Failure to prevent fraud: The new corporate offence coming into force on 1 September 2025

Although the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) received Royal assent on 26 October 2023, and most of the provisions of the Act came into force the following year, the new corporate criminal offence of failure to prevent fraud under s.199 does not come into force until 1 September 2025 [SI 2025/349].

On 18 August 2025, with 2 weeks to go before the new offence comes into effect, the CPS and SFO finally published their updated joint Corporate Prosecutions Guidance to include their common approach to the new ECCTA corporate offence [https://www.cps.gov.uk/legal-guidance/corporate-prosecutions]

What is the new offence?

The new corporate offence of failure to prevent fraud is an extension of the principle of criminalising corporate ‘failure to prevent’ offending, akin to that seen previously in s.7 Bribery Act 2010 (failure to prevent bribery by an associated person) and ss.45 and 46 Criminal Finances Act 2017 (failure to prevent tax evasion).

Section 199(1) of ECCTA creates a strict liability either-way offence which is committed by a corporate where an “associate” of that corporate (an employee of the corporate or a subsidiary, or someone performing services for the corporate) commits a fraud offence intended to benefit either the  corporate [s.199(1)(a)] or a third party to whom the associate provides services on behalf of the corporate [s.199(1)(b), although s.199(3) provides a defence to the s.199(1)(b) offence where the corporate was, or was intended to be, the victim of the fraud].

The s.199(1) offence only applies where the corporate is a “large organisation”.  However, s.199(2) provides that a subsidiary (which is not itself a large organisation) can also be guilty of the offence if an employee of that subsidiary commits a fraud offence for the benefit of the subsidiary during a financial year in which the parent company is a large organisation.  The term “large organisation” is defined in s.201 and s.202 as being one which satisfies at least two of the following criteria in its financial year preceding the fraud:

• A turnover of more than £36 million
• A balance sheet valued at more than £18 million
• An average of more than 250 employees across the year

For the purposes of s.199, a “fraud offence” is defined by s.199(6) as being any offence listed in Schedule 13 of ECCTA, or any aiding abetting etc. of such an offence.  The offences listed in Schedule 13 include cheating the public revenue, false accounting, the making of false statements by company directors, fraudulent trading, and the offences under sections 1, 9 and 11 of the Fraud Act 2006.  It is worth noting that there will undoubtedly be a degree of overlap between the s.199 offence and the s.45/46 offences under the Criminal Finances Act 2017, and it remains to be seen which offence will be preferred by prosecutors to deal with tax fraud.  

The strict liability of the s.199 offence is mitigated by the statutory defence under s.199(4), which provides that it is a defence to show that at the time of the fraud:

• the corporate had “such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place“; or
• “it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place“.

Reasonableness of anti-fraud procedures

Given the strict nature of the liability under ECCTA, corporates which are large organisation (or subsidiaries of large organisations) will need to ensure that they have proportionate and reasonable anti-fraud procedures in place in order to be able to rely on the s.199(4) defence.

The SFO/CPS guidance makes clear that, in considering charging decisions and in presenting prosecutions, regard will be had to the published government guidance when assessing whether any anti-fraud procedures are reasonable. 

The government’s guidance to corporates on the offence of failure to prevent fraud was published on 6 November 2024 [https://www.gov.uk/government/publications/offence-of-failure-to-prevent-fraud-introduced-by-eccta/economic-crime-and-corporate-transparency-act-2023-guidance-to-organisations-on-the-offence-of-failure-to-prevent-fraud-accessible-version]. Chapter 3 of that guidance states that fraud prevention procedures put in place by corporates should be informed and assessed by reference to the following six principles:

• Top level commitment:  The guidance makes clear that senior management (including the board) must demonstrate a commitment to anti-fraud processes.  The guidance expects to see clear communication of this commitment (e.g. mission statements), clear governance, commitment to training and adequate resourcing for anti-fraud measures and fostering a whistleblowing culture where staff feel encouraged and empowered to speak up if they encounter fraudulent practices.

• Risk assessment:  This will necessarily depend on the nature of the corporate and the sector (and area) in which they and their subsidiaries operate.  The assessment should have regard to opportunities for fraud (e.g. identifying areas where controls and oversight may be weak), motivation for fraud (e.g. identifying where there might be financial stress or a perceived need to meet targets) and rationalisations for fraud (e.g. identifying areas, and possibly territories, where fraud is prevalent and/or might not be considered harmful and/or where there might be particular resentment).

• Proportionate risk-based prevention measures:  The measures need to be proportionate to the risk and take account of the level of control and supervision the organisation is able to exercise over a particular person acting on its behalf and the relevant body’s proximity to that person (e.g. whilst a corporate is likely to have greater control over the conduct of an employee than that of an outsourced worker performing services on its behalf, appropriate controls should be implemented on outsourced staff via the relevant contract).  Depending on the nature and sector in which the corporate operates, proportionate measures might include: pre-employment/vetting checks of staff/contractors; anti-fraud training; reviews of risks identified in audits; reviewing bonus/performance review models to reduce motivations for fraud; ensuring proper disciplinary and reporting procedures; and testing fraud-prevention measures.

• Due diligence:  Corporates should ensure that proper due-diligence is done on any associated person undertaking work for the corporate.  This should not just involve checks and research on individuals/organisations prior to engagement, but also reviewing contracts with ongoing relationships to ensure that associates have proper anti-fraud measures in place.

• Communication (including training):  Corporates must not only have anti-fraud procedures in place, but also ensure that staff and associates are aware of them (and, where appropriate, trained in them) and are positively encouraged and empowered to report fraud (and there should be proper whistleblowing policies in place).

• Monitoring and review:  Not only should corporates monitor and review their procedures, but also be able to show that improvements are made where necessary (e.g. if fraud is identified from an investigation or whistle-blowing, or if a weakness is identified by an audit).

Observations

On 15 August 2025, whilst announcing the updated SFO/CPS guidance, Nick Ephgrave, the SFO’s director, stated that “Now is the time to take action.  Corporations must get their house in order or be ready to face investigation.”  It might be thought that the time for large corporations to take action was rather earlier than “now”, given that two weeks before the offence comes into force was unlikely to be sufficient time for large corporates to put in place the sorts of procedures and culture necessary to provide a defence under s.199(4).

Fortunately, most of the sorts of large corporates likely to be affected by s.199 will have been preparing for the last two years, and particularly since November 2024 when the government guidance was published.  Furthermore, most of the sort of large organisations affected by the new offence will not be strangers to the sorts of risk-assessments and measures required to protect the corporate from the s.199 offence.  The pre-existing “failure to prevent” offences related to bribery and tax evasion should already have ensured that large organisations have invested time and resource into appropriate compliance and provided at least a template for what is required. 

However, the fact that there is a much wider potential scope for fraud offences than for tax and bribery offences means that procedures pro-actively to combat fraud will necessarily also have to be wider in scope.  This will inevitably necessitate an increase in the resources allocated to compliance to ensure that staff/contractors are adequately vetted, trained and monitored, and that contracts and procedures are properly assessed.

For any corporate who has not yet turned their mind to the risks of failing to have proper anti-fraud measures in place, urgent action really is required.  The SFO and CPS will be anxious to investigate and prosecute cases under the new powers.  Not only will it be necessary to have proper anti-fraud procedures in place from September, but corporates will also need to have self-investigating and self-reporting firmly in mind (given the potential for avoiding prosecution, either entirely or via a deferred prosecution agreement, by doing so).

That said, despite the Criminal Finances Act 2017 offences being in force for the last 8 years, it is only this month that HMRC have brought the first corporate prosecution (against Bennett Verby, a Stockport based accountancy firm, in relation to enabling a £16m R&D tax credit fraud).  The inevitable complexity of corporate offences means that even if investigations into s.199 offences start soon after they come into effect next month, it is likely to be some time before we see charges and prosecutions coming before the Courts.