UK-wide

Since 1 September 2025, large organisations face a new corporate criminal offence for failing to prevent fraud under Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

This offence follows the same model as the failure to prevent bribery offence under Section 7 of the Bribery Act 2010. Where an associated person commits a specified fraud offence intending to benefit the organisation, the organisation itself is criminally liable — unless it can prove it had reasonable fraud prevention procedures in place.

This guide explains who is affected, what triggers the offence, and the steps you need to take to build the defence.

Who is affected

The offence applies only to large organisations that meet minimum size thresholds:

What triggers the offence

Your organisation is liable if an associated person commits a specified fraud offence intending to benefit the organisation. It does not matter whether senior management knew about or authorised the fraud. The liability is strict unless you can prove the defence.

An "associated person" is anyone who performs services for or on behalf of your organisation, including employees, agents, subsidiaries, consultants, contractors, and intermediaries. The test is whether the person is acting in a capacity connected to your organisation — an employee committing fraud in a purely personal capacity outside work would not trigger the offence.

The defence: reasonable prevention procedures

The only defence is proving that your organisation had reasonable fraud prevention procedures in place at the time of the offence. The Home Office statutory guidance sets out six principles your procedures should follow:

Building your fraud prevention programme

If you already have compliance procedures under the Bribery Act 2010, you have a strong foundation. The six ECCTA fraud prevention principles closely mirror the Bribery Act's "adequate procedures" framework. However, you will need to extend your programme specifically to cover fraud risks:

  • Broaden your risk assessment — bribery risk assessments focus on corruption; fraud risk assessments must also cover false accounting, misrepresentation, abuse of position, and obtaining services dishonestly
  • Review your associated persons — identify everyone performing services for your organisation and assess their fraud risk, not just their bribery risk
  • Update training content — ensure staff understand what fraud offences look like (not just bribery), how to recognise red flags, and how to report concerns
  • Strengthen financial controls — false accounting and revenue fraud require different controls from bribery, including segregation of duties, reconciliation procedures, and management oversight

If you do not have an existing compliance programme, start with a documented fraud risk assessment and work through each of the six principles proportionately to your organisation's size and complexity.

What happens if you are investigated

Prosecution is led by the Serious Fraud Office (SFO) or the Crown Prosecution Service (CPS). An organisation convicted of the offence faces an unlimited fine.

Individual directors or officers who consent to, connive in, or are negligent about the underlying fraud can also face personal criminal prosecution under separate provisions.

In practice, the SFO may offer a deferred prosecution agreement (DPA) if the organisation self-reports, cooperates fully, and implements robust remediation. Early engagement with legal counsel is critical if fraud is discovered.