Failure to prevent fraud
Introduction
From 1 September 2025, the UK’s new corporate criminal offence of failure to prevent fraud will be enforced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Now is the time for companies to familiarise themselves with the official guidance and implement “reasonable procedures” to prevent fraud.
While savvy compliance operators will be familiar with the six principles set out in the Guidance (they're the same as for the UK's bribery and failure to prevent the criminal facilitation of tax evasion offences), in many ways this latest iteration goes further, is more comprehensive (the FT labelled it "remarkably prescriptive" [1]), and sets higher expectations for organisations expecting to rely on reasonable prevention procedures as a defence.
In fact, for those operators who are hoping to rely on their existing anti-fraud procedures, the Guidance has a stark warning: "It would not be a suitable defence to state that because the organisation is regulated its compliance processes under existing regulations would automatically qualify as ‘reasonable procedures’ under [ECCTA]."
In this article from DLA Piper's Corporate Crime, Investigations & Compliance practice in the UK, we'll take a look at what's new in the Guidance and what relevant organisations should be paying close attention to as they prepare for the introduction of the Offence in September.
Background to the offence
The Offence applies to 'large organisations', or entities whose parent undertakings are large organisations. Large organisations under ECCTA are those satisfying two or more of the following conditions: (i) more than 250 employees, (ii) more than GBP36 million turnover, and (iii) more than GBP18 million in total assets. However, smaller organisations may also need to consider their anti-fraud procedures if they are an associated person or subsidiary of a large organisation.
Organisations will be guilty of an offence where: (i) an associated person commits a fraud offence intending to benefit that organisation, or any person to whom the associated person provides services on behalf of that organisation, or (ii) an employee of an organisation commits a fraud offence intending to benefit that organisation, where that organisation's parent undertaking is a large organisation. Please see DLA Piper's comparative guide to the UK’s failure to prevent offences for more detail.
What's new?
While it's important to note that the Guidance is advisory and not legally binding, it sets out the expectations that the UK Government has for organisations to install reasonable fraud prevention procedures.
Internal investigations
Under the principle of 'Monitoring and Review', the Guidance notes that relevant organisations are likely to have procedures for investigating attempted frauds against the organisation, but these may need to be extended to cover frauds intended to benefit the organisation. This is not surprising, and echoes the Ministry of Justice's Guidance on the Bribery Act, which expects organisations to set up systems to "deter, detect and investigate bribery".
However, the Guidance extends this concept by stipulating that: "Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice), and legally compliant". The requirement for a prompt and comprehensive internal investigation is not new (the CPS' DPA Code of Practice refers to internal investigations in public interest factors against prosecution); however, the Guidance asks organisations to consider questions such as: Who authorises the investigations? Are decisions to investigate documented? What factors determine whether the investigation is internal or whether an external investigator is appointed?
The term ‘reasonable prevention procedures’ in relation to internal investigations appears therefore to extend not just to the manner in which the internal investigation into the baseline fraud in question is carried out, but also to the compliance framework for carrying out such investigations. In effect, these prevention procedures will be considered not only at the point at which the fraud offence (or possible fraud offence) is committed, but also in respect of how organisations address a possible offence.
This post-event guidance is indicative of a similar shift in compliance regulation globally, and can be seen, for example, in the EU's 2019 Whistleblowing Directive, which mandates step-by-step procedures of processing, investigating, and providing feedback on whistleblowing reports.
Whistleblowing
While the UK's whistleblowing legislation is now out of step with the EU in legislating for the process of receiving and investigating whistleblowing reports, the Guidance asks organisations to consider: (i) what are the organisation's whistleblowing procedures, (ii) what action is taken after whistleblowing, and (iii) are staff or other associated persons directed to external whistleblowing sites.
Compliance operators without an EU presence or who have yet to update their compliance procedures for the EU Whistleblowing Directive (see DLA Piper's Implementation Guide here) may be unfamiliar with the need to have clear procedures in place for managing reports outside of the need to protect whistleblowers from retribution.
AI
As a third iteration of the six principles (following those published in respect of adequate/reasonable procedures to prevent bribery and facilitation of tax evasion), the Guidance includes a nod to the increasing use of AI tools in the detection and prevention of fraud. Organisations are asked to consider what data analytics tools they use, and whether there is scope to use AI to identify potential fraud. Organisations may already be familiar with the use of AI to prevent scams being perpetrated against them, but they will now be asked to consider how to use AI to prevent fraud being committed for their benefit.
Understanding fraud
Understanding and curbing the motivations for the commission of fraud offences is a key tenet of the Guidance and covered in detail under the heading of ‘Risk Assessment’. Where offences under the UK Bribery Act 2010 may be more clearly motivated by individual greed, fraud acts committed on behalf of organisations can be trickier to understand.
To assist, the Guidance sets out the "Fraud Triangle", made up of three limbs: Opportunity (weak controls and inadequate oversight); Motivation (financial stress and meeting targets); and Rationalisation (no harm and resentment). Organisations should pay heed to the motivation for fraud, as financial stressors are often seen as a commercial, rather than a compliance, issue. To illustrate the triangle, the Guidance includes the example of an accounting department overstating profits to make the organisation seem more attractive to investors. The base fraud is fraud by false accounting, the associated person is the relevant employee in the accounting department, and the organisation could be prosecuted for the Offence unless it could prove it had reasonable prevention procedures. This would be so even if the investment was not secured, as the fraud was committed with an intention to benefit the organisation.
In this case, applying the fraud triangle model, best practice would be to consider why the relevant employee felt the need to commit the offence – Personal benefit (perhaps indexed to a bonus)? Pressure from superiors to secure the investment? A culture where casual manipulation of numbers is seen as standard?
Each of these motivations should be at the forefront of a risk assessment for fraud, and compliance operators should be seeking to get to grips with opportunities, facilitators, and now motivations for the commission of fraud offences.
Individual responsibility
Organisations hoping to skate through preparedness for the Offence off the back of their existing anti-fraud controls should pay heed to the Guidance's focus on calling out individuals by name where decisions about prevention procedures are made.
This is so in relation to carrying out a risk assessment, the foundation of any compliance framework, where the Guidance notes: "Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision." The Guidance allows that it may be deemed reasonable not to introduce measures in response to a particular risk in "limited circumstances"; however, there is clear emphasis on taking individual responsibility for this decision.
The Guidance demonstrates a clear interest by UK prosecutors in understanding how prevention procedures are practically addressed at an individual and team level, with best practice suggestions including a need for senior managers to commit to sustaining anti-fraud practices "when key members of staff are on annual leave, or off work with illness, or when they leave the organisation". Organisations looking to rely on the defence will need to show that their procedures are not just pieces of paper, but living and adaptive organisms within the compliance environment of the organisation.
Commenting on the publication of the Guidance, SFO Director Nick Ephgrave QPM said: "The publication of this guidance means that time is running short for corporations to get their house in order or face criminal investigation", and the Guidance's focus on individuals shows a clear desire for that time pressure to be felt personally by those in compliance roles, even where they are part of a large organisation with an already sophisticated compliance function.
A further change to corporate criminal liability
Organisations should be conscious of the fact that ECCTA also brought in changes to the test for corporate criminal attribution, extending this to acts committed by senior managers, not just the "directing mind and will" of the organisation. This landmark change to corporate criminal liability, which covers offences such as bribery, false accounting, money laundering, and trade sanctions infringements, was ushered in by ECCTA in December 2024 and may be even more impactful than the Offence in changing the corporate fraud landscape. Businesses should have regard to this whilst undertaking their preparatory work for the Offence as, for example, a broader category of staff may require more focussed anti-corporate crime training.
Conclusion
The offence of 'failure to prevent fraud' comes into effect on 1 September 2025. Large organisations should use this time to review and refresh their anti-fraud controls to ensure they have the greatest chance to rely on the defence of having reasonable fraud prevention procedures. Smaller businesses should consider the extent to which they will be impacted through their relationships with others.
If you or your organisation wish to learn more about the ECCTA, the Offence, or the Guidance, please contact:
[1] Govt’s failure to prevent fraud guidance ‘remarkably prescriptive’.