‘Failure to Prevent Fraud’ and Exposure for Non-UK Businesses
UK’s Economic Crime and Corporate Transparency Act (ECCTA)
At a Glance
- The United Kingdom has enacted a new corporate criminal offence. It affects companies of a certain size where an employee, agent or subsidiary commits a relevant fraud offence with the intention of benefitting that organisation.
- This is a strict liability offence — there is no requirement for the company actually to benefit from the fraud.
- The offence has extraterritorial reach — companies based outside the UK could find themselves within scope if there is sufficient UK nexus to the underlying fraud.
- A company found guilty of the offence can receive an unlimited fine.
- UK authorities may begin taking a more proactive enforcement stance, even as enforcement policy in the United States and other countries may be moving in the opposite direction.
- The UK government has offered a practical and flexible framework that businesses should adopt with a view to establishing reasonable procedures to prevent fraud.
Background
A new offence of “failure to prevent fraud” — specifically targeted at companies — will come into force in the United Kingdom on 1 September 2025. While we wouldn’t typically flag a UK-only law development to non-UK businesses, there are reasons to be cautious. This new law has extraterritorial reach, and it may well be that the shifting political landscape leaves businesses with any form of UK interest with an exposure. The good news is that there are things that can be done to manage and mitigate that exposure.
You may wonder why the United Kingdom — a venerable jurisdiction — requires a new fraud law in 2025! The answer is that existing UK law does not perform well when attempts are made to prosecute companies for serious criminal offences. This is why the UK brought in its Bribery Act legislation in 2010, something which caused U.S. businesses to take notice. It also — through the Criminal Finances Act 2017 — brought in a law that makes companies criminally liable if they fail to implement reasonable procedures to prevent their associated persons (employees, agents, etc.) from facilitating tax evasion by others. This issue — how to identify when companies should be criminally liable for the conduct of their human agents — is known as ‘attribution’.
In the United States, for example, the law has pretty much resolved the issue of attribution, with well-established principles making it relatively straightforward to hold companies liable where the individual involved was the directing mind of the business, acted within the scope of their authority and was not acting entirely in fraud of the company but at least in part for its benefit. By contrast, the United Kingdom has struggled to impose corporate liability where misconduct involves anything short of board-level participation. That gap is what the new ‘failure to prevent fraud’ offence is designed to address — and why it marks a significant shift in UK corporate criminal law.
The New UK Offence: Failure to Prevent Fraud
The UK’s new “failure to prevent fraud” offence is set out in the Economic Crime and Corporate Transparency Act 2023 (ECCTA). It is aimed squarely at large organisations (companies and partnerships) — including those headquartered outside the UK such as multinationals, provided there is a relevant UK nexus.
And for those in scope, it’s potentially a game-changer: A company found guilty of the failure to prevent fraud offence can receive an unlimited fine, albeit the UK courts will take account of all the circumstances in deciding the appropriate fine in any particular case.
At its core, the new law imposes strict liability on a body corporate or partnership (referred to for simplicity as a company) where a person “associated” with the company commits a relevant fraud offence and does so with the intention of directly or indirectly benefiting the company, or a client or subsidiary to whom that person provides services on the company’s behalf. “Associated persons” include employees, agents and subsidiaries — effectively anyone performing services for or on behalf of the company.
The list of qualifying fraud offences is broad. It includes fraud under the Fraud Act 2006, false accounting and false statements by company directors under the Theft Act 1968, fraudulent trading under the Companies Act 2006 and even cheating the public revenue. The offence captures fraud committed during the financial year of the company, provided the company qualifies as a “large organisation”, meaning that it meets at least two of the following thresholds:
- more than GBP 36 million in turnover,
- more than GBP 18 million in assets, or
- more than 250 employees.
Importantly, these criteria apply to the organisation as a whole — group-wide — and regardless of whether the company is UK-based.
What makes this law particularly impactful is that there is no requirement for the company to actually benefit from the fraud. It is enough that the fraudster intended the company — or related client or subsidiary — to benefit, even if their main goal was personal advantage.
This is a strict liability offence, which means that the company is guilty regardless of whether it knew about or approved the fraud — unless it can be shown that it had reasonable procedures in place to prevent it. The “reasonable procedures” defence echoes the familiar structure from the UK Bribery Act and the Criminal Finances Act and will be a key area of focus for compliance teams in the run-up to the law’s commencement.
Smaller companies are not subject to the offence, but many will still feel commercial pressure to align with the new expectations. Just as with the Bribery Act 2010 and the facilitation of tax evasion offence, clauses will no doubt be introduced into commercial contracts by large organisations, so obligations will be passed down the supply chain, meaning that smaller companies will face contractual liability even if not vulnerable to criminal liability.
Territorial Impacts Beyond the UK
While the new offence is grounded in UK law, its impact is not limited to UK-registered or -headquartered companies. The legislation has an explicitly extraterritorial element, meaning that a company based outside the UK could find itself within scope if there’s a sufficient UK nexus to the underlying fraud.
For nexus to be established, at least one element of the fraudulent conduct must occur in the UK, or the intended gain or loss must arise in the UK. So if a non-UK-based employee targets UK customers, or if part of a fraudulent scheme is carried out from a UK branch or subsidiary, the new law could apply.
On the other hand, fraud that takes place entirely outside the UK, with no UK involvement and no UK victims, will fall outside the scope of the offence — even where the organisation has UK operations. A fraud carried out by an overseas subsidiary with no connection to the UK would not be caught, nor would one committed by an overseas employee unless there’s a UK impact.
Scenario 1: U.S. Tech Firm With UK Client Base
A California-based software-as-a-service (SaaS) provider sells data analytics tools to global corporate clients, including several based in the United Kingdom. A senior sales executive based in Chicago, eager to hit year-end targets and secure a bonus, knowingly misrepresents the platform’s capabilities to a major UK bank, falsely claiming it meets certain regulatory compliance standards. The sale goes through, and the bank integrates the product — only to discover after an audit that the tool does not meet the required benchmarks. This could constitute fraud by false representation under the Fraud Act 2006, a listed offence under the ECCTA. The sales executive is an “associated person” of the U.S. parent company. There is a clear UK nexus because the fraudulent misrepresentation resulted in loss to a UK client. Even though the fraudulent act occurred entirely inside the United States, the U.S. company may face liability under the “failure to prevent fraud” offence — unless it had reasonable procedures in place to prevent such misconduct.
Scenario 2: UK Subsidiary of U.S. Private Equity Firm
A U.S. private equity firm owns a UK-based health care company. Pressured to improve the financial performance ahead of an anticipated initial public offering, the UK entity’s chief financial officer (CFO) directs junior staff to defer liabilities and inflate revenues in the annual accounts. These accounts are then consolidated into group-level filings by the U.S. parent. The CFO is acting as an “associated person” of the UK company, and the conduct may amount to false accounting under the Theft Act 1968. The act occurred in the UK and was intended to benefit the UK business — and indirectly, the U.S. parent — so both entities could be in scope for prosecution. The U.S. parent might argue distance from the conduct, but its consolidated use of the financials and corporate control could bring it within enforcement crosshairs — again unless it has reasonable preventative procedures in place.
The Impact of the Political Environment: Whistleblowing
The global enforcement landscape is not static — and recent political shifts on both sides of the Atlantic may have significant implications for how the new UK “failure to prevent fraud” offence plays out in practice.
While the United Kingdom has long been regarded as a robust — if sometimes slow-moving — jurisdiction for corporate crime enforcement, it has lagged behind the United States in one key area: whistleblowing and whistleblower protection. UK regulators such as the Serious Fraud Office and the Financial Conduct Authority strongly encourage internal reporting, but whistleblowers face real risks with limited institutional support. There has been historical resistance to the idea of financially rewarding those who come forward.
By contrast, in the U.S., whistleblower incentives have become a cornerstone of enforcement strategy. Since 2011, the SEC’s whistleblower programme has paid out over $2 billion in rewards, including a record $279 million in 2023. These rewards, combined with legal protections and a well-established network of lawyers operating on conditional fee arrangements, have created a clear pathway for insiders to report misconduct. The UK offers less legal certainty and no financial incentives — a gap that has seen more than 700 UK-based whistleblowers approach U.S. agencies in the last decade.
That may now be changing. Under its new leadership, the UK’s Serious Fraud Office (SFO) has signaled a clear shift in approach. Director Nick Ephgrave has called whistleblowers the “key holders” inside organisations and is actively pushing for change. A recent proposal advocates a “payment by results” scheme — where financial rewards would only be triggered after a successful conviction or sanction. The proposed Office of the Whistleblower — currently working its way through Parliament in a private member’s bill — could be tasked with administering such a scheme and strengthening protections for those who speak out.
Ironically, this evolution in UK thinking comes just as enforcement policy in the U.S. may be moving in the opposite direction. In early 2025, the Trump administration issued an executive order pausing all Foreign Corrupt Practices Act (FCPA) investigations and prosecutions for at least 180 days — with the possibility of an extension. The stated aim was to “restore American competitiveness”, but the practical effect is a significant softening of a law that has long served as a model for global anticorruption efforts. Enforcement is not frozen indefinitely, but the message is clear: U.S. businesses may face a lighter touch from Washington for the time being.
That creates an interesting paradox. U.S. companies with UK exposure may find that enforcement risk is no longer driven by what happens in Washington — but by what happens in London. With the UK introducing new strict liability offences, expanding its toolkit of Deferred Prosecution Agreements, and now rethinking its whistleblower regime, this may mark the start of a genuine transatlantic trend reversal.
Steps to Take
Businesses should turn their attention from theory to implementation. Liability is strict — if a person associated with a company commits a qualifying fraud for its benefit, the company will be guilty unless it can show it had reasonable procedures in place to prevent fraud. The onus is on the company to prove this, and the courts will assess compliance on the balance of probabilities.
The UK government has indicated that the six principles used to guide bribery prevention under the Bribery Act 2010 also apply here. These offer a practical and flexible framework that companies — particularly large organisations — should adopt urgently in light of the ECCTA.
1. Proportionate Procedures
Fraud prevention measures must be proportionate to the risks the company faces. Effective procedures must reflect the company’s size, structure, sector and exposure to fraud risk. Businesses should actively incorporate risk findings into policies and systems, addressing issues like incentive structures that could promote misconduct, or the adequacy of disciplinary measures for fraud.
2. Top-Level Commitment
Leadership must visibly support antifraud efforts. This includes allocating resources, setting the right tone from the top and embedding a culture where fraud is clearly unacceptable.
3. Risk Assessment
Robust risk assessments are the foundation of effective fraud prevention. These must be documented, regularly updated and specific to the business’s circumstances — covering both internal and external threats. They should also examine whether particular individuals, roles or geographies present higher fraud risk and what controls are needed to mitigate it.
4. Due Diligence
Understanding who the company does business with — and how they operate — is key. Due diligence processes should be risk-based and applied not just to third parties but to employees and contractors performing high-risk functions. This is particularly important where individuals may be acting on the company’s behalf and could qualify as “associated persons” under the legislation.
5. Communication (and Training)
Fraud prevention policies must be clearly communicated — internally and externally. It’s not enough to have policies that sit on a shelf.
6. Monitoring and Review
Prevention efforts must be dynamic. Companies need to regularly evaluate the effectiveness of their procedures, adjusting for emerging risks and tracking developments. Audits, scenario testing and whistleblower feedback mechanisms can all support this process.
But be careful! Procedures should mitigate risk, but they can also exacerbate it. Any gap between what is documented and what is actually done will be seized on by prosecutors. The control measures identified as necessary by risk assessments, audits and whistleblower disclosures must be implemented, otherwise these documents risk becoming the prosecution’s first exhibit. The adequacy of procedures may be judged in the white heat of a criminal trial. They will need to bear scrutiny — producing boilerplate will do more harm than good.
More to Come Soon!
We hope this, and our briefings to follow, will assist as your company considers the new legislation.