UK Failure to Prevent Fraud Offence to Come into Force - Is Your Organisation Prepared?

The new strict liability corporate criminal offence of Failure to Prevent Fraud (FTPF) comes into effect in England and Wales on 1 September 2025. The FTPF offence forms part of a broader suite of reforms to the investigation and prosecution of corporate crime contained in the Economic Crime and Corporate Transparency Act (ECCTA), which received Royal Assent on 26 October 2023.

The UK Serious Fraud Office (SFO) has signalled its intent to pursue organisations under the new FTPF offence from the get-go. The Director of the SFO, Nick Ephgrave, put down a marker in his first speech as Director saying, “I want to be the first to prosecute someone under the new provisions of [ECCTA]”,[1] and the agency’s messaging has remained consistently threatening, culminating in the Director’s April 2025 speech:

“Come September, if they haven’t sorted themselves out, we’re coming after them … I’m very, very keen to prosecute someone for that offence. We can’t sit with the statute books gathering dust, someone needs to feel the bite.”

Taken together, the reforms contained in ECCTA significantly increase the likelihood of organisations being successfully prosecuted in the UK for economic wrongdoing. With the coming into force of the FTPF offence on 1 September - which has wide extra-territorial reach - the corporate criminal landscape in the UK has fundamentally shifted, and organisations domiciled here and abroad need to reflect on and react to the new higher-risk environment in which they find themselves.

This alert takes a holistic view of the wider ECCTA reforms, including but not limited to the new FTPF offence, and offers in-scope organisations, wherever they are located, practical and achievable steps that they should be taking now to enhance and evidence their proactive fraud prevention measures.

Wider ECCTA reforms designed to facilitate the investigation and prosecution of economic crime

The new FTPF offence forms only part of the radical reforms contained in ECCTA. We flag below two other key reforms which have not attracted the same level of focus and attention as the FTPF offence.

Corporate criminal attribution overhaul

Most significantly of all, ECCTA overhauled how criminal liability can be attributed to a corporate body in the UK with respect to a comprehensive list of economic crimes, including fraud, bribery, money laundering, sanctions, cheating the public revenue and conspiracy to defraud offences.

Previously an organisation could only be held criminally liable if the offence was committed by someone who was held to be the “directing mind and will” of the company, typically a senior executive or board member. This made it difficult to prosecute large, complex organisations with diffuse decision-making responsibilities.

ECCTA introduced a new statutory threshold, allowing for the actions of “senior managers”, acting within their actual or apparent authority, to fix the organisation with criminal liability.

A senior manager is defined as someone playing a significant role in making decisions about how the whole or a substantial part of the organisation is managed or organised.[2] Senior managers therefore comprise not only those who decide on broad strategy but also those who make operational decisions covering the whole of the corporation or a substantial part of it. This may not capture someone whose role was limited to management of a discrete unit that does not represent a substantial part of the company’s affairs but probably would include someone whose responsibilities involve making decisions relating to corporate strategy and policy in a particular area—such as operations, legal or finance.

The new corporate criminal attribution rules have been in force since 26 December 2023 and, unlike the FTPF offence, apply to all companies and partnerships established in the UK, regardless of their size (the FTPF offence only applies to “large” organisations, as defined below). Critically, and this is a point that often gets missed in discussions focused on the new FTPF offence, there is no reasonable procedures defence available to organisations being investigated and prosecuted for the actions of a senior manager, acting within their actual or apparent authority, who has committed a substantive fraud offence. The recently updated Joint SFO-CPS Corporate Prosecution Guidance makes this point explicitly:

“It should be noted that an organisation facing liability under the Failure to Prevent Fraud offence may also face prosecution for the underlying substantive fraud or other economic crime offence, where the conduct of the associated person can be attributed to the organisation by other means – such as through section 196 of … ECCTA [which provides for senior manager corporate criminal attribution].”

Proposals in the Crime and Policing Bill, which had its first reading in the House of Lords in June 2025, would extend the senior manager attribution rules to cover all criminal offences, not just those specified economic crimes under ECCTA.[3] If enacted, the reforms would make it more straightforward to prosecute organisations for a broader range of financial and non-financial offences in the UK.

SFO pre-investigation compulsory powers

Prior to ECCTA, the SFO’s powers to compel the provision of documents and information prior to the opening of a formal investigation were limited to cases of international bribery and corruption. Per section 211 of ECCTA, the SFO is now able to deploy its pre-investigation compulsory powers in respect of all its cases, including cases of fraud and domestic bribery.

Using its new powers, the SFO will be able to obtain data, such as banking records, allowing it to restrain assets at an earlier stage and to take more informed decisions on whether to open a formal investigation.[4] This should help the SFO to progress investigations more quickly once opened, facilitating the more efficient allocation of resources and reducing the risk of the financial and reputational impact of dropped investigations.[5]

New FTPF offence – who can commit it?

The new FTPF offence is intended to broadly mirror the structure of the UK’s existing strict liability ‘failure to prevent’ corporate offences, namely failure to prevent bribery (under section 7 of the Bribery Act 2010) and failure to prevent the facilitation of tax evasion (under part 3 of the Criminal Finances Act 2017).

Under section 199(1) of ECCTA, a large organisation commits an offence and can be subject to an unlimited fine, if a person who is associated with the organisation commits a specified fraud offence intending to benefit, directly or indirectly, the organisation, or any person to whom the associated person provides services on behalf of the organisation.

A large organisation is a body corporate or partnership which meets any two of the following criteria in the financial year preceding the year in which the underlying fraud offence is committed:

  • More than £36 million turnover;
  • More than £18 million in total balance sheet assets; and / or
  • More than 250 employees.

Employees, agents or subsidiary undertakings of the organisation are automatically regarded as associated persons for purposes of the offence. Other parties may also be deemed associated persons depending on the circumstances, namely if they perform services for or on behalf of the organisation (persons providing goods, but not services, to an organisation are not associated persons).

For the offence to be made out, the associated person must be acting in their capacity as an associated person. Fraud that takes place outside this capacity, for example in the person’s private life, does not give rise to corporate liability.

The specified fraud offences include the common law offence of cheating the public revenue and statutory fraud offences under the Fraud Act 2006 (fraud by false representation, failing to disclose, abuse of position and obtaining services dishonestly), the Theft Act 1968 (false accounting and false statements) and the Companies Act 2006 (fraudulent trading), or aiding, abetting, counselling or procuring the commission of the same.

Organisations are not liable if they are the victim or intended victim of the fraud. An intention to benefit is sufficient; there is no need for the organisation or client in fact to benefit. There is no requirement for this to be the sole or dominant intention. Benefit may be financial or non-financial.

The jurisdictional scope of the offence is broad, albeit it does require a UK nexus, meaning that one of the acts which was part of the underlying fraud must take place in the UK or that the gain or loss occurred in the UK. A large US-based company, for example, whose employee commits fraud in the UK, or targets UK victims, for the company’s benefit would, in the absence of being able to establish that it had reasonable fraud prevention procedures in place, potentially be liable under the new offence.

The breadth of the specified fraud offences means that strict criminal liability could technically attach to a wide range of corporate conduct, including M&A activity (representations to investors, buyers and sellers); financial and regulatory reporting (asset valuations, related-party disclosures, revenue recognition practices); non-financial reporting (ESG disclosures and modern slavery statements); asset management (procurement processes, cash inventory); tax; and lending activity (representations to lenders), as well as more typical bribery and corruption issues such as third-party/intermediary and government dealings.

The statutory defence - reasonable fraud prevention procedures

ECCTA provides a statutory defence for an organisation if it has in place fraud prevention procedures that were reasonable in all the circumstances or where it was not reasonable in all the circumstances to expect the organisation to have any fraud prevention procedures in place.

In November 2024, the UK Home Office issued guidance that addresses what constitutes reasonable fraud prevention procedures. The Guidance adopts the same framework of six non-prescriptive principles which large organisations that have previously dealt with the failure to prevent bribery and facilitation of tax evasion offences will recognise:

  1. Top level commitment.
  2. Risk assessment.
  3. Proportionate risk-based prevention procedures.
  4. Due diligence.
  5. Communication (including training).
  6. Monitoring and review.[6]

In certain important respects, however, the Guidance goes further than it did previously and provides more detail on the practical steps that senior management can take to foster an anti-fraud culture.

  • Risk Assessment. Risk assessments are the cornerstone of an organisation’s fraud prevention framework. The Guidance acknowledges that organisations may already undertake risk assessments in relation to other economic crime and confirms that these organisations do not need to duplicate existing risk assessments but must adapt them to incorporate fraud risks. To properly assess in-scope fraud risks, the Guidance recommends nominated risk owners within the organisation adopt an approach that is as focused on personnel, behaviours and culture as it is on policies, procedures and controls. The Guidance recommends organisations start by identifying the different categories of associated persons within their corporate ecosystem. Using these categories, organisations may then consider a wide range of circumstances under which associated persons could attempt in-scope fraud, taking into account the three elements of the fraud triangle: opportunity, motive and rationalisation.
  • Integrated financial crime landscape. The Guidance acknowledges that the failure to prevent fraud offence sits within a landscape of other related and sometimes overlapping domestic and overseas financial crime laws and regulations, and related guidance. In recognition of this, it refers organisations to various other sources on fraud prevention measures, including the UK Corporate Governance Code, and to international standards such as the US Department of Justice’s Evaluation of Corporate Compliance Program guidance.

What should in-scope organisations do now?

Notwithstanding the imminent coming into force of the new FTPF offence and the SFO’s publicly stated desire to secure the first conviction, there is no need to panic, even for those organisations who did not previously realise they were in scope and have taken no additional steps to date.

Many large companies will already have in place procedures, controls and monitoring systems designed to detect and prevent fraud, particularly those subject to sector-specific regulatory obligations such as financial services firms. These should be adjusted and updated to reflect the focus on outward fraud in the new offence. Whilst there is no need to overreact, there are certain positive steps that in-scope organisations should take to evidence their commitment to fraud prevention, including:

  • Conduct and document an informed risk assessment to determine inherent outward fraud risks, existing mitigation procedures, residual risks and the steps required to plug any gaps.
  • Seek the input of legal advisors with practical experience of defending against investigations and prosecutions commenced in respect of the underlying fraud offences and testing the reasonableness / adequacy of an organisation’s compliance procedures in the context of a criminal failure to prevent investigation.
  • Review existing contracts with agents and service providers to assess the extent to which they contain obligations requiring compliance with anti-fraud provisions and the ability to terminate in the event of a breach.
  • Appoint a person responsible for fraud prevention at the organisation and in each subsidiary.
  • Implement and document enhanced anti-fraud procedures.
  • Conduct targeted anti-fraud training for employees, subsidiaries and, where possible, agents and service providers.

Conclusion

Large organisations domiciled in the UK and overseas organisations with UK operations and / or a UK customer base must be on the front foot to avoid straying into the sights of an SFO keen to make use of the new powers it has gained over the past two years.

Regardless of the inevitable time lag before we see an uptick in investigations and prosecutions pursuant to the new FTPF offence (as we saw with the lag between the coming into force of the Bribery Act 2010 and the first significant corporate investigations and resolutions pursuant to that legislation), the ECCTA reforms undoubtedly increase the likelihood of companies being successfully prosecuted in the UK for economic wrongdoing and in-scope organisations cannot stand idly by.

Footnotes

  1. https://www.gov.uk/government/speeches/director-ephgraves-speech-at-rusi-13-february-2024.

  2. ECCTA 2023, s.196.

  3. https://bills.parliament.uk/publications/61564/documents/6824.

  4. See, Serious Fraud Office, What does the Economic Crime and Corporate Transparency Act mean for the SFO? (15 January 2024), https://www.linkedin.com/pulse/what-does-economic-crime-corporate-transparency-act-mean-sfo-uksfo-z8y4e/.

  5. SFO Chief Intelligence Officer, John Kielty (15 January 2024), https://www.linkedin.com/posts/uksfo_these-new-powers-will-allow-us-to-progress-activity-7153409061303033856-fRVi?utm_source=share&utm_medium=member_desktop.

  6. https://assets.publishing.service.gov.uk/media/67f8ef1845705eb1a1513f35/Failure to Prevent Fraud Guidance - English Language v1.6.pdf

Written by:

WilmerHale