Corporate criminal liability: new failure to prevent fraud offence
Implementation status: Coming into force 1 September 2025
Overview
The Act introduces a new corporate offence of “failure to prevent fraud”. The new offence, which comes into effect on 1 September 2025, will make it easier for companies to be criminally prosecuted.
In-scope organisations will be criminally liable if an “associate” commits a specified fraud offence in order to benefit the organisation or its clients, and the organisation does not have reasonable fraud prevention procedures in place.
The Government has recently published guidance (Guidance) on the new offence, outlining its key elements and offering practical advice on implementing fraud prevention procedures.
Background
In June 2022, the Law Commission published a paper examining options to improve the law to ensure that corporations are effectively held to account for committing serious crimes. One of the options considered was the creation of a new offence of failure to prevent fraud.
The new offence was introduced by the Act but will not come into force until 1 September 2025. It is modelled on the “failure to prevent” offences previously introduced in the UK, including failure to prevent bribery and the facilitation of tax evasion.
The new offence is intended to encourage more organisations to implement or improve their prevention procedures, driving a major shift in corporate culture to help prevent fraud.
What is the new offence?
Under the new offence, a relevant organisation will be criminally liable where:
- a person associated with the organisation (such as an employee, agent, subsidiary or other person who performs services on its behalf) (the associate) commits a specified “fraud offence”;
- the fraud is intended to benefit the organisation or its clients; and
- the organisation did not have reasonable procedures in place to prevent the fraud.
The specified “fraud offences” are listed in Schedule 13 of the Act. They include offences under the Fraud Act 2006 (e.g. fraud by false representation or by failing to disclose information), the Theft Act 1968 (e.g. false accounting and false statements by company directors) and fraudulent trading (under the Companies Act 2006). A “fraud offence” also includes aiding, abetting, counselling or procuring the commission of any of these offences.
The new failure to prevent offence is, effectively, one of strict liability for the organisation as it will not be necessary to prove that its senior management knew about or sanctioned the fraud.
Importantly, an organisation will not be considered criminally liable where it is a victim of a fraud intended to benefit the organisation’s clients. However, the Guidance states that an organisation will not be considered a victim where it only suffers indirect harm as a result of the fraud (for example, because exposing the fraud damages the organisation’s reputation).
Who does the new offence apply to?
The new offence will apply to “large organisations” wherever incorporated or formed, provided that the relevant fraud involves a link to the UK – a “UK nexus” (see below).
“Large organisations” are defined as corporates and partnerships that meet at least two of the following criteria in the financial year preceding the year in which the fraud is alleged to have taken place:
- more than 250 employees;
- more than £36 million turnover; and
- more than £18 million in total assets.
The above criteria applies to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located. For example, if an employee of a subsidiary of a large organisation (where the subsidiary is not itself a large organisation) commits a fraud that is intended to benefit the subsidiary, the subsidiary may be prosecuted. Similarly, if that employee commits a fraud that is intended to benefit the parent company, that parent company may be prosecuted.
The Guidance states that the new offence will only apply where the associate commits the fraud offence under the law of part of the UK. This requires a “UK nexus" – i.e. one of the acts which was part of the underlying fraud took place in the UK, or the gain or loss occurred in the UK. If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based. Also, if an associate of an overseas-based organisation commits fraud in the UK, the organisation could be prosecuted. The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus.
Are there any defences to the new offence?
It will be a defence for an organisation to prove that, at the time that the fraud offence was committed, it had reasonable procedures in place to prevent fraud, or it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.
The Guidance sets out procedures that organisations should consider when designing and implementing “reasonable procedures”. The procedures are based on the following six principles (which are intended to be flexible and outcome-focussed):
- Top level commitment – senior management should lead by example and foster a culture in which fraud is never acceptable;
- Risk assessment – fraud risk assessments should be dynamic, documented and kept under regular review;
- Proportionate risk-based prevention procedures – prevention procedures should be proportionate to the risks faced by each specific organisation (considering the nature and complexity of its activities), and should be clear, accessible and effectively implemented and enforced;
- Due diligence – proportionate due diligence should be undertaken in relation to persons performing services for or on behalf of the organisation, and existing due diligence processes may not be sufficient to tackle the risk of fraud;
- Communication – the organisation should ensure that its fraud policy is clearly communicated, embedded and understood throughout the organisation. Regular training is key; and
- Monitoring and review – organisations should monitor their fraud prevention procedures and regularly review and improve them in the light of events and as risks change.
As confirmed in the Guidance, departing from the suggested procedures will not automatically mean that an organisation does not have reasonable fraud prevention procedures. Equally, strict compliance with the Guidance will not guarantee that the organisation does have reasonable procedures in place (for example, where it has not addressed particular risks unique to its own business).
What are the penalties for committing the Offence?
If an organisation is found guilty of failure to prevent fraud it is punishable by an unlimited fine.
The offence does not impose individual liability on directors or other persons within the organisation who may have failed to prevent the fraudulent behaviour. However, the employee or agent who committed the fraud may still be prosecuted individually for that fraud, whilst the organisation may be prosecuted for failing to prevent it.
Practical steps
The new offence will make it easier to prosecute organisations for fraud as it will no longer be necessary to prove that a “directing mind and will” of the organisation was directly involved in the offence.
Businesses should take steps now to ensure that they have reasonable fraud prevention procedures in place before September 2025. It is vital that each organisation assesses its own specific fraud risks, and this will include understanding who its associates are and what might motivate them to commit fraud.
Once relevant risks have been identified, tailored policies and procedures should be put in place to address them. Communication of procedures to all levels of the organisation, and relevant training, should follow.
Organisations should note that compliance procedures under other regulations will not automatically qualify as “reasonable procedures” for the new failure to prevent offence, but they may be a useful starting point.
Although the new offence applies only to large organisations, the principles outlined in the Guidance should also be considered good practice for smaller organisations.
Also in this section
- Registered office address (in force from 4 March 2024)
- Registered email address (in force from 4 March 2024)
- The role and powers of the registrar (in force from 4 March 2024)
- Statement of lawful purposes and confirmation statements (in force 4 March 2024)
- Company and business names (in force from 4 March 2024)
- Companies House fees (in force from 1 May 2024) and new financial penalties (in force from 2 May 2024)
- Identity verification (expected by spring 2025)
- Company registers and filings (not yet in force)
- Directors’ disqualification (in force from 4 March 2024) and corporate directors (not yet in force)
- Protecting personal information on the register (to be implemented in phases – expected to commence by January 2025)
- Accounts and audit exemption (not yet in force)
- Implications for limited liability partnerships (to be implemented in phases starting 4 March 2024)
- Corporate criminal liability: new failure to prevent fraud offence (coming into force 1 September 2025)