Failure to prevent fraud offence requires new perspective on risk

The new offence of “failure to prevent fraud” could be a game-changer for fraud resilience.

We now know when the Failure to Prevent (“FTP”) fraud offence will come into force: 1 September 2025. It was established by the Economic Crime and Corporate Transparency Act (“ECCTA”) in 2023, and the Government has now published guidance on how it will interpret the legislation, setting out for the first time the standards it expects from in-scope organisations.

What is the failure to prevent fraud offence?

Heralded as the biggest shake-up of anti-fraud law in decades, the FTP fraud legislation seeks to hold organisations accountable for fraud committed by their employees, agents, subsidiaries or other “associated persons” with the intention of benefitting the organisation or its clients.

The legislation forces organisations to look at fraud from a new perspective. In our experience, most fraud prevention frameworks focus on the fraud risks to the organisation (i.e., where the organisation, or its customers, are the victim) but the ECCTA requires them to address fraud where they are the intended beneficiary. This shift in focus means they will need to consider risks and prevention matters that may not have been considered previously.

The wide scope of the FTP legislation means a broad range of parties can commit an offence, including associated persons – for instance, international distributors, overseas branches and contractors providing services to customers or clients – as well as direct employees of in-scope organisations. This means that, for the first time, organisations must consider their own liability for fraud risks arising from other parties’ actions.

Under the new Act, in-scope organisations can face unlimited fines for failing to implement “reasonable fraud prevention procedures” designed to stop fraud occurring. Conversely, proof that “reasonable” measures were in place provides a defence against FTP if a case reaches court. Management decisions around fraud defences – including any assessment that further measures are unnecessary – must be documented and approved by a named individual.

The guidance was released on 6 November 2024, further to the ECCTA gaining Royal Assent in October 2023. It gives in-scope entities an approximately nine-month implementation period to review and improve fraud prevention frameworks before the FTP offence comes into effect, meaning prosecutions will be possible from Autumn 2025 onwards.

Intention to benefit

The ECCTA targets fraud committed with the intention to benefit in-scope entities, their clients, or subsidiaries of their clients. It does not need to be demonstrated that the organisation’s senior executives or directors ordered or knew about the fraud. The guidance states:

“An organisation does not need to actually receive any benefit for the offence to apply – since the fraud offence can be complete before any gain is received. It is enough that the organisation was intended to be the beneficiary […] The intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud. The offence can apply where a fraudster’s primary motivation was to benefit themselves, but where their actions will also benefit the organisation.”

Scenarios where entities could be secondary beneficiaries include:

  • Intentional misstatements relating to green or sustainability credentials to secure an advantage (e.g. increase sales or secure investment);
  • Intentional misrepresentation during a procurement process to win a tender or, if in the context of procuring services for the organisation, to secure an advantage for the organisation in the procurement, such as lower costs.

No FTP offence occurs where the entity is a victim rather than a beneficiary, though it would be possible for an organisation to be both – for instance, if a fraud increases short-term revenue but the company suffers negative publicity and loses longer-term business as a result. In such a scenario, the entity could still be prosecuted for FTP.

The FTP offence will only apply where an employee or associated person commits a specified or ‘base’ fraud offence under the law of part of the UK. There must be an existing fraud offence before the entity can be prosecuted for FTP.

Base fraud offences include:

  • Fraud by false representation, failing to disclose information or abuse of position;
  • Participation in a fraudulent business;
  • Obtaining services dishonestly;
  • Cheating the public revenue;
  • False accounting;
  • False statements by company directors; and
  • Fraudulent trading.

Who is in-scope for FTP?

The FTP offence applies to all incorporated bodies and partnerships that meet two or more of the following Companies Act 2006 ‘large organisation’ criteria in the financial year preceding the fraud:

  • More than 250 employees
  • More than £36mn turnover
  • More than £18mn in total assets

The criteria apply to the whole organisation, including its subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located. Supply chain companies and franchises are not counted towards these thresholds, but in practice they may need to review their fraud defences anyway if they wish to supply larger entities that are in-scope.

Guiding principles

The guidance is not prescriptive, but it establishes six principles that in-scope entities should consider when designing and implementing reasonable fraud prevention procedures: top-level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training), and monitoring and review. If an FTP case reaches court, the onus will be on the organisation to prove that it had reasonable procedures in place to prevent fraud at the time the fraud was committed.

The principles, reflected in Deloitte’s fraud prevention framework (below), apply to in-scope entities and, in practice, to any business that serves them – meaning that many smaller entities should take steps to protect themselves against FTP even though they may not independently qualify as large organisations. The Government has also indicated that it will keep the threshold under review and may amend it in future, potentially bringing smaller entities directly within scope of the FTP fraud offence.

The challenges ahead

While the new legislation is a welcome step in the right direction, it remains to be seen how robustly the FTP offence will be enforced. Authorities must be sufficiently resourced and empowered to take action and we may see the interpretation of “reasonable” procedures further clarified in the coming years as cases reach court.

There is no one-size-fits-all approach to fraud prevention, and organisations should seek advice and tailor their approaches to fit their specific circumstances. The guidance acknowledges that some entities will already be taking steps to comply with other legislative and regulatory requirements, but notes that those steps may be insufficient to mount a defence against FTP.

FTP will also require emphasis on a strong anti-fraud control environment, with appropriate identification of controls and assurance over them. Of note, the guidance states that “an audit alone cannot constitute sufficient defence against an accusation of failure to prevent fraud”.

The guidance places particular emphasis on training, stating that “training and maintaining training are key”. It suggests that the fraud prevention plan be tested by members of the organisation who were not involved in writing it, and recommends that in-scope entities review their fraud prevention framework and whistleblowing systems with external support “if appropriate”. Indeed, the Government’s impact assessment suggested that organisations should expect to deploy a dedicated team to focus on FTP.

With the publication of the official guidance the stage is set for FTP enforcement to begin. Time will tell whether it proves to be the landmark legislation many had hoped for.

To discuss how failure to prevent may impact your organisation, please reach out to one of our team of fraud experts.