Fraud and financial crime

The corporate offence of failure to prevent fraud applies from 1 September 2025.

In our view, the new offence will have a significant impact and should be viewed as the most important development in corporate criminal liability since the introduction of the Bribery Act 2010.

This Q&A article explains the new offence and the compliance steps organisations can take.

What is the offence?

Section 199 of the Economic Crime and Corporate Transparency Act 2023 (commonly known as ECCTA) creates a new offence of failure to prevent fraud.

The offence applies to “large organisations”, i.e. those meeting at least two of the following criteria:

  1. Annual turnover of more than £36 million.
  2. Total assets of more than £18 million.
  3. More than 250 employees.

The three criteria apply to the entire organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.

A “large organisation” can be criminally liable where someone associated with it commits fraud and intends to benefit either the organisation or its customers / clients.

The benefit can be financial or non-financial and does not need to be the sole or dominant motivation. The official guidance says: “The offence can apply where a fraudster’s primary motivation was to benefit themselves, but where their actions will also benefit the organisation.”

By way of example, if an employee of a large organisation submits exaggerated invoices to a third party (perhaps to achieve an internal target and therefore a bonus), the corporate failure to prevent fraud offence may apply because there would be a benefit to the organisation in the form of payment of the exaggerated invoices.

The concept of an associated person is explained in ECCTA (section 199(7) – (9)) and the guidance. Associated persons are (1) employees, agents or subsidiaries and (2) others performing services for or on behalf of the organisation. Advice should be taken on whether an individual / organisation is an associated person for the purposes of ECCTA. A contract is not required, and the legislation makes it clear that “all the relevant circumstances” must be considered.

Unlimited fines can be imposed where an organisation is convicted of the corporate failure to prevent fraud offence (section 199(12) of ECCTA).

Are there Scottish specific aspects to the new offence?

Yes.

In order for the corporate failure to prevent fraud offence to apply, an associated person must have committed a base fraud offence. The relevant base fraud offences are contained in Schedule 13 to ECCTA and include offences under the Fraud Act 2006 (applying in England and Wales) as well as the Scots law offences of fraud (a practical result caused by a false pretence), uttering and embezzlement.

In this way, there are Scottish specific aspects to ECCTA. Businesses with operations in Scotland should therefore seek Scottish professional advice.

My business doesn’t operate solely in the UK – does the new offence impact us?

Yes.

The offence applies where an associated person commits a base fraud offence / where the loss or gain occurred in the UK. In this way, there must be a sufficient nexus to the law of the UK. That question will turn on the circumstances.

The guidance makes it clear that:

  1. If a UK-based employee commits fraud, the employing organisation could be prosecuted wherever it is based.
  2. If an associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted.

As a result, organisations operating in multiple jurisdictions should take account of those operations when preparing fraud prevention procedures.

My business is not a “large organisation” – does the new offence impact us?

Yes.

As matters stand, the offence only applies to “large organisations”. There is scope within ECCTA for that position to be changed, and those who have followed the passage of the legislation will recall that SMEs were originally within scope.

There are two ways in which the new offence impacts non-large organisations. First, subsidiaries of large organisations can be liable under ECCTA. Second, “large organisations” will likely hold their supply chain to exacting compliance standards including in relation to anti-fraud. Non-large organisations should expect updated compliance clauses in contracts and agreements together with increased due diligence, monitoring and audit.

What would happen if my business is the victim of a fraud?

The new offence does not apply to victims of fraud (or intended victims).

In the event an individual or business is the victim of fraud, legal advice should be taken immediately with a view to securing recovery. There is a range of recovery options and we regularly advise individuals and organisations in these circumstances.

What approach are the regulators taking?

There is a strong appetite to investigate suspected breaches of the new offence.

In recent weeks, we have seen publications from the likes of the Serious Fraud Office (SFO) emphasising their commitment to enforcing the new offence.

Nick Ephgrave, director of the SFO, is quoted as saying: “Now is the time to take action. Corporations must get their house in order or be ready to face investigation.” and “Come September, if they haven’t sorted themselves out, we’re coming after them. I’m very, very keen to prosecute someone for that offence. We can’t sit with the statute books gathering dust, someone needs to feel the bite.”

The SFO and the English prosecutorial body, the Crown Prosecution Service, have also published joint guidance on the prosecution of corporate criminal offences, including the new failure to prevent fraud offence.

We expect the equivalent Scottish authorities such as Police Scotland and the Crown Office and Procurator Fiscal Service to take a similarly robust approach to the investigation and prosecution of the new offence.

What compliance steps should our business take?

There are two defences in section 199(4) of ECCTA:

  1. It was not reasonable to expect the organisation to have any fraud prevention procedures in place. We consider that it is very unlikely that this defence will be successful – the courts will expect “large organisations” to have fraud prevention procedures.
  2. There were reasonable fraud prevention procedures in place at the time the base fraud offence was committed.

We have been assisting organisations to develop and implement fraud prevention procedures. The guidance provides insight on the measures that can be taken. There are six guiding principles. Those principles also apply to the corporate failure to prevent bribery offence (section 7 of the Bribery Act 2010) and the corporate failure to prevent the facilitation of tax evasion offences (sections 45 and 46 of the Criminal Finances Act 2017). The principles are:

  1. Top level commitment.
  2. Risk assessment.
  3. Proportionate risk-based prevention procedures.
  4. Due diligence.
  5. Communication (including training).
  6. Monitoring and review.

Some organisations will have existing anti-fraud procedures. Those procedures tend to be viewed through the lens of preventing the organisation from becoming the victim of fraud. Whilst still applicable, those procedures are unlikely to deal properly with the requirement to have reasonable procedures to prevent a situation in which the organisation benefits from fraud by an associated person. A shift in focus is required.

In our view, it is important to have a robust fraud risk assessment and to implement appropriate control measures to address the identified risks. Anti-fraud policies and training (including enhanced training to ‘at risk’ roles) can be effective in communicating expectations. In addition, organisations should have processes in place to monitor the conduct of their staff and supply chain.

Different organisations will be at different stages of their anti-fraud journey. Some will be advanced. Others will not yet have taken any steps or will still be in the development stage.

Regardless of the stage at which your organisation finds itself, our message is clear: far better to invest in compliance now than to experience a breach and “feel the bite”.

Please contact Ramsay Hall if you require support in relation to the new offence or other financial crime matters.
