The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces a significant new criminal offence: the failure to prevent fraud. This offence takes effect from 1 September 2025, so it is vital for businesses to be aware of the new liability and to update their compliance practices and procedures accordingly.
Fraud accounts for a substantial proportion of crime in the UK, estimated at up to 40% of all crime. The offence makes it easier to hold organisations to account for fraud and is intended to drive a more proactive approach to fraud prevention in England and Wales.
What is the offence?
From 1 September 2025, large organisations may be criminally liable where an employee, agent, subsidiary, or other “associated person” commits fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place. It does not need to be demonstrated that directors or senior managers ordered or knew about the fraud.
The offence operates alongside existing law: the individual who commits the fraud can be prosecuted personally, while the organisation may now also face liability for failing to prevent it.
Which organisations may be liable?
The offence applies to UK companies, Limited Liability Partnerships (LLPs), partnerships and NHS Trusts, and also includes overseas organisations where there is a link to the UK. However, the offence only applies to large organisations, which are defined as meeting at least two of the following criteria:
- more than 250 employees;
- more than £36 million turnover; and
- more than £18 million in total assets.
These conditions apply to the financial year of the organisation that precedes the year of the base fraud offence. These thresholds also apply on a group basis and include an organisation’s subsidiaries, regardless of jurisdiction.
What is an associated person?
An associated person includes:
- an employee, agent or subsidiary of the organisation, where the benefit is intended for the organisation, its customers or clients; and
- any person providing services for or on behalf of the organisation while acting in that capacity.
The offence only arises if the fraud is committed in the course of that relationship.
What type of fraud does the offence capture?
The offence applies to the fraud and false accounting offences most likely to be relevant to large organisations.
The scope of conduct caught is wide and may include misleading warranties or disclosures made during a company sale/acquisition, false statements made to shareholders or misrepresentations made by third parties designed to inflate a company’s financial position. As in all cases involving fraud, an offence is only committed if a defendant acted dishonestly.
What is meant by “intending to benefit”?
An organisation need not actually receive a gain; it is enough that it or its clients were meant to benefit. Intent is assessed from the perspective of the associated person at the time. The benefit can be financial or non-financial and need not be the fraudster’s main motive. For example, a fraudster who mis-sells to increase personal commission will also increase company sales, and therefore the company may be liable. An organisation is not liable if it was the intended victim.
Why does it matter?
From a corporate perspective, the offence significantly increases exposure. Penalties include criminal convictions and unlimited fines for businesses and separate convictions for individuals involved in committing the offence. Beyond legal liability, businesses may also find that investors and counterparties view robust compliance frameworks as a prerequisite to ongoing relationships.
Enforcement is likely to focus on whether an organisation can show it has taken genuine, proportionate steps to identify risks and put safeguards in place. Simply pointing to external audits or annual reviews is unlikely to be enough. The test will be whether a business can demonstrate an active culture of prevention, one where fraud risks are regularly assessed and staff at all levels understand their role in maintaining integrity. Those organisations that embrace this cultural shift early will be better prepared for enforcement and better protected against the wider legal and reputational consequences of fraud.
What should businesses do now?
Organisations will have a defence to the offence if they have “reasonable procedures” in place to prevent fraud, or if they can show that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.
The government’s guidance is principles-based rather than prescriptive, recognising that “reasonable procedures” will vary depending on size, sector, and risk profile. The guidance states that an organisation’s prevention framework should be built around six principles:
- risk assessment;
- proportionate procedures;
- top level commitment;
- training and communication;
- due diligence; and
- monitoring and review.
Conclusion
The failure to prevent fraud offence represents a watershed moment in UK corporate criminal law. It places prevention at the centre of the compliance agenda and compels organisations to take responsibility for misconduct carried out in their name.
This article is the second in our series on the ECCTA; our first article looked at what this act means for businesses overall.