What is happening?
On 1 September 2025 a new corporate offence of failure to prevent fraud comes into force in the UK. The offence has been introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) and is intended to hold large organisations to account if they benefit from fraud committed by their employees or other ‘associated persons’.
The only defence against prosecution for a large organisation is to prove it had reasonable fraud prevention procedures in place at the time of the commission of the fraud. These procedures should be developed and implemented by 1 September 2025.
What is the offence?
- A large organisation will be criminally liable where a specified fraud offence (or ‘base fraud’) is committed by a person associated with the organisation (such as an employee, agent or subsidiary) with the intention of benefiting the organisation or its clients.
- It is a strict liability offence, meaning that there is no requirement to prove the organisation or its senior managers had any prior knowledge of the base fraud for the corporate offence to be made out.
- The definition of a ‘specified fraud offence’ captures the fraud and false accounting offences most relevant to large organisations, such as fraud by false representation, false accounting, cheating the public revenue and false statements by company directors.
- An organisation found liable for the corporate offence could face an unlimited fine.
- The only defence is that at the time of the offence, the organisation had reasonable fraud prevention procedures in place.
- Natural persons (like company directors or employees) cannot be prosecuted for the corporate offence but may of course be prosecuted separately for the base fraud.
The focus on fraud committed for the benefit of the organisation is significant and may mean that existing fraud risk assessments and associated procedures are not sufficient to meet the requirements of the new legislation. Up until now organisations have generally concentrated their attention and resources on fraud that could harm their businesses. The new legislation means that organisations should review their existing fraud prevention frameworks to ensure that they are fit for purpose and protect them from potential prosecution.
Who does the offence apply to?
The offence directly applies to ‘large organisations’, defined in ECCTA as incorporated bodies or partnerships that meet at least two of the following conditions:
- a turnover of more than £36m;
- more than £18m in total assets;
- more than 250 employees.
It does not matter where in the world the organisation was incorporated, but there must be a UK nexus for the offence to apply (see below).
Smaller organisations should be aware that they may be ‘associated persons’ while they provide services for or on behalf of large organisations. In these circumstances, small organisations may be subject to contractual or other requirements imposed by large organisations to implement reasonable fraud prevention procedures of their own.
What is its relevance to Irish companies?
The corporate offence has broad extra-territorial scope and Irish companies that meet the definition of a ‘large organisation’ could attract attention from UK authorities if:
- the base fraud committed qualifies as a fraud under UK law;
- any act which is part of a base fraud committed in Ireland took place in the UK; or
- the actual (not just intended) gain or loss occurred in the UK.
This means that an Irish company may be captured by the scope of this offence if a base fraud committed by one of its employees or other associated persons involved conduct or victims in the UK. For example, this could arise if the mis-selling or misrepresentation of an investment opportunity by an Irish company resulted in losses to UK investors.
In addition, the legislation is clear that subsidiaries of large organisations are ‘associated persons’ for the purposes of this offence. As a result, an Irish company could be liable where a base fraud is committed by its UK subsidiary and the fraud benefits the Irish company.
What do large organisations need to do before 1 September 2025?
The UK government guidance (the Guidance) sets out six principles that should inform the fraud prevention framework that organisations should implement in order to protect themselves from potential prosecution for this offence. The principles are consistent with the prevention procedures already found in the other UK corporate ‘failure to prevent’ offences in relation to bribery and the facilitation of tax evasion: top level commitment; risk assessment; proportionate, risk-based prevention procedures; due diligence; communication (including training); and monitoring and review.
Initial practical steps should include:
- Clear governance in respect of the fraud prevention framework. In some organisations senior management will be personally involved in the design and implementation of fraud prevention measures, whereas in others, this responsibility may be delegated to other parts of the business.
- A comprehensive risk assessment that identifies and assesses the potential risk of frauds captured within the scope of the new offence, as an immediate priority.
For Irish companies, this could mean assessing risks associated with any UK subsidiaries, other third-party ‘associated persons’, and potential victims in the UK such as investors, shareholders or customers. The Guidance puts particular emphasis on the need to conduct risk assessments, as the results of a thorough risk assessment process will impact the design and implementation of the other principles.
- The organisation should draw up a risk-based fraud prevention plan, with procedures to prevent fraud being proportionate to the risk identified in the risk assessment. A key principle is that the fraud prevention plan is proportionate to the risk and the potential impact.
- A commitment from the organisation to allocate a reasonable and proportionate budget specifically for the leadership, staffing and implementation of the fraud prevention plan, including training. This budget could encompass not only personnel costs but also funding for technology that may include third party due diligence, platforms and related due diligence tools.
- Organisations should ensure that procedures are in place for reporting potential offences (such as a whistleblowing process) and the reactive investigation of offences captured under the new legislation. Organisations may have existing procedures in respect of investigating frauds or attempted frauds against the organisation but may need to extend them to cover frauds that are intended to benefit the organisation.