Prevent fraud in your organisation: ECCTA compliance

Since 1 September 2025, large organisations face a new corporate criminal offence for failing to prevent fraud under Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

This offence follows the same model as the failure to prevent bribery offence under Section 7 of the Bribery Act 2010. Where an associated person commits a specified fraud offence intending to benefit the organisation, the organisation itself is criminally liable — unless it can prove it had reasonable fraud prevention procedures in place.

This guide explains who is affected, what triggers the offence, and the steps you need to take to build the defence.

Who is affected

The offence applies only to large organisations that meet minimum size thresholds:

ECCTA failure to prevent fraud size thresholds

Size criteria determining which organisations are subject to the Section 199 failure to prevent fraud offence.

The failure to prevent fraud offence under Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) applies only to large organisations. An organisation is in scope if it meets at least two of the following three conditions at the time the fraud offence is committed:

Employee threshold: More than 250 employees
Turnover threshold: More than £36 million annual turnover
Total assets threshold: More than £18 million total assets
Criteria required: Must meet at least 2 of the 3 thresholds
Effective date: 1 September 2025 (applies to conduct on or after this date)
Maximum penalty: Unlimited fine

Who counts as an organisation: Companies, partnerships, and other bodies corporate, whether incorporated in the UK or carrying on business (or part of a business) in the UK. Subsidiaries of large groups may be in scope if the group meets the thresholds.

Small and medium businesses: Not directly caught by this offence. However, SMEs acting as agents, contractors, or service providers to large organisations may be the "associated persons" whose fraudulent conduct triggers liability for the larger body.

What triggers the offence

Your organisation is liable if an associated person commits a specified fraud offence intending to benefit the organisation. It does not matter whether senior management knew about or authorised the fraud. The liability is strict unless you can prove the defence.

An "associated person" is anyone who performs services for or on behalf of your organisation, including employees, agents, subsidiaries, consultants, contractors, and intermediaries. The test is whether the person is acting in a capacity connected to your organisation — an employee committing fraud in a purely personal capacity outside work would not trigger the offence.

Specified fraud offences under ECCTA Section 199

The list of fraud offences that can trigger corporate liability under the failure to prevent fraud provisions.

The organisation is liable where an associated person — an employee, agent, subsidiary, or other person performing services for or on behalf of the organisation — commits one of the following fraud offences intending to benefit the organisation or its clients:

Fraud by false representation: Fraud Act 2006, Section 2
Fraud by failing to disclose information: Fraud Act 2006, Section 3
Fraud by abuse of position: Fraud Act 2006, Section 4
Obtaining services dishonestly: Fraud Act 2006, Section 11
Participation in fraudulent business: Companies Act 2006, Section 993
False accounting: Theft Act 1968, Section 17
False statements by company directors: Theft Act 1968, Section 19
Cheating the public revenue: Common law offence

Key point: The organisation does not need to have known about or authorised the fraud. Liability is strict unless the defence of reasonable prevention procedures applies. The associated person must have intended to benefit the organisation (or a person to whom services are provided on behalf of the organisation).

The defence: reasonable prevention procedures

The only defence is proving that your organisation had reasonable fraud prevention procedures in place at the time of the offence. The Home Office statutory guidance sets out six principles your procedures should follow:

Six principles for fraud prevention procedures (ECCTA)

The Home Office statutory guidance principles for reasonable fraud prevention procedures that form the only defence to the Section 199 offence.

The only defence to a charge under Section 199 is proving that the organisation had reasonable fraud prevention procedures in place at the time of the offence. The Home Office has published statutory guidance setting out six principles that these procedures should follow. These mirror the "adequate procedures" framework under the Bribery Act 2010.

Principle 1: Top-level commitment: Board and senior management must foster a culture of honesty and fraud prevention
Principle 2: Risk assessment: Assess the nature and extent of exposure to fraud risk, including from associated persons
Principle 3: Proportionate risk-based prevention procedures: Policies and controls must be proportionate to the risks identified
Principle 4: Due diligence: Risk-based checks on persons who perform services for or on behalf of the organisation
Principle 5: Communication and training: Fraud prevention policies must be communicated effectively with appropriate staff training
Principle 6: Monitoring and review: Procedures must be monitored, reviewed, and improved as necessary

Proportionality: What is "reasonable" depends on the organisation's size, nature, and complexity. The procedures must be genuinely implemented, not merely documented. They are assessed at the time the fraud occurred — procedures cannot be implemented retrospectively.

Building on existing compliance: Organisations with mature anti-bribery compliance programmes under the Bribery Act 2010 may be able to extend their existing risk assessments, training, and due diligence to cover fraud prevention.

Building your fraud prevention programme

If you already have compliance procedures under the Bribery Act 2010, you have a strong foundation. The six ECCTA fraud prevention principles closely mirror the Bribery Act's "adequate procedures" framework. However, you will need to extend your programme specifically to cover fraud risks:

Broaden your risk assessment — bribery risk assessments focus on corruption; fraud risk assessments must also cover false accounting, misrepresentation, abuse of position, and dishonest service obtaining
Review your associated persons — identify everyone performing services for your organisation and assess their fraud risk, not just their bribery risk
Update training content — ensure staff understand what fraud offences look like (not just bribery), how to recognise red flags, and how to report concerns
Strengthen financial controls — false accounting and revenue fraud require different controls from bribery, including segregation of duties, reconciliation procedures, and management oversight

If you do not have an existing compliance programme, start with a documented fraud risk assessment and work through each of the six principles proportionately to your organisation's size and complexity.

What happens if you are investigated

Prosecution is led by the Serious Fraud Office (SFO) or the Crown Prosecution Service (CPS). An organisation convicted of the offence faces an unlimited fine.

Individual directors or officers who consent to, connive in, or are negligent about the underlying fraud can also face personal criminal prosecution under separate provisions.

In practice, the SFO may offer a deferred prosecution agreement (DPA) if the organisation self-reports, cooperates fully, and implements robust remediation. Early engagement with legal counsel is critical if fraud is discovered.

Prevent fraud in your organisation: ECCTA compliance

Persons with Significant Control (PSC) register requirements

Fire safety duties for Northern Ireland businesses

Fire safety duties for Scottish businesses

Set up a limited company

Creditor priority in company insolvency

Who is affected

What triggers the offence

The defence: reasonable prevention procedures

Building your fraud prevention programme

What happens if you are investigated

Official guidance

Related guides in Compliance & Legal

Who is affected

What triggers the offence

The defence: reasonable prevention procedures

Building your fraud prevention programme

What happens if you are investigated

Official guidance