Reactive (response to change)

New corporate fraud offence takes effect 1 September 2025: what your business must do

From 1 September 2025, large organisations face a new criminal offence for failing to prevent fraud under the Economic Crime and Corporate Transparency Act 2023. This editorial explains who is affected, what the offence covers, the six-principle defence framework, and what steps businesses must take.

Change event: Failure to prevent fraud offence under ECCTA in effect from 1 September 2025 Effective 1 September 2025

Related guidance

What is changing

Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces a new corporate criminal offence of failure to prevent fraud. The offence came into force on 1 September 2025.

This follows the same model as the failure to prevent bribery offence under Section 7 of the Bribery Act 2010. Where an associated person commits a specified fraud offence intending to benefit the organisation, the organisation itself is criminally liable — unless it can prove it had reasonable fraud prevention procedures in place.

Legislation
Economic Crime and Corporate Transparency Act 2023, Section 199
Effective date
1 September 2025
Maximum penalty
Unlimited fine
Employee threshold
More than 250 employees
Turnover threshold
More than £36 million
Total assets threshold
More than £18 million
Defence
Reasonable fraud prevention procedures based on six Home Office principles

Who is affected

The offence applies to large organisations that meet at least two of the following three conditions:

  • more than 250 employees
  • more than £36 million turnover
  • more than £18 million total assets

This includes companies, partnerships, and other bodies corporate, whether incorporated in the UK or operating here. Subsidiaries of large groups are also in scope if the group itself meets the thresholds.

Small and medium businesses are not directly caught by this offence. However, SMEs that act as agents, contractors, or service providers to large organisations may be the "associated persons" whose fraudulent conduct triggers liability for the larger body.

What the offence covers

The organisation is liable where an associated person — an employee, agent, subsidiary, or other person performing services for or on behalf of the organisation — commits a specified fraud offence with the intention of benefiting the organisation (or its clients).

Specified fraud offences include:

  • fraud by false representation (Fraud Act 2006, s.2)
  • fraud by failing to disclose information (Fraud Act 2006, s.3)
  • fraud by abuse of position (Fraud Act 2006, s.4)
  • obtaining services dishonestly (Fraud Act 2006, s.11)
  • participation in a fraudulent business (Companies Act 2006, s.993)
  • false accounting (Theft Act 1968, s.17)
  • false statements by company directors (Theft Act 1968, s.19)
  • fraudulent trading (Companies Act 2006, s.993)
  • cheating the public revenue (common law)

It does not matter whether the organisation knew about or authorised the fraud. Liability is strict unless the defence of reasonable procedures applies.

The six principles defence

The only defence is proving that the organisation had reasonable fraud prevention procedures in place at the time of the offence. The Home Office has published statutory guidance setting out six principles that these procedures should follow:

  • Top-level commitment — the board and senior management must foster a culture of honesty and fraud prevention
  • Risk assessment — the organisation must assess the nature and extent of its exposure to fraud risk, including from associated persons
  • Proportionate risk-based prevention procedures — policies and controls must be proportionate to the risks identified
  • Due diligence — risk-based checks on persons who perform services for or on behalf of the organisation
  • Communication and training — fraud prevention policies must be communicated effectively, with appropriate training for staff
  • Monitoring and review — procedures must be monitored, reviewed, and improved as necessary

These six principles mirror the "adequate procedures" framework under the Bribery Act 2010. Organisations that already have mature anti-bribery compliance programmes may be able to extend them to cover fraud prevention.

Penalties

An organisation convicted of failure to prevent fraud faces an unlimited fine. The Sentencing Council will consider the seriousness of the fraud, any gain to the organisation, the harm caused, and whether the organisation cooperated with the investigation.

Individual directors or officers who consent to, connive in, or are negligent about the fraud can also face personal criminal prosecution under separate provisions.

What you need to do

If your organisation meets the size thresholds, you should:

  • Conduct a fraud risk assessment — identify where fraud risks arise across your operations, supply chain, and associated persons
  • Review existing compliance programmes — if you have anti-bribery or anti-money laundering procedures, assess whether they adequately cover fraud prevention
  • Develop or update fraud prevention policies — document your procedures in line with the six Home Office principles
  • Train your staff — ensure employees and agents understand the fraud risks relevant to their roles and how to report concerns
  • Establish reporting channels — put in place confidential whistleblowing arrangements so concerns can be raised safely
  • Document everything — keep records of your risk assessments, policies, training, and due diligence to evidence the defence if needed

Building on your Bribery Act compliance

The failure to prevent fraud offence follows the same structural model as the Bribery Act 2010 Section 7 offence. If your organisation already has a Bribery Act compliance programme, you can use it as a foundation — extend your risk assessments, training, and due diligence procedures to cover fraud as well as bribery.

Related updates