Guide
Prevent fraud in your organisation: ECCTA compliance
How to comply with the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Covers who is in scope, what fraud offences trigger liability, and how to build the six-principle defence.
Large organisations must have fraud prevention procedures in place by 1 September 2025. This applies if you have over 250 employees or £36 million turnover. You must follow six principles to avoid fines if an employee commits fraud.
- Check if your organisation meets size thresholds (250+ staff or £36m+ turnover)
- Have fraud prevention procedures in place before 1 September 2025
- Follow six principles: commitment, risk assessment, proportionate controls, due diligence, training, and monitoring
- Cover fraud types like fake accounting, misuse of position, and lying to clients
- Assess fraud risks from employees, contractors, and agents
- Extend existing anti-bribery policies to include fraud prevention
- Fines are unlimited if fraud occurs and you lack reasonable procedures
- Procedures must be active at time of fraud, not added later
Since 1 September 2025, large organisations face a new corporate criminal offence for failing to prevent fraud under Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA).
This offence follows the same model as the failure to prevent bribery offence under Section 7 of the Bribery Act 2010. Where an associated person commits a specified fraud offence intending to benefit the organisation, the organisation itself is criminally liable — unless it can prove it had reasonable fraud prevention procedures in place.
This guide explains who is affected, what triggers the offence, and the steps you need to take to build the defence.
Who is affected
The offence applies only to large organisations that meet minimum size thresholds:
What triggers the offence
Your organisation is liable if an associated person commits a specified fraud offence intending to benefit the organisation. It does not matter whether senior management knew about or authorised the fraud. The liability is strict unless you can prove the defence.
An "associated person" is anyone who performs services for or on behalf of your organisation, including employees, agents, subsidiaries, consultants, contractors, and intermediaries. The test is whether the person is acting in a capacity connected to your organisation — an employee committing fraud in a purely personal capacity outside work would not trigger the offence.
The defence: reasonable prevention procedures
The only defence is proving that your organisation had reasonable fraud prevention procedures in place at the time of the offence. The Home Office statutory guidance sets out six principles your procedures should follow:
Building your fraud prevention programme
If you already have compliance procedures under the Bribery Act 2010, you have a strong foundation. The six ECCTA fraud prevention principles closely mirror the Bribery Act's "adequate procedures" framework. However, you will need to extend your programme specifically to cover fraud risks:
- Broaden your risk assessment — bribery risk assessments focus on corruption; fraud risk assessments must also cover false accounting, misrepresentation, abuse of position, and obtaining services dishonestly
- Review your associated persons — identify everyone performing services for your organisation and assess their fraud risk, not just their bribery risk
- Update training content — ensure staff understand what fraud offences look like (not just bribery), how to recognise red flags, and how to report concerns
- Strengthen financial controls — false accounting and revenue fraud require different controls from bribery, including segregation of duties, reconciliation procedures, and management oversight
If you do not have an existing compliance programme, start with a documented fraud risk assessment and work through each of the six principles proportionately to your organisation's size and complexity.
What happens if you are investigated
Prosecution is led by the Serious Fraud Office (SFO) or the Crown Prosecution Service (CPS). An organisation convicted of the offence faces an unlimited fine.
Individual directors or officers who consent to, connive in, or are negligent about the underlying fraud can also face personal criminal prosecution under separate provisions.
In practice, the SFO may offer a deferred prosecution agreement (DPA) if the organisation self-reports, cooperates fully, and implements robust remediation. Early engagement with legal counsel is critical if fraud is discovered.