Gain critical insights into modern slavery and human rights challenges in global supply chains, and discover strategies to strengthen compliance and mitigate risks for 2025 and beyond. 

TPRM ramifications of the UK’s Failure to Prevent Fraud Offence

The United Kingdom’s Economic Crime and Corporate Transparency Act 2023 (ECCTA), designed to bolster the country’s defences against economic crime, demands a more detailed approach to third-party risk management. ECCTA aims to enhance transparency with initiatives like a beneficial ownership register for overseas entities owning UK property and strengthened unexplained wealth orders. It amplifies prosecutorial powers against threats to the financial system’s integrity, removes statutory defences for directors, and increases accountability.  

Before ECCTA, the state needed to prove that the directing mind and will of the company were engaged in criminal activity to hold the business directly accountable. This has now been replaced with a senior manager test, so that the activities of senior employees are directly attributed to the company.


Finally, a new failure to prevent fraud offence means that prosecutors only need to show a lack of reasonable procedures to prevent fraud to obtain further convictions. Essentially, ECCTA reframes the approach to fraud detection programmes. Rather than focusing only on protecting the company from falling victim to fraud, businesses need to focus on measures to prevent any direct or indirect benefit they receive from fraud.

Taken together, these changes (some of which are in force and some of which will come into force on 1 September 2025) materially heighten the risk for UK businesses, directors and senior leaders, as attendees of a recent Ethixbase360 webinar were told:

“These are some of the most fundamental changes of the risk of liability for corporate businesses that there has been in the last one hundred years.”
Harriet Territt, Partner at Global Investigations, Addleshaw Goddard 

Failure to Prevent Fraud Offence 

To mitigate ECCTA risk without adding unnecessary compliance tasks, it’s important to understand key aspects of ECCTA compliance, including ECCTA’s Failure to Prevent Fraud offence, which can be especially difficult to manage.

Designed to hold organisations accountable for fraud committed by their employees or associated persons, the offence allows organisations to be held liable when a ‘specified fraud offence’ is committed by an employee or associated person for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place.  

It has an incredibly broad scope, as it applies to a wide range of fraudulent activities committed by employees, agents, or subsidiaries for the organisation’s benefit. For any organisation with even a basic supply chain, policing third-party agents and subsidiaries is no small task. To achieve effective mitigation, there needs to be a significant cultural change that puts fraud prevention front of mind for every stakeholder. Any compliance programme needs to go beyond procedural changes and include a shift in mindset and behaviour.

Producing a cultural change, however, can be very challenging for companies, especially smaller ones, as the process tends to be resource-intensive and time-consuming.  

ECCTA takes a broad view of fraud compared to previous regulations, listing several ways associated persons can commit fraud (with equivalent offences in Scotland): 

  • Fraud by false representation (section 2, Fraud Act 2006) 
  • Fraud by failing to disclose information (section 3, Fraud Act 2006) 
  • Fraud by abuse of position (section 4, Fraud Act 2006) 
  • Obtaining services dishonestly (section 11, Fraud Act 2006) 
  • Participation in a fraudulent business (section 9, Fraud Act 2006) 
  • False statements by company directors (section 19, Theft Act 1968) 
  • False accounting (section 17, Theft Act 1968) 
  • Fraudulent trading (section 993, Companies Act 2006) 
  • Cheating the public revenue (common law) 

Under this expanded definition, dishonest sales practices, withholding crucial information from consumers or investors, or dishonest practices in financial markets can all be considered fraud. An example provided by Ms Territt is the case of a sales agent claiming the current price is the best offer possible and cannot be negotiated lower. If that agent knows this is not true when making the claim, this can be considered fraudulent. 

Organisations in Scope 

The Failure to Prevent Fraud offence in ECCTA targets large bodies corporate, subsidiaries, and partnerships across all sectors, including large not-for-profit organisations such as charities and incorporated public bodies. The Companies Act 2006 defines large organisations as those meeting two out of three criteria: 

  • 250+ employees 
  • £36 million+ turnover 
  • £18 million+ in total assets 

If the combined resources of a parent company and its subsidiaries meet the size threshold, they are considered in scope, and while smaller organisations are excluded, those supplying larger in-scope organisations will be impacted and will need to comply with ECCTA indirectly. 

The need for a cultural shift

Traditionally, companies have focused on fraud detection to avoid becoming victims. Compliance with ECCTA, however, demands an approach centered on ensuring the organisation does not benefit from fraudulent activities. 

Fraud detection now includes an ethical and moral element, suggesting a change of ownership for fraud detection within the organisation. The responsibility may be better suited for the ethics and compliance teams rather than the finance department. Ensuring employees understand what constitutes fraudulent practice requires a shift in corporate culture, mindset, and behaviour.  

‘Typically, fraud has been a risk owned by finance in most organisations. In our experience, this is starting to change, we’re focusing on helping companies refresh their fraud risk assessments and build fraud prevention procedures mostly now with heads of ethics and compliance.’ 

Ian Bennington, Partner – National Leader for Governance Risk and Compliance Services, BDO

Transparency is crucial—white lies, truth-bending, or omitting information can no longer be acceptable at any organisational level. This cultural shift demands consistent, clear modelling and communication from top leadership.

Preparing for implementation  

Proactive organisations have begun preparing for the Failure to Prevent Fraud offence well before the September deadline, and now that the guidance has been published, others are catching up. For those lagging behind, these points can help with the planning of a compliance strategy:

  • Risk Assessment 

The first step is to conduct a risk assessment of current processes to highlight weaknesses, gaps, and overlaps with other regulations.  

For a deeper understanding of the risk of fraud, the assessment should probe jurisdictional and industry risk, and detail what the third party (associate) does on behalf of the company. Are they involved in financial transactions, especially high-intensity or high-value transactions? Do they distribute goods or services, or make payments on the company’s behalf? These are all points that would flag high risk.

  • Leverage existing processes 

The Failure to Prevent Fraud offence is similar in some respects to other regulations, including the ‘failure to prevent bribery’ offence included in 2011 under the UK Bribery Act 2010 and the ‘failure to prevent facilitation of tax evasion’ offence under the Criminal Finances Act 2017. Leveraging these similarities can help to rationalise the integration process, but it’s crucial to understand key differences to ensure the updated compliance procedure covers all ECCTA obligations.

For example, the UK Bribery Act offers an adequate procedures defence while the Failure to Prevent Fraud offence has a reasonable procedures defence. Those reasonable procedures will need to be extended to all employees and associated persons throughout the supply chain. 

Adequate procedures: The company must show it had thorough and effective anti-bribery measures in place to avoid liability, even if bribery occurs. The focus is on the overall sufficiency and robustness of procedures. 

Reasonable procedures: Measures must be sensible and proportionate to the circumstances. This implies that actions taken are appropriate and fair, considering the company’s size, complexity, and risk profile. The focus is on practicality and proportionality. 

  • Risk-Based Approach 

Compliance teams are being asked to do more with less, and managers will be reluctant to add another compliance layer. However, the Act and the associated guidance for the Failure to Prevent Fraud offence provide less flexibility in terms of governance and responsibilities to prevent fraud, potentially requiring more resources. A risk-based approach can help manage costs, but it requires a detailed understanding of third-party risk to be effective. While key information may already be available through previous anti-corruption and bribery compliance efforts, a reputational assessment will add details relevant to fraud risk.

“The third parties that you’ve identified as being high risk from a bribery and corruption perspective or a financial crime perspective are probably going to be located in similar jurisdictions that you might consider to be high risk for fraud.” 

James Swenson, Managing Director, Enhanced Due Diligence, Ethixbase360  

Request details such as: 

  • Registration status 
  • Duration of operation 
  • Track record 
  • Previous and existing partnerships with other multinational companies 
  • Names of current and previous shareholders, leaders, and decision-makers 

Search for litigation and regulatory records in the jurisdictions where the company operates, and check media for adverse publicity. 

  • Risk Profiles 

With this information, construct a risk profile for each third-party relationship that will inform the level of due diligence required. While negative information is key, it’s also important to scan for information that may be missing. A lack of positive corporate relationships, for example, can indicate risk. 

Conclusion  

ECCTA makes detection of fraudulent activity within an organisation, its subsidiaries, employees and third parties a priority. Essentially, fraud is a dishonest act that someone has carried out, knowing that it’s wrong, with the intent to make a gain, either for themselves or for someone else, or to cause loss to another. Compliance processes can be adapted to include fraud detection; it is a matter of designing an appropriate workflow to find a balance between doing business and mitigating risk through robust third-party management.

Many companies may struggle to find that balance. Companies in scope will have extensive value chains with potentially thousands of employees and associated people, all incredibly challenging to police. It requires careful evaluation of their current risk assessment and due diligence capabilities to effectively manage and mitigate fraud risks, as well as a redefining of the understanding of fraud within the organisation. By proactively embracing these changes, organisations can ensure compliance while fostering a culture of transparency and ethical business practices.

To watch Ethixbase360’s on-demand webinar TPRM & Value Chain Implications of the UK’s Failure to Prevent Fraud Offence featuring experts Ian Bennington, Partner – National Leader for Governance Risk and Compliance Services, BDO, Harriet Territt, Partner – Global Investigations, Addleshaw Goddard and James Swenson, Managing Director – Enhanced Due Diligence, Ethixbase360 please visit our OnDemand Webinars on the Ethixbase360 Resource Centre. 
