THE FAILURE TO PREVENT FRAUD OFFENCE: UNDERSTANDING CORPORATE LIABILITY UNDER ECCTA 2023
1. INTRODUCTION
The United Kingdom's Economic Crime and Corporate Transparency Act, 2023 (“ECCTA”), which came into force on December 26, 2023, has introduced a new corporate offence of Failure to Prevent Fraud (“FTPF Offence”), which came into effect on September 1, 2025.
Broadly stated, under the FTPF Offence, a “large organisation”[1] may be criminally liable where an employee, agent, subsidiary or other associated person commits a fraud intended to directly or indirectly benefit the organisation (“Relevant Body”), unless the Relevant Body is able to establish that, at the time the fraud was committed, it had reasonable and proportionate fraud prevention procedures in place.
Crucially, the FTPF Offence has a broad reach and applies to body corporates and their subsidiaries wherever they may be incorporated, as long as there exists a United Kingdom (“UK”) nexus. As such, the FTPF Offence has far-reaching extra-territorial implications.
The FTPF Offence marks a significant shift in the regulatory framework concerning corporate criminal liability for fraud offences, placing a direct obligation upon large organisations to proactively prevent fraud by persons employed and/or associated with them. The stricter corporate liability under the FTPF Offence increases the risk of penalties and reputational damage to global organisations in case of non-compliance, and necessitates the implementation of proactive fraud prevention measures, not only to avoid fraud offences, but also to shield the Relevant Body against liability under the offence.
2. LEGAL FRAMEWORK
Sections 199 – 206 of the ECCTA provide for the legal framework for the FTPF Offence (“FTPF Framework”). The key components are as follows:
- An FTPF Offence can be committed only by the Relevant Body which qualifies as a large organisation.
- The FTPF Offence applies to incorporated bodies and partnerships (including Scottish partnerships and Limited Partnerships), but not to unincorporated organisations other than partnerships.
- Such a Relevant Body is guilty of the FTPF Offence when a person who is associated with it (“Associated Person”) commits fraud intending to directly or indirectly benefit the Relevant Body or any persons to whom such Associated Person provides services on behalf of the organisation. Therefore, where the fraud benefited or was intended to benefit the clients to whom the Associated Person provides services for and on behalf of the Relevant Body, the FTPF Offence would apply. Critically, the Associated Person need not be convicted of the Base Fraud Offence (defined below) for the Relevant Body to be liable; it is sufficient that the fraud occurred.
- The benefit need not be financial in nature and may also be non-financial. For example, a fraud intended to confer an unfair business advantage would also fall within the scope of the FTPF Offence. However, where the Relevant Body is a victim or the intended victim of the fraud, there would be no liability under the FTPF Framework.
- An employee, agent or subsidiary undertaking of the Relevant Body is automatically an “Associated Person.” Furthermore, any other person providing services for and on behalf of the Relevant Body would also qualify as an Associated Person for the duration during which they continue to provide the services. This includes contractors, consultants, and service providers, creating broad exposure for the Relevant Body relying on external parties.
- The FTPF Offence applies to a number of offences specified under Schedule 13 of the ECCTA (“Base Fraud Offence”) which can be committed by an Associated Person as stated above. The listed offences include statutory offences of fraud, false accounting, false statements by company directors, fraudulent trading, and common law offences of cheating public revenue. Aiding, abetting, counselling or procuring the commission of any of the listed fraud offences also qualify as a Base Fraud Offence.
- Pertinently, the FTPF Framework contemplates strict liability upon the Relevant Body and it does not need to be established whether directors or senior managers of the Relevant Body ordered or knew about the fraud.
- Liability under the FTPF Offence can be mitigated if the organisation can demonstrate that at the time of the occurrence of the offence, “reasonable” and “proportionate” fraud prevention mechanisms were in place. To demonstrate compliance with the “reasonable procedures” requirement under the FTPF Framework, organisations must build their fraud prevention efforts around six core principles: (i) Proportionality; (ii) Due diligence; (iii) Top-level commitment; (iv) Training and communication; (v) Risk assessment; and (vi) Monitoring and review. These principles offer a foundation for sound governance and should serve as a guide for internal accountability.
- Upon conviction under the FTPF Offence pursuant to a criminal prosecution, the Relevant Body can receive a fine. Notably, there is no capping on the possible fines that may be levied, and the courts may take into account all surrounding circumstances when deciding the appropriate level of fines for a particular case. Beyond financial penalties, the Relevant Body may face serious collateral consequences, including debarment from public procurement, loss of licenses, mandatory compliance monitoring, and significant reputational harm affecting investor and client confidence.
3. EXTRA-TERRITORIAL APPLICATION
The FTPF Offence also applies to bodies incorporated and partnerships formed outside the UK; however, what is crucial to establishing liability under the FTPF Framework is that fraud must have a UK nexus.
As per the guidance issued by the UK Government on the FTPF Framework[2] (“FTPF Guidance”), the FTPF Offence will only apply where the Base Fraud Offence committed by the Associated Person has a UK nexus, which means that at least one of the acts that was part of the underlying fraud took place in the UK or that the gain or loss occurred in the UK. To illustrate, if the sales director of an Indian technology company with no physical presence in the UK submits falsified product certifications to win a contract with a UK-based financial services firm, then even though the fraud was entirely committed from India, the FTPF Framework could apply because: (i) the victim/client is located in the UK, and (ii) the financial loss occurred in the UK when the client paid for services based on false representations. The Indian parent company could face prosecution under the FTPF Framework if it cannot demonstrate that reasonable fraud prevention procedures were in place.
Therefore, the FTPF Offence will not apply to a Relevant Body incorporated in the UK whose overseas employees, subsidiaries, or associated persons commit fraud with no UK nexus. However, if a UK-based employee commits fraud, the employing Relevant Body could be prosecuted, regardless of where the Relevant Body is based.
On the other hand, the FTPF Guidance clarifies that if an employee or an Associated Person of an overseas-based Relevant Body commits fraud in the UK or targets victims/clients in the UK, such Relevant Body could be prosecuted for the offence. Examples of UK nexus include fraudulent invoices sent from the UK, payments processed through UK bank accounts, or victims located in the UK.
Furthermore, the FTPF Framework also contemplates that the FTPF Offence would be applicable to an overseas Relevant Body even if no part of the Base Fraud Offence took place in the UK, as long as there is actual gain or loss on account of the same in the UK. It is noteworthy that, as per the FTPF Guidance, in such a scenario, a UK nexus would exist only if there is actual gain or loss and not just intended gain or loss.
Thus, under the FTPF Framework, even though the Relevant Body may be incorporated or based outside the UK or the fraud may have been committed outside the UK, if there is a UK nexus, the FTPF Offence could be triggered.
4. NAVIGATING THE STRINGENT LIABILITY UNDER THE FTPF OFFENCE
Given the extraterritorial application to a Relevant Body outside the UK, it is essential to ensure that such a Relevant Body can sufficiently and effectively navigate the specific requirements under the FTPF Framework.
The stringent and onerous impact of the FTPF Offence on a Relevant Body necessitates a prompt, exhaustive, and proactive approach to fraud prevention as opposed to a mere reactive approach. To this end, it is imperative for a Relevant Body to have robust, reasonable, and proportionate fraud prevention procedures and frameworks in place.
While the test of “reasonableness” may vary on a case-to-case basis, any fraud prevention framework must be informed by certain principles to ensure mitigation of any possible liability. To that end, any fraud prevention framework must formally articulate commitment from the senior management towards fraud prevention, as well as have clear governance across the Relevant Body in respect of the same.
This may include articulating policies or a code of practice on fraud prevention, highlighting key fraud prevention procedures, listing key individuals and/or departments involved in implementing the fraud prevention procedures, and articulating consequences to the Associated Person for breaching the policy on fraud, for example, incorporating relevant clauses in the contracts. A Relevant Body should also implement clear whistleblowing channels and ensure protection for those reporting suspected fraud.
Senior management should be involved in the development and implementation of fraud prevention measures, or this may also be delegated to heads of ethics and compliance committees. There should be designated responsibilities in place with regard to, inter alia, scanning for new fraud risks, approving risk assessments, implementing disciplinary measures for breaches, fraud investigations, monitoring and review of the framework, whistleblowing, reporting and escalation routes.
There should be a commitment to conducting training and resource allocations. A Relevant Body should allocate adequate funding for new technology and due diligence tools, as well as undertake third-party due diligence. Risk-based due diligence is particularly critical when engaging new contractors, agents, or entering joint ventures.
Fraud prevention measures should be proportionate to the Relevant Body's size, complexity and risk profile. Regular training should be provided, especially with respect to fraud risks, business benefits of rejecting fraud (reputational, customer and business partner confidence), and due diligence. Training should be tailored to specific roles and risk exposure levels. Furthermore, the procedures must be regularly tested, reviewed and updated to address emerging fraud typologies and regulatory developments.
5. CONCLUSION
The introduction of the FTPF Offence under the ECCTA marks a significant shift in corporate liability. Not only does the FTPF Offence impose strict liability regardless of the senior management's knowledge of fraud, but crucially, its broad extra-territorial reach means that even a non-UK-based Relevant Body must adhere to its provisions if a UK nexus exists in the underlying fraud. Navigating this stringent regulatory environment necessitates more than mere compliance.
The FTPF Framework creates several immediate practical challenges for a Relevant Body:
- Scope uncertainty: It requires careful analysis to determine which third-party relationships constitute “providing services on behalf of” the Relevant Body.
- Documentation burden: Maintaining evidence of “reasonable procedures” necessitates comprehensive records of risk assessments, training, and oversight activities.
- Cross-border complexity: A multinational Relevant Body must ensure fraud prevention measures extend to all jurisdictions with a potential UK nexus.
- Resource allocation: A smaller Relevant Body (just meeting the threshold) may face disproportionate compliance costs.
A Relevant Body must now proactively ensure that robust and proportionate fraud prevention procedures are in place, failing which it risks onerous fines and reputational damage. By embedding the six core principles as stated above, including top-level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, training and regular monitoring, organisations, both domestic and global, can protect themselves against severe financial penalties and reputational damage in an increasingly regulated international business landscape. A Relevant Body should conduct gap analysis against the FTPF Framework requirements immediately and establish ongoing compliance monitoring to adapt to enforcement trends as they develop.
Footnotes
1. CMS IndusLaw: In order to qualify as a “large organisation”, the Relevant Body must satisfy at least 2 (two) out of the following 3 (three) criteria, in the financial year preceding the year in which the offence was committed, viz. (1) More than 250 (two hundred and fifty) Employees, (2) Turnover of more than GBP 36 (thirty-six) million and (3) Total assets being more than GBP 18 (eighteen) million.
2. Home Office, UK Government (November 2024), Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud. Available at: https://www.gov.uk/government/publications/offence-of-failure-to-prevent-fraud-introduced-by-eccta