Partner Rachael Gregory explains the implications of the new offence of failure to prevent fraud, and how businesses and firms can best prepare prior to it coming into effect in September.

Rachael’s article was published in Business & Accountancy Daily, 15 January 2025.

In the wake of landmark legislation changes on the offence of failure to prevent fraud, companies will need to review and reform their fraud prevention procedures – and the clock is ticking on implementation. Businesses now have less than nine months to put in place processes to counteract fraud within their corporate structure to avoid being held criminally liable.

Scope of the offence

Under the new legislation, an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’, commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place. ‘Associated person’ has a broad definition: a person who provides services for or on behalf of an organisation classes as an associated person while they are providing those services.

So, for example, if an employee is engaged in dishonest sales practices or deceitful behaviour in financial markets then the company itself could face prosecution. This would also apply if employees were engaged in the practice of hiding significant information from its investors or consumers. Organisations should also be aware that the offence will also be applicable when a fraud has been committed for the benefit of the organisation, even if there has been no actual advantage. So, even if dishonest sales practices did not result in any increase in sales, the organisation may still be liable under the provisions of the new offence.
Individuals who carried out the actual fraud can still be prosecuted under existing laws, but, crucially, the organisation which employs them will now face a prosecution too if investigators can reasonably conclude that the organisation failed to prevent the crime. If an employee or agent has committed a fraud, as a defence to prosecution, the organisation will need to be able to demonstrate that it had adequate policies and procedures in place to prevent fraud.

An organisation can also escape liability if it itself was a victim of, or was intended to be a victim of the fraud. However, where the individual committed the fraud intending to benefit the company, this does not apply (even if in practice the company did not benefit). For example, if an individual engaged in mis-selling practices with the intention of increasing sales for the company, the organisation may be liable for prosecution if it did not have adequate procedures in place to prevent the fraud, even if sales did not increase.

Who does it apply to?

Under rules brought forward in 2023 under the Economic Crime and Corporate Transparency Act (ECCT), this applies to all companies with more than 250 employees, a turnover of more than £36m, or total assets of more than £18m. However, smaller organisations will still need to consider compliance with the legislation because a large organisation will likely require them to have reasonable procedures in place if they fall within the scope of ‘associated person’ of the large organisation. The definition is purposely detailed, leaving no room for ambiguity, so claiming to be unaware that the new rules apply will not be an acceptable defence.

Extra-territorial impact

The new regime will include organisations incorporated outside of the UK, and as such businesses registered in other jurisdictions may find themselves liable for actions of employees or associates carried out within the UK. It will apply to organisations where part of the offence takes place in the UK. This would include situations where part of the fraud takes place in the UK but could also apply where there are victims in the UK or, for certain offences, where there is a gain in the UK. Even if an organisation is based outside of the UK and doesn’t have any nexus here, it could still be liable for actions of a third-party service provider operating within the UK.

Accordingly, both UK and non-UK companies will need to assess whether the acts of their employees, subsidiaries, or agents are likely to give rise to liability for the company under the new offence.

Action businesses should take to prepare

With only nine months to go until the landmark ECCT legislative reforms come into force, companies should be encouraged to implement stronger fraud prevention procedures without delay.

The SFO’s director Nick Ephgrave recently warned that “time is now running short for corporations to get their house in order”. He reiterated the regulator’s determination to “act swiftly and send a strong signal to companies profiting from malpractice” and insisted that any behaviour proven to be fraud will not be tolerated by the watchdog.

Organisations should act now to consider whether the organisation or its associates fall within the scope of the legislation and, if so, take steps to have the right protections and policies in place ahead of the 1 September 2025 deadline to avoid being held criminally liable if one of their employees, agents or associates acts fraudulently in the future.

Ahead of the September deadline, businesses should review their processes to identify risks of fraud within the business and then review the appropriate policies and procedures to consider whether there is adequate fraud protection. For areas of the business identified as being particularly high risk of fraud, businesses may want to consider obtaining professional advice on their policies and procedures to ascertain whether there are sufficient checks and balances in place and to obtain advice as to additional checks, balances and safeguards which could be introduced. The fact that an organisation has obtained professional advice may assist in the event of a prosecution. Whilst it may not prevent fraud, it does show investigators that the organisations have taken proper steps to consider its policies, procedures and safeguards.

The onus will lie with organisations to demonstrate they have taken steps to prevent fraud and organisations will no longer be able to turn a blind eye to actions of its employees and associates.