Failure to Prevent Fraud: just over four months on, are businesses really ready?

On 1 September 2025, the UK’s new corporate offence of Failure to Prevent Fraud came into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

It is a deceptively simple change with a very non-simple impact. In broad terms, a large organisation can be criminally liable if a person associated with it commits a specified fraud offence intending to benefit the organisation (or, in some circumstances, the organisation’s client) and the organisation did not have reasonable fraud prevention procedures in place. Crucially, prosecutors do not need to prove that senior managers or directors ordered or even knew about the fraud.

Now that we are into January 2026, that “implementation period” is no longer theoretical. Awareness is no longer the benchmark. The benchmark is whether you can evidence reasonable prevention procedures in the parts of the business where fraud risk actually sits.

What changed on 1 September 2025, in plain English

The offence is now in force. Here is what it changed, in practical terms.

1) The offence only applies to “large organisations”, but that net is wide.
A “large organisation” is defined as meeting at least two of: more than 250 employees, more than £36m turnover, and more than £18m in total assets (assessed by reference to the prior financial year).

2) “Associated persons” means more than employees.
The statutory guidance frames the risk around employees, agents, subsidiaries and other people who provide services for or on behalf of the organisation. That is exactly where many compliance programmes still have blind spots: outsourced sales, introducers, contractors, distributors, and certain supplier relationships that sit outside classic procurement controls.

3) The defence is real, but it is not a safe harbour.
The guidance is explicit that even strict compliance with the guidance will not necessarily be enough if your organisation’s real-world risks were not addressed. And if you want to rely on the defence, the burden is on the organisation to prove it had reasonable prevention procedures (or that it was unreasonable to expect them) on the balance of probabilities.

4) A UK nexus can still pull in non-UK organisations.
The guidance explains that bodies incorporated or formed outside the UK can be in scope where there is a UK nexus, and the offence applies across the UK.

What “reasonable procedures” looks like (and what it does not)

In the official statutory guidance, the government sets out six principles that should inform a fraud prevention framework:

  • Top level commitment
  • Risk assessment
  • Proportionate risk-based prevention procedures
  • Due diligence
  • Communication (including training)
  • Monitoring and review

Most organisations can point to at least some of these already. The gap we see most often is not intent; it is execution. A policy exists, a risk assessment exists, training exists, but they do not line up with the actual ways fraud happens in that business.

A quick way to sanity check your programme is to ask one uncomfortable question:

If an employee, agent, or subsidiary committed a fraud “to help hit the number”, could we evidence that we had designed our controls to stop that specific scenario?

If the honest answer is “we have a general anti-fraud policy and an annual e-learning module”, you are probably not where you need to be.

Four months on: where organisations are still exposed

Here are the patterns we keep seeing when teams revisit their readiness with fresh eyes in early 2026.

The risk assessment is too generic.

The statutory guidance is clear that it will rarely be considered reasonable not to have even conducted a risk assessment, and it stresses that risk assessment should be documented and kept under review.

In practice, many risk assessments stop at “fraud risk exists” and never get to “which frauds, by whom, in which process, with what controls, and how do we know they work?”

Third parties are treated as a procurement issue, not a fraud issue.

Due diligence often focuses on sanctions, bribery, or modern slavery and misses the fraud-specific angle: who is selling for you, who is introducing business, who has access to your customers, who can submit claims, who can approve changes, and who can create data that drives revenue recognition.

Training is not aimed at the people who create the risk.

The guidance explicitly includes communication and training as part of a reasonable procedures framework.

Yet many organisations still deliver one broad module to everyone, rather than targeted training for high-risk roles like sales, finance, procurement, customer success, and anyone who manages agents or resellers.

Whistleblowing exists, but it is not trusted or not used.

Your reporting channel is part of your prevention system. If employees do not believe they can raise concerns safely or that anything will happen when they do, you lose your best early warning signal.

Monitoring is not built for detection.

The guidance describes monitoring as including detection of fraud and attempted fraud, investigations, and monitoring the effectiveness of prevention measures.

If your approach is “we will investigate when something blows up”, you are relying on luck, not controls.

Why January 2026 is the moment to tighten, not to wait

A common misconception is that enforcement takes years to show up. Sometimes it does. But regulators and prosecutors have already been signalling expectations clearly.

The Crown Prosecution Service has framed the offence as pushing organisations to have proper fraud prevention procedures in place, and the government has positioned the guidance as part of a wider push for an anti-fraud culture shift.

Separately, the Serious Fraud Office’s corporate cooperation guidance is blunt: prompt self-reporting and full cooperation weigh heavily in favour of an invitation to negotiate a DPA (deferred prosecution agreement) rather than prosecution, unless exceptional circumstances apply.

That matters because it changes the calculus when issues surface. Your readiness is not only about preventing fraud. It is also about how quickly you can investigate, preserve evidence, decide whether to self-report, and demonstrate that your controls were designed properly.

A practical readiness check you can run this month

If you want a simple, action-focused benchmark, work through these six prompts (mapped to the statutory principles).

Top level commitment

Can you evidence board-level ownership, not just awareness? For example: named accountability, regular reporting, and visible leadership messages that challenge “fraud is a victimless crime” style rationalisations.

Risk assessment

Have you explicitly assessed where associated persons could commit a fraud in scope, and updated that assessment since the offence came into force?

Proportionate procedures

Do your controls match your real risk profile, including where you have less direct supervision (outsourcing, agents, subsidiaries) and need contractual controls and oversight?

Due diligence

Is your third-party due diligence designed to catch fraud-enabling relationships, not only bribery or sanctions risks?

Communication and training

Is training targeted, role-based, and backed by practical guidance (what good looks like, what red flags look like, how to escalate)?

Monitoring and review

Can you show you test and review your controls, and that you can detect attempted fraud, not only proven fraud?

If you cannot evidence these, that is the gap to close. Not with more policy pages, but with a prevention programme that is linked to how work actually gets done.

Join VinciWorks’ upcoming webinar

Join VinciWorks experts for our upcoming live one-hour webinar where we will answer your questions on UK corporate compliance in 2026.

We will look at how failure to prevent fraud, bribery and tax evasion interact, what “adequate procedures” now need to cover in practice, how the Crime and Policing Bill could increase the risk of prosecution, and what the Employment Rights Bill means for harassment, wellbeing and workplace management.

Register now.