On 1 September 2025, the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) came into force across the UK. For organisations, this marks the latest expansion of the corporate liability landscape that already includes failure to prevent bribery and failure to prevent facilitation of tax evasion. But while the offence applies across all UK jurisdictions, the way it is enforced will differ depending on whether a business falls under the jurisdiction of prosecutors in England and Wales or in Scotland.
In England and Wales, there is now a well-established assumption that large corporate cases will be resolved through a Deferred Prosecution Agreement (DPA). The Serious Fraud Office (SFO) and Crown Prosecution Service (CPS) default to DPAs as the primary mechanism for settlement, subject to judicial approval. These agreements are highly public, often impose substantial fines and monitoring conditions, and send a strong deterrent message to the market.
In Scotland, however, no such mechanism exists. The Crown Office and Procurator Fiscal Service (COPFS) instead operates a civil settlement model. This has now been expanded to cover all three failure to prevent corporate offences. North of the border, there is no judicially approved DPA process. Instead, businesses that self-report can be referred to the Civil Recovery Unit (CRU) for settlement, with the fine calculated based on the benefit derived from the misconduct. This approach is often seen as more pragmatic and less punitive, but it is also less predictable because the Fiscal retains full discretion on whether a case should be resolved civilly or pursued through prosecution.
For Scottish businesses, the lesson is clear: do not assume the availability of a DPA-style resolution. The Procurator Fiscal expects organisations to take the lead in investigating suspected misconduct, to disclose fully, and to show evidence of robust remedial action. Only then might a civil settlement be on the table.
Scotland’s differing approach: Expansion of the self-report policy
With the introduction of failure to prevent fraud, the Procurator Fiscal has now significantly broadened its self-reporting policy, which since 2011 had been confined exclusively to bribery offences under the Bribery Act. As of September 2025, the policy now covers the full suite of corporate failure to prevent offences: bribery, facilitation of tax evasion, and fraud, as well as offences committed by senior managers that can be attributed to the business. This marks a fundamental shift in prosecutorial practice in Scotland: instead of a narrow, bribery-focused mechanism, companies now have a formal pathway to self-disclose a much wider range of economic crimes, opening the door to civil settlement where the Procurator Fiscal considers it in the public interest.
Key features of the Scottish regime:
Eligibility: Companies, LLPs, and partnerships may self-report.
Submission: Reports must be made via a solicitor to COPFS’s Serious Organised Crime Unit (SOCU).
Investigation Standard: Businesses must carry out thorough internal investigations, typically with forensic accountants, and disclose the full extent of wrongdoing.
Remediation: Organisations must show remedial steps and strengthened compliance controls.
Evaluation: COPFS assesses seriousness, harm, culpability, remedial action, and public interest.
Settlement: If accepted, cases go to CRU for civil recovery under Proceeds of Crime Act 2002 (POCA) principles.
This expansion recognises that failure to prevent offences are not just legal risks but touch directly on corporate governance, culture, and ethics.
Corporate liability in Scotland vs. England and Wales
England & Wales: Deferred Prosecution Agreements (DPAs)
In England and Wales, corporate failure to prevent offences (bribery, facilitation of tax evasion, and now fraud) are primarily managed through the Serious Fraud Office and Crown Prosecution Service. These authorities may offer DPAs, subject to judicial approval, allowing companies to avoid conviction if they cooperate, pay a fine, and improve compliance frameworks.
DPAs are punitive in nature: fines are significant, reputational damage is unavoidable due to judicial oversight and publicity, and companies cede control of the investigative process to the authorities.
Scotland: Civil Settlements via COPFS
Scotland does not have DPAs. Instead, the PF operates a civil recovery model, where self-reporting companies may negotiate a civil settlement through the Scottish Government’s Civil Recovery Unit (CRU). In these cases:
- The business itself conducts the initial investigation (with solicitors and forensic accountants).
- COPFS evaluates whether a civil settlement is in the public interest.
- Settlements are calculated on a profit-based model, i.e. the benefit derived from wrongdoing, without additional penalties.
- If COPFS accepts the report, the matter is referred to CRU for quantification and resolution.
This model is widely regarded as more lenient than the English DPA regime. Businesses retain more control, settlements may be less financially punitive, and reputational damage can be mitigated by demonstrating proactive governance. Nevertheless, the PF still expects prompt self-reporting and a willingness to engage in the process.
The new failure to prevent fraud offence under ECCTA
The failure to prevent fraud offence (ECCTA s.199) applies to “large organisations” across the UK. To fall within scope, a company must meet at least two of the following criteria:
- Over 250 employees
- Turnover exceeding £36 million
- Assets exceeding £18 million
It applies to fraud committed by “associated persons,” employees, subsidiaries, agents, or contractors, where the organisation did not have reasonable prevention procedures.
Alongside fraud, businesses must also consider:
- Bribery Act 2010 (s.7) – failure to prevent bribery.
- Criminal Finances Act 2017 (ss.45–46) – failure to prevent the facilitation of tax evasion.
- ECCTA 2023 (s.196) – offences committed by senior managers attributable to the business.
All of these offences are strict liability, meaning an organisation can be charged regardless of senior leadership knowledge or intent.
Who falls within the scope in Scotland?
Failure to Prevent Bribery
Since the Bribery Act 2010 came into force, all commercial organisations that “carry on business” in Scotland fall within scope of the corporate offence of failing to prevent bribery. This includes not just Scottish-registered companies but also overseas organisations with operations or subsidiaries in Scotland. The standard is strict: if an employee, subsidiary, or third-party agent pays a bribe, the organisation can be liable unless it can demonstrate that it had “adequate procedures” in place. With the PF now extending its self-reporting initiative, Scottish businesses that uncover bribery internally have a defined pathway to disclosure and potential civil settlement, rather than automatic criminal prosecution.
Failure to Prevent Facilitation of Tax Evasion
The Criminal Finances Act 2017 added another layer of liability, making organisations responsible if their associated persons criminally facilitate tax evasion. Unlike bribery, the tax evasion offence has a global reach. Any company, partnership, or LLP that does business in the UK, or with a sufficient UK nexus, can be caught, even if the underlying tax evasion occurs overseas. For example, a Scottish-headquartered firm whose overseas agent assists a client in hiding income from a foreign tax authority may still be liable in Scotland if the business has not implemented “reasonable prevention procedures.”
Failure to Prevent Fraud (ECCTA 2023)
The new failure to prevent fraud offence under ECCTA is narrower in scope. It applies only to large organisations. This limitation means smaller businesses are exempt from direct liability for failing to prevent fraud, but they may still face prosecution for underlying fraud offences. Large organisations, by contrast, are under clear statutory pressure to implement anti-fraud frameworks. In Scotland, the expansion of the PF’s self-reporting policy means these organisations now face a choice: disclose and resolve issues through civil settlement, or risk public prosecution.
Senior Manager Attribution (s.196 ECCTA)
Alongside the failure to prevent offences, the ECCTA introduces a “senior manager test” for corporate attribution. If a senior manager commits a listed economic crime within the actual or apparent scope of their authority, liability can attach directly to the organisation. This is a departure from the restrictive “directing mind and will” test that previously made corporate prosecutions difficult in the UK. For Scottish businesses, this raises the stakes: misconduct by someone in senior leadership is more likely than ever to land the organisation in the Fiscal’s sights.
Cross-Border Coordination
Many businesses straddle both Scottish and English operations. To avoid conflicts, the Procurator Fiscal, the SFO, and the CPS have agreed on referral mechanisms: cases with a predominantly Scottish nexus (such as headquarters, registered office, or location of wrongdoing) will be handled by the PF, while those centred in England or Wales will go to the SFO or CPS. For multinationals, this means compliance teams must consider both regimes, ensuring readiness to self-report in Scotland while understanding the different consequences of a DPA in England.
Practical implications for Scottish businesses
For companies operating in Scotland, the expansion of the Procurator Fiscal’s self-reporting policy requires some immediate action. If a company fails to act promptly, investigates poorly, or tries to conceal misconduct, the PF can—and will—prosecute. Unlike England, there is no judicially approved DPA process that allows organisations to negotiate with the safety net of court oversight. In Scotland, the decision rests with the Fiscal, and once the opportunity for civil settlement is lost, the path leads straight to criminal prosecution.
This places a heavy responsibility on boards and compliance teams. They must ensure robust reasonable procedures are in place for fraud, bribery, and tax evasion. They must also have clear internal escalation routes so that if misconduct is suspected, the business can investigate thoroughly, involve external advisors, and prepare for the possibility of self-reporting.
For compliance officers, the practical reality is stark: inaction is not an option. The Procurator Fiscal’s approach means organisations that fail to self-report risk harsher treatment than those that act transparently. In effect, Scotland’s regime creates a compliance environment where preparedness to self-report is just as important as having procedures to prevent crime in the first place.
Failure to prevent checklist for Scottish compliance teams
Governance & leadership
- Ensure board-level commitment to preventing fraud, bribery, and tax evasion.
- Designate a senior compliance officer with authority and resources.
Risk assessment
- Conduct enterprise-wide fraud and bribery risk assessments annually.
- Map “associated persons” including contractors, subsidiaries, and agents.
- Review cross-border risks, especially where Scottish and English jurisdiction overlap.
Policies & procedures
- Maintain documented anti-fraud, anti-bribery, and tax evasion prevention policies.
- Tailor procedures to sector-specific risks.
- Integrate whistleblowing and internal reporting systems.
Training & culture
- Deliver targeted training on fraud, bribery, and tax evasion offences.
- Reinforce a culture of ethical conduct through leadership messaging.
- Keep records of training completion and policy acknowledgements.
Due diligence & monitoring
- Implement enhanced due diligence for high-risk third parties.
- Monitor transactions and contracts for fraud indicators.
- Use data analytics where proportionate.
Self-reporting readiness
- Establish protocols for internal investigation, including external forensic accountants.
- Have clear criteria for when to escalate issues to the Fiscal.
- Pre-identify legal advisers experienced in self-reporting to the Fiscal.
Remediation & review
- Document remedial steps taken after incidents.
- Regularly review and update compliance frameworks.
- Engage with auditors and stakeholders transparently about prevention efforts.
