
Beating the bite: Strategies to avoid breaching the new failure to prevent fraud offence

The new failure to prevent fraud offence took effect on 1 September 2025. This offence (introduced as part of the Economic Crime and Corporate Transparency Act 2023) aims to remove barriers to corporate criminal responsibility by holding ‘relevant bodies’ liable for fraud committed by an ‘associated person’, regardless of whether directors or senior managers knew or ordered the fraud. The Director of the Serious Fraud Office, Nick Ephgrave, has already made it clear that he is "very, very keen to prosecute" companies who haven't sorted themselves out by the time the offence comes into force because "someone needs to feel the bite".

Who is in scope?

To come in scope of the offence, the relevant body must be a 'large organisation', meaning a firm which meets two of the three following criteria: the firm has more than 250 employees, more than £36m turnover, or more than £18m in total assets. These criteria are applicable to the whole organisation including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are.

'Associated persons' automatically include employees, agents and subsidiaries, and may also include third parties (for example, fund managers and custodians) who commit fraud while they are providing services for, or on behalf of, the firm.

The fraud must have been committed with the intention of benefiting the relevant body, although this does not need to have been the primary motivation and the benefit can be indirect. Like the extraterritorial approach taken to breaches of the UK Bribery Act 2010 and the Sanctions and Anti-Money Laundering Act 2018, the offence has extraterritorial reach, potentially applying to a firm anywhere in the world if there is a UK nexus (meaning any part of the fraud took place in the UK or actual gain or loss occurred in the UK).

Although a firm does not need to be regulated to come within the scope of the new offence, regulated firms will need to consider other obligations they may have if a breach occurs. Fraudulent conduct would trigger regulatory notification requirements (for example, to the Financial Conduct Authority or the Prudential Regulation Authority) and a consideration of insurance notifications, and may also involve a breach of other anti-fraud regulations. We may also start to see coordinated actions taken by prosecutorial bodies and regulators, reinforcing the importance of getting your anti-fraud control ducks in a row.

Is there a defence?

There is a defence to the offence if the firm can prove that it had reasonable fraud prevention procedures in place, taking into consideration the firm's structure and activities, the control, proximity and supervision of the firm over the associated person acting on its behalf, and the territoriality of the offence.

What can firms be doing now?

As the offence is now in force, firms should have already been considering and implementing, where necessary, uplifts required to their fraud compliance programs to ensure they can point to reasonable fraud prevention procedures as a defence if a prosecution is brought.

These uplifts could include:

  1. Conducting a thorough risk assessment to identify fraud-related risks. If you are leveraging an existing risk assessment, ensure it covers the types of outward fraud caught by the offence. You should also create a clear, targeted action plan for any gaps identified as a result of the risk assessment (while avoiding duplication of work which has already been done) and document any measures you have decided not to take in response to specific risks;
  2. When carrying out the risk assessment, firms should consider the entire organisation, evaluating which of their teams and personnel may be most at risk of fraud and to which types of fraud they may be most vulnerable, remembering that this can include subsidiaries and third parties who carry out services for the firm. Firms based overseas or with subsidiaries in the UK should give careful thought to the ways in which the UK nexus may arise in their business activities;
  3. Ensuring that there are sufficient policies and controls addressing the various ways fraudulent acts may impact your firm, including in respect of third parties (for example, robust due diligence requirements and fraud prevention terms and conditions in third party contracts);
  4. Demonstrating strong 'tone from the top'. Board and senior managers should be able to demonstrate and document a commitment to a culture of cracking down on fraud. This can be done by making sure that financial crime and fraud are regularly discussed at Board meetings (and properly minuted), that there is regular, proper engagement with MI on fraud, and that senior managers are properly trained and aware of the firm's fraud controls and are able to accurately explain these if asked. For FCA- or PRA-regulated firms, SMF Statements of Responsibility and Management Responsibilities Maps should be updated where necessary. There should be clear governance and reporting lines for discussion and escalation of fraudulent incidents and risks, and a designated risk committee with clear Terms of Reference;
  5. Training should be tailored to specific employees, taking into account the level of risk they face in their role (for example, senior manager fraud training should address risks associated with delegating / overseeing employees) and should be rolled out on an ongoing basis;
  6. Regular monitoring and measuring of employee understanding of relevant real-world fraud scenarios and case studies; reviewing and analysing data on fraud incidents (and near misses), including what worked and how systems and controls could be improved going forward; and ensuring there are adequate auditing processes in place.

With the SFO and CPS having now issued updated guidance for prosecutors on the new offence, and the very clear warning that prosecutors are chomping at the bit to take action against companies, there's no more important time to ensure you have measures in place to avoid getting bitten.
