whom the associated person provides services for or on behalf of the relevant organisation. Therefore, the determination of an organisation’s liability for failure to prevent fraud hinges on the crucial aspect of who was intended to benefit from the underlying fraudulent activities. The ECCT Act does not require that an organisation actually receive any tangible benefit. Instead, liability arises if the organisation was the intended beneficiary of the fraud. This intended benefit can be either financial or non-financial. This focus on “intention” acknowledges that fraudulent acts can be completed before any gains are realised.
An organisation is exempt from liability if it is a direct victim or intended victim of fraud. This exemption applies when the fraud, while aimed at benefiting clients, results in direct financial loss or intentional harm to the organisation itself. Indirect harm, such as reputational damage stemming from the exposure of fraud committed by an associated person, does not qualify the organisation as a victim under this provision. Furthermore, the legal consequences of being charged with the FTPF offence do not, in themselves, constitute victimhood. To be considered a victim and thus exempt from liability, the organisation must demonstrate that it suffered direct financial loss or was the intended target of direct harm from the fraudulent activity, even if that activity was ultimately aimed at benefiting its clients.
Territorial Connection
The FTPF offence in the UK applies only when an associated person commits an FTPF offence under UK law, requiring a UK nexus, which means either the fraud, gain or loss occurred within the UK. Overseas organisations can be prosecuted if their UK-based employees commit fraud, or if their employees or associated persons commit fraud in the UK or target UK victims, but UK organisations are not liable for overseas fraud without a UK nexus. If no part of the FTPF offence occurred in the UK, a UK nexus exists only if actual, not intended, gain or loss occurs within the UK.
Reasonable Fraud Prevention Procedures
Organisations can defend themselves against prosecution and escape liability if they demonstrate they have reasonable procedures in place to prevent fraud. Failure to implement effective anti-fraud measures could expose businesses to significant legal and financial penalties.
1. Top-Level Commitment: Senior leadership must play a critical role in setting the tone for fraud prevention. Effective governance and ethical business practices should be embedded into corporate culture. Top executives must establish clear fraud prevention policies, leading by example in fostering transparency and accountability within the organisation, and ensure sufficient resources are allocated for anti-fraud measures.
2. Comprehensive Risk Assessment: Organisations must implement thorough and continuous fraud risk assessments to identify operational weaknesses. A robust assessment framework should incorporate the "fraud triangle," which encompasses opportunity (weak internal controls enabling fraud), motive (financial pressures or incentives driving fraud), and rationalisation (justifications used by individuals to commit fraud). These assessments should be updated consistently to reflect organisational changes, new threats, and evolving regulations.
3. Proportionate Risk-Based Fraud Prevention Procedures: Organisations should develop tailored fraud prevention strategies based on their risk assessments. Effective fraud prevention plans encompass several key elements: implementing robust internal controls to minimise fraud opportunities, establishing clear policies and consequences for fraudulent activities, strengthening financial monitoring systems to detect anomalies, and fostering a culture of ethical behaviour and integrity.
4. Due Diligence on Employees and Third Parties: To effectively minimise fraud risks, organisations must prioritise thorough vetting of employees, third-party partners, and suppliers. This involves conducting comprehensive background checks on all new hires and business partners. Furthermore, implementing clear contractual clauses that explicitly outline fraud prevention expectations is essential. Ongoing monitoring of third-party transactions and engagements is also crucial for the timely detection of any suspicious activities.
5. Training and Communication: Fraud prevention policies must be clearly communicated across all levels of the organisation. Regular training should educate employees about fraud risks and red flags, reinforce whistleblowing policies and reporting procedures, and encourage ethical decision-making in daily operations. Training is a key element in demonstrating that an organisation has taken appropriate steps to mitigate fraud risks.
6. Monitoring and Review: To maintain robust defences against fraud, organisations must engage in continuous monitoring and evaluation of their fraud prevention frameworks. This necessitates the implementation of internal audits, designed to rigorously assess the efficacy of existing anti-fraud measures. Furthermore, regular reviews of fraud prevention procedures are essential to identify and rectify any weaknesses that may emerge over time. Crucially, organisations must establish clear and efficient mechanisms for the reporting and subsequent response to suspected fraud incidents, ensuring that potential threats are addressed promptly and effectively.
Consequences of Non-Compliance
Businesses could face unlimited financial penalties, and while individual liability for the failure itself does not extend to senior managers or directors, they can be held accountable for any underlying fraudulent activities they personally commit. Beyond the threat of substantial fines, the damage to a company’s reputation and brand can be severe, leading to loss of business and investor confidence. Regulatory bodies will likely subject the organisation to intense scrutiny, potentially triggering legal action from enforcement agencies.
Preparing for the Deadline
With the 1st of September 2025 enforcement date rapidly approaching, now is the perfect time to review your fraud prevention framework and take the necessary steps to protect your organisation from fraud risks. By prioritising fraud prevention, businesses can effectively reduce both financial and legal exposures, while simultaneously fostering a culture of accountability and integrity.
For further details and sector-specific guidance, organisations should consult the full guidance document and seek professional legal advice as needed. If you have any questions or need further details on how to prepare your organisation, please contact Saurabh Bhagotra, Head of Dispute Resolution at Oracle Law Global.