Failure to prevent fraud: Compliance changes by 1 September 2025

Introduction

From 1 September 2025, many organisations will face strict criminal liability if they fail to prevent fraud being committed for their, or their customers’, benefit. That offence (section 199) was introduced as part of a suite of revisions to UK criminal law through the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”).

Early this month, the UK Government published statutory guidance on this corporate offence (the “Guidance”). The Guidance provides welcome clarity for in-scope organisations about how they may commit that offence. Most importantly, the Guidance describes principles and measures that businesses need to show they have reasonable prevention procedures in place regarding the s199 offence – they provide the benchmark against which, ultimately, the criminal courts will assess the steps taken by organisations to prevent fraud. 

Taken together, this offence and section 196 of ECCTA are major changes for corporate criminality under UK law. We have tracked these reforms throughout their journey into law. For details of how it has come about and key concepts, please see our previous briefing Putting a full stop to fraud: UK failure to prevent fraud offence passed into new law and the glossary box below.

Glossary

Associated person or associate	a person who is an employee or an agent of the relevant body, or a person who otherwise performs services for or on behalf of the body (Section 199(7)). A subsidiary of the relevant body may also be an associated person. However, an individual employee of a subsidiary is not an associated person of the parent organisation unless they commit a fraud intending to benefit the parent organisation (section 199(8)).
Base fraud offence	a fraud offence listed in Schedule 13 of ECCTA or the aiding, abetting, counselling or procuring the commission of an offence in Schedule 13 of ECCTA. These include, but are not limited to, fraud, false accounting and cheating the revenue.
Identification principle	a method of establishing corporate liability for offences committed by the ‘directing mind and will’ of the company.
Large organisation	an incorporated body or partnership that meets the criteria in section 201 of ECCTA.
Reasonable prevention procedures	procedures that a corporate organisation can put in place and may provide a defence under the new offence. The guidance states that the fraud prevention framework should be informed by these six principles: top level commitment; risk assessment; proportionate risk based prevention procedures; due diligence; communication (including training); and, monitoring and review.
Senior manager	in relation to a body corporate or partnership, means an individual who plays a significant role in: 1. the making of decisions about how the whole or a substantial part of the activities of the body corporate or (as the case may be) partnership are to be managed or organised, or 2. the actual managing or organising of the whole or a substantial part of those activities (Section 196(4)).

When might corporate organisations commit the offence?

The Guidance provides some high-level illustrative examples of how corporate organisations may commit the offence. For example, a fraud by abuse of position (by diversion of employee pension contributions for other projects), and fraud by way of indirect benefit (by sending false river discharge data to the Environment Agency).

Helpfully, the Guidance also confirms expressly that corporate organisations will not commit the new offence simply through involvement as part of their supply chain with other parties involved in fraud, unless that third party provides services for or on behalf of the organisation. The Guidance reiterates, at several points throughout, that a corporate will only be liable for failing to prevent fraud (s199 ECCTA) where that fraud was intended to benefit that corporate organisation.

What this means in practice will vary considerably. However, it is possible to identify some risks associated with particular types of interactions or relationships in particular sectors, for example:

• Financial Services - exaggerating ESG credentials of retail products
• Defence - making false statements as to efficiency of equipment or technology
• Automotive - profit manipulation by dealer branches
• Education - falsifying exam results
• Life sciences - falsifying clinical trial data

Why does the new offence matter for parent companies or other group entities?

The new offence blurs significantly the dividing lines within corporate group structures. The Guidance confirms that prosecutors will be able to pursue parent entities for failing to prevent fraud from occurring within subsidiaries.

It is particularly significant to see explicit confirmation that a subsidiary of a corporate organisation that has been found to have committed a fraud offence as a corporate (including through the operation of the “senior manager” provisions in ECCTA – on which see more detail below) may be an “associate” of the parent entity in the corporate structure.

This is a technical legal point that has significant real world implications. In many instances, parent companies, such as those outside the UK and/or those whose subsidiaries are not “large organisations”, may regard themselves as distant and incubated from the new offence. However, the Guidance makes plain that ECCTA enables prosecutors: (i) to more easily attribute criminal conduct by individuals within subsidiaries to those subsidiaries; and (ii) to then look up the corporate chain and hold parent entities criminally liable for the same underlying criminal conduct in appropriate cases.

This is consistent with the enforcement trend preceding ECCTA. Several UK bribery and fraud cases, including some resulting in deferred prosecution agreements, amply demonstrate that prosecutors do not regard corporate group structures as sacrosanct. In several cases, parent entities have paid or contributed significantly to substantial financial penalties imposed for misconduct of subsidiaries within the corporate group structure chart (including, in some cases, where that misconduct occurred prior to their acquisition of the relevant entity). Robust and targeted due diligence prior to acquisitions, effective embedding of group wide anti-fraud measures and effective monitoring across corporate groups are key.

What should corporate organisations do if they are not (yet) within scope of section 199?

Corporate organisations should not automatically assume that the fact that they are not a “large organisation” means that the new offence is irrelevant. First, even if they are currently below the thresholds, their activities may trigger criminal liability for their parent companies.

Secondly, entities currently falling below the “large organisation” thresholds may wish to keep under review whether they cross these thresholds during the course of a financial year, which will result in criminal liability for them in subsequent financial years. For example, M&A activity or restructuring within groups may well change the characteristics of an entity such that it becomes a large organisation. Seemingly unconnected processes such as the payment of dividends or inter-company loans by one group entity to another could tip asset levels over the £18 million threshold. Organic growth or the successful execution of business plans could also lead to turnover surpassing £36 million.

By the time annual accounting processes have been completed, time for making necessary changes to compliance arrangements to manage the risks of committing the new offence may be short. Putting these arrangements in place can take time. The statute recognises this by providing that entities will only commit the offence if they were a “large organisation” during the financial year preceding the date of the commission of the alleged underlying fraud offence. Entities with assets, turnover and/or workforces approaching the “large organisation” thresholds may wish to consider factoring in the reasonable steps to comply with ECCTA into their business planning processes now.

This “large organisation” threshold was not used by earlier failure to prevent offences (Bribery Act 2010 and the Criminal Finances Act 2017). As such, there are no benchmark cases which can be used to predict how investigating authorities will deal with situations where companies “grew into” the scope of the new corporate offence. In our view, this will form part of the defendant firm’s representations on the reasonableness of procedures in the context of the relevant facts. However, what is clear, is that firms that already meet the criteria of a “large organisation” are expected to have implemented reasonable fraud prevention procedures by 1 September 2025

Even smaller organisations that clearly fall outside the “large organisation” threshold may well consider it good practice to put fraud prevention procedures in place. Indeed, they will likely become contractually required to do so if considered to be an “associate” of a large organisation.

Do “reasonable prevention procedures” need to comprehensively cover all aspects of commercial operations?

The new offence does not necessarily require corporate organisations to put in place new “reasonable prevention procedures” comprehensively covering every aspect of their commercial operations.

However, as the Guidance now confirms, large organisations are now expected to conduct risk assessments across all of their operations, make decisions about adjustments that may be required to enhance existing anti-fraud controls and other compliance arrangements and put these changes in place in good time for the new offence coming into force.

Organisations may decide that their current arrangements are sufficient to address the risk of criminal liability under the new offence. There will be some situations in which this is a valid conclusion. However, organisations must exercise caution before deciding that no changes are required, and clearly document that they have considered specific commercial situations and the rationale for decisions not to make adjustments.

In reality, it is unlikely in most cases that existing anti-fraud and other financial crime compliance arrangements, which will have been designed for different purposes (principally to address potential fraud against the corporate organisation), will amount to “reasonable prevention procedures” for the purposes of the new offence. It is more likely that these existing arrangements will act as a foundation for updated and supplemented policies, procedures and processes addressing the ways in which fraud may be committed for the benefit of that organisation.

The Guidance does not set out exactly what corporate organisations across different sectors should be doing in terms of specific “reasonable prevention procedures”. However, it clearly confirms that corporate organisations seeking to establish that they have in place “reasonable prevention procedures” cannot rely merely on compliance with regulatory requirements or the fact that anti-fraud arrangements may have been covered by an audit.

Corporate organisations must make their own decisions about what they need to do to bolster and adapt existing anti-fraud and other financial crime compliance arrangements. Refinement and enhancement of these arrangements (rather than overhaul) may be sufficient in many cases. However, it is crucial for corporates to demonstrate that they actively considered the risks arising from their interactions with customers and relationships with “associates” across the full range of their business activities. Comprehensive, properly documented and regularly maintained risk assessments will be fundamental to corporates being able to defend themselves.

What about the other changes to corporate criminal liability under ECCTA?

The new corporate offence (s199) has preoccupied commentators and corporate entities to a much greater extent than the other significant reform to corporate criminal liability under ECCTA, which has been in force since 26 December 2023.

Under s196, corporate organisations (regardless of size) can commit a range of economic offences (a wider range than for underlying conduct in relation to the new failure to prevent fraud offence) through the conduct of their “senior managers”. This new offence is a statutory extension of the existing common law identification principle (whereby criminal conduct of the ‘directing mind of will’ of the company can be attributed to the company itself) to ‘’senior managers’’, therefore lowering the threshold and widening the scope of when a corporate can be prosecuted for economic crimes.

We are already seeing examples of cases in which corporate entities’ potential liability is substantially increased because of alleged criminal conduct on the part of “senior managers”. Nonetheless, identification of who may be a “senior manager” and what should be done to mitigate the risks associated with their conduct is typically receiving less management attention than preparations for the new corporate offence (s199).

We may well see prosecutors use this route (s196) before we see concluded cases concerning the new corporate offence of failing to prevent fraud (s199).

How and when are enforcement authorities planning to take action in respect of the new offence (and other changes under ECCTA)?

We expect the authorities will pursue cases under ECCTA in the near future. Indeed, the Director of the Serious Fraud Office has previously confirmed that he is already looking for the first cases to pursue.

What should corporate organisations be doing now?

Now is the time for corporates to be looking across their whole organisation and commercial operations to seek to identify (and mitigate) situations in which their interactions with others (whether customers, contractors, counterparties or other third parties) may involve the commission of fraud or other economic offences.

We are discussing this Guidance with clients from various sectors already. For advice on preparing your organisation, please call us or your usual Eversheds Sutherland contact.