It has never been more important for organisations to invest in technology to combat cyber-crime and fraud. But are organisations expected to do more to protect their customers against corporate fraud? The UK government has made it clear that its answer to this question is yes: on 1 September 2025, the "failure to prevent fraud" offence came into force in the UK, placing additional obligations on large organisations to prevent fraud committed for their benefit. Failure to comply could result in significant fines. We can expect Australian governments to monitor the enforcement outcomes closely, and the extent to which organisations in the UK improve their fraud prevention procedures, in deciding whether an equivalent offence should be introduced in Australia.

Current state of the law

Under the current state of the law in Australia, an organisation can be held liable for fraud in the following circumstances:

Vicarious liability: Its employee commits fraud "in the course of their employment". Given that intentional wrongful acts such as fraud would not ordinarily be committed in the course of employment, the High Court in Prince Alfred College Inc v ADC (2016) 258 CLR 134 has said that vicarious liability might be established for criminal wrongs if the employee's role gave "occasion" for the wrongful act (not merely the opportunity). This will turn on the specific facts of the case, including any special role assigned to the employee.

Attribution of criminal liability: Its employee commits criminal fraud whilst "acting within the actual or apparent scope of his or her employment", save for where the offence provision precludes the application of Division 12 of the Criminal Code as a means of attributing liability to an organisation. As with vicarious liability, the fact that fraud is an intentional wrongful act does not remove it from the scope of an employee's actual or apparent authority. The fault element of intention, knowledge or recklessness will be attributed to the company if it can be shown that the company authorised or permitted the commission of the offence (whether expressly, tacitly or impliedly).

Accessorial liability: The organisation knowingly receives a benefit from, or participates in, a fraud. Accessorial liability can arise where the fraud is committed by an employee, customer or third party. It is a necessary precondition to liability that the person who committed the fraud be found liable for the fraud.

Failure to prevent fraud offence in the UK

On 1 September 2025, a new offence of "failure to prevent fraud" came into force in the UK under section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA). It is a strict liability offence which applies if an "associate" of an "in-scope" organisation commits one of the specified fraud offences intending to benefit, directly or indirectly, the organisation (or a person to whom the associate provides services on the organisation's behalf).

A body corporate or limited partnership is "in-scope" if it is a "large organisation", that is, if it meets at least two of the following criteria in the relevant financial year: (i) more than 250 employees; (ii) more than £36 million annual turnover; or (iii) more than £18 million in total assets. An "associate" is defined broadly to include employees, agents, subsidiaries and persons who perform services for, or on behalf of, the organisation. The list of relevant fraud offences is extensive and includes:

offences under the Fraud Act 2006 (UK), including fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly and participation in a fraudulent business;

false statements by company directors under section 19 of the Theft Act 1968 (UK);

fraudulent trading under section 993 of the Companies Act 2006 (UK); and

aiding, abetting, counselling or procuring any of the above.

If the elements of the underlying fraud offence are made out, the onus falls on the defendant organisation to prove that it had reasonable fraud prevention procedures in place, or that it was not reasonable in all the circumstances to expect it to have such procedures. The Statutory Guidance sets out six principles of good practice: a commitment by the board and senior management to preventing fraud; conducting risk assessments; implementing proportionate, risk-based prevention procedures; undertaking due diligence on associated persons to mitigate fraud risks; communicating fraud prevention policies (including through training); and regular monitoring and review.

The maximum penalty for an organisation's failure to prevent fraud is an unlimited fine.

There is no equivalent offence to the failure to prevent fraud offence in Australia at present. However, there are close similarities between the new offence and the offence of "failure to prevent foreign bribery" under section 70.5A of the Criminal Code Act 1995 (Cth), which was itself modelled on the UK equivalent. We expect Australian governments and regulators to monitor the outcomes from the "failure to prevent fraud" offence closely and to consider whether an equivalent offence should be introduced here. Notably, ASIC's enduring priorities include scam disruption and systemic compliance failures by large financial institutions which result in widespread consumer harm.

Potential risks

The new "failure to prevent fraud" offence expands the scope of liability for organisations with a nexus to the UK. The wrongdoing of an employee, agent or contractor will automatically be attributed to an organisation where it was undertaken with the intention of benefiting the organisation (irrespective of whether any such gain or benefit materialised). It will not matter whether the conduct was sufficiently connected to the scope of employment or authority. The strict liability nature of this offence places the burden on organisations to implement (and be able to demonstrate) "reasonable" fraud prevention procedures, or to explain why it was not reasonable to expect them to have such procedures.

Further, the introduction of the failure to prevent fraud offence might encourage plaintiffs to seek to hold organisations liable for the fraud of their employees through vicarious liability claims, or for the fraud of others via accessorial liability claims. Cases arising out of the UK which establish the steps that an organisation ought to take for fraud prevention might also influence the development of the law and policy in Australia. One such case is Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363, which established the "Quincecare duty", requiring a bank to refrain from executing a payment instruction if it has reasonable grounds to suspect that the instruction is an attempt by an agent of the customer to defraud the customer. The UK Supreme Court has since confined that duty in Philipp v Barclays Bank UK plc [2023] UKSC 25, holding that it does not extend to instructions given by the customer personally (such as a victim of an authorised push payment scam). Importing such concepts to Australia might nonetheless result in greater obligations on organisations to have systems in place to detect and act upon suspicious transactions or instructions.
