On 1 September 2025, a new corporate criminal offence of “failing to prevent” fraud was introduced by the Economic Crime and Corporate Transparency Act 2023 (the “ECCTA”) which fundamentally changes the way in which companies can be prosecuted for economic crime.
How does a company commit the failure to prevent offence?
Under s 199(1) of the ECCTA, a “relevant body” (meaning a body corporate or a partnership, wherever incorporated or formed) commits a failure to prevent offence if:
- it is a large organisation (discussed further below);
- a fraud offence is committed by a person associated with the organisation (i.e. an employee, agent, or other “associated person”);
- the fraud is intended to benefit (whether directly or indirectly) the organisation itself, a subsidiary, or a person to whom services are provided on the organisation’s behalf (intention is what matters here, not actual benefit); and
- the organisation did not have reasonable prevention measures in place at the time the fraud was committed (or it was not reasonable to have such prevention measures in place).
The offence is sometimes called a “quasi-strict liability” offence in the sense that once the first three of the above elements are proved, the company will be liable unless it can avail itself of the “reasonable prevention measures” defence.
What types of companies can be held liable for “failing to prevent” fraud?
The failure to prevent offence only applies to “large organisations”.
“Large organisations” are defined as those meeting any two of the following three criteria:
- more than 250 employees;
- more than £36 million turnover; and
- more than £18 million in total assets.
The offence also applies to:
- large parent organisations which meet two of the above three criteria in aggregate (when consolidated with their subsidiaries); and
- some non-UK organisations with a UK connection.
The historic offence of failing to prevent the offence of bribery
The term “failure to prevent” is of course a familiar one. Section 7 of the Bribery Act 2010 introduced the corporate offence of “failure to prevent bribery”. This was introduced in recognition of the fact that in large companies with complex structures and devolved decision-making authority, it is common to find no direct evidential connection between those committing bribery predicate offences and those with the requisite seniority to bind the company itself with the bribery. It recognised that corporate structures can be set up so that the most senior individuals within the organisation are insulated from the wrongdoing.
The SFO has been the main beneficiary of the failure to prevent bribery offence and having worked on two significant corruption cases at the SFO – Rolls Royce[1] and Standard Bank[2] – the writer has seen the challenges and advantages of proving both predicate offences and the ‘failure to prevent’ offence.
Extension of the failure to prevent offence beyond bribery – the implications
Section 199 of ECCTA extends the concept of failing to prevent an offence from bribery to a range of other core fraud and dishonesty offences listed in Schedule 13 of ECCTA.
These predicate fraud offences are:
- An offence under any of the following provisions of the Theft Act 1968:
  - section 17 (false accounting); and
  - section 19 (false statements by company directors etc).
- An offence under any of the following provisions of the Fraud Act 2006:
  - section 1 (fraud);
  - section 9 (participating in fraudulent business carried on by sole trader); and
  - section 11 (obtaining services dishonestly).
- An offence of “fraudulent trading” under section 993 of the Companies Act 2006.
- The common law offence of “cheating the public revenue”; and
- Aiding and abetting any of the above offences.
This extension provides new opportunities for investigation teams, and the option of a ‘failure to prevent’ offence should be at the forefront of the minds of those representing victims.
From an investigative standpoint there is nothing new here. The predicate fraud offences are tried and tested. A “failure to prevent” offence becomes relevant if the predicate offence cannot be attributed to the corporate. Section 196 explains that corporate attribution must be through a “senior manager”, defined as:
…an individual who plays a significant role in—
- the making of decisions about how the whole or a substantial part of the activities of the body corporate or (as the case may be) partnership are to be managed or organised, or
- the actual managing or organising of the whole or a substantial part of those activities.
It should be noted that this lowers the bar for attribution from that in the Bribery Act, where attribution was through an employee with a directing will and mind, generally considered to be Board level seniority.
What is the defence to failing to prevent a relevant offence?
Section 199(4) ECCTA provides a statutory defence to the “failure to prevent” offence where (i) an organisation had fraud prevention procedures in place at the time the fraud was committed; or (ii) if it did not have such procedures in place, that was because it was not reasonable to have them in place.
This is similar to the defence that applies under the Bribery Act. It remains to be seen how both defences will operate in a contested case – there have been no cases where fraud prevention procedures have been tested. When such a case occurs it will inevitably set future parameters for prevention procedures.
Government guidance relating to ECCTA identifies six principles[3] for such procedures which closely mirror the compliance framework used in the failure to prevent bribery offence under the Bribery Act. These are:
- top-level commitment by senior management;
- risk assessment for fraud;
- proportionate procedures which reflect the risk level within the organisation;
- due diligence checks on employees, agents and partners;
- communication and training for staff; and
- monitoring and review procedures.
It is crucial that any team evaluating a “failure to prevent” allegation contains the skills required to evaluate fraud prevention procedures.
The point at which that evaluation takes place will depend on who is investigating the case. Someone advising a company pursuant to an investigation by a public authority will want to undertake that evaluation early – it would be in the best interests of a company under investigation by a public authority to present fraud prevention procedures early, perhaps at the point of self-referral (if there is one). The public authority will, at least initially, be less interested in that evaluation because its priority will be to determine if the company can be charged with a predicate offence.
In the private sphere, if you are representing the victim of the fraudulent conduct, you will need to devise a victim-specific investigation strategy based on the likely scenario that the corporate concerned will not be co-operating.
Moving forward, these offences should be at the forefront of an investigator’s mind, specifically where there is a corporate co-suspect that can form part of the investigation strategy.
What are the criminal penalties for failing to prevent a fraud?
A conviction for failing to prevent a fraud can have very significant financial and reputational consequences for a qualifying organisation.
In particular, organisations could face:
- unlimited fines;
- a criminal corporate conviction;
- reputational damage; and
- possible regulatory investigation.
Why is the failure to prevent offence so significant?
The new offence is significant for the following main reasons:
- First, it will undoubtedly make it easier to prosecute large corporations. This is because the offence does not require a prosecuting body to prove that the “directing mind and will” of the organisation committed the offence. This “identification doctrine”, as it is commonly known, has historically been very difficult to prove. But it is not a requirement of the new failure to prevent offence under ECCTA. The required seniority has been lowered to senior manager. That is a very significant change in the legal approach to fixing corporations with criminal liability.
- The new offence should help to bring about a major cultural shift in corporate governance, compliance and responsibilities. All large organisations will have to implement robust fraud compliance systems or face potentially very serious financial and reputational consequences.
If you have an enquiry relating to the new failure to prevent offence, then please contact Mike Jackson on mikejackson@emmlegal.com.

‘Failure to prevent fraud’ by Mike Jackson
[1] https://www.gov.uk/government/publications/sfo-deferred-prosecution-agreement-with-rolls-royce
[2] https://www.gov.uk/government/publications/sfo-deferred-prosecution-agreement-with-standard-bank
[3] https://www.gov.uk/government/publications/offence-of-failure-to-prevent-fraud-introduced-by-eccta/economic-crime-and-corporate-transparency-act-2023-guidance-to-organisations-on-the-offence-of-failure-to-prevent-fraud-accessible-version#chapter-3-reasonable-fraud-prevention-procedures