Section 199 of the Economic Crime and Corporate Transparency Act 2023, also known as the “Failure to Prevent Fraud Offence”, is coming into force on 1 September 2025 and will place important new obligations on employers who are large organisations to take steps to prevent fraud. The consequences of getting it wrong could result in your organisation receiving an unlimited fine.

Government guidance to organisations on the new Failure to Prevent Fraud Offence was published in November 2024 with the aim of giving organisations information ahead of the new law becoming effective on 1 September 2025. It is fair to say that the Government guidance expects organisations that are within scope of the legislation to do a lot if they want to avoid prosecution.

You would be forgiven for missing this since attention over the past year has been mainly focussed on the proposals contained within the new Employment Rights Bill.

Here are the answers to some Frequently Asked Questions about the Act to help you to comply with the new law.

1. What is the new “failure to prevent” offence in a nutshell?

From 1 September 2025, a large organisation may be criminally liable where an “associated person” commits a specified fraud offence with the intention of benefitting the organisation and the organisation did not have reasonable fraud prevention procedures in place.

2. Will my organisation be covered by the scope of the offence? What is a large organisation?

An organisation is a “large organisation” if it meets at least two of the following three criteria:

  • turnover of more than £36 million
  • balance sheet total of more than £18 million
  • more than 250 employees.

If your organisation is not a large organisation but you provide services for or on behalf of one, you may still be asked by the large organisation to comply with the legislation so that it can show that it has introduced reasonable procedures to prevent fraud.

3. What about if my organisation is part of a group of companies and the parent company may qualify as a large organisation?

Subsidiaries of large organisations are “associated persons” for the purpose of the offence. Subsidiaries may be grouped together so as to fall within the definition of a “large organisation”, and a subsidiary which is not a large organisation may itself be liable for prosecution if its parent undertaking is a large organisation. Therefore, you will need to check the specific details relevant to your corporate group. See section 2.3.1 of the Government guidance for more information on subsidiaries.

4. What does “fraud” include for the purposes of the new legislation?

The legislation identifies the specific fraud offences that it is an offence to fail to prevent. These are:

  • Fraud by: false representation, failing to disclose information, abuse of position
  • Participation in a fraudulent business
  • Obtaining services dishonestly
  • False accounting
  • False statements by company directors
  • Fraudulent trading
  • Cheating the public revenue.

Aiding, abetting, counselling, or procuring the commission of any of the listed offences would also qualify as an offence.

5. How far does the fraudulent activity need to go to fall into scope?

An organisation does not need to actually receive any benefit from the fraudulent activity. A fraud offence is committed even if no gain is made or loss avoided. The failure to prevent fraud offence is committed in the same way.

6. How about if our senior managers were not aware of any fraud?

The offence is one of strict liability. It does not need to be demonstrated that the organisation’s senior managers or directors ordered or knew about the fraud for the organisation to be charged with the offence. There is a statutory defence that the organisation took reasonable steps to prevent fraud being committed.

7. Might I be charged with the offence personally?

The offence does not create individual liability for persons within the organisation who may have failed to prevent the fraudulent behaviour. However, an employee or agent who committed fraud, or anyone who encouraged or assisted them, may be prosecuted for the fraud offence.

8. What about fraud that takes place abroad?

The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad and there is no connection to the UK. However, if a relevant act or acts in the fraud took place in the UK, or the gain or loss occurs in the UK, the offence may be treated as having been committed here.

9. What about instances where employees are in the UK but the employing organisation is abroad?

If a UK-based employee or other associated person commits a fraud offence intending to benefit the overseas organisation, the employing organisation could be prosecuted, wherever it is based.

10. What should I do first to ensure my organisation takes steps to prevent fraud?

To provide a successful defence an organisation will need to demonstrate, at the time the fraud offence was committed, that it had procedures in place designed to prevent fraud offences being committed. Such procedures will need to have been “reasonable” in all the circumstances.

In summary, an organisation should develop and document tailored prevention measures proportionate to the risk to the organisation in line with six principles:

  • Top-level commitment
  • Risk assessment
  • Proportionate risk-based prevention procedures
  • Due diligence
  • Communication (including training)
  • Monitoring and review.

If your organisation has a fraud prevention policy, it is unlikely that this policy on its own will be sufficient to demonstrate that you had reasonable fraud prevention procedures in place.

What does “tailored prevention measures” include in practice?

A. The board and senior management should send a clear, formal statement or communication to all staff providing the following:

  • Endorsement of the organisation’s stance on preventing fraud. Setting out anti-fraud policy wording, illustrating clear governance across the organisation in respect of the fraud prevention framework, confirming designated responsibilities for detection, reporting and risk assessments;
  • Acknowledgement of their responsibility to lead by example and create an anti-fraud culture;
  • Commitment to: training of staff; ensuring individuals are empowered to report any concerns they may have; and associated resource allocation including measures to be implemented in relation to fraud prevention over the long term.

B. Draft a risk assessment (RA) document that considers the fraud triangle: (i) opportunity (e.g. whether employees operate with sufficient supervision and have scope to commit fraud), (ii) motive (e.g. whether there are financial stresses to meet targets) and (iii) rationalisation (e.g. quiet organisational tolerance of potential wrong-doing, or a culture of adverse consequences for speaking up).

Identify those parts of your organisation that are considered to present risks of fraud from which the organisation could benefit and identify and implement the measures that are designed to reduce those risks.

Review and update the RA as relevant information becomes available. A yearly review can be timetabled, but consideration should be given as to whether other factors may trigger an earlier review. The RA should also note that fraud risks may increase during unforeseen, or non-standard, emergency-type situations (including, but not limited to, financial distress, health pandemics, cyber security incidents and restructuring).

C. Consider and document the answers to the following questions:

  • What are the opportunities for reducing fraud in addition to current measures and policies in place?
  • How can any motive to commit fraud be reduced? Consider reforming any incentives or incentive structures that might encourage dishonest activity.
  • Which steps can be taken to ensure staff reduce the rationalisation of fraudulent behaviour, such as alleged justifications of “one offs” or “other businesses do it”?

D. Consider all due diligence measures that the organisation can take such as:

  • Ensure appropriate technology is in place to carry out suitable due diligence of engagements of staff and contractors. For example, third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status if relevant, or vetting checks if appropriate.
  • Review contracts with those providing services and/or agents, to include appropriate obligations and the ability to terminate in the event of a breach where appropriate.
  • Monitor the well-being of staff and agents to identify who may be more likely to commit fraud because of stress, targets or workload.
  • Carry out appropriate due diligence in the event of mergers and acquisitions.

E. Ensure clear articulation and endorsement of the organisation’s prevention policies (at all levels of staff) via ongoing training. Ensure that staff are familiar with whistleblowing policies.

F. Document the organisation’s procedures for the following:

  • Detection of fraud and attempted fraud;
  • Investigations of suspected fraud; and
  • Monitoring the effectiveness of fraud prevention measures.

Review the nature of the risks faced by your organisation as they will change over time. As such, the fraud detection and prevention procedures will also need to evolve and adapt as required.

Examples of ways that organisations can review fraud detection and prevention procedures include:

  • Seeking internal feedback from staff members
  • Reviewing fraud detection analysis
  • Examining any investigations or relevant whistleblowing cases and the subsequent action taken
  • Examining other financial crime prevention procedures
  • Conducting formalised periodic review with documented findings
  • Working with other organisations, such as trade bodies or other organisations facing similar risks
  • Following advice from professional organisations
  • Examining any relevant prosecutions or deferred prosecution agreements
  • Collating and verifying management information on the effectiveness of the fraud prevention measures and flagging to the board.

11. What is the summary “need to know” take away?

An organisation will be liable where a fraud offence has been committed unless it can demonstrate that it had reasonable fraud prevention procedures. Clearly documented management commitment and risk assessments evidencing all steps taken to prevent fraud are absolutely crucial to avoid prosecution.

Further detailed information

For further detailed information see Chapter 3 of the Government guidance: Reasonable fraud prevention procedures.

Also, please see our previous Fox Williams Financial Services Team article on the Government guidance, and our HRLaw webinar from 9 July 2025 (David Butler, from 12 minutes in): HRLaw webinar: employment and immigration issues for employers in 2025 so far – Fox Williams.

This overview is general guidance. It should not be relied upon without first taking separate legal advice. Neither the author nor Fox Williams LLP accepts any responsibility for any consequences resulting from reliance on the contents of this document.
