What is the offence?
The offence of "failure to prevent fraud" raises the prospect of an organisation being found criminally liable if someone linked to the organisation, such as an employee, agent, subsidiary or other "associated person", commits fraud (or specifically one of the fraud offences prescribed by the Act, being fraudulent trading, fraud, uttering or embezzlement for Scotland) intending to benefit the organisation or any person to whom the organisation or its subsidiary provides services. This applies unless the organisation is able to show that, at the time the fraud was committed:
(i) it had reasonable procedures in place to prevent such fraud, or
(ii) it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.
Organisations do not need to prove that their directors or senior managers were aware of or authorised the fraud. Liability can arise even if senior leadership was unaware of the wrongdoing.
Organisations found guilty of an offence can be subject to an unlimited fine.
Which organisations may be caught?
The offence only applies to "large" organisations. Large organisations are those that satisfy two out of three of the following criteria in the financial year preceding the year of the offence:
- turnover is more than £36 million
- total balance sheet is more than £18 million
- the organisation has more than 250 employees
These criteria can also be applied to all companies within a corporate group structure.
Despite this, smaller organisations should still be aware of best practices in fraud prevention to maintain and protect their reputation.
Extra-territorial effect
The offence also has extra-territorial effect, which means it can be committed by any organisation wherever it is based. For example, an associated organisation could be located outside the UK and commit an act of fraud under UK law.
Who is an "associated person"?
The term “associated person” is broad, covering a range of individuals and entities connected to the organisation, including:
- employees
- agents
- subsidiaries or employees of subsidiaries
- any individual or business providing services for or on behalf of the organisation
The offence only applies when the associated individual or business is acting in their official capacity related to the organisation. For instance, if an employee commits fraud in their personal life unrelated to their work, this does not trigger corporate liability.
Smaller organisations should also be aware that they may be classed as an "associated person" if they provide services for or on behalf of large organisations. If this is the case, smaller organisations may be subject to contractual or other requirements imposed by large organisations in respect of the offence of failure to prevent fraud.
Benefit intention
Another notable aspect of the offence is that the organisation does not have to receive any benefit from the fraudulent act for the offence to apply. The mere intention by the associated person to benefit the organisation is sufficient, as fraud can be complete before any gain is actually received.
Intention to benefit does not need to be the main or dominant motivation behind the fraud. The offence can apply where an associated person's primary motivation was to benefit themselves, or even a client. The benefit can be financial or non-financial.
What are reasonable fraud prevention procedures?
An organisation should be ready to show that it has reasonable fraud prevention procedures in place. The Home Office issued new guidance on the offence in November 2024 and, while what counts as “reasonable” will depend on the organisation’s size, industry and risk profile, the Home Office has advised that a fraud prevention framework should be put in place having regard to the following six principles:
Top-level commitment: Effective fraud prevention starts at the top. Organisations are expected to foster a strong anti-fraud culture led by senior management. This includes:
- Clearly communicating the organisation’s stance against fraud to all employees
- Clear governance
- Leading by example and reinforcing ethical behaviour
- Ensuring ongoing training for staff
Risk assessment: Organisations need to regularly assess their exposure to fraud risks. This means identifying which parts of the organisation or which roles are most vulnerable to fraud.
Proportionate risk-based prevention procedures: Organisations should develop and regularly review fraud prevention measures. Such measures can include:
- Reducing opportunities for fraud
- Reducing the motive for fraud
- Putting in place consequences for committing fraud
Due diligence: Due diligence is key to managing fraud risks. Best practices include:
- Employing technology-based screening tools to detect suspicious activities
- Regularly reviewing contractual arrangements to include anti-fraud clauses
- Monitoring the well-being of employees to detect potential fraud triggers
Strong communication: Policies and procedures designed to prevent fraud must be communicated clearly and embedded throughout the organisation. Employees should understand their roles in fraud prevention and know how to report suspicious behaviour. Regular training will help maintain awareness and ensure everyone is up to date on emerging fraud risks and prevention techniques.
Monitoring and review: Organisations should continuously monitor their fraud detection mechanisms and prevention procedures. This involves:
- Tracking fraud incidents and analysing root causes
- Evaluating the effectiveness of existing controls
- Making necessary improvements based on lessons learned or changes in the risk environment
Organisations may recognise these principles from the Ministry of Justice's guidance on the Bribery Act 2010. While the principles may be the same, the Home Office guidance is different as it is specific to the failure to prevent fraud offence.
Final thoughts
The introduction of the failure to prevent fraud offence marks a shift in corporate responsibility. Large organisations must take proactive steps to implement strong fraud prevention frameworks to avoid criminal liability. While smaller organisations may not be directly liable, they should still strive to adopt best practices to reduce risks and meet contractual expectations from larger clients.
Preventing fraud is not only a matter of compliance; it also protects an organisation’s reputation, financial health and stakeholder trust. By fostering the correct culture and conducting thorough risk assessments, organisations can position themselves strongly to meet the challenges posed by this new offence.
To the extent that organisations are not yet prepared for the new offence, they should seek to identify those areas considered to be of greater risk as a matter of priority (including identifying who might be considered to be associated persons) and focus their fraud prevention framework on those areas first.
Should you require assistance with complying with the relevant provisions of the Economic Crime and Corporate Transparency Act 2023 or wish to update your contract terms to take account of the Act, please contact David Gourlay or another member of the Commercial Team.
This article was co-authored by Sasha Fothergill, Trainee Solicitor in MFMac's Commercial team.