The Bribery Act 2010 heralded the dawn of a new era in how corporates are held to account for crimes committed on their watch with the advent of the "failure to prevent" model. Fast forward to 2025 and organizations now have several of these offences to keep their senior executives up at night. The most recent addition comes into force on 1 September 2025, namely failure to prevent fraud offences ("FTP") for "large organizations".
Corporate criminal liability for failure to prevent fraud
The Economic Crime and Corporate Transparency Act 2023 ("ECCTA") created a new corporate criminal offence of failure to prevent fraud. Once in force, large organizations will be criminally liable where both:
- a specified fraud offence is committed by an employee, agent or other "associated person", for the organization's benefit; and
- the organization did not have "reasonable" fraud prevention procedures in place.
Are all companies at risk of criminal liability?
The Home Office has published "Guidance to organizations on the offence of failure to prevent fraud" ("the Guidance") for corporates grappling with how they should be tackling fraud and avoiding coming under scrutiny from law enforcement and regulators.
The Guidance first sets out what types of organizations (incorporated under statute or formed by other means, such as by Royal Charter) are at risk of incurring liability. The FTP offence only applies to larger organizations. To qualify as "large", an organization must meet at least two of the following threshold conditions in the financial year preceding the year of the fraud offence:
- more than 250 employees;
- more than £36 million turnover; and/or
- assets (balance sheet) of more than £18 million.
These conditions apply to the whole organization, including subsidiaries, regardless of where the organization is headquartered or where its subsidiaries are located.
Extraterritoriality
The FTP offence will only apply where the associated person commits a fraud offence under the law of part of the UK. This requires a UK nexus, namely that one of the acts which was part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK.
If a UK-based employee commits fraud, the employing organization could be prosecuted, wherever it is based. If an employee or associated person of an overseas-based organization commits fraud in the UK, or targeting victims in the UK, the organization could be prosecuted. The offence will not apply to UK organizations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus.
What fraud offences are within scope?
The Guidance details all the offences in scope for the FTP fraud offence which include offences under the Fraud Act 2006, the Theft Act 1968, the Companies Act 2006 and cheating the public revenue. Examples of potential offences include fraud by failure to disclose information, abuse of position, obtaining services dishonestly, participation in a fraudulent business, false accounting, the making of false statements by directors and fraudulent trading.
The offence does not create individual liability for persons within an organization who may have failed to prevent fraudulent behavior. However, a director, employee or agent who committed the fraud, or anyone who encouraged or assisted, could still be prosecuted for their own fraud in addition to the organization being prosecuted for failing to prevent it.
What is an "associated person"?
An "associated person" must commit the predicate offence for the FTP offence to be engaged. An associated person will normally be an employee, an agent or a subsidiary of the organization. Whilst employees will normally be easy to identify, agents may prove more challenging. Under the Guidance, they may or may not be under contract to the organization. Small organizations may be "associated persons" while they provide services for or on behalf of large organizations. Subsidiaries are likely to be "associated persons" where there is a parent-subsidiary relationship.
The FTP offences can only be made out where the associated person commits a base fraud whilst acting in the capacity of a person associated with the organization. The issue of who is intended to benefit from the underlying fraud is key to determining whether an organization can be held accountable for the offence of failure to prevent fraud. No actual benefit need be realized; only the intention to benefit the company or its clients is necessary. This intention need not be the sole or dominant motivation for the fraud. Conversely, the company cannot be held liable for a fraud where it is a victim or an intended victim of the fraud carried out by an associated person. An organization would not be a "victim" only because it suffered indirect harm as a result of the fraud by an associated person (for instance, because revelation of the fraud damaged the organization's reputation).
What are "reasonable" fraud prevention procedures?
The fraud prevention framework put in place by relevant organizations should be informed by the following six principles:
- top level commitment;
- risk assessment;
- proportionate risk-based prevention procedures;
- due diligence;
- communication (including training); and
- monitoring and review.
In demonstrating "Top Level Commitment", senior management are expected to have a leadership role in relation to fraud prevention. This is likely to include:
- communication and endorsement of the organization's stance on preventing fraud, including mission statements;
- ensuring that there is clear governance across the organization in respect of the fraud prevention framework;
- commitment to training and resourcing; and
- leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices.
All organizations are expected to assess the nature and extent of their exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. Organizations are encouraged to start with "identifying typologies of associated persons" which might include considering "opportunity, motive and rationalization". The Guidance encourages organizations to respond in a proportionate and risk-based manner. Organizations are encouraged to avoid duplication of work and determine how existing financial reporting controls and fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment. Due diligence on associated persons (including new partners) is expected, in particular in relation to mergers and acquisitions.
Once fraud prevention policies and procedures are established, they need bedding in. Communication is key and a "clear articulation and endorsement" is expected. This should come from all levels within the organization. Training is also necessary and incorporating fraud prevention training into any existing financial crime training may be necessary. Bespoke training to address specific fraud risks may be appropriate.
The guidelines state that "to help prevent fraud, organizations should have appropriate whistleblowing arrangements". This is said to include "having board level accountability to oversee whistleblowing" and "overseeing a culture where employees feel able to raise concerns". Reference is made to the Whistleblowing Guidance for Employers and Code of Practice developed by the Department for Business Innovation & Skills in March 2015.
Organizations are expected to have arrangements in place for investigating fraud that is intended to benefit the organization. Such investigations should be "independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice)". The Global Practitioners Guide to Investigations is footnoted as a useful guide in conducting such investigations.
Whilst this Guidance is detailed, it does not provide a safe harbor for organizations even if strictly followed. As with all corporate failure to prevent offences, a tailored assessment of the specific risks faced by a business is an essential pillar of an effective compliance framework, enabling organizations to rely on the statutory defense of having reasonable procedures in place to prevent fraud.
The Government delayed the legislation coming into force for a period of nine months to allow organizations to develop and implement their own reasonable fraud prevention procedures. If this has not been addressed, we strongly advise that organizations do so without further delay.
Corporate criminal liability for economic crime committed by senior managers
The Crown Prosecution Service and the Serious Fraud Office jointly updated their Corporate Prosecution Guidance on 18 August 2025 to reflect other provisions in ECCTA that redefine corporate criminal liability for economic crime committed by senior managers.
Prior to the new provisions, companies could only be held accountable for the actions of individuals who were "the directing mind and will of the company". This presented substantial evidential hurdles for prosecutors to overcome in establishing who were the directing mind and will in larger organizations with complex structures involving several layers of management.
The newly updated guidance is a reminder that under the new ECCTA provisions, financial crime committed by senior managers will trigger corporate criminal liability where the individual plays a significant role in either:
- making decisions about how the whole or a substantial part of an organization's activities are managed or organized; or
- the actual managing or organizing of the whole or a substantial part of those activities.
Reasonable prevention procedures do not provide a defense if a senior manager commits a criminal offence. However, proper fraud prevention procedures encourage better corporate behavior. This will be relevant to companies when assessing exposure to liability in relation to the conduct of their senior managers, and may be weighed in the balance by prosecuting authorities when deciding whether it is appropriate to bring proceedings against a corporate as well as an individual in the event that wrongdoing is discovered.