
A Nine Month Gestation – New Guidance published in anticipation of the latest addition to corporate failure to prevent offences

21 January 2025 | Applicable law: England and Wales | 5 minute read

The Bribery Act 2010 heralded the dawn of a new era in how corporates are held to account for crimes committed on their watch, with the advent of the "failure to prevent" model. Fast forward to 2025 and organisations now have several of these offences to keep their senior executives up at night. The most recent addition, with a due date of 1 September 2025, is the failure to prevent fraud offence ("FTP") for "large organisations".

The Economic Crime and Corporate Transparency Act 2023 ("ECCTA") created a new corporate criminal offence of failure to prevent fraud. Once in force, large organisations will be criminally liable where both:

  • a specified fraud offence is committed by an employee, agent or other "associated person", for the organisation's benefit; and
  • the organisation did not have "reasonable" fraud prevention procedures in place.

Are all companies at risk of criminal liability?

The Home Office has now published "Guidance to organisations on the offence of failure to prevent fraud" ("the Guidance") for corporates grappling with how they should be tackling fraud and avoiding coming under scrutiny from law enforcement and regulators. 

The Guidance first sets out what types of organisations (incorporated under statute or formed by other means, such as by Royal Charter) are at risk of incurring liability. The FTP offence only applies to "large" organisations, meaning those that met at least two of the following threshold conditions in the financial year preceding the year in which the fraud offence was committed:

  • more than 250 employees;
  • more than £36 million turnover; and/or
  • assets (balance sheet) of more than £18 million. 

These conditions apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located. 

Extraterritoriality

The FTP offence will only apply where the associated person commits a fraud offence under the law of a part of the UK. This requires a UK nexus, namely that one of the acts which formed part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK.

If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based. If an employee or associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted. The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus. 

What fraud offences are within scope?

The Guidance details all the offences in scope for the FTP fraud offence, which include offences under the Fraud Act 2006, the Theft Act 1968 and the Companies Act 2006, as well as the common law offence of cheating the public revenue. Examples of potential offences include fraud by failure to disclose information, fraud by abuse of position, obtaining services dishonestly, participation in a fraudulent business, false accounting, the making of false statements by directors and fraudulent trading.

The offence does not create individual liability for persons within an organisation who may have failed to prevent fraudulent behaviour. However, a director, employee or agent who committed the fraud, or anyone who encouraged or assisted, could still be prosecuted for their own fraud in addition to the organisation being prosecuted for failing to prevent it.

What is an "associated person"?

An "associated person" must commit the predicate offence for the FTP offence to be engaged. An associated person will normally be an employee, an agent or a subsidiary of the organisation. Whilst employees will normally be easy to identify, agents may prove more challenging. Under the Guidance, they may or may not be under contract to the organisation. Small organisations may be "associated persons" while they provide services for or on behalf of large organisations. Subsidiaries are likely to be "associated persons" where there is a parent-subsidiary relationship.

The FTP offences can only be made out where the associated person commits a base fraud whilst acting in the capacity of a person associated with the organisation. The issue of who is intended to benefit from the underlying fraud is key to determining whether an organisation can be held accountable for the offence of failure to prevent fraud. No actual benefit need be realised; only the intention to benefit the company or its clients is necessary. This intention need not be the sole or dominant motivation for the fraud. Conversely, the company cannot be held liable for a fraud where it is a victim or an intended victim of the fraud carried out by an associated person. An organisation would not be a "victim" only because it suffered indirect harm as a result of the fraud by an associated person (for instance, because revelation of the fraud damaged the organisation's reputation).

What are "reasonable" fraud prevention procedures?

The fraud prevention framework put in place by relevant organisations should be informed by the following six principles:

  • top level commitment;
  • risk assessment;
  • proportionate risk-based prevention procedures;
  • due diligence;
  • communication (including training); and 
  • monitoring and review.

In demonstrating "Top Level Commitment", senior management are expected to have a leadership role in relation to fraud prevention. This is likely to include:

  • communication and endorsement of the organisation's stance on preventing fraud, including mission statements;
  • ensuring that there is clear governance across the organisation in respect of the fraud prevention framework;
  • commitment to training and resourcing; and 
  • leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices.

All organisations are expected to assess the nature and extent of their exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. Organisations are encouraged to start with "identifying typologies of associated persons", which might include considering "opportunity, motive and rationalisation". The Guidance encourages organisations to respond in a proportionate and risk-based manner. Organisations are encouraged to avoid duplication of work and to determine whether existing financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment. Due diligence on associated persons (including new partners) is expected, in particular in relation to mergers and acquisitions.

Once fraud prevention policies and procedures are established, they need bedding in. Communication is key and a "clear articulation and endorsement" is expected. This should come from all levels within the organisation. Training is also necessary, and it may be appropriate to incorporate fraud prevention training into any existing financial crime training. Bespoke training to address specific fraud risks may also be appropriate.

The Guidance states that "to help prevent fraud, organisations should have appropriate whistleblowing arrangements." This is said to include "having board level accountability to oversee whistleblowing" and "overseeing a culture where employees feel able to raise concerns". Reference is made to the Whistleblowing Guidance for Employers and Code of Practice developed by the Department for Business, Innovation & Skills in March 2015.

Organisations are expected to have arrangements in place for investigating fraud that is intended to benefit the organisation. Such investigations should be "independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice)". The Global Practitioners Guide to Investigations is footnoted as a useful guide to conducting such investigations.

Whilst this Guidance is detailed, it does not provide a safe harbour for organisations, even if strictly followed. As with all corporate failure to prevent offences, a tailored assessment of the specific risks faced by a business is an essential pillar of an effective compliance framework, and is what enables an organisation to rely on the statutory defence of having reasonable procedures in place to prevent fraud.

The Government has delayed the legislation coming into force for a period of nine months to allow organisations to develop and implement their own reasonable fraud prevention procedures. Given the size and potential complexity of the organisations that fall within the scope of the legislation, if preparatory work is not already underway, they would be wise to get cracking.

If you would like to discuss how these new measures may affect your organisation and/or how to minimise any potential risks, including putting in place reasonable fraud prevention procedures, ahead of the September 2025 implementation, please contact Natalie Sherborn or your usual Withers contact, who will be happy to assist.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
