The UK’s corporate crime landscape is undergoing its most significant shift in years. On August 18, 2025, the Serious Fraud Office (SFO) and Crown Prosecution Service (CPS) jointly announced an overhaul of their Corporate Prosecutions Guidance, marking a decisive moment for organisations operating in the UK.

With the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act (ECCTA) coming into force in September, and the broadened identification doctrine already in play since December 2023, enforcement agencies are making it clear that they are ready to act, and companies must be prepared.

SFO Director Nick Ephgrave summed it up bluntly when he said, “Now is the time to take action. Corporations must get their house in order.”

What’s changed and why it matters

The most striking change is the introduction of the new failure to prevent fraud offence, which comes into force on September 1, 2025. This applies to large organisations which are those meeting thresholds on turnover, balance sheet, or employee numbers, and makes them automatically liable if an employee, agent or other associated person commits fraud for the organisation’s benefit. The only defence is to show that the company had “reasonable procedures” in place to stop it happening. 

Much like the Bribery Act’s approach, this reform shifts responsibility firmly onto businesses themselves, but with fraud, a crime that lies at the core of most economic misconduct, now in scope. For UK companies, the message is clear: Prevention measures must be real, documented and operational before September or they risk prosecution even if the board had no knowledge of the fraud.

That shift is reinforced by the expanded identification doctrine, which has been in effect since December 2023. Previously, prosecutors had to prove that the “directing mind and will” of a company, which is usually a board-level executive, was involved in wrongdoing. Now, liability can attach to the acts of any senior manager, defined broadly as anyone with significant decision-making authority. In practice, this makes it far easier to prosecute large corporations, where responsibility is often spread across multiple layers of management.

At the same time, the new guidance signals a more assertive prosecutorial strategy. Authorities are making clear that they can pursue multiple offences in parallel. For example, they can charge both failure to prevent fraud and the underlying offence such as false accounting. Prosecutors are also tightening the financial lens on corporations. Before any charges are brought, companies will now be expected to hand over three years’ worth of financial accounts. The aim is to give courts a full picture of what the business can realistically afford if convicted. But there’s a catch: If a company refuses or fails to provide this information, the court will be entitled to assume that it has the means to pay significant fines, regardless of its actual financial position.

Cases may also be escalated more swiftly to the Crown Court for oversight, and multi-agency collaboration, from the SFO and CPS to HMRC, the FCA, and Companies House, will become the norm rather than the exception.

Finally, the guidance underlines the importance of self-reporting. Companies that uncover misconduct and come forward early may still face sanction, but they stand a far better chance of negotiating a Deferred Prosecution Agreement (DPA) instead of a conviction. These agreements are not given lightly. They require companies to share investigation findings, preserve evidence, and make staff available for interviews. Conversely, a failure to report, or only partial cooperation, will weigh heavily against a business when prosecutors decide whether to charge.

Key changes: At a glance 

• Failure to prevent fraud (Sept 2025) – Large companies face automatic liability if staff or agents commit fraud; only defence is having “reasonable prevention procedures.”

• Expanded identification doctrine (Dec 2023) – Liability extends to crimes by any senior manager with decision-making authority, not just the board.

• Prosecutorial strategy – Prosecutors can stack charges, demand three years of accounts (or assume ability to pay fines), fast-track cases to Crown Court, and work closely with other regulators.

• Self-reporting and DPAs – Early, full self-reporting may secure a Deferred Prosecution Agreement; delay or partial cooperation makes prosecution more likely.

Next steps for UK companies

With the new guidance, boards and general counsels have little time to waste. Four priorities stand out:

1. Be ready for September 1, 2025
   • Conduct a fraud risk assessment

   • Identify high-risk associated persons such as subsidiaries, agents and contractors

   • Roll out targeted fraud prevention training and monitoring

   • Keep records of policies and decisions

2. Map liability under both regimes
   • Refresh delegations of authority and escalation processes

   • Train senior managers who fall under the new attribution test

   • Ensure governance structures match reality, not just policy on paper

3. Update investigation playbooks
   • Secure data, maintain privilege and structure interviews around government guidance

   • Document board oversight of compliance and remedial actions

4. Develop a self-reporting strategy
   • Prepare a clear plan for engaging with regulators if misconduct is found

   • Balance reputational, financial and legal consequences before deciding

   • Remember: Timing and transparency will determine whether a DPA is on the table

A new era of enforcement 

This guidance marks a turning point. UK authorities are arming themselves with broader attribution rules, a powerful new failure to prevent fraud offence, and a more coordinated enforcement model. For corporates, the implications are clear:

• The bar has been raised. “Paper compliance” won’t suffice. Prosecutors will test the reality of your fraud prevention culture.

• Boards are in the spotlight. Senior managers’ decisions now bind the company in criminal law and ignorance is no defence.

• Financial transparency is non-negotiable. Fines will be calibrated against proven means, and inability to pay must be credibly evidenced.

For UK businesses, prevention is the only safe strategy. Firms that invest now in risk assessments, training and internal reporting systems will not only strengthen their defence but also demonstrate to prosecutors that they take compliance seriously.

Failure to act could prove far costlier than the investment in prevention. The SFO and CPS have handed organisations a roadmap. Treat it as both a warning and a playbook because enforcement is no longer a distant risk, but an imminent reality.

Vinciworks’ new conversational learning course, Corporate Fraud: Prevention in Conversation, puts you at the centre of corporate fraud prevention, transforming passive training into active engagement. Through multimedia scenarios and guided discussions from our AI experts, you’ll explore what drives fraud, how to spot it, and what the law requires you to do regarding prevention and reporting. Try it now.