Failure to Prevent Fraud Offence – What You Should Know
Thursday, July 3, 2025

On 1 September 2025, the new UK corporate offence of “failure to prevent fraud” will come into force, as introduced under the Economic Crime and Corporate Transparency Act 2023 (the “Act”).

We cover in this client alert the new offence’s aims, scope including extra‑territorial reach, defence availability and some key areas of focus for asset managers from the Home Office statutory guidance (the “Guidance”), published on 6 November 2024.

What is the failure to prevent fraud offence trying to achieve?

The new offence is intended to make it easier to hold organisations to account for fraud committed by employees, or other associated persons, which may benefit the organisation, or, in certain circumstances, their clients. The offence will also encourage more organisations to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud.

If prosecuted, an organisation must demonstrate, on the balance of probabilities, that it had reasonable procedures in place to prevent fraud, or that it was unreasonable to expect it to have such procedures, in order to avoid being found liable.

Which fraud offences are covered by the failure to prevent fraud offence?

The failure to prevent fraud offence itself captures a range of potential offences to be caught as the “base offence” for the purpose of the Act. These are detailed below and range from offences found in the Fraud Act 2006, common law, the Companies Act 2006 and the Theft Act 1968:

Offence List

  1. Fraud by false representation
  2. Fraud by failing to disclose information
  3. Fraud by abuse of position
  4. Participating in fraudulent business
  5. Obtaining services dishonestly
  6. Cheating the public revenue
  7. False accounting
  8. False statements by company directors
  9. Fraudulent trading

Who is caught by the new offence?

The organisations in scope are defined as large, incorporated bodies and partnerships across all sectors of the economy. The offence applies to organisations regardless of how they are incorporated and could even include partnerships which are not bodies corporate, such as limited partnerships. The Home Office nonetheless encourages smaller organisations to review the Guidance as best practice.

Breaking this down, it covers:

  • Large organisations, defined as meeting two out of three of the following criteria, as found in the prior financial year to the base fraud offence:
    • more than 250 employees
    • more than £36 million turnover
    • more than £18 million in total assets
  • “Associated Persons”: the offence can be committed by a “person associated with the relevant body”. This includes individuals or entities who perform services for or on behalf of the organisation while acting in that capacity, such as employees, agents, contractors, subsidiaries and partners in a partnership. In further detail:
    • If a partner commits a fraud offence in the course of the partnership’s business, the partnership itself may also be held criminally liable for the substantive offence.
    • An employee, agent or subsidiary of a relevant organisation is automatically considered an “associated person” for the purposes of the offence.
    • A subsidiary undertaking of a large organisation is considered an associated person for the purposes of the failure to prevent fraud offence. This means that:
      • a parent company can be held criminally liable if a subsidiary commits a fraud that is intended to benefit the parent organisation; and
      • liability may also arise if the fraud benefits a client of the parent company, where the subsidiary provides services for or on behalf of the parent.
    • Additionally, employees of the subsidiary can bring both the subsidiary and the parent company into scope, as the subsidiary itself can be prosecuted if one of its employees commits a fraud intended to benefit the subsidiary or the parent company.

Importantly, this is a corporate offence only: directors and senior managers are not personally liable for a failure to prevent fraud within the organisation. However, any associated person who commits the underlying fraud offence may still be individually prosecuted for that offence as outlined in the relevant offence list above.

The Guidance also clarifies that individuals or firms providing services to an organisation, such as external lawyers, valuers, accountants or engineers, are generally not considered associated persons as they are not acting “for or on behalf of” the organisation.

What if we are out of the UK?

The offence applies only where the underlying fraud offence has a UK connection, referred to in the Guidance as the “UK Nexus”.

An offence will fall within this scope if either of the following conditions is met:

  • at least one element of the fraudulent conduct took place in the UK; or
  • the gain or loss resulting from the fraud occurred in the UK.

This means that if a UK‑based employee commits fraud, the employing organisation may be prosecuted and held liable regardless of where it is established.

Does an organisation need to receive a benefit?

An organisation does not need to receive a benefit for the offence to apply. The offence can be triggered as soon as the underlying fraud is committed, even if no gain has yet been, or would ever be, realised. It is sufficient that the fraud was carried out with the intention of benefiting the organisation.

The intention to benefit the organisation does not have to be the sole or dominant motivation of the fraud either. For example, an employee could be setting out to benefit themselves only but their actions will indirectly benefit the organisation as well. The benefit may also be financial or non‑financial (such as unfair business advantage).

Is there a defence?

Organisations will have a defence if they can show that they have ‘reasonable procedures’ in place to prevent fraud. Alternatively, if the organisation can demonstrate to the satisfaction of the court that it was not reasonable in all the circumstances, to expect the organisation to have any prevention procedures in place, then this can also qualify as a defence.

The Guidance sets out that a court will generally determine, on a case‑by‑case basis, whether an organisation has demonstrated that it had reasonable procedures in place to prevent the fraud. As determined by established case law, the standard of proof to be met by the organisation is the balance of probabilities.

What are reasonable fraud prevention procedures?

The Guidance sets out examples of reasonable fraud prevention procedures, but notes that the onus will remain on the relevant organisation, where it seeks to rely on the defence, to prove that it had reasonable prevention procedures in place (or that it was unreasonable to expect it to have such procedures). The standard of proof is on the balance of probabilities and it will be at the court’s determination as to whether an organisation did have reasonable prevention procedures in place to prevent fraud, with consideration to the context, facts and circumstances of that specific case.

The Guidance advises that the fraud prevention measures put in place should be designed and implemented with the organisation’s structure and the territoriality of the offence in mind. The reasonableness of procedures should take account of the level of control, proximity and supervision the organisation is able to exercise over a particular person acting on its behalf.

The Guidance

Principle: Top Level Commitment

Action: Senior management, specifically those charged with governance of the organisation, is expected to demonstrate active and visible leadership in fraud prevention. This can be achieved through:

  • Communication and endorsement of the organisation’s stance on preventing fraud, including mission statements.
  • Ensuring that there is clear governance across the organisation in respect of the fraud prevention framework.
  • Commitment to training and resourcing.
  • Leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices.

Principle: Risk Assessment

Action: Risk assessments will be key to identifying any potential areas within the organisation that could be exposed to fraudulent activity and are guided to be reviewed every two years as a minimum.

Assessing those who qualify as “associated persons” for the purpose of the offence provides a good foundation to then adopt the three elements that could lead to fraudulent activity:

  1. Opportunity
  2. Motive
  3. Rationalisation

Reviewing internal data analytics, audits, sector specific information and any regulated enforcement action are also key to risk assessing. Testing of risks in emergency scenarios and having a classification of risks by its likelihood and impact are also detailed in the Guidance.

Principle: Proportionate risk‑based fraud prevention procedures

Action: It is essential that fraud prevention procedures are tailored to the specific risks and structure of your organisation. These procedures should be risk‑based and proportionate, reflecting the degree of control and oversight the organisation has over individuals acting on its behalf.

Where it is determined that implementing specific measures in response to a particular risk is not reasonable, this decision should be clearly documented, including the name and position of the individual who conducted the review and made the determination.

The Guidance notes that it is not necessary or desirable for organisations to duplicate existing work. Equally, it would not be a suitable defence to state that because the organisation is regulated, its compliance processes under existing regulations would automatically qualify as “reasonable procedures”; a balance must be struck.

An organisation must also consider how to reduce the opportunities for fraud, to reduce the motive for fraud and to put in place consequences for committing fraud. Furthermore, the Guidance sets out that organisations should consider how to reduce the rationalisation of fraudulent behaviour, where over time, “one‑off” frauds may become normalised as people rationalise certain behaviours, such as other businesses also acting a certain way.

Testing is also identified as a means to evaluate the effectiveness of the fraud prevention measures.

Principle: Due Diligence

Action: Relevant due diligence should be conducted on any “associated persons”, which could include third‑party risk management tools, professional regulated status, vetting checks and review of contracts for agents.

Principle: Communication

Action: A strong, visible endorsement of fraud prevention policies is essential for setting the tone across the organisation. This should be supported by tailored training, with attendance records maintained. There should be a culture that promotes openness and transparency, encouraging staff to report any suspected fraudulent activity, including through appropriate whistleblowing processes. Together, these measures strengthen the organisation’s ability to detect and respond to fraud risks effectively.

Principle: Monitoring and Review

Action: Regular monitoring of financial controls, tracking attendance at fraud prevention training, updating internal procedures and periodically reviewing contracts with associated persons all help organisations proactively identify and address emerging fraud risks.

What if we are sanctioned?

On summary or indictment conviction, the organisation can receive a fine (and there is of course likely to be reputational damage also).

For the specific associated persons who are caught committing an underlying fraud offence, they could be personally prosecuted, which could result in fines, criminal records and potential imprisonment depending on the offence and its severity.

What are some examples relevant for asset managers?

Two examples are provided in the Guidance in relation to investments:

  • Example 1: A large company is seeking investments. The accounting department deliberately manipulates the accounts to over‑state the profits. The intent of the fraud is to benefit the company by making it appear more attractive to investors. The base fraud here is fraud by false accounting and the associated person is the relevant employee (or employees) in the accounts department. The company could be prosecuted under section 199(1)(a) and could be liable for failure to prevent fraud, unless the court determines that it had reasonable procedures in place to prevent such a fraud. Note that the offence applies even if potential investment is not actually secured. It is enough that the fraud was intended to benefit the company.
  • Example 2: An investment fund provider promotes investment in a “sustainable” timber company, knowing that, in fact, this company’s environmental credentials are fabricated and that the timber is harvested from protected forest. Investors are deceived into placing funds with the investment fund provider. The base fraud is fraud by false representation. The intent is to benefit the fund provider. The associated person is the relevant member of staff at the investment fund provider who knowingly used the false information in the investment fund’s brochures for clients. The investment fund provider could be liable under section 199(1)(a) unless a court determines that it had reasonable procedures in place to prevent this fraud. Again, the offence applies even if the investment is not actually secured. It is enough that the fraud was intended to benefit the investment fund provider.