‘Failure to Prevent Fraud’ and Responses to 15 Questions Businesses Are Asking
UK’s Economic Crime and Corporate Transparency Act (ECCTA)
At a Glance
- The new ‘failure to prevent fraud’ offence will come into force on 1 September 2025. This is a strict liability offence with extraterritorial reach.
- Under section 199 of ECCTA, an in-scope organisation will be liable if a person associated with it commits fraud, unless the organisation proves it had reasonable procedures in place to prevent the fraud being committed.
- In this article we address some questions that businesses are asking about the implementation of such procedures.
In our previous article on the Economic Crime and Corporate Transparency Act (ECCTA), we outlined the background to the United Kingdom’s new ‘failure to prevent fraud’ offence, which imposes strict liability on corporate offenders, with potentially unlimited fines and extraterritorial reach.
In brief, the new offence will be committed where a person associated with a ‘large organisation’ commits a fraud offence intending to (a) benefit the organisation itself, or (b) benefit any person to whom, or to whose subsidiary undertaking, the associated person provides services on behalf of the organisation.
However, in the event that fraud occurs through the act of the associated person, the organisation will have a defence where:
(a) it had reasonable prevention procedures in place; or
(b) it had no reasonable prevention procedures in place, and that was reasonable in the circumstances.
Understandably, given the potential risks that the legislation introduces, organisations are asking a range of questions about it — in particular: what amounts to ‘reasonable procedures to prevent fraud’, and how should they be implemented? We set out a sample of those questions below, together with some practical guidance by way of responses.
The information in this article does not constitute legal advice, and the specific advice of legal counsel is recommended before acting on any matter discussed here.
Questions and Responses
Q.1 — What is an organisation?
An organisation is any incorporated body (such as a limited liability company) or a partnership, whether incorporated or not.
Q.2 — What is a ‘large organisation’?
A ‘large organisation’ is defined in section 201 of ECCTA as an organisation meeting at least two of the following three criteria:
- more than 250 employees
- more than £36 million turnover
- more than £18 million in total assets
These conditions apply to the financial year that precedes the year of the fraud offence under consideration.
These criteria apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.
Note that a subsidiary of a large organisation, which is not itself a large organisation, can be prosecuted rather than the parent organisation if an employee of the subsidiary commits a fraud intending to benefit the subsidiary, as set out in section 199(2) of ECCTA.
Q.3 — Who bears the burden of proving that the procedures in place are reasonable?
The burden will be on the organisation to show that its procedures are reasonable, albeit to the civil standard — i.e., on a balance of probabilities. The prosecution must prove beyond reasonable doubt that an underlying fraud was committed by the associated person or employee.
Q.4 — Will it ever be possible to contend that it was reasonable not to have in place any procedures at all?
It is difficult to see how such a defence could succeed, in particular because it will be raised at a time when it has already been established that an employee or associated person has committed fraud intending to benefit the organisation or its clients.
Q.5 — Is there guidance available on how to put in place reasonable prevention procedures?
Yes. The UK government has produced guidance on ‘Offence of “failure to prevent fraud” introduced by ECCTA’ on 6 November 2024, which sets out the general principles for developing or enhancing procedures to prevent fraud. When a court is considering a case, adherence to the guidance principles will be taken into account. Each section in the guidance includes examples of good practice. This is a mixed blessing, in that organisations that fail to comply with what is described as good practice may be vulnerable.
Q.6 — What is the general approach that the guidance recommends?
The guidance states that reasonable procedures should be informed by the following six principles:
- Top-level commitment. Has senior management fostered an appropriate antifraud culture?
- Risk assessment. Is the approach based on a reasoned assessment of the risks the organisation faces and how those risks might be managed and mitigated?
- Risk-based prevention procedures. Are there procedures in place that make it clear to staff and others what is unacceptable and how they should behave in the difficult circumstances that might arise?
- Due diligence. Is the organisation acting reasonably to assess who should perform services for it, or otherwise act on its behalf?
- Communication. Have staff and other agents received appropriate instruction and training?
- Monitoring and review. Is the effectiveness of fraud detection and prevention procedures monitored? Are lessons learned and improvements made where appropriate?
Q.7 — Our internal controls are different. Is it possible to have reasonable procedures which don’t follow the suggested principles?
Yes, it is, although it would be helpful to explain the particular risks and factors that justify the deviation. As a general rule, it would be best to adopt the approach suggested by the UK government.
A non-UK company may be justified in not following the UK government’s guidance, but it would be sensible to have regard for the guidance and ensure that the main features of it are addressed.
Q.8 — Typically, we tend to follow approaches recommended by our trade body. Will that be acceptable in this case?
It would certainly be helpful to show compliance with guidance produced by trade bodies; but note that there is no mechanism in the legislation for statutory guidance to be issued by representative or membership bodies, and therefore any sector-specific guidance will be advisory only.
Q.9 — We have detailed and documented business rules in place. Therefore, in the event that a fraud is committed by one of our employees, agents, subsidiaries or other ‘associated persons’, I assume that we will be able to rely on the ‘reasonable prevention procedures’ defence?
You certainly have a decent chance, but business rules are not all that is needed.
You will need to demonstrate that your organisation is committed at a cultural level to deterring fraud. This can be done by top-level commitment and appropriate training and instruction to staff. Many organisations have impressive internal procedures, but undermine their effectiveness because of a culture that doesn’t appear to take the issue seriously.
Moreover, procedures should be based on a reasoned risk assessment and tailored to the particularities of your business operations. If not, there is a risk that while they look impressive they will be found to be unreasonable for the company in question.
Example 1
Company A has a detailed antifraud policy in place. However, it is widely known that anyone who attempts to blow the whistle will be dismissed forthwith. The CEO, on an all-staff Teams call, recently said that he valued loyalty above all else.
Example 2
A new chief risk officer (CRO) joins Company B — a large organisation — and recommends it should put in place the procedures he implemented at his former employer. The board endorses that recommendation wholeheartedly, and Company B implements it to the letter. However, the CRO’s former employer is a UK bank with only English customers, while his new company is a global chemicals company with a UK subsidiary that has target markets in Africa and Asia.
Q.10 — We have in place reasonable procedures to avoid bribery and tax evasion. Can we not rely on these to demonstrate reasonable procedures to prevent fraud?
Not entirely. While your existing procedures will be a useful starting point, they should at least be reviewed and, if necessary, revised, bearing in mind that fraud is wider in scope than bribery and the facilitation of tax evasion.
Q.11 — I was told once that a risk assessment is dangerous because it sets out in writing areas where the company may have internal control weaknesses. If that is correct, wouldn’t it be best not to perform and document a risk assessment?
It is correct that a risk assessment needs careful thought, but without one there is a real risk that the procedures put in place will be found to be unreasonable because they are not targeted at eliminating or at least mitigating the risks the company is actually facing. A risk assessment is an important measure toward establishing that the procedures are reasonable.
Q.12 — We use only large and established vendors and suppliers. The problem is that they only contract on their terms and will not agree to the contract terms that our lawyers have advised we should put in place. Does this mean we will not be able to show that we have reasonable prevention procedures in place?
Not necessarily. It is quite common for companies to have limited bargaining power and not be able to persuade their suppliers to agree to the contract clauses they favour. In such a case, the risk assessment should recognise this situation and identify other ways to ensure that controls are in place to address vendor risks of this nature.
Q.13 — We are a non-UK company with suppliers and customers in the UK. Our local law doesn’t require us to have in place reasonable fraud prevention procedures. Surely UK law cannot require us to implement such measures?
The offence applies where the associated person commits an underlying fraud offence under the law of the UK. This requires a UK nexus — i.e., that one of the acts which was part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK. But if a UK nexus is established, then the company runs the risk of committing the offence at section 199 of ECCTA if reasonable fraud prevention procedures have not been put in place.
Strictly speaking, UK law isn’t imposing requirements upon foreign companies to have reasonable fraud prevention procedures in place. But if such procedures are not in place and an underlying fraud offence is committed by an agent of the foreign company, the company risks committing an offence if it cannot demonstrate that it had in place reasonable procedures to prevent fraud.
Q.14 — Our company is not a ‘large organisation’. Is there any reason why we should put in place reasonable fraud prevention procedures?
Not being a large organisation, your company cannot be prosecuted under section 199 of ECCTA. However, many such companies will still want to put in place reasonable fraud prevention procedures for the following reasons:
- It may be a subsidiary of a large organisation. (See answer to Q.2 above.)
- Large corporate customers or indeed suppliers, looking for assurances about their own procedures, will want to understand whether those with whom they have an association have in place reasonable prevention procedures themselves. In this way the requirements that the legislation imposes are likely to be transmitted down the supply chain irrespective of whether the organisation is a large organisation or not.
- Section 196 of ECCTA has the effect of making an organisation liable for offences, including fraud, committed by a senior manager, and it provides a definition of ‘senior manager’. This section applies to all organisations, whether large or not. Reasonable prevention procedures will help an organisation avoid committing an offence under section 196 of ECCTA.
- There may be relevant sector-specific rules — for example, financial services businesses are generally required to have in place anti-financial crime systems and controls, whether or not they are large organisations.
- Reasonable prevention procedures are often considered to be essential to promoting staff effectiveness, in that they make it clear to them what is expected in the difficult situations they might encounter at work.
Q.15 — Realistically, we cannot implement new procedures in August before the 1 September implementation date. What do we do?
Many businesses find themselves in this position. The best approach is to kick the project off as soon as possible and put the procedures in place when the work is completed. There will be a period of possible vulnerability, but the aim is to make that period as short as possible. Ideally, businesses short of time will at least have completed a risk assessment before the implementation date.
More to Come Soon!
We hope this, and our briefings to follow, will assist as your company considers the new legislation.