
The corporate offence of Failure to Prevent Fraud, set out in the Economic Crime and Corporate Transparency Act 2023, comes into effect on 1st September 2025. This means that “large” sized UK firms have only three months to complete their preparations.
With the September deadline looming, here are three things that you should be doing now to make sure everything is in order in good time.
Step One: Review the scope
How do you know if you’re in scope?
You shouldn’t assume that you’re too small and out of scope. The offence applies to “large organisations”, defined in the legislation as “those meeting at least two of: a turnover of more than £36m; or more than £18 million in total assets; or more than 250 employees”. This includes all companies in the group if it’s registered in the UK. This means relatively modest sized organisations with international subsidiaries may be caught.
Jurisdictions, subsidiaries, and branches
Be careful about the jurisdictional application, as it can be complex depending on the location of the firm, a branch, subsidiary, or an employee who has committed a fraud to benefit the organisation. Essentially, if a fraud offence could be prosecuted by UK authorities, then the Failure to Prevent offence can also apply. So, the corporate offence can apply to a UK firm, and its branches and subsidiaries globally. This means each one, individually or collectively, could meet the threshold and the offence would apply if there’s a UK nexus. It can also apply to branches of foreign firms in the UK.
Criminal behaviour and liability
It is also important to be clear about the sort of behaviours that will be caught. Under the corporate offence, an organisation will be criminally liable if a specified fraud offence is committed by a person associated with the organisation (such as an employee, agent, or contractor) with the intention of benefiting the organisation or its clients. If the organisation is a victim of the offence, it’s not criminally liable.
It’s also a strict liability offence, meaning there’s no requirement to prove that the organisation or its senior managers had any prior knowledge of the fraud for the offence to apply. That’s why establishing a defence by implementing the principles is so important.
Specified fraud offences that can give rise to the corporate offence include fraud and false accounting offences, such as fraud by false representation, false accounting, false statements by company directors, and cheating the public revenue.
Remember to check if your organisation is in scope based on size. Then look at the parts of your organisation that may be in scope and start to consider who might commit a fraud offence, and where those may be.
Step Two: Conduct a comprehensive risk assessment
One of the key strands of reasonable prevention procedures that provide a defence to the corporate offence is to carry out a robust risk assessment.
Most financial services firms have some form of crime related risk assessment, at least for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF), as this has been a requirement for some time. Many mature firms will also have anti-fraud risk assessments that might sit alongside sanctions risk assessments, insider dealing risk assessments, and others. Outside of financial services, it’s far less common for businesses to have these risk assessments, which means there’s a wide variance of practice across UK firms.
Aligning risk assessment methods
The number of risk assessments for financial crime has notably increased. With these now including market abuse, tax evasion, bribery and corruption, is adding the Failure to Prevent Fraud offence to an already creaking assessment method the best approach? This may not give you the best results and might mean it’s time for a wholesale review.
Equally, we have clients who have used new assessments for this corporate offence resulting in misalignment with their wider financial crime and enterprise-wide risk assessments. All risk assessments should have a coherent and common method that looks at the possible risks, provides a probability and impact score, and then considers controls and their effectiveness to produce a residual score.
It won’t always be possible to achieve an integrated approach immediately. According to industry guidance from UK Finance, a risk assessment that considers the following would be reasonable: (i) areas of risk; (ii) consideration of territorial scope; (iii) assessment of level of risk informed by the effectiveness of controls; (iv) clear assignment of ownership and responsibility; (v) clear documentation including a link between the risk assessment and the prevention procedures; and (vi) review on a periodic basis.
Step Three: Integrate the guiding principles into your anti-fraud framework
If you’ve decided which parts of your business are in scope, and dealt effectively with the risk assessment, there are still five more principles to consider:
Top level commitment
Responsibility for putting in place reasonable procedures starts at the top. You’ll need a board level statement of intent, allocated responsibilities, and regular board check-ins to ensure that the risk assessment is appropriate, and controls are effective. This might include a well-defined risk appetite statement.
Risk-based prevention procedures
The risk-based prevention procedures will be informed by the risk assessment discussed above. When the board considers the risk assessment and controls, it should explicitly consider whether the controls and prevention procedures are appropriate to the size and complexity of the overall business.
Due diligence
Most firms will already carry out a level of due diligence on staff and suppliers; however, this should go hand-in-hand with your risk assessment and scoping. Ask yourself, are there valuation agencies working for the firm who might over or undervalue assets to benefit the organisation? And if there are, what should those due diligence processes look for and how deep should they be? You’ll also need to consider any risk-based review of employees, suppliers, and others within the scope of associated persons.
Communication and training
A cascade from the board that includes an education package for all relevant staff should be carried out before September 2025. As training and education is also one of the risk-based procedures, ensure that it’s effective through testing and enhanced for higher risk roles.
Regular monitoring and reviews
Make sure to review your framework if you have near misses or a risk crystallises to make sure you’re meeting the regulator’s expectations. The framework should be included in your compliance monitoring plan and an internal audit plan in 2026 / 2027.
How can Bovill Newgate help you get your anti-fraud risk assessment house in order?
We’ve been speaking to a range of firms, both regulated and unregulated, that are in scope of the new corporate offence and can help design a proportionate anti-fraud framework.
We can work with you to identify where you might be vulnerable, put in place robust anti-financial crime measures, and make sure you are complying with the relevant rules. Our international reach also means we can identify and address challenges across connected operations.
Get in touch if you’d like to discuss any of the steps above or would like a short, free consultation.