1 September 2025 will see the coming into force of a new offence of failure to prevent fraud under the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”).

The offence focuses on large organisations. In particular, large organisations which rely on suppliers to make products or services available to their customers must also take steps to prevent fraud in their supply chain, or risk falling foul of the new offence given the broad nature of the ECCTA.

A large organisation may be criminally liable where an “associated person” commits a specified fraud offence with the intention of benefitting:

  • the organisation,
  • a subsidiary of the organisation, or
  • a third party to whom services are provided by the associated person on behalf of the organisation,

and the organisation did not have reasonable fraud prevention procedures in place.

An associated person is a person (whether natural or corporate) who:

  • is an agent, employee, or subsidiary of the organisation; or
  • performs services for or on behalf of the organisation.

The crucial point here for businesses within supply chains is that they can be guilty by association if an agent, distributor, or provider of services commits a fraud offence to benefit the organisation, any of its subsidiaries, or a business which provides services on behalf of the organisation.

So how do you know if the new offence is a relevant consideration in relation to your supply chain?

Is the business a large organisation?

This is pertinent as the new failure to prevent fraud offence only applies to businesses that are “large organisations”. The ECCTA provides that a ‘large organisation’ is a business which satisfies two or more of the following in the financial year preceding the year in which a relevant fraud offence occurs:

  • the business has a turnover of more than £36 million.
  • the business has a balance sheet totalling more than £18 million.
  • the business has more than 250 employees.

What are the relevant fraud offences?

ECCTA provides that large organisations must take steps to prevent the following specific fraud offences:

  • Fraud by false representation or failing to disclose information or abuse of position
  • Participation in a fraudulent business
  • Obtaining services dishonestly
  • False accounting
  • False statements by company directors
  • Fraudulent trading
  • Cheating the public revenue.

Aiding, abetting, counselling, or procuring the commission of any of the above offences will also qualify as an offence.

How to avoid falling foul of the failure to prevent fraud offence

It is a defence to the new offence if the large organisation can prove that, at the time the fraud offence was committed:

  • it had in place such prevention procedures as it was reasonable in all the circumstances to expect the organisation to have in place, or
  • it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.

However, it is worth noting that this is a defence rather than absolution, meaning that any organisation prosecuted for the failure to prevent fraud offence will have to establish its defence to the satisfaction of the court to avoid conviction.

ECCTA defines ‘prevention procedure’ simply as “procedures designed to prevent persons associated with the body from committing fraud offences”.

Finally, if the large organisation is or was intended to be the victim of the fraud offence, it is not guilty of the offence of failing to prevent fraud.

What practical steps can we take now to mitigate the risk of falling foul of the offence?

The UK Government’s guidance on the new offence (available here) suggests that the approach to reasonable prevention procedures should take account of the following principles:

  • a top-level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review.

It seems clear that a prudent starting point would be to carry out a risk assessment, resulting in the development of a clear policy aligned to the prevention procedures the organisation considers to be appropriate. It would be possible to roll the fraud prevention policy into an existing policy such as the organisation’s anti-bribery and corruption policy.

When engaging with an ‘associated person’, an individual risk assessment should be undertaken as part of the organisation’s due diligence procedure before binding the ‘associated person’ to robust, enforceable contractual commitments to comply with the law, the aforementioned policy, and any bespoke requirements identified through the due diligence process.

Monitoring at appropriate touchpoints (which could be established in the fraud prevention policy) and reviewing the measures in place would also be prudent where preventative procedures are in place.

In addition, consideration should be given to existing arrangements, especially as to whether current contracts should be remediated (varied) in line with any risk assessment or policy.

Summary

Ultimately, the approach an organisation takes to its supply chain and, in turn, its agents and distributors and those of its sub-contractors will depend on its internal assessment of the risk and the controls it deems to be reasonable and proportionate to the identified risk.

Documenting decision making and the reasons for those decisions, especially where a course of action is decided, should also help demonstrate that a reasonable approach to addressing whether prevention procedures are necessary or appropriate has been taken. In turn, this may stand the organisation in good stead should it ever need to defend itself against a prosecution for failing to prevent fraud.

For more information see here for an excellent summary of the offence produced by our Employment team.
