HFW Corporate Bitesize

Corporate Bitesize: ECCTA – Failure to prevent fraud

Briefing
09 January 2025

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) contains the new failure to prevent fraud offence which comes into force on 1 September 2025, giving organisations affected time to get their internal practices, policies and procedures in place.

What is the failure to prevent fraud offence?

Organisations, which include all UK companies, limited liability partnerships and partnerships, may now be held criminally liable where an employee, agent, subsidiary or other “associated” person commits a base fraud offence intending to benefit the organisation or a person to whom the associate provides services on behalf of the organisation. It does not need to be shown that the organisation’s senior management or directors ordered or even knew about the fraud. An organisation will not commit the offence if it is the intended victim of the fraud.

Who does it apply to?

The offence applies to large, incorporated bodies and partnerships including co-operatives, LLPs and organisations incorporated by Royal Charter and Statute (e.g. NHS Trusts). The offence only applies to a “large organisation” (the relevant body) i.e. one that meets at least two of the following three criteria:

  • More than 250 employees
  • More than £36 million turnover
  • More than £18 million in total assets.

These conditions apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located. LLP networks, supply chain companies and franchises are not included in this calculation. 

What is an associated person?

Under the legislation the base fraud offence must be committed by a person “associated with the relevant body”. An employee, agent or a subsidiary of the organisation for whom the benefit is intended is automatically an “associated person” for the purposes of this offence. A person who provides services for or on behalf of the relevant body is also an associated person while they are providing those services. The corporate offence can only take place if the person commits the base offence whilst acting in the capacity of an associated person. If the person commits the fraud in another capacity, for example in their personal life, this does not give rise to corporate liability.

What does “intending to benefit” mean?

A relevant body does not need to receive any benefit from the fraud. It is enough that the relevant body was intended to be the beneficiary. The intention to benefit the organisation does not need to be the sole or dominant motivation for the fraud; it could be secondary to the fraudsters’ primary motivation to benefit themselves. The benefit may be financial or non-financial e.g. a fraud to obtain an unfair business advantage would be in the scope of the offence. The benefit could also be for the client of the large organisation, to whom the associated person provides services for, or on behalf of, the organisation.

What is the territorial scope of the offence?

The offence will only apply where the associated person commits a base fraud offence under the law of part of the UK. This requires a UK nexus i.e. one of the acts connected to the underlying fraud must take place in the UK, or the gain or loss must occur in the UK. If a UK-based employee commits fraud, the employing organisation could be prosecuted wherever it is based. Likewise, if an employee or associated person of an overseas-based organisation commits fraud in the UK, or targets victims in the UK, the organisation could be prosecuted.

The offence does not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus.

What sorts of fraud does the offence cover?

The offence applies to a number of specific fraud offences listed in Schedule 13 of the ECCTA (base fraud offences). These include fraud by false representation, obtaining services dishonestly, participation in a fraudulent business, false accounting, fraudulent trading and cheating the public revenue. Aiding, abetting, counselling or procuring the commission of any of the base fraud offences would also qualify as a fraud offence.

What if the associated person is not prosecuted for the base fraud offence?

Relevant bodies can be prosecuted so long as the associated person’s conduct constitutes a base fraud offence. This is the case even if the associated person is prosecuted for an alternative offence or is not prosecuted at all. If the associated person is not prosecuted at all then the prosecution must prove, to a criminal standard, that the associated person did commit the base fraud offence before the organisation can be convicted of failure to prevent fraud.

What are the penalties on conviction?

If convicted, organisations can face an unlimited fine.

Are there any defences?

Relevant bodies will have a defence if they have reasonable procedures in place to prevent fraud, or if they can demonstrate to the court that it was not reasonable to expect the organisation to have any prevention procedures in place. The onus will be on the organisation to prove on the balance of probabilities that it had reasonable procedures in place at the time the fraud was committed.

Where can someone find further guidance on what an organisation can do to protect itself?

The Home Office published guidance on the offence which goes into what it considers to be reasonable fraud prevention procedures. It states that an organisation’s fraud prevention framework should be informed by six principles namely:

  • Top level commitment
  • Risk assessment
  • Proportionate risk-based prevention procedures
  • Due diligence
  • Communication (including training)
  • Monitoring and review.

These principles are intended to be flexible and outcome-focussed, allowing for the huge variety of organisations that come under the new offence. The guidance goes into detail on what each of the principles means.

What should organisations do now?

It is important that organisations check whether they come under this new legislation and ensure they are prepared when it comes into force on 1 September 2025. Specific actions to take include: looking at the profile of the organisation, identifying the structure and all associated persons, conducting a risk assessment in accordance with each of the listed fraud offences relevant to their business activities and ensuring that any existing policies and procedures are updated to reflect the new offence.

For further advice on whether your organisation may be affected and proactive steps you can take to ensure compliance, please contact one of the authors below.