The new offence of failure to prevent fraud: how businesses must prepare
Rachael Gregory explains how new fraud prevention laws will hold corporations strictly accountable for employee misconduct.
With the creation of a new offence of failure to prevent fraud, which comes into force on 1 September 2025, major corporations will be held more strictly to account for fraud committed by their employees, agents and associates who provide services on behalf of the organisation. Under the new offence, directors or senior managers can be considered criminally liable for fraudulent conduct of others which may benefit the organisation regardless of whether they were aware of the fraud.
The new offence, brought into law by the Economic Crime and Corporate Transparency Act 2023 (ECCT), is one of various steps being taken by the Serious Fraud Office (SFO), which is part of the Home Office, to tackle fraud, which currently accounts for over 40 percent of crime in England and Wales.
The terms of the offence shift the emphasis in such prosecutions from individual knowledge of fraudulent activity to businesses having the right safeguards in place to prevent wrongdoing in the first place.
Scope of the offence
According to Home Office guidance, an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’ commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place. A person who provides services for or on behalf of an organisation is classed as an associated person while they are providing those services.
So, for example, if an employee is engaged in dishonest sales practices or deceitful behaviour in financial markets, then the company itself could face prosecution. This would also apply if employees were engaged in the practice of hiding significant information from the organisation’s investors or consumers. Organisations should also be aware that the offence applies when a fraud has been committed for the benefit of the organisation, even if there has been no actual advantage. So, even if dishonest sales practices did not result in any increase in sales, the organisation may still be liable under the provisions of the new offence.
Who does the offence apply to?
Size of company
The guidance applies to all companies with more than 250 employees, a turnover of more than £36m, or total assets of more than £18m. Any firm which falls within these criteria will not be able to claim ignorance of the SFO measures, because the precise definition leaves no room for misinterpretation.
Smaller organisations will still need to consider compliance with the legislation, not just for good practice, but because a large organisation will likely require them to have reasonable procedures in place if they fall within the scope of ‘associated person’ of the large organisation. The Guidance states that if an employee of a subsidiary of a large organisation commits fraud that is intended to benefit the subsidiary, the subsidiary may be prosecuted for failure to prevent fraud even though it does not itself fall within the definition of a large organisation.
Extra-territorial impact
The new regime will include organisations incorporated outside of the UK, and as such businesses registered in other jurisdictions may find themselves liable for actions of employees or associates carried out within the UK. It will apply to organisations where part of the offence takes place in the UK. This would include situations where part of the fraud takes place in the UK but could also apply where there are victims in the UK or, for certain offences, where there is a gain in the UK. Even if an organisation is based outside of the UK and doesn’t have any nexus here, it could still be liable for actions of a third-party service provider operating within the UK.
Accordingly, both UK and non-UK companies will need to assess whether the acts of their employees, subsidiaries, or agents are likely to give rise to liability for the company under the new offence.
Change from the current position
Where the new rules differ from the status quo is in the assumption of corporate responsibility. As some experts have commented, the new guidance marks a major shift in tone, with affirmative corporate governance at its core designed to ensure large corporations are properly held to account for committing serious crimes.
The offence constitutes a significant departure from the current common law ‘directing mind and will’ test, the legal test (known as the identification doctrine) currently used to attribute criminal conduct to corporations. At present, the prosecution must identify a specific individual or individuals who can be said to have sufficient involvement, knowledge and seniority to be the directing mind and will of the company. The way the identification doctrine operates means that seniority alone is not sufficient, and the prosecution must evidence the scope of any delegated authority to do the acts in question before it can assert that the individual in question represented the directing mind and will of a company.
Individuals who carried out the actual fraud can still be prosecuted under existing laws, but, crucially, the organisation which employs them will now face a prosecution too if investigators can reasonably conclude that the organisation failed to prevent the crime. If an employee or agent has committed a fraud, as a defence to prosecution, the organisation will need to be able to demonstrate that it had adequate policies and procedures in place to prevent fraud.
An organisation can also escape liability if it itself was a victim of, or was intended to be a victim of, the fraud. However, where the individual committed the fraud intending to benefit the company, this does not apply (even if in practice the company did not benefit). For example, if an individual engaged in mis-selling practices with the intention of increasing sales for the company, the organisation may be liable for prosecution, even if sales did not increase.
Action businesses should take to prepare
With only nine months to go until the landmark ECCT legislative reforms come into force, companies should be encouraged to implement stronger fraud prevention procedures without delay.
Organisations should act now to consider whether they or their associates fall within the scope of the legislation and, if so, take steps to have the right protections and policies in place ahead of the 1 September 2025 deadline to avoid being held criminally liable if one of their employees, agents or associates acts fraudulently in the future.
The SFO’s director Nick Ephgrave recently warned that “time is now running short for corporations to get their house in order”. He reiterated the regulator’s determination to “act swiftly and send a strong signal to companies profiting from malpractice” and insisted that any behaviour proven to be fraud will not be tolerated by the watchdog.
Ahead of the September deadline, businesses should review their processes to identify risks of fraud within the business and then review the appropriate policies and procedures to consider whether there is adequate fraud protection. For areas of the business identified as being at particularly high risk of fraud, businesses may want to consider obtaining professional advice on their policies and procedures to ascertain whether there are sufficient checks and balances in place. The fact that an organisation has obtained professional advice may assist in the event of a prosecution. Whilst it may not prevent fraud, it does show investigators that the organisation has taken proper steps to consider its policies, procedures and safeguards.
With a law which assumes overarching corporate responsibility for the fraudulent behaviour of a single employee, organisations will have to be far more stringent.