Skip to main content
Subscribe
27.08.2025

ECCTA Incoming….The New Failure to Prevent Fraud Offence

In the latest in our series looking at the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) today we consider the new offence of “failure to prevent fraud” which is introduced on 1 September 2025.

This reform, part of a broader drive to modernise and strengthen corporate criminal liability, signals both heightened accountability for organisations and a recalibration of how criminal responsibility is allocated within the realm of economic crime. For businesses operating in England and Wales, the new offence has profound implications for governance, compliance, and risk management.

In this article, we analyse the origins, scope, and impacts of this new offence, considering both the criminal law angle and the practical implications for corporations.

Rationale for Reform

Economic crime, and fraud in particular, has long posed a challenge for law enforcement and regulators. Complex and often opaque corporate structures, globalised operations, and sophisticated methods of deception have made it difficult to attribute criminal liability - including questions around the “identification principle” which traditionally requires proof that senior management or “directing minds” were personally involved in wrongdoing and which we discussed in one of our previous ECCTA articles

As a result, many large organisations have escaped criminal sanction even where fraud has occurred within their ranks.

The introduction of the “failure to prevent fraud” offence is intended to close these loopholes and align the UK’s approach with other jurisdictions that have adopted corporate criminal liability based on failures to prevent wrongdoing, rather than direct participation.

Key Features

At its core, the new offence, which is set out at section 199 of ECCTA, makes it unlawful for a relevant organisation to fail to prevent fraud by an associated person acting on its behalf. 

The elements of the offence can be summarised as follows:

  • Relevant organisation: This includes companies, partnerships, and other entities carrying out business in the UK.
  • Associated person: Defined broadly to cover employees, agents, subsidiaries, and others performing services for or on behalf of the organisation.
  • Fraud offence: Covers a range of conduct which is set out at Schedule 13 of ECCTA and includes, by way of example, false representation, failure to disclose information, abuse of position as well as other specified fraud-related offences. 
  • Failure to prevent: The organisation will be liable if an associated person commits a fraud offence intending to benefit the organisation, unless the organisation had “reasonable procedures” in place to prevent such conduct.

This approach shifts the burden: rather than requiring proof of complicity by senior management, the prosecution need only prove that fraud was committed by an associated person and that the organisation failed to have reasonable controls in place.

It is important to note that in accordance with section 199 (6) of ECCTA a fraud offence, for the purposes of ECCTA, includes “aiding, abetting, counselling or procuring the commission of a listed offence”.

The Crown Prosecution Service (“CPS”) and the Serious Fraud Office (“SFO”) announced on 18 August 2025 they had published joint guidance on the failure to prevent fraud offence for large organisations, defined as those meeting at least two of the following criteria:

  • More than 250 employees
  • Annual turnover exceeding £36 million
  • Balance sheet total exceeding £18 million

Vicarious Liability and Corporate Culpability

Where previous prosecutions required the identification of a “directing mind”, a legal test which was established in the case of Tesco Supermarkets Ltd v Nattrass [1971] 2 All ER 127, the new regime adopts a form of vicarious liability. 

Under ECCTA, organisations will be held criminally responsible for acts carried out by associated persons, regardless of the involvement of senior officers, if proper preventative procedures are deemed to be lacking.

This can be seen as both a lowering of the threshold for corporate culpability and an increase in the reach of criminal law to address the realities of modern business. 

Prosecutors will now be able to charge corporations for failing to prevent fraud without the evidential difficulties inherent in tracing acts and intentions up to the boardroom level.

The Defence: Reasonable Procedures

The offence is not absolute. 

An organisation can defend itself by proving that, at the time the fraud occurred, it had reasonable procedures designed to prevent such conduct. 

Such procedures include:

  • top level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review

Penalties and Sentencing

Under Section 199 (12) of ECCTA conviction for failure to prevent fraud can result in substantial fines for organisations, reflecting the gravity of the offence and the harm caused. Unlike offences targeting individuals, this is not an imprisonable offence, but individuals may still face personal liability if they are complicit or have conspired in the underlying fraud.

Compliance Burden and Procedural Reform

Corporations will need to take proactive steps to assess their exposure to fraud risk and implement robust procedures to prevent, detect, and respond to fraudulent conduct by employees, agents, and other associated persons. This may involve:

  • Conducting fraud risk assessments at regular intervals
  • Designing and implementing clear policies on anti-fraud measures
  • Training staff and agents on fraud prevention and ethical conduct
  • Monitoring transactions and business relationships for suspicious activity
  • Establishing whistleblowing mechanisms and effective channels for reporting concerns
  • Reviewing commercial arrangements with third parties

The defence of “reasonable procedures” will only be available to organisations that can demonstrate active engagement with these requirements.

Boardroom Accountability and Culture Change

While the failure to prevent fraud offence does not require senior management to be personally involved in fraud, it nonetheless raises the stakes for boards and executives. 

Regulators, shareholders, and the public will expect directors to set the tone from the top and ensure that anti-fraud measures are embedded throughout the organisation.

This may require a shift in corporate culture, with greater emphasis on transparency, ethical behaviour, and zero tolerance for wrongdoing. Failure to act could result not only in legal liability but also reputational harm and loss of trust.

Third-Party Risk and Global Operations

Given the broad definition of “associated persons,” organisations will need to scrutinise relationships with contractors, suppliers, consultants, and subsidiaries. For multinational businesses, this will mean the imposition of UK standards across global operations—a challenge that will require careful coordination and oversight.

Investigations and Enforcement

The new offence creates incentives for organisations to cooperate with law enforcement and regulators. Self-reporting of suspected fraud, prompt remediation, and voluntary improvements to procedures may mitigate penalties and demonstrate a commitment to compliance.

Clearly it remains to be seen how aggressively the authorities will pursue prosecutions under the new law once it is in force, but early enforcement actions will likely set important precedents for the scope and interpretation of the offence.

Potential Challenges

Despite its promise, the new offence raises several questions:

  • Proportionality: Small and medium-sized organisations may struggle to implement the same level of procedures as large corporations. Guidance will need to be sufficiently flexible to account for differences in resources and risk profiles.
  • Legal Uncertainty: Until the courts have interpreted the new offence there may be uncertainty over what constitutes “reasonable procedures.”
  • Impact on Business: There is the potential for the increased compliance burden to stifle innovation or deter investment, especially in sectors where fraud risk is perceived as high.

Comment

Colette Kelly, Partner in our Regulatory and Criminal Group comments:

“The new failure to prevent fraud offence marks a watershed moment for corporate criminal liability in England and Wales. 

“By shifting the focus from individual culpability to organisational responsibility, the law aims to drive better prevention, detection, and response to economic crime. 

“For criminal lawyers, the offence offers new avenues for prosecution and a more realistic chance of holding organisations to account. 

“For businesses, it demands a cultural and procedural transformation, with robust controls and genuine commitment to ethical conduct.

“What is clear is that the days of passive compliance are numbered: the absolute requirement to prevent fraud – and to prove that you have put in place robust procedures to ensure this prevention – will now be at the heart of doing business in England and Wales.”

 

 

Cyber security team conducting cyber surveillance and threat detection in a governmental agency. Hackers working on cybercrime and malware prevention, data breach protection.

Key Contact

Colette Kelly
Colette Kelly
Jane Anderson
Jane Anderson

Tags

fraud eccta corporate fraud white colllar fraud governance

Related Articles