New UK legislation on corporate fraud prevention
The UK government has introduced new laws that will make ‘failure to prevent fraud’, under the Economic Crime and Corporate Transparency Act (ECCTA), a criminal offence for large businesses.
31st January 2025
Stephen Martin
The legislation aims to make it easier for organisations to be held accountable for failure to prevent fraud, demonstrating the government’s intention to target economic crime and increase corporate transparency.
The failure to prevent fraud offence will come into force on 1 September 2025, following the UK Home Office publishing the long-awaited guidance on 6 November 2024. The guidance provides advice for organisations on taking action to prevent fraud, as well as setting out the scope of organisations captured, the types of fraud covered by the offence and what is meant by an ‘associated person’.
The failure to prevent fraud offence is particularly unusual, and also significant, as it is a strict liability criminal offence. It builds on both the existing offence of failure to prevent bribery under the Bribery Act 2010 and the offence of failure to prevent the facilitation of tax evasion under the Criminal Finances Act 2017. Organisations found guilty of such an offence could receive a fine but would likely also suffer significant reputational damage.
Under the Act, an organisation will be liable if it fails to prevent a specified fraud where:
- an ‘associated person’ of the organisation commits the fraud; and
- the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation.
The offence will not only apply to large corporates, subsidiaries, and partnerships. This means that large not-for-profit organisations such as charities are also in scope, as well as incorporated public bodies. An organisation is ‘large’ if it meets two out of three of the following:
- More than 250 employees
- More than £36 million turnover net (or £43.2 million gross)
- More than £18 million total assets (or £21.6 million gross)
These criteria will apply in respect of the financial year preceding the alleged fraud.
The Companies Act 2006 size thresholds were amended by a Statutory Instrument (SI 2024/1303), published in December 2024, for accounting periods commencing on or after 6 April 2025. However, it appears that the thresholds within section 201 of the ECCTA were not amended for this change to company law. As it stands, this may mean that organisations that would have been large under the ‘old’ Companies Act 2006 size criteria will still need to comply with the failure to prevent fraud guidance, even if they become medium-sized under the increased thresholds.
If resources held across a parent and its subsidiaries cumulatively meet the threshold, that group will be in scope. Liability can be attached either to the specific group company or the parent company, if the fraud was committed by a subsidiary employee for the benefit of the parent company and the parent did not take reasonable steps to prevent it.
The offence is not just confined to the UK. If an associated person commits fraud under UK law, the organisation can be prosecuted even when the organisation and associated person are based overseas.
An organisation will have a defence where it can show it had either ‘reasonable procedures’ in place to prevent fraud, or that it was not reasonable in the circumstances to expect such procedures to be in place.
The Home Office guidance sets out what organisations should consider when designing and implementing reasonable procedures, with six basic principles:
- Top level commitment – senior management should lead by example and foster a culture where fraud is never deemed acceptable
- Risk assessment – this should be kept under review
- Proportionate risk-based prevention procedures – procedures should be proportionate to the potential fraud risks of the specific organisation
- Due diligence – organisations should reconsider existing due diligence procedures and ensure these adequately address risks
- Communication (including training) – prevention policies should be reinforced at all levels of the organisation. Regular training is key and should be specific to the risks of different roles
- Monitoring and review – procedures should be reviewed regularly to ensure they are sufficient.
The offence comes into effect on 1 September 2025. Large organisations should use this time to review and update their anti-fraud controls to ensure they can rely on the defence of having reasonable prevention procedures.
If you would like further information as to how the ECCTA 2023 will impact your company or organisation, please contact a member of the tax team at Old Mill.