28 February 2025
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) has transformed the law in relation to economic crime. The legislation is intended to drive a major shift in corporate culture to help reduce fraud. It places greater emphasis on the accountability of businesses and encourages more organisations to implement or improve fraud prevention procedures.
Large organisations that fail to prevent fraud will now be criminally liable. From 1 September 2025, these large organisations will be exposed to criminal sanctions if they fail to prevent ‘associated persons’ from committing fraud for the benefit of the organisation. The maximum penalty for a conviction under the offence is an unlimited fine. The only defence is having reasonable fraud prevention procedures in place.
The main challenge for financial services firms is that this legislation overlays an existing regulatory regime, but with a different focus. This article seeks to explore what would be in scope for the new offence and what firms will need to consider to comply.
Overview of the ECCTA
The ECCTA introduces the third ‘failure to prevent’ offence under UK law and, like the other offences - failure to prevent bribery and failure to prevent tax evasion - in effect requires organisations to implement reasonable procedures to prevent fraud. Guidance for this in the ECCTA is the most prescriptive to date.
The ECCTA addresses the so-called ‘identification doctrine’ and removes the narrow ‘directing mind and will’ test for attributing corporate criminal liability, broadening it with a ‘senior manager’ test. This means all organisations, regardless of size, may be held criminally liable more easily than in the past for offences perpetrated by senior managers with decision-making responsibility. This new approach captures a far wider group of individuals whose conduct could now result in liability for fraud and other economic crimes being attributed to the organisation.
Failure to prevent fraud offence – what is in scope?
Relevant body
The failure to prevent fraud offence is directed at a ‘relevant body which is a large organisation’. A ‘relevant body’ is defined as any incorporated company or partnership, which includes offshore corporates (although there must be a UK nexus to the fraud). A ‘large organisation’ is defined as meeting at least two of the following criteria (in the previous financial year):
- Turnover exceeding £36m.
- Balance sheet total exceeding £18m.
- More than 250 employees.
If the organisation meets two of the criteria within only part of a financial year, it would be considered in scope for the duration of that financial year.
It is important that the structure of the ‘large organisation’ is considered. The criteria are applied on a group-wide basis rather than to each individual company, and the guidance makes very clear that subsidiaries are in scope and can also be prosecuted.
The guidance also specifies that it represents good practice and may be helpful to smaller organisations, though the offence cannot be enforced against them.
UK nexus
A breach does not have to occur within UK borders; there simply has to be a connection to the UK (UK nexus). For example, a UK nexus exists if the offence is committed outside the UK but a component part of the ‘base fraud’ is carried out in the UK, the victims are in the UK or the intended benefit of the fraud is felt in the UK.
It would be wise to consider seeking legal advice where UK-based companies have offshore subsidiaries or associated persons, to determine how this would be managed as part of the reasonable procedure framework.
Associated persons
If an associated person commits fraud for the organisation’s benefit, the company is liable unless it can demonstrate that, at the time of the offence, it had reasonable fraud prevention procedures in place. An associated person can be anyone performing services for or on behalf of the organisation, such as subsidiaries, employees, contractors or agents, and there is no requirement for a contract to be in place.
There is no size or geographical restriction to an associated person - any relevant company or individual may find itself in the position of an associated person. Whilst large organisations are directly impacted, small organisations may be ‘associated persons’ while they provide services for or on behalf of large organisations. (Note that organisations supplying goods or services to an organisation, for example lawyers, cleaners, accountants or caterers, are not in scope.)
‘Base fraud’
The offence applies to a number of specified fraud offences, referred to as a ‘base fraud’, listed in a schedule to the act. These include legislative offences, such as fraud by false representation and false accounting, and the common law offence of cheating the public revenue. There is no requirement for there to be an actual gain or a loss, but there must be an intention to benefit the organisation. The intent to benefit may also be financial or non-financial.
Reasonable fraud prevention procedures
The guidance is more prescriptive and detailed, and offers less flexibility, than the supporting guidance for the failure to prevent bribery and the failure to prevent tax evasion. For example, it is made absolutely clear that a thorough risk assessment forms the foundation of reasonable and proportionate procedures, and all the other principles - top level commitment, proportionate risk-based prevention procedures, due diligence, communication (including training), and monitoring and review - should be informed by the results of this.
Criminal liability attributable to senior managers
Already in force since December 2023, Section 196 of the ECCTA establishes a statutory basis for holding all corporations, regardless of size, criminally liable when a ‘senior manager’ commits fraud or a specified economic crime within the actual or apparent scope of their authority. This broadens and codifies the common law ‘identification doctrine’, which was narrowly applied by requiring proof that the company’s ‘directing mind and will’ (i.e. the board or its directors) led to the commission of the offence.
Who is defined as a ‘senior manager’ depends on the actual responsibilities and managerial influence, not the job title; it could include employees, consultants or third parties. In financial services, this definition is far broader than the Senior Managers and Certification Regime.
Actions for financial services firms before September 2025
The offence can be committed by regulated and unregulated entities if they are relevant bodies, and firms will, firstly, need to take the time to consider whether they could be in scope and, secondly, consider the identity of their associated persons. This may regularly need to be reconsidered with organisational changes, such as growth, mergers or acquisitions.
For firms to be able to implement proportional, risk-based fraud prevention procedures, robust risk identification and assessment is key. Complying with the current regulatory framework will not be sufficient to automatically qualify as ‘reasonable procedures’ under the ECCTA. Firms that are relevant bodies operating in the financial services industry will need to consider their current regime in light of the new offence because it is likely that, whilst there may be solid mechanisms in place for fraud prevention, the kind of fraud that the offence is seeking to prevent is primarily not fraud against the organisation, which has been the traditional focus. Therefore, existing financial crime and compliance frameworks and supporting policies and procedures may well be inadequate.
Moreover, whilst there is already a focus on senior managers in financial services, the scope is broader, so staff, contractors, agents and subsidiaries (whether regulated or unregulated) whose actions could result in the firm committing the offence will need to be covered by the risk assessment. When considering the ‘senior manager’ test for attributable criminal liability, firms will need to undertake a gap analysis in the first instance and ensure that their policies and procedures cover the definition provided in the ECCTA.
It will not be necessary or desirable to duplicate existing work, but firms will need to assess the adequacy of the existing compliance frameworks, reporting controls and prevention strategies against the risks that they face in light of the new offence, and enhance and adapt. Inaction will offer no defence.

