The fraud landscape in the UK is changing, and it will become much easier to prosecute organisations for fraudulent offences.
In September 2025, the UK’s new corporate “failure to prevent fraud” offence introduced under the Economic Crime and Corporate Transparency Act 2023 (Act), will come into force. This marks a key step in the UK government’s intention to bring about a corporate-culture shift around fraud prevention, encouraging organisations to take proactive measures to prevent fraud.
Under this new offence, large organisations may be held liable if they “fail to prevent” the commission of a specific, wide-ranging fraud offence by those associated with them. The offence applies to UK-based organisations and, those based abroad, so long as there are UK touchpoints. Organisations found liable of this new offence can be subject to an unlimited fine. It will be a defence if an organisation can show that it had in place “reasonable fraud prevention procedures,” and the UK Home Office has issued government guidance on what constitutes such procedures.
This new offence, together with changes to the identification principle (the test applied to determine where there is corporate criminal liability for actions of individuals), as well to the definition of “dishonesty” (a key element of most fraud offences) under English law, means that prosecuting large corporates for fraud offences will be much easier in the UK.
Key Elements of the “Failure To Prevent Fraud” Offence
Large Organisations
It applies to all organisations, incorporated or formed by whatever means (i.e., including both corporates and partnerships). Such organisations must also meet two of the three following criteria:
- more than 250 employees
- more than £36 million turnover
- more than £18 million in total assets
The above criteria apply to each organisation as a whole, including subsidiaries.
Associated Persons
The scope of this offence is broad, and an organisation may be held criminally liable where an employee, agent, subsidiary, or other “associated person” commits a fraud intending to benefit the organisation or its clients. “Associated person(s)” can include an individual, as well as smaller organisation that would not necessarily satisfy the criteria mentioned above, if they are providing services for or on behalf of a large organisation.
Similarly, employees of subsidiaries or a parent company that is a large organisation can bring the parent company within the scope of the offence.
Intending to Benefit the Large Organisation
The fraud has to be committed with the intention of benefitting the organisation or its clients.
Interestingly, the guidance makes clear that the organisation or its clients need not actually receive any benefit for the offence to have occurred; it is sufficient that they were the intended beneficiary. The benefit does not need to be financial.
Furthermore, the intention to benefit the organisation does not need to be the sole or dominant motivation for the fraud. The intention could be secondary to the associated person’s primary motive to benefit themselves.
Extra-Territorial Application and UK Touchpoints
The offence has extraterritorial application, meaning the organisation does not need to be incorporated or conduct business in the UK for the offence to apply. It will be sufficient to establish jurisdiction if any act or omission —that needs to be proved as part of the fraud — occurs in the UK (see further below) or the intended loss or gain was due to take place in the UK.
The “Base” Fraud Offences
The “failure to prevent fraud” offence applies where an associated person commits a specific fraud offence. These are contained in Schedule 13 of the Act. They include:
- cheating the public revenue
- fraud by false representation
- fraud by failing to disclose information
- fraud by abuse of position
- participation in a fraudulent business
- obtaining services dishonestly
- false accounting
- false statements by company directors
- fraudulent trading
- fraud, uttering, embezzlement (in Scotland)
- aiding, abetting, counselling or procuring the commission of any of the above
Money-laundering offences under the UK Proceeds of Crime Act 2002 are not included in the list.
The list of fraud offences may be expanded upon further secondary legislation.
Changes to “Dishonesty” Under English Law
All of the above offences require “dishonesty,” the test for which has recently changed in England for criminal cases. Rather than considering whether the defendant’s conduct was dishonest by the standards of ordinary people (objective limb) and then whether the defendant knew that this conduct was dishonest by those standards (subjective limb, which meant that a defendant with a “warped” sense of dishonesty was less likely to be convicted), the criminal test has now changed to align with the civil test. It requires consideration of what the defendant’s actual state of knowledge of the relevant facts was and whether, based on those facts, the conduct was dishonest by the standards of ordinary people (objective limb). This test means that there is likely to be a heightened chance of conviction.
The Defence
To avoid criminal liability under this new offence, organisations must demonstrate that they had reasonable fraud prevention procedures in place to prevent such a fraud taking place. The government guidance sets out six principles that should inform these fraud prevention frameworks — top-level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training), and ongoing monitoring and review.
Key Practical Takeaways
The “failure to prevent fraud” offence will come into force on 1 September 2025, so there is a short implementation period for organisations to review and tailor their fraud prevention procedures to meet the specific needs and risks of the business. We set out below a number of key practical points that organisations should consider.
- Risk Assessments —Although the guidance makes clear that even strict compliance with its terms will not be a “safe harbour,” it will “rarely be considered reasonable not even to have conducted a risk assessment”. Each organisations must put reasonable procedures in place to address the particular risks it faces arising from the unique facts of its own business. This will require careful, comprehensive, and regular risk assessment, which considers the potential for the relevant economic frauds to be committed by any person who may be considered the corporate’s associated person or agent. This assessment should consider whether the company’s existing policies are sufficient to address the threat of fraudulent conduct within the organisation, for example, whether the company has measures in place to identify individuals who (due to personal circumstances or workplace pressures) may be at a higher risk of committing fraud.
- Revision of Compliance Policies — Companies should implement the findings of the risk assessment into company policies and procedures. When considering the proportionality of fraud prevention procedures, companies are encouraged to consider, for example, how emerging risks are addressed, whether the existing compensation framework encourages fraudulent behaviour, and the nature of internal consequences for fraud within the company.
- Training — Disseminating the company’s fraud prevention policies is as important as implementing them. As such, companies should ensure that a robust communication network is in place. Further, management should arrange training for staff and other prospective “agents ” to explain the scope of and risks associated with the “failure to prevent fraud” offence.
- Understand the Law — The onus will remain on the organisation, if it seeks to rely on the defence, to prove that it had reasonable fraud prevention measures in place at the time of the fraud. The courts will determine this on the basis of the balance of probabilities. The guidance is merely advisory in this regard and is not a substitute for reading the legislation and seeking professional legal advice.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP