The new ‘Failure to Prevent Fraud’ offence – Should you be concerned?

Introduction

On 1 September 2025, the UK’s new “Failure to Prevent Fraud” offence came into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

While the law was designed with big corporates in mind, SMEs won’t be able to easily dismiss it.

Why?  Because it targets fraud committed by “associated persons” – employees, agents, subsidiaries – acting for or on behalf of your organisation.

If they commit fraud to benefit your business (directly or indirectly), your company could be exposed.

What is the “Failure to Prevent Fraud” offence?

In simple terms, if someone connected to your business (an associated person) commits fraud and you didn’t have “reasonable procedures” in place to prevent it, your organisation can be held criminally liable.

This is a strict liability offence meaning you can be guilty even if management knew nothing about the fraud. Examples could include:

• Massaging the numbers to make the business look stronger
• Overpromising on a product to hit sales bonuses
• Misleading statements in transaction documents

There has to be dishonest intent but the “failure to prevent” focus will make it easier for prosecuting authorities as they will no longer need to prove direct involvement of senior managers or directors. If you failed to prevent fraud, that’s enough.

Who does the law apply to?

Currently, the offence only applies to large organisations (as defined in the ECCTA Act 2023) meeting two of the following criteria:

• Turnover of more than £36 million
• Balance sheet total of more than £18 million
• More than 250 employees

Most SMEs are exempt for now, but it will impact them in practice because:

• SMEs likely do business with large organisations who will care about anti-fraud measures and may impose due diligence checks before starting a business relationship or continuing one
• SMEs have fewer controls and fewer resources so are potentially more vulnerable to internal fraud
• A fraud incident can still cost your reputation, time and money

Legal defence

Under the law, you have a defence if you can show:

• You had reasonable procedures in place to prevent fraud, or
• It wasn’t reasonable in all the circumstances to expect the organisation to have any prevention procedures in place

What are the penalties?

A company could be prosecuted by the Serious Fraud Office or the Crown Prosecution Service. If convicted, the company can be subject to unlimited fines because there’s no statutory cap. In addition, there are the collateral risks of regulatory scrutiny, reputational damage, civil claims, a higher compliance burden and even personal liability for directors.

Government guidance – 6 key principles

In November 2024, the government published guidance to help businesses prepare. The key principles are:

• Top-level commitment – leadership must visibly champion fraud prevention by fostering a culture where fraud is never acceptable, visibly supporting anti-fraud initiatives, integrating them into the business and keep anti-fraud measures on the board’s agenda
• Risk assessment – regularly assess where the risk of fraud lies and document these assessments. Factor in fraud risk in different jurisdictions if you do business overseas
• Proportionate procedures – tailor your fraud prevention measures to the risks your assessments have identified
• Due diligence – conduct due diligence on individuals and entities that could pose a fraud risk. This includes those in high-risk roles, such as finance and procurement, as well as third-party agents and suppliers. Due diligence should be ongoing
• Communication & training – employees should understand their role in preventing fraud. Seek to ensure that fraud prevention policies (including whistleblowing policies) are communicated, embedded and understood throughout the company. Training should be mandatory for relevant staff and refreshed regularly
• Monitoring & review – review and improve procedures over time, using audits and lessons learned

Practical steps to take now

Whilst the government guidance are principles rather than rules, and even if you’re exempt, it makes sense to get ahead. You could start with the following:

• Fraud risk assessment – do a risk assessment
• Supply chain and key roles – map out key customers, suppliers, and high-risk roles to help identify potential weak spots
• Controls and oversight – put reasonable system controls in place to minimise potential risk
• Policies and contracts – update/prepare your anti-fraud policy (including whistleblowing) based on what your risk assessment uncovers. Update relevant contracts and deliver training so everyone in your business gets it
• Schedule regular reviews – document everything you’ve done, and build reviews into your calendar, including by adding to the board’s agenda

Final Thought

Fraud prevention isn’t just about compliance, it’s about protecting your business, your people, and your reputation.

If you’re unsure whether you’re covered or need to strengthen your fraud prevention measures, My Inhouse Lawyer is here to guide you through it. Please free to get in touch