The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces a host of reforms aimed at combatting the exploitation of corporate structures in relation to fraud and money laundering. From 1 September 2025, the ECCTA introduces a new corporate criminal offence of ‘failure to prevent fraud’, which will hold large organisations criminally liable where an employee, agent, subsidiary, or other ‘associated person’, commits a fraud intending to benefit the business (or in some circumstances, its clients). Organisations will have a defence if they are able to demonstrate that they had reasonable fraud prevention measures in place at the time the fraud was committed.
Penalties can include criminal convictions and unlimited fines for organisations, plus convictions for the individuals specifically involved. These risks, in addition to reputational damage, mean that it is vital that businesses take preparatory steps now to ensure appropriate preventative measures are in place.
What is the ‘failure to prevent fraud’ offence?
A large organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’, commits a fraud intending to benefit the organisation (or, in certain circumstances, a client of the organisation) and the organisation did not have reasonable fraud prevention procedures in place. It does not matter if directors or senior managers did not know about the fraud.
It only applies to ‘large’ organisations, which need to meet two or more of the following thresholds:
- have more than 250 employees;
- have more than £36 million turnover;
- have assets of more than £18 million.
The organisations within scope include organisations incorporated or formed by any means, which include those incorporated under the Companies Act 2006 or the Limited Liability Partnerships Act 2000, or by statute (e.g. NHS Trusts), and bodies corporate or partnerships formed outside the UK but with a UK nexus (e.g. if a UK-based employee commits fraud, or an overseas-based employee commits fraud in the UK or targets victims in the UK, the employing organisation could be prosecuted wherever it is based).
It covers a range of fraud offences, including fraud by false representation, fraud by abuse of position and false accounting (amongst others).
Employees, agents or subsidiaries of the relevant body will automatically be an associated person, but anyone providing services for, or on behalf of the relevant body, can also be an associated person whilst they are providing those services.
What should employers be doing?
The government has produced helpful guidance on the new offence, which details six guiding principles that organisations should consider when implementing fraud prevention measures. These principles are outlined below, with our comments on what practical steps businesses should be considering:
- Top level commitment – Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation, such as the board of directors, partners, and senior management. A zero-tolerance approach to fraud should be fostered and communicated to staff, with clear governance frameworks in place and a commitment to training in this area. The message, with consistent behaviours, must come from the top.
- Risk assessments – The organisation should assess the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud. Risk assessments should be dynamic, documented and regularly reviewed. The government guidance provides detailed operational suggestions on how to conduct effective risk assessments.
- Proportionate risk-based prevention procedures – An organisation’s procedures to prevent fraud by associated persons will need to be proportionate to the fraud risks it faces and to the nature of its activities. Fraud prevention plans should be clear, practical, accessible and effectively enforced. They will need to be tailored to the organisation, the sector and the specific risks faced.
- Due diligence – Organisations should conduct due diligence on associated persons, including new employees, to mitigate identified fraud risks. This may include using third-party risk management tools, pre-employment screening or vetting, checking regulated status and reviewing contracts with third parties to ensure appropriate anti-fraud contractual obligations are included.
- Communication (including training) – Organisations should ensure that prevention policies and procedures are communicated, embedded, and understood throughout the organisation, through internal and external communication. Conducting regular, targeted and tailored training is key. In terms of policies, these should be updated to ensure fraud prevention is addressed: for example, a policy related to sales targets could include a statement addressing fraud and the potential consequences. Whistleblowing is one of the most effective ways to uncover corruption, fraud and other wrongdoing, and therefore whistleblowing policies should be reviewed to ensure they are robust and effective. Training is vital. Organisations should consider providing specific training, particularly to those in high-risk positions, on the new offence, the internal policies in place to deal with fraud risk and whistleblowing policies.
- Monitoring and review – Organisations should monitor and review their fraud detection and prevention procedures and make improvements where identified. This includes learning lessons from investigations and whistleblowing incidents. Adaptions to detection and prevention should be made where fraud risks change, and in any event, reviews of risk assessments should be conducted at regular intervals (e.g. annually).
Many large businesses will already have fraud detection and prevention measures in place, and it will now be a case of strengthening those procedures and raising awareness of them. The specific measures identified above will help employers meet the requirement for having reasonable fraud prevention procedures in place, but action needs to be taken now so that everything is in place by 1 September 2025.
To discuss any of the employment implications of the ECCTA, please do not hesitate to contact James Baker. If you need more general information on the ECCTA and want to better understand how it will impact your business, please visit our hub, which has a range of resources available: Economic Crime & Corporate Transparency Act (ECCTA) – Info Hub.