The new ‘failure to prevent fraud’ (“FTPF”) offence, introduced in the UK by the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”), comes into effect on 1 September 2025. Given its extra-territorial reach, the web of “associates” whose conduct can potentially trigger corporate liability, the possibility of unlimited fines on conviction and very significant associated reputational risk, both domestic and international organisations need to ensure that they take the necessary steps now to maximise their prospects of being able to avail themselves of the only defence to this strict liability offence. Our interactive flowchart walks through the various elements of the offence, with a particular focus on extra-territoriality and enforcement risks.
Theme 1: Extra-territoriality
The FTPF offence has extraterritorial reach. Unlike the failure to prevent bribery offence, relevant organisations are in-scope regardless of where they are incorporated or whether they have a subsidiary, branch or carry on business in the UK. Additionally, relevant employees or associates are not limited to those with a connection to the UK.
The only limit to the territorial scope of the FTPF offence is whether the specified base fraud offence is triable in the UK, creating the necessary UK nexus. This is another point of difference to the failure to prevent bribery offence where the question of whether the UK has jurisdiction to prosecute the associated person in respect of the underlying bribery offences is irrelevant.
The specified base fraud offences generally have a wide jurisdictional scope which allows for some acts forming part of the offence to take place overseas. Under sections 1 and 2 of the Criminal Justice Act 1993 (the “CJA”), an associate can be guilty of the base fraud offences (save for fraudulent trading) provided that a “relevant event” – an act or omission that is part of the underlying fraud – occurs in England and Wales, i.e. even where other parts of the criminal conduct take place outside England and Wales. The CJA also confirms that as regards offences under section 1 of the Fraud Act 2006, a “relevant event” can include the occurrence of the gain or loss in the UK. The offence of fraudulent trading under s.993 of the Companies Act can only be committed in respect of a business which is registered, or carrying out business in, the UK.
As a result, all organisations, both domestic and overseas, should be reviewing their worldwide policies in light of the FTPF offence. Multi-national organisations with existing fraud prevention measures in place globally are likely to want to identify and focus on areas of their business which are exposed to a risk of fraud with a UK nexus. Depending on the jurisdictions in which such organisations operate, and any comparable offences in those jurisdictions imposing criminal responsibility for acts committed by an employee or agent while acting on the company’s behalf and within the scope of their employment or agency, at least some of this work may already have been done, in which case it will be more a question of leveraging and adapting existing policies and procedures.
An “Associate”
Irrespective of their place of incorporation or location, an employee, agent, subsidiary undertaking (including its respective employees) and/or any other person who performs services for or on behalf of the relevant body (s199(7) and (8) ECCTA).
Large organisations
A relevant body which meets two or more of the following conditions in the financial year before the year of the fraud offence (s201(1)):
Turnover*: More than £36 million
Balance sheet total: More than £18 million
Number of employees**: More than 250 on average.
Or, if the relevant body is a parent undertaking, the group meets two or more of the following conditions in aggregate in the financial year before the year of the fraud offence (s202(1)):
Turnover: More than £36 million net*** (or £43.2 million gross)
Balance sheet total: More than £18 million net (or £21.6 million gross)
Number of employees: More than 250 on average.
* “Turnover” means the amount derived from the provision of goods and services after deduction of (a) trade discounts, (b) value added tax and (c) any other taxes based on the amounts so derived.
** Number of employees should be determined for a relevant year by (i) finding for each month in the year the number of persons employed under contracts of service by the entity/group (as applicable) in that month (regardless of whether this is throughout the month); (ii) adding together the monthly totals; and (iii) dividing by the number of months in the year.
*** For these purposes, “net” means after any set-offs and other adjustments made to eliminate group transactions and “gross” means without those set-offs and other adjustments.
Theme 2: Beyond FTPF: the broader impact of ECCTA on corporate criminal liability
While FTPF is not the first of these “failure to prevent” offences under English law, with offences under the Bribery Act 2010 and the Criminal Finances Act 2017 (“CFA”) having already been in force for some time, the impact of ECCTA on the scope of corporate criminal liability is felt beyond the introduction of this new offence.
Crucially, the FTPF offence was introduced alongside reform of the common law identification doctrine, which governs the attribution of acts and intentions to a company for the purpose of corporate criminal liability. The identification doctrine allows a corporate to be prosecuted for a criminal offence committed by a person acting on its behalf where the natural person who committed the offence represented the corporate’s directing mind and will at the time at which the offence was committed. Under the doctrine, it has proven difficult to prosecute large multinational companies for corporate criminal offences, given decision-making in such organisations is often de-centralised, making it challenging for prosecutors to marry up the conduct in question with the natural person(s) properly said to be the directing mind and will of the organisation.
For the economic crime offences listed in Schedule 12 of ECCTA – which is much wider than the FTPF specified base fraud offences – the identification doctrine has been widened such that an organisation will now be criminally responsible if a “senior manager” acting within the actual or apparent scope of that person’s authority commits the offence. This change is already in force. The definition of senior manager in ECCTA – not to be confused with the FCA/PRA senior managers regime – is lifted from the Corporate Manslaughter and Corporate Homicide Act 2007 and defined in s.196(4) of ECCTA as: an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or (as the case may be) partnership are to be managed or organised; or (b) the actual managing or organising of the whole or a substantial part of those activities. The explanatory notes to the legislation explain that the definition of senior managers covers “both those in the direct chain of management as well as those in, for example, strategic or regulatory compliance roles”. As such, ECCTA has significantly widened the potential pool of people within an organisation that can trigger corporate criminal liability.
Specified Offences
In England and Wales, the specified offences are:
- Fraud offences under section 1 of the Fraud Act 2006 including:
  - Fraud by false representation (section 2 Fraud Act 2006)
  - Fraud by failing to disclose information (section 3 Fraud Act 2006)
  - Fraud by abuse of position (section 4 Fraud Act 2006)
- Participation in a fraudulent business carried on by a sole trader (section 9 Fraud Act 2006)
- Obtaining services dishonestly (section 11 Fraud Act 2006)
- Cheating the public revenue (common law)
- False accounting (section 17 Theft Act 1968)
- False statements by company directors etc. (section 19 Theft Act 1968)
- Fraudulent trading (section 993 Companies Act 2006)
Failure to prevent fraud can also be made out where the associate aids, abets, counsels or procures the commission of the offences listed above (s199(6)(b)).
It is possible for offences to be added to or removed from this list. No conviction for the underlying fraud offence is required for an offence to form the basis of failure to prevent fraud, but where there is no conviction, the prosecution would be required to prove to a criminal standard that the underlying fraud offence has been committed.
… intended to benefit …
Intention is all that is required, i.e. the benefit does not have to be realised. The benefit can be financial or non-financial – acts that are intended to confer a business advantage or disadvantage over a competitor will be in scope. The benefit does not have to be the sole or primary motivation for the fraud (e.g. an associate can be primarily motivated by personal gain). Recent (non-statutory) sector-specific guidance from UK Finance suggests that intention can be inferred where the benefit is virtually certain and known to the associate.
Theme 3: Enforcement
The introduction of the FTPF offence, the latest in the relatively recent line of “failure to prevent” offences, is part of a broader shift in approach to corporate criminal liability which, together with changes to the old “directing mind and will” test for corporate attribution (as to which, see below), is essentially aimed at making it easier to prosecute organisations for criminal conduct.
The Crown Prosecution Service (for England and Wales) and the Serious Fraud Office (for England, Wales and Northern Ireland) are the entities with the power to prosecute the FTPF offence. That said, there is recognition in the Home Office guidance that regulators, including the FCA, could choose to prosecute themselves and there is an expectation that prosecutorial bodies and regulators will work together to deliver “coordinated resolutions”, taking public interest considerations into account.
The appetite for enforcement is certainly there with fraud identified as a significant problem in the UK and a government priority. The SFO’s business plan for 25/26 emphasises the importance of the offence in the SFO’s upcoming agenda and Nick Ephgrave, Director of the SFO, has not been shy about saying how keen he is for the SFO to prosecute this particular offence.
If convicted, an organisation can receive an unlimited fine (s.199(12) ECCTA), although courts will take account of all the circumstances in deciding the appropriate level of fine for a particular case. Regulated firms also face regulatory investigations and penalties if procedures are considered inadequate. The fine itself is of course only part of the picture: regardless of ultimate outcome, the significant time, expense and reputational risk of being investigated should alone be sufficient incentive for organisations to invest in putting their best foot forward now.
Despite the appetite for enforcement, we do not expect the impact of this new offence to be measured by a material increase in court cases and convictions. That is consistent with lessons learned from the failure to prevent bribery offence some 15 years on. The architects of the new legislation have themselves been quite open in saying that their hope is that the threat of criminal liability will encourage organisations to put the necessary fraud prevention measures in place to reduce fraud, such that the real change is felt most acutely now in this period prior to implementation. Where organisations do fall short, the Home Office’s own impact assessment says corporate prosecutions are likely to be dealt with by deferred prosecution agreements (DPAs). Accordingly, once the offence is in force, we expect there will be an increase in the number of investigations by the SFO into fraud-related offences, organisations entering into DPAs in respect of fraud and private prosecutions being brought by victims of fraud.
Reasonable fraud prevention procedures
It is a defence where:
- the relevant body had in place “reasonable” fraud prevention procedures; or
- it was not reasonable in all the circumstances to expect the body to have such procedures (s199(4))
The standard of proof to be met by the organisation is the balance of probabilities.
Guidance from the Home Office outlines six key principles: top level commitment; risk assessment; proportionate risk-based fraud prevention procedures; due diligence; communication; and monitoring and review. These are meant to be flexible to allow for a tailored approach, enabling organisations to focus efforts where they are most needed and adopt measures which are reasonable in all the circumstances having regard to that particular organisation’s own risks and areas of exposure.
The Home Office guidance on the FTPF offence provides that while there may be “synergies” between the reasonable procedures required under the FTPF offence and the processes that organisations already have in place to comply with other regulations, such as the Bribery Act and the CFA (addressed below), organisations cannot assume that their existing procedures automatically qualify as reasonable procedures for the purposes of the FTPF offence. As such, organisations which have existing procedures in place may use those procedures as helpful foundations, but they will need to reassess their internal processes in light of the new FTPF offence, as well as the extension of the identification doctrine (discussed in more detail below).
See our previous article which sets out further guidance on what is considered “reasonable”.