In 2023, the UK brought the Economic Crime and Corporate Transparency Act (the "ECCTA") into law, which introduced a new and wide-ranging corporate offence for failure to prevent fraud (the "FTPF Offence"), to take effect on 1 September 2025. That deadline is now upon us. The Serious Fraud Office ("SFO") and the Crown Prosecution Service ("CPS") released revised joint prosecution guidance last week specifically covering the FTPF Offence, demonstrating that the prosecuting authorities are themselves getting ready for this significant new route for corporate criminal liability.
In-scope entities should take steps now (to the extent they have not already done so) to ensure that they have 'reasonable procedures' in place not only to prevent fraud by their associated persons arising, but also potentially to avail themselves of a defence to liability under the FTPF regime where fraud does nevertheless occur. This will likely require (among other things) specific risk assessments and implementing tailored fraud prevention policies and procedures.
This briefing focuses on some of the most frequently asked questions we've had from corporate organisations on the new regime. For more detailed background information on the FTPF Offence, please see our detailed FTPF Offence briefing available here. For information relating to the new ECCTA identity verification regime (which is entirely separate to the FTPF Offence, but also part of the government's current focus on integrity and transparency within businesses), see here.
1 How has ECCTA expanded the ways in which corporates can be criminally liable for fraud?
Prior to ECCTA, a corporate organisation could only be criminally liable under UK laws for fraud committed by it as an organisation, i.e. where the corporate itself could be shown to have the requisite dishonest intent (or 'mens rea') for criminality of this nature to arise. Historically, that meant that the fraud would have to have been committed with the involvement or knowledge of individuals representing the 'directing mind and will' of the particular organisation. This was a very high bar, effectively requiring board-level complicity for corporate criminal liability to arise but, as the high-profile failed prosecution of Barclays arising out of the global financial crisis showed, even alleged complicity by the CEO and CFO was not enough.
ECCTA changes this in two ways:
- Entirely separately to the FTPF Offence (and so not the primary focus of this article) it expands the test for attribution of criminal liability. As of 26 December 2023, criminal liability may be attributed to corporates for fraud (and certain other economic offences, including bribery) which is committed by a 'senior manager' (broadly defined to include persons playing a significant role in the relevant decision making of the organisation or the management of its relevant activities). This provides an expanded scope for corporates to be treated as having committed fraud themselves – as distinct to being liable for the fraud of others, which is the focus of the FTPF Offence. There is no 'reasonable procedures' defence available at law for this type of liability, making training and controls around senior managers critical.
- It introduces the FTPF Offence, as summarised below. This is not a case of a corporate being treated as having itself committed fraud; rather it is liable for not preventing others closely associated with it (including employees) from themselves committing frauds which benefit the business. It is a strict liability offence, in the sense that the corporate can be liable regardless of its 'state of mind' / complicity in that fraud (albeit the associated person will need to have the requisite dishonest intent). This – and the broad nature of 'fraud' offences (which can capture a wide range of dishonest behaviour) – makes the new regime a very significant expansion in the risk of criminal liability of corporate entities.
2 How does the FTPF Offence arise, and who is in scope of it?
Under the FTPF Offence, an in-scope corporate entity can be held criminally liable where an 'associated person' (such as an employee, agent, subsidiary or another person who performs services for or on behalf of the entity), commits a 'specified fraud offence' (which encompasses various offences, with some degree of intentional deception being the common thread to them) intending directly or indirectly to benefit either: (i) that entity, or (ii) any person to whom, or to whose subsidiary undertaking, the associated person provides services on its behalf (i.e. a client), and the in-scope entity is not a victim of that fraud.
An in-scope entity is a large organisation which meets at least two of the following three criteria (in the financial year of the organisation that precedes the year of the FTPF Offence – note that similar, albeit higher criteria, can apply at an aggregate group level):
- more than £36 million turnover;
- more than £18 million in total assets;
- more than 250 employees.
A subsidiary of a large organisation, which is not itself a large organisation, can also be held liable if it fails to prevent fraud committed by an employee of the subsidiary (where the fraud was intended to benefit the subsidiary).
There is a full defence to the FTPF Offence where an organisation can demonstrate that: (i) it had reasonable fraud prevention measures in place at the time the offence took place; or (ii) it would have been unreasonable to expect the organisation to have any prevention procedures in place (which we expect will be a more difficult defence to prove in practice, particularly for more sophisticated corporate organisations).
It is important to note that a 'large' organisation (and its subsidiaries) will be within the scope of the FTPF Offence regardless of where they are incorporated (i.e. it is not only UK incorporated organisations who can be prosecuted under the new regime). For liability to arise there does however need to be an underlying fraud offence which is triable under UK law – which could arise in respect of fraudulent activity which takes place overseas, if there were an impact on / harm to persons in the UK.
For more detail on the mechanics of the FTPF Offence, please see our original FTPF Offence briefing available here.
3 Is this the same as the 'failure to prevent' regimes for bribery and tax evasion?
Yes and no.
The overall approach of the FTPF Offence very much follows the playbook the UK government established for tax evasion and bribery: i.e. that organisations may be liable for these economic crimes where committed for their benefit by persons associated with them, unless they can show they made reasonable efforts to prevent the same. That said, there are a number of technical differences in the regimes. For example: only the FTPF Offence has a qualification threshold of 'large' organisations, it has (in some ways) a broader jurisdictional nexus, and it employs a subtly wider construction of 'associated persons' (which, for example, captures subsidiaries).
However, most importantly, 'fraud' is a significantly broader concept of criminal liability as compared to the existing regimes. It captures a wide spectrum of dishonest acts – which will in many cases encompass, or arise alongside, bribery and/or tax evasion offences. This overlap is discussed in the recently updated 'Joint SFO-CPS Corporate Prosecution Guidance'. And so, whilst the impact (in enforcement terms) of the tax evasion [1] and bribery regimes has not been significant, beyond a limited number of high-profile bribery cases, the fraud regime does have the potential for higher levels of enforcement. This also means that it is important that organisations consider their approach to fraud prevention procedures alongside, and in a way which is consistent with, their approach to these similar regimes.
It remains to be seen whether the UK government has the appetite to roll out the 'failure to prevent' concept of liability to other areas, and particularly beyond economic crimes. The idea of statutory liability for 'failure to prevent' human rights breaches is, for example, frequently raised by various committees and back-benchers, but has not as yet progressed as a serious policy proposal. [2]
4 What are some general examples of high-risk situations for corporate entities?
Examples of higher-risk situations for businesses include:
- Employees working in parts of the business where they are more likely to encounter fraud (or the opportunity to commit fraud), such as those involved in sales, marketing, financing, providing services to clients directly or invoicing and payroll. Contractors, part-time and flexible workers may also pose similar risks, particularly if they are not adequately trained before starting their role.
- In-scope organisations do not technically need to receive any actual benefit for the FTPF Offence to apply (and, even if they do, the benefit does not need to be financial in nature). Being the intended beneficiary is sufficient and the same applies if the intention was to benefit the clients to whom the associated person provides services for or on behalf of the relevant organisation.
Example: An organisation is seeking a further round of investment to fund research and development in relation to their new product, which they hope to launch the following year. In order to appear more attractive to investors, someone in the marketing team overstates how energy efficient the product will be. Ultimately, the company decides (for unrelated reasons) not to pursue further funding and therefore the additional investment was not made. However, an FTPF Offence may still have taken place – as there was a dishonest act with the intention to benefit the organisation by an associated person.
- It should also be emphasised that UK Government guidance suggests that the intention to benefit the organisation does not need to be the primary reason for the fraud being committed (although we may need to await court action for the boundaries of this to be properly tested, given the law is not clear on the point). If correct, this would mean the FTPF Offence could arise where the associated person's primary reason for committing (or attempting to commit) fraud is to benefit themselves, but a secondary consequence of benefiting the organisation at the same time was known.
- This means that employees and other associated persons who receive additional pay (or bonuses) based on how well the company is performing (or where their remuneration is otherwise tied to meeting specific company performance metrics, such as product launches) may be considered higher risk from an FTPF Offence perspective.
Example: a sales rep who receives additional compensation via commission may engage in fraudulent mis-selling to increase their own reward package, but in doing so, they may also increase the organisation's sales, and the organisation may be liable for the FTPF Offence as a result.
- Companies that have outsourced parts of their business to be performed for or on behalf of the organisation (e.g. generating sales leads, providing support services) to other countries where either (i) the organisation has less oversight and control and/or (ii) the business environment means fraud may be more commonplace.
- Outsourcing services may generally be higher risk from an FTPF Offence perspective – 'providing services' (the general test for who is an associated person, beyond employees, agents and subsidiaries) does not include providing goods and it also does not include situations where services are being provided to the organisation (such as an accountant or lawyer providing a service to a company).
Example: A company outsources recruitment to a third party, as a result of shortages in the sector, which includes certain candidate right to work checks. An employee of the company colludes with the third-party recruitment agency to falsify documents saying these document checks have been undertaken and, as a result of this, some candidates are supplied to the company without being legally able to work. The company could be liable for the FTPF Offence in this situation.
5 Can a parent be liable for fraud committed by its subsidiary?
Yes. A corporate parent company may be prosecuted for acts of its subsidiary where:
- The base fraud offence is committed 'corporately' by a subsidiary (as discussed above, this means a senior manager must have been culpable in it);
- The beneficiary of that offence is (in whole or in part) the parent organisation or its clients and the subsidiary intended to benefit either the parent company (and it is suggested that in this instance that benefit needs to be relatively direct, i.e. the parent company benefitting from an accretion in the value of the subsidiary business is unlikely to suffice) or its clients;
- The parent company is not a victim or intended victim of the fraud (noting that an organisation is not considered a victim only because it suffered indirect harm); and
- The parent company did not have reasonable fraud prevention procedures in place, or it was not reasonable to have any procedures at the time.
Whilst the above presents a relatively limited scenario, it is nonetheless critical that organisations – and larger and more complex groups with multiple trading entities in particular – carefully consider their governance arrangements and ensure that liability is managed and isolated appropriately.
Examples
Subsidiary 1
An employee, who is a senior manager of Subsidiary 1, commits fraud by covertly diverting the funds which should be paid to employees as part of their bonus scheme to fund a new project, with the intention to benefit Subsidiary 1 (which is not a large organisation) and the Parent Company (which is a large organisation).
Various fraud-related offences which could arise in this situation:
- Clearly, the employee who diverted the funds may be held liable for fraud.
- Additionally, Subsidiary 1 may be held corporately liable for fraud (as the fraud is committed by a senior manager of Subsidiary 1) and also may be liable for the FTPF Offence, even though it is not itself a 'large organisation' (as it is the subsidiary of a large parent organisation, it may be liable for the acts of its employees).
- Additionally, the Parent Company could be held liable for the FTPF Offence in Subsidiary 1 (as the senior manager of Subsidiary 1 also intended some of the benefit of their activity to help the Parent Company and the fraud was committed corporately).
Subsidiary 2
A similar incident occurs with Subsidiary 2, however the fraud was not committed by a senior manager and the individual was only intending to benefit Subsidiary 2:
- As above, the employee who diverted the funds may be held liable for fraud.
- Additionally, Subsidiary 2 may be liable for the FTPF Offence, even though it is not itself a 'large organisation' (as it is the subsidiary of a large parent organisation and the employee was intending to benefit Subsidiary 2) – however it would not be considered corporately liable for fraud (as it was not undertaken by a senior manager).
- The Parent Company would not be liable – as the fraud was not intended to benefit the parent organisation and the fraud was not committed corporately.
Subsidiary 3
Finally, a third incident occurs with Subsidiary 3, however this time the employee of Subsidiary 3, who is a manager, was only intending to benefit the Parent Company (with the hope of securing a promotion to the Parent Company). In this situation:
- The employee could be prosecuted for fraud.
- Subsidiary 3 would not be liable, as the fraud was not committed to benefit Subsidiary 3.
- The Parent Company could be held liable for the FTPF Offence – as the actions of the employee were intended to benefit the Parent Company.
6 What represents 'reasonable' prevention procedures?
It is a defence to liability for the FTPF Offence if an organisation had reasonable prevention procedures in place to prevent fraud (or it was reasonable not to have any fraud prevention procedures in place) at the time the underlying offence took place.
The UK Government guidance sets out expectations for reasonable fraud prevention procedures, focusing on:
- Top level commitment;
- Risk assessment;
- Robust but proportionate risk-based prevention procedures;
- Due diligence;
- Communication (including training); and
- Monitoring and review.
A robust corporate compliance package should therefore address all of the above (in a proportionate manner) including an internal fraud prevention plan, a policy, the implementation of internal controls, supporting documents (e.g. employee onboarding procedures and enhanced supplier checks), senior management buy-in, training and regular reviews and monitoring.
The good news is that many organisations will already have many of these systems, policies and controls in place to tackle fraud and/or other related financial crime regimes. However, these will need to be updated (to the extent they have not already been) to ensure that they are sufficient from an FTPF Offence perspective. This can be structured in different ways. We have worked with many organisations to integrate new fraud policies and procedures into existing bribery and/or financial crime procedures. However, many prefer to adopt a standalone fraud policy and approach, to sit alongside the others. Ultimately, the decision of what an organisation's FTPF Offence compliance framework should look like will need to be based on a risk assessment tailored to that specific organisation (including input from internal stakeholders in different areas of the business, and a holistic overview of the operations of the business – including areas where fraud is more likely to take place), and in a way which is coherent with, and does not undercut, its wider governance approach.
Challenges for International Organisations
Larger international groups, particularly where headquartered outside of the UK, need to give particularly close consideration to how they structure their reasonable fraud prevention procedures. They may not feel it necessary or appropriate to adopt a full global compliance package, at group level, aimed at UK legislation, if much of their international business is relatively remote from the risk of an FTPF Offence.
In those cases, there may be a preference to adopt a 'hybrid' model of more detailed measures at the level of the UK business / subsidiary, and the establishment (or confirmation) of higher-level controls globally. Whilst this will often be sensible, in those circumstances careful consideration should be given (via, ideally, a documented risk assessment) to the exposure of the rest of the international business to liability under the FTPF Offence and to sufficiency of controls – for example, liability can arise for the acts of the UK subsidiary (noting the concept of parent liability discussed at (5) above), for international employees working in or seconded to the UK, and/or for other overseas business conducted outside of the UK subsidiary that could impact UK persons and trigger liability.
We have worked with a large number of international organisations on various compliance models and would be happy to discuss our experiences of this further with you.
7 What now?
Earlier this year, the SFO published its annual business plan, setting out its strategy for 2025-2026, which stated specifically that the "deployment of the failure to prevent fraud offence in September will be a landmark moment which will widen the reach and breadth of prosecutions".
This has recently been followed up by the SFO and CPS publishing 'Joint SFO-CPS Corporate Prosecution Guidance', setting out "the common approach" of the CPS and the SFO to the prosecution of corporate offending, including in relation to the FTPF Offence. Whilst the information in this prosecution guidance does not materially differ from earlier guidance that has already been released by the Government, it suggests that the new FTPF Offence clearly remains on the radar of prosecuting authorities. It also emphasises that corporates should be following Government guidance (see 6 above) in terms of what reasonable fraud prevention procedures should look like if they wish to have a potential defence to the FTPF Offence.
While we anticipate that it will take some time before enforcement in this area gets going, given the potential for an unlimited fine (and associated material investigation and reputational costs), this is something businesses should be preparing for in advance.
Impact on investigations
Whilst in the immediate term we recommend that businesses (who have not already done so) ensure they have suitable compliance packages in place to prevent fraud arising, it is also vital that all businesses operating in the UK are more generally aware of the breadth of the new FTPF Offence, and take it into account in their response to misconduct concerns and issues that arise within their business. For example, whereas previously many types of employee misconduct or wrongdoing could – at least from a criminal law perspective – be treated as a matter of their individual culpability (rather than a corporate criminal liability), the FTPF Offence will change that where the employee has been dishonest.
It is critical in these cases to establish at the outset whether there could be a corporate criminal liability under the FTPF Offence - considering, amongst other things, whether the corporate has benefitted from the employee misconduct, or was rather a victim of it – which will often not be a straightforward matter. If there is a risk of liability, then this will need to be factored into the investigation strategy and self-reporting to the SFO should be considered. The SFO guidance on self-reporting – issued in April this year – marked a shift in tone from previous guidance and emphasises that if a corporate self-reports promptly to the SFO and cooperates fully, it will be invited to negotiate a deferred prosecution agreement – or DPA – rather than be prosecuted, unless exceptional circumstances apply. Conversely, a failure to self-report is a factor in favour of prosecution and may result in a more severe penalty. The guidance also comments on the need for particular care to be taken in how initial investigations are conducted in order to preserve evidence. Our investigations team have considerable experience in helping clients deal with these types of issues, and would be happy to discuss further.
Footnotes
1. For example, HMRC has only recently initiated its first corporate prosecution for the "failure to prevent the facilitation of tax evasion" offence introduced by the Criminal Finances Act in 2017.
2. Save for the duty to take "reasonable steps to prevent sexual harassment" implemented in October 2024 through an amendment to the Equality Act 2010 which, inter alia, enables the Equality and Human Rights Commission to take enforcement action against employers.