The speed read
The UK Government has created a new criminal offence for the corporate failure to prevent fraud under the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”), which will come into effect on 1 September 2025.
We explore certain practical preparatory actions that organisations may wish to take and our key takeaways from the introduction of the new offence.
Organisations must formalise and update their existing fraud prevention framework, including training and new written policies and procedures to ensure compliance with ECCTA.
They may also wish to address the new offence by engaging specialists to carry out a risk assessment and implementing the recommendations, which could include, inter alia, appointing a nominated person responsible for fraud prevention, arranging mandatory regular training for all staff, regularly engaging with fraud prevention specialists and updating fraud prevention measures.
In an M&A context, buyers will undoubtedly be seeking warranty or indemnity protection in a share purchase agreement to protect against any failure or non-compliance with the failure to prevent fraud offence.
The enforcement of the new offence and the behavioural changes it may drive will be seen in the years ahead. Will it motivate organisations to seek meaningful cultural change, or will it simply develop into a box-ticking exercise where organisations do the bare minimum? That said, its introduction will at the very least spark important fraud prevention discussions, which could lead to a steady shift in corporate attitudes towards economic crime. It will be fascinating to see how enforcement bodies, the courts and organisations navigate this new landscape.
Read on below for more detail and watch this space!
————————————————————————
The offence for the failure to prevent fraud
The UK Government has created a new criminal offence for the corporate failure to prevent fraud. This offence is set out in ss. 199 to 206 and Schedule 13 of ECCTA.
The new offence will hold large organisations criminally liable for fraud committed by their employees, agents, subsidiaries or other associated persons, where the fraud was committed with the intention of benefiting the organisation or its clients, unless that organisation is able to demonstrate that reasonable fraud prevention measures were in place at the time the fraud was committed.
The offence will come into effect on 1 September 2025 to allow sufficient time for organisations to develop and implement an anti-fraud culture and reasonable fraud prevention measures and to allow for the issuance of guidance, as was done when the Bribery Act 2010 came into force. The onus is on the relevant organisation, where it seeks to rely on the defence, to prove, to a court, that it had reasonable fraud prevention measures in place.
Fraud
The offence applies to a number of fraud offences listed in Schedule 13 of ECCTA and extends to aiding, abetting, counselling, or procuring the commission of a listed offence (s. 199(6) of ECCTA). The offence list can be amended through secondary legislation (s. 200 ECCTA).
Fraud offences in England and Wales include:
Offence: | Statutory reference or common law: |
fraud by false representation | s. 2 Fraud Act 2006 |
fraud by failing to disclose information | s. 3 Fraud Act 2006 |
fraud by abuse of position | s. 4 Fraud Act 2006 |
participation in a fraudulent business | s. 9 Fraud Act 2006 |
obtaining services dishonestly | s. 11 Fraud Act 2006 |
cheating the public revenue | common law |
false accounting | s. 17 Theft Act 1968 |
false statements by company directors | s. 19 Theft Act 1968 |
fraudulent trading | s. 993 Companies Act 2006 |
Territoriality
The offence could have extra-territorial effect in circumstances where there is a UK nexus i.e. the fraudulent act takes place in the UK or targets UK victims, even where the organisation and fraudster are based in another jurisdiction.
Intention to benefit
The offence can apply notwithstanding that (i) the intention to benefit is not the sole or dominant motivation; (ii) the organisation does not actually receive any benefit; or (iii) the benefit is not financial. However, it is to be noted that an organisation would not be liable when it is the actual or intended victim of the fraud (s. 199(3) ECCTA).
Accordingly, an organisation may be accountable where, for example: an employee commits a fraud for personal gain and in doing so indirectly benefits the organisation; the organisation does not actually receive any benefit because the fraud offence was complete before the gain was received; or the benefit would have been non-financial in nature, such as a fraud intended to confer an unfair business advantage or disadvantage a competitor. There are various examples set out in the guidance to organisations on the offence of failure to prevent fraud (“Guidance”).
Defence of reasonable fraud prevention
An organisation will have a defence if it can demonstrate that reasonable fraud prevention measures were in place at the time the fraud was committed, the satisfaction of which shall be determined by the court having regard to the facts and circumstances of the case.
The standard of proof for the defence is the balance of probabilities. However, in most cases, the fact that the fraud did happen would demonstrate that internal processes were inadequate and therefore it may be difficult to use the defence in practice.
Developing fraud prevention measures
Chapter 3 of the Guidance sets out six principles organisations should consider including: (i) top level commitment, (ii) risk assessment, (iii) proportionate risk-based prevention procedures, (iv) due diligence, (v) communication (including training) and (vi) monitoring and review.
The Guidance emphasises that the principles are intended to be flexible and outcome-focussed and that the fraud prevention measures should be tailored to the relevant organisation, its structure and the sector in which it operates.
Principle 1: Top level commitment
The top level commitment to preventing fraud lies with the board, senior management and those involved with governance and they are responsible for implementing an anti-fraud culture and ensuring the organisation has clear governance structures to manage the risk of fraud. This includes leading by example, endorsing and encouraging anti-fraud policies, allocating resources for prevention efforts, putting in place sufficient mechanisms to detect, investigate and address fraud and ensuring staff are well trained and empowered to report any concerns they may have.
Principle 2: Risk Assessment
An organisation should regularly assess and document its exposure to fraud risk and evaluate fraud risks based on the fraud triangle: opportunity, motive, and rationalisation. The risk assessments should consider certain matters with respect to opportunity (e.g. whether associates operate with minimal oversight), motive (e.g. whether there are financial pressures or incentive systems) and rationalisation (e.g. organisational culture and tolerance for fraud).
Risk assessments should be regularly reviewed and updated in accordance with certain sources of information, such as data analytics, audits and sector-specific information. Fraud risks may increase during emergencies, so the risk assessment should be comprehensive enough to cover relevant potential emergency scenarios, while recognising that it is not possible to foresee every emergency.
Principle 3: Proportionate risk-based fraud prevention procedures
An organisation should supplement the existing regulatory landscape with additional in-house fraud prevention measures which are clear, practical and proportionate to the identified fraud risks, considering the size, complexity and activities of the organisation.
Procedures should be proportionate to reflect the level of control the organisation has over associated persons (e.g. employees and contractors) and an organisation may wish to consider reducing fraud opportunities (e.g. through vetting and training) and addressing rationalisation of fraudulent behaviour (e.g. ethical fading).
Principle 4: Due Diligence
Organisations should implement a risk-based approach to any due diligence measures and ensure that these measures are specifically designed to mitigate the risk of fraud. Any due diligence measures should be proportionate to evolving fraud risks; it is clear that there is no expectation for organisations to carry out enhanced due diligence on each of their suppliers, customers or employees.
An organisation may wish to use appropriate technology (e.g. third-party risk management and screening tools, internet searches, trading history and vetting checks), review its contracts with service providers to include appropriate obligations requiring compliance and the ability to terminate for breach, and monitor the well-being of staff and agents to identify potential fraud risks linked to stress or workload pressures.
Principle 5: Communication
Organisations should ensure their fraud prevention measures are communicated, embedded and understood throughout the organisation, both internally and externally. These measures should be communicated from all levels within an organisation, not just senior management, to encourage the anti-fraud culture and deter fraudulent behaviour.
Regular training sessions are key. Training should cover the nature of fraud and prevention and whistleblowing procedures. Whistleblowing is key in fraud prevention as it helps to uncover corruption, fraud, mismanagement and other wrongdoing. Organisations should have appropriate, accessible and independent whistleblowing procedures with clear board level accountability. Staff should be trained to recognise and report fraud and an organisation should foster a culture where concerns can be effectively raised without fear of retaliation.
Principle 6: Monitoring and Review
Organisations should regularly monitor and review their fraud prevention and detection procedures.
Monitoring involves three key elements: (i) fraud detection: organisations should use various measures to detect fraud attempts, such as data analytics, procurement analysis and AI tools, and encouraging early reporting and having clear whistleblowing procedures are critical; (ii) investigation: organisations should have clearly defined criteria for when to investigate, who authorises investigations and how results are reported and acted upon, and investigations should strive to be fair, clearly designed, independent and legally compliant; and (iii) monitoring the effectiveness of existing measures through financial controls, data analysis on fraud prevention participation and updates to procedures and contracts.
Review is essential to adapt to changes in risk, whether internally within the organisation or externally. The frequency of review should be assessed and tailored to the relevant organisation, but risk assessments are typically conducted at standard annual or bi-annual intervals. Reviews should assess fraud detection analysis, investigations and feedback.
Investigations and penalties
The new offence can be prosecuted by the Crown Prosecution Service and the Serious Fraud Office in England. If convicted, an organisation can receive an unlimited fine to be determined by the courts having regard to all of the circumstances.
Summary
Organisations must formalise and update their existing fraud prevention framework, including training and new written policies and procedures to ensure compliance with ECCTA.
Organisations may wish to address the new offence by engaging specialists to carry out a risk assessment and implementing the recommendations, which could include, inter alia, appointing a nominated person responsible for fraud prevention, arranging mandatory regular training for all staff, regularly engaging with fraud prevention specialists and updating fraud prevention measures.
In an M&A context, buyers will undoubtedly be seeking warranty or indemnity protection in a share purchase agreement to protect against any failure or non-compliance with the failure to prevent fraud offence.
The enforcement of the new offence and the behavioural changes it may drive will be seen in the years ahead. Will it motivate organisations to seek meaningful cultural change, or will it simply develop into a box-ticking exercise where organisations do the bare minimum? That said, its introduction will at the very least spark important fraud prevention discussions, which could lead to a steady shift in corporate attitudes towards economic crime. It will be fascinating to see how enforcement bodies, the courts and organisations navigate this new landscape.