Preparing for failure to prevent fraud: Key steps before 1 September

From September 2025, large organisations in the UK will face a new corporate criminal offence: failure to prevent fraud. Introduced by the Economic Crime and Corporate Transparency Act 2023, this offence follows in the footsteps of the earlier ‘failure to prevent’ laws targeting bribery and tax evasion. While the principle may be familiar, the new fraud offence brings significant challenges. With new prosecutions for ‘failure to prevent’ offences, plus updated SFO guidance that makes early self-reporting a condition of any chance at a Deferred Prosecution Agreement, compliance teams should start preparing now.

Understanding the new offence of failure to prevent fraud

Failure to prevent fraud is modelled on existing laws under the Bribery Act 2010 and Criminal Finances Act 2017. Like those, it applies when an associated person, such as an employee, agent or contractor, commits a specific offence intending to benefit the company. If the company had no ‘reasonable procedures’ in place to prevent it, or a jury finds those procedures were not good enough, it can be held criminally liable.

However, this new offence has a narrower scope. It only applies to ‘large organisations’ – those meeting at least two of the following: more than 250 employees, over £36 million in turnover, or over £18 million in assets. This threshold was introduced to avoid burdening smaller businesses, although many may still be impacted indirectly through commercial relationships.

The law covers a specific set of fraud-related offences, including fraud by false representation, abuse of position, false accounting, and cheating the public revenue. It is not a blanket fraud offence but a tightly scoped one. Nevertheless, it is highly relevant for most large businesses.

What counts as ‘reasonable procedures’?

Reasonable procedures aren’t rigidly defined in the legislation, but government guidance (and experience from the bribery and tax evasion laws) offers a clear framework. Companies must take proportionate steps based on their risk profile. A ‘tick-box’ policy won’t suffice; regulators expect meaningful, embedded controls.

Government guidance lays out six key areas where procedures should be in place. Essentially, a compliance team needs to be able to explain its approach to each of these six principles.

  1. Fraud risk assessment – A written risk assessment that identifies where fraud could occur in your business, who could commit it, and what it might look like.
  2. Top-level commitment – Leadership must own and visibly support fraud prevention efforts, including through communications and policy statements from leadership.
  3. Practical policies and controls – Translate risk into action through effective policies, internal controls and oversight that all staff have sight of.
  4. Training and communication – Educate staff on fraud risks, ethical standards and how to speak up, and ensure that fraud training is part and parcel of training plans.
  5. Whistleblowing mechanisms – Provide clear reporting channels through accessible, confidential whistleblowing procedures that are tested regularly.
  6. Ongoing monitoring and review – Regularly test, audit and evolve your approach as risks change, and keep everything documented.

Lessons from bribery prosecutions: prevention is key

Prosecutors’ handling of bribery cases offers a glimpse into how they might treat failure to prevent fraud. The Skansen Interiors case, for example, showed that even small companies need clear, active procedures. Skansen had basic ethical principles but no targeted anti-bribery programme, and that wasn’t enough to convince a jury.

In the UIBL case from 2025, the SFO announced a prosecution of a UK firm for failure to prevent bribery in connection with deals involving Ecuadorian officials. It marked a return to active enforcement and shows the SFO’s willingness to pursue corporate offences where they believe controls are weak or absent.

Crucially, self-reporting alone won’t save a company. The SFO has released new guidance outlining that it expects full cooperation, robust remediation, and evidence that compliance was taken seriously both before and after the wrongdoing. This mindset will likely carry over into fraud enforcement.

What compliance teams should do now

1. Conduct a comprehensive fraud risk assessment

If you haven’t started preparing for the new offence, now is the time. Start with a thorough fraud risk assessment. This should begin by gathering stakeholders from finance, sales, compliance and legal, and mapping out possible fraud scenarios. Consider different business units, geographical operations, and third-party relationships. Understanding these risks is crucial for developing targeted prevention strategies.

2. Develop and implement reasonable prevention procedures

Based on the risk assessment, establish proportionate and effective procedures to mitigate identified fraud risks. These should be tailored to your organisation’s specific context and may include:

  • Clear policies and codes of conduct outlining acceptable behaviours.
  • Robust internal controls such as segregation of duties and approval processes.
  • Due diligence processes for third parties and high-risk transactions.
  • Whistleblowing mechanisms to encourage reporting of suspicious activities.

3. Engage senior leadership

Leadership commitment is vital. Ensure that senior management understands the importance of fraud prevention and actively promotes a culture of integrity. Customise your training sessions and communications to reinforce this commitment throughout the organisation.

4. Train employees and associated persons

Provide comprehensive training to employees and associated persons on fraud risks, detection methods, and reporting procedures. Tailor the training to different roles and responsibilities to ensure relevance and effectiveness.

5. Monitor, review, and update procedures regularly

Establish mechanisms to monitor the effectiveness of your fraud prevention procedures. Regular reviews and updates are essential to adapt to new threats and changes in the business environment.

6. Prepare for potential enforcement actions

The SFO has indicated a proactive approach to enforcement, including the use of Deferred Prosecution Agreements (DPAs) for organisations that self-report and cooperate fully. However, reliance on DPAs should not replace robust prevention measures.

Looking for more support? Try our failure to prevent fraud training.