The failure to prevent fraud offence, coming into force on 1 September 2025, places a clear responsibility on large organisations to proactively prevent fraud by associated persons. The offence does not require knowledge or involvement by senior management; it is enough that fraud was committed with an intent to benefit the organisation or its clients. Compliance teams must ensure reasonable fraud prevention procedures are implemented.
Meanwhile, the Serious Fraud Office has revealed new guidance for Deferred Prosecution Agreements (DPAs). In plain terms, the SFO is now offering a clearer pathway for corporates that act responsibly when wrongdoing is uncovered. If a company promptly self-reports suspected criminal conduct and then fully co-operates with the SFO’s investigation, the agency will invite it to enter DPA negotiations. But without self-reporting, a DPA will be much harder to negotiate.
Check if your firm is ready for compliance by reviewing and answering the key questions before the offence comes into force on 1 September 2025.
Who owns fraud prevention at the executive level?
Fraud prevention starts at the top. Under the guidance, senior management, including the board and partners, are responsible for setting the tone and ownership of fraud prevention. They must:
- Communicate a zero-tolerance approach to fraud, even if this results in missed opportunities or short-term losses.
- Approve and oversee the fraud prevention framework.
- Allocate sufficient resources, including training and technology budgets.
- Appoint clear lines of responsibility for fraud prevention, such as a Head of Ethics and Compliance, who should have access to the board if needed.
- Foster a culture of openness where employees feel empowered to raise fraud concerns without fear of retaliation.
This top-level commitment is essential and will be considered by prosecutors or courts when assessing whether your organisation had reasonable procedures.
Have we conducted a comprehensive risk assessment?
A robust risk assessment is the backbone of fraud prevention. Organisations must identify the fraud risks from their employees, agents, subsidiaries, and others providing services on their behalf.
The risk assessment should:
- Consider the fraud triangle: opportunity, motive, and rationalisation.
- Identify high-risk roles and departments (e.g., sales, procurement, finance).
- Address fraud risks from third-party agents or contractors, including those overseas.
- Evaluate how changes in regulation, business models, or technology (such as AI) might create new fraud opportunities.
- Consider emergency scenarios, which often increase fraud risks.
Risk assessments must be documented, regularly reviewed (at least every two years or when there is a major change), and updated in light of emerging risks. Courts will not look favourably on outdated or unreviewed risk assessments.
Have key staff received robust anti-fraud training?
Training is central to reasonable procedures. Organisations must ensure staff, especially those in higher-risk roles, receive regular, tailored fraud training that covers:
- The legal obligations under the new failure to prevent fraud offence.
- How to recognise fraud risks, including sector-specific typologies.
- Their personal responsibilities to prevent and report fraud.
- How to escalate concerns.
Training records should be maintained, and compliance should be monitored. Senior managers are expected to champion these training efforts, reinforcing a culture where fraud is never acceptable.
Do our people understand their obligations?
Training alone is not enough; you must also test understanding. This means:
- Communicating clear policies, codes of conduct, and mission statements explaining fraud prevention standards.
- Reinforcing those messages regularly through refreshers, onboarding, newsletters, or workshops.
- Checking that staff know how to report suspicions of fraud (anonymously if necessary).
- Explaining consequences of non-compliance, including disciplinary action and potential contractual penalties.
The Home Office guidance strongly encourages organisations to foster an “open culture” where staff challenge fraud and do not rationalise it as “victimless” or “industry standard”.
Is our supply chain compliant?
Your organisation is liable if an associated person, including a supplier acting “for or on behalf of” you, commits fraud that benefits your organisation or your clients. That means you must:
- Map your supply chain and identify associated persons.
- Apply risk-based due diligence to suppliers, intermediaries, and other contractors.
- Include fraud prevention clauses in contracts, requiring counterparties to adopt similar prevention measures.
- Periodically review those third-party controls.
Organisations cannot assume supply chain compliance. Proactively checking and evidencing supply chain controls will be vital in demonstrating reasonable procedures.
Are our controls effective? Have they been tested?
Policies on paper are meaningless if they do not work. Controls must be:
- Proportionate to your organisation’s risk profile, size, and complexity.
- Clear, practical, and accessible to staff and third parties.
- Tested, ideally by people independent of their design, to confirm they genuinely prevent and detect fraud.
Controls should also be reviewed after incidents, audits, or enforcement action in your sector to address weaknesses. Under the UK Corporate Governance Code, from 2026 premium-listed companies will also have to make declarations about the effectiveness of their controls, a good benchmark for others to consider.
How do we report and investigate incidents?
Fraud incidents, suspicions, or breaches of policy must be reported promptly, and procedures for handling these reports must be clear. You should:
- Have a whistleblowing or speak-up channel that protects confidentiality.
- Investigate incidents consistently and document them thoroughly.
- Cooperate fully with enforcement authorities (for example, the Serious Fraud Office encourages self-reporting).
- Consider whether a deferred prosecution agreement may apply if a failure is identified.
The guidance notes that early self-reporting and full cooperation are important factors prosecutors will consider in any charging decisions.
Looking for more support? Train your entire organisation with VinciWorks’ anti-fraud eLearning.