FRAUD PREVENTION New failure to prevent fraud offence: what you need to know

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) created a new corporate criminal offence of ‘failure to prevent fraud’. The offence is one of a number of measures introduced under ECCTA, which are designed to encourage organisations to implement or improve fraud prevention procedures, helping to elevate fraud prevention in corporate culture, and encourage responsible business. 

Overview of the offence 

Under the offence, which came into force on 1 September 2025, a large organisation will be criminally liable for failing to prevent fraud where: 

1. a specified fraud offence is committed by an employee, agent or subsidiary or other associated person with the intention of benefitting the organisation; and 

2. it did not have reasonable fraud prevention procedures in place. 

If an organisation is found to be liable for failing to prevent fraud, it will have a defence if it can demonstrate that it had reasonable fraud prevention procedures in place, or if it can demonstrate that it was not reasonable to expect the organisation to have any prevention procedures in place. 

The new offence is a strict liability offence, and it is not necessary to demonstrate that the organisation’s senior managers or directors ordered or knew about the fraud. This will increase the likelihood of successful convictions. The benefit intended by the organisation may be financial or non-financial, and it does not matter whether the benefit is in fact realised, only that the fraud was committed, with the intention of benefiting the organisation. 

If an organisation is convicted, it is punishable by an unlimited fine. However, there is no individual liability attached to the offence as the government did not consider it proportionate to prosecute an individual who did not consent to or know about the offence. 

Who does the offence apply to? 

The offence applies to any relevant body which is a large organisation. 

A relevant body is broadly defined and includes incorporated bodies (including not-for-profit organisations and corporate public bodies) and partnerships. A large organisation is defined as one which has at least two of the following: 

• more than 250 employees 

• a turnover of more than £36 million 

• total assets of more than £18 million. 

Although these criteria relate to large organisations, their application is much broader as they can also be applied on a group basis (including to all subsidiaries) in addition to each separate entity within a group. This means that where an employee of a subsidiary (which itself is not a large organisation) commits fraud intended to benefit the subsidiary, the subsidiary may be prosecuted. If the fraud committed by the employee is intended to benefit the parent organisation, then the parent organisation may be prosecuted. 

It should be noted that the offence does not only apply to UK based organisations and UK business activities. The extra territorial scope of the offence means that it can apply to overseas organisations if the fraud offence is committed in the UK or targets victims in the UK. Likewise, if a UK-based employee commits fraud, their overseas employer could be prosecuted. 

Who counts as an “associated person”? 

A person is associated with a relevant body if the person is an employee, agent or subsidiary of the relevant body or performs or provides services for or on behalf of the relevant body. The courts will take all relevant circumstances into account in determining whether a person meets the associated person criteria. 

Providing services for or on behalf of the relevant body does not include providing services to the relevant body (such as suppliers of professional services), and providing services does not include providing goods. 

What is a fraud offence? 

A fraud offence consists of the offences listed under ECCTA and includes common law offences, such as cheating the public revenue, and statutory offences such as fraud, fraudulent trading, obtaining services dishonestly, false accounting and false statement by company directors. In addition, a fraud offence includes aiding, abetting, counselling or procuring of any of the underlying fraud offences. Examples in practice may include falsifying reports or valuations, making false statements in accounts or contracts or misrepresenting the condition or quality of assets. 

What are “reasonable prevention procedures”? 

Organisations found guilty of failing to prevent fraud may have a defence if it can be successfully demonstrated that the organisation had reasonable prevention procedures in place to prevent fraud. 

In November 2024, the Home Office published guidance which sets out what organisations should consider when implementing reasonable fraud prevention procedures. It sets out six principles: 

1. Top level commitment: senior management should lead by example and foster a culture where fraud is never acceptable 

2. Risk assessment: organisations should adopt a dynamic approach to the assessment of risk, which must be kept regularly under review 

3. Proportionate risk-based fraud prevention procedures: fraud prevention procedures should be proportionate to the risk faced and the nature of an organisation’s operations 

4. Due diligence: due diligence proportionate to the fraud risk should be undertaken on associated persons 

5. Communication: fraud prevention policies and procedures should be clearly communicated across the organisation to encourage compliance, along with regular training 

6. Monitoring and review: regular monitoring and review of fraud detection and prevention procedures should be undertaken and improvements made where necessary. 

The guidance makes it clear that there is not a one-size-fits-all approach to reasonable procedures, and following the guidance does not guarantee a safe harbour for organisations if it is not appropriate to that organisation’s circumstances. Organisations will therefore need to create procedures which are appropriate to the nature of their operations, employees, agents and supply chains. 

How does this impact public sector organisations? 

The broad reach of this new offence is likely to capture many public sector organisations, including local and housing authorities, NHS trusts and charities. These organisations are also likely to meet the criteria for large organisations, given its group-wide application which extends the reach of the legislation once the activities of group companies are taken into account. 

Organisations need to understand who their associated persons are. Employees, agents and subsidiaries are automatically included, and property surveyors and managers will be well placed to help identify other associated persons providing services for, or on behalf of, the relevant body. 

Many of the public sector organisations likely to be affected by the new offence will not be strangers to the sort of risk assessments and measures required to protect the organisation from it, and existing compliance procedures may form the basis for preparing reasonable fraud prevention procedures. 

For any organisations that have yet to start reviewing their fraud prevention procedures, urgent action is required, and they should consider implementing (or reviewing and enhancing) the following: 

Fraud risk mapping: identify areas in the property and estates functions where fraud could occur, including the likelihood and impact of the fraud on the organisation. In addition, consider the internal and external associated persons (including contractors, agents, sub-contractors, surveyors and consultants) who work for or on behalf of the organisation. 

Policies and procedures: there should be clear anti-fraud policies applicable to the relevant teams, including mechanisms for reporting concerns easily and safely. Procedures must not be static, and the organisation must review and adapt them, including in response to market conditions, the regulatory environment, property market changes and supply chain issues. 

Training and awareness: all new and existing staff (including employees and contractors) should be trained on the fraud offences and their consequences to the organisation. Further training may be appropriate for surveyors and property managers with key responsibilities (e.g. relating to contract management and payment approvals). 

Supply chain analysis: existing processes should be checked to ensure satisfactory checking of credentials, potential conflicts of interest, and financial and quality checks. Contract terms for external suppliers should include obligations to comply with anti-fraud statements and ensure accurate reporting. 

Oversight, monitoring, audit: organisations should implement regular audits of contracts, maintenance works, valuations and consider carrying out spot checks and surprise inspections. Anti-fraud measures should be coordinated across the relevant teams (which could include finance, legal, procurement, compliance and property and estates teams). 

Record keeping: keeping records of risk assessments, decisions not to mitigate certain risks, approvals, contract clauses, training delivered, audit and investigation findings will be critical to evidence that reasonable steps are being taken. 

The Birketts view – next steps 

The offence of failure to prevent fraud was introduced on 1 September 2025 and marks a step change for corporate criminal liability in England and Wales, by shifting the focus from individual to organisational liability. The offence will make it easier to hold large organisations to account for fraud committed by associated persons, which may benefit the organisation, and the onus is now on them to put in place robust fraud prevention procedures. 

Public sector organisations that are potentially caught by this new offence should therefore take the opportunity now to consider their potential exposure under ECCTA and review, develop and enhance existing procedures to prevent fraud and promote responsible business practices.