New rules requiring companies to implement robust systems to prevent fraud came into force in the UK in September. In-House Perspective assesses what companies need to do to avoid falling foul of the law and how counsel should help them evaluate risk.

In September, legislation came into force in the UK that aims to hold businesses to account if they profit from fraud committed by their employees. Under the new ‘failure to prevent fraud’ offence, a company will be liable where a specified fraud offence is committed by an employee or ‘associated person’ for the organisation’s benefit and the business lacked ‘reasonable’ procedures to prevent it.

The government says the law will encourage organisations to implement and improve compliance, driving a major shift in corporate culture to help reduce fraud, which accounts for over 40 per cent of crime recorded against individuals in England and Wales. The legislation follows similar ‘failure to prevent’ laws introduced in previous years in relation to bribery and the facilitation of tax evasion.

In order to fall under the scope of the law, companies need to meet two of three criteria: they must have more than 250 employees, a turnover of above £36m and/or over £18m in assets. Fraudulent conduct covered by the legislation includes dishonest sales practices or the hiding of important information from consumers or investors. It also includes dishonest practices in financial markets.

Enforcement will be primarily handled by the UK’s Serious Fraud Office (SFO) and Crown Prosecution Service (CPS), with penalties for breaking the law including unlimited fines, criminal convictions and significant reputational damage.

The failure to prevent fraud offence is expected to reshape business thinking about risk – from how a company may become a victim of fraud to how an organisation could benefit from it through the actions of their employees. For compliance professionals who already have experience of meeting the requirements of the other failure to prevent laws, the process of implementing organisation-wide fraud controls should be similar.

‘It’s a big concern if you are a business of that size which is now thinking this is a major new risk because it’s not just about falling victim to fraud, or maybe there will be some civil proceedings because [the organisation has] been sued by an unhappy counterparty, but [the company] might actually get locked into a criminal investigation which is going to last five to ten years,’ says Nick Barnard, a partner in Corker Binning’s criminal and regulatory practice in London.

Barnard says that the main difference between the new offence compared to other ‘failure to prevent’ laws is its much broader application for large companies because the risk isn’t specific to a particular industry or jurisdiction. ‘There’s no business out there that meets the threshold and can say we don’t have a fraud risk,’ he says.

The broad scope of the offence is also demonstrated by its extraterritorial reach and its definition of ‘an associated person’, which is wider than that attached to the other ‘failure to prevent’ offences and includes employees, subsidiaries, contractors and suppliers. ‘Non-UK businesses may want to assess their exposure to the UK more,’ says Alex Swan, an Officer of the IBA Business Crime Committee. ‘It’s not merely a question of do we have subsidiaries operating in the UK but to what extent does our business involve the UK and UK persons.’

Swan says companies should also keep in mind that although the new legislation requires that the associated person commits a fraud offence to benefit the company, it doesn’t have to be their sole motivation for the misconduct. ‘When organisations are conducting their risk assessments or otherwise assessing the sufficiency of their anti-fraud procedures, they may want to consider not only assessing the extent to which they prevent fraud being committed against the organisation but importantly the extent to which they address fraud which may be committed for the organisation’s benefit,’ says Swan, who’s also a shareholder in Greenberg Traurig’s white-collar practice in London.

The failure to prevent fraud offence doesn’t apply to small and medium-size enterprises (SMEs), which account for 99.8 per cent of the business population in the UK. The carve-out for these businesses has drawn criticism from anti-corruption experts, who argue it misses an opportunity to introduce accountability across the entire corporate sector and for many smaller businesses that are at a high risk in regards to fraud. The government says it included the exemption to ‘avoid disproportionate burdens on SMEs and support economic growth,’ adding that the impact of the offence will be kept under review and, if necessary, amended to apply to more companies.

Lloydette Bai-Marrow, a former investigative counsel at the SFO, says despite the law only being targeted at large companies, there will be a ‘trickle down effect’ for SMEs and therefore it’s best practice for them to establish robust anti-fraud measures. ‘Small businesses by virtue of the legislation may be classed as associated persons,’ says Bai-Marrow, who’s also an ex-CPS prosecutor. ‘SMEs will need to be in a position to have their own processes in place to assure the large companies in scope that they are not going to bring them risk.’

Embedding an anti-fraud culture

Following various large-scale, high-profile financial scandals that have resulted in numerous job losses, the UK government is keen to promote a corporate culture that’s anti-fraud in nature. ‘Next time there is a financial crisis, and a big institution is perceived to have behaved badly, the offence provides a mechanism by which they can be prosecuted as a result of the actions of their associated persons,’ Barnard says.

The government says in its guidance for the failure to prevent fraud offence, which was published by the Home Office in 2024, that fraud prevention systems designed by businesses must be underpinned by six principles. These include top-level commitment, risk assessment and due diligence. Ben Ticehurst, Senior Vice-Chair of the IBA Business Crime Committee, says that top-level commitment requires the most senior people in the organisation to understand compliance as an investment in their business and to devote the appropriate level of resources to ensure the correct systems and controls are in place. ‘People call it tone from the top, but it needs to be more than communication from the board,’ says Ticehurst, who’s a partner in HCR Law’s risk and regulatory practice in London. ‘Compliance really has to be embedded and demonstrated.’

The introduction of the failure to prevent bribery offence, under section 7 of the UK’s Bribery Act in 2010, led many organisations to overhaul their compliance programmes and adopt robust anti-corruption frameworks to raise standards. Criminal investigations opened into businesses for alleged breaches of the legislation have resulted in huge fines from billion-dollar global settlements, reached in the UK by deferred prosecution agreement where in exchange for admitting wrongdoing and agreeing to cooperate, a company can avoid criminal prosecution.

Alongside holding companies to account for defrauding the public purse or making false financial statements, the failure to prevent fraud offence also makes greenwashing a criminal offence. Rebecca Dix, a barrister at 5 Paper Buildings and former associate general counsel at the SFO, says that in the current climate where companies are under increased pressure to reduce carbon emissions, they need to be careful to avoid making misleading or false statements about their environmental credentials. ‘Fraud could potentially emanate from many areas of a business, but ultimately, environmental and regulated sectors are at a high risk,’ she says.

To illustrate the type of misconduct law enforcement agencies would investigate, the government included in its guidance an example of an investment fund provider promoting investment in a ‘sustainable’ timber company while aware that the environmental claims of the business are fabricated and their product is in fact harvested from a protected forest.

The Director of the SFO, Nick Ephgrave, has made investigating and prosecuting fraud a clear enforcement priority of the agency and said in a speech in April that he is ‘very, very keen’ to prosecute businesses who fail to comply with the failure to prevent fraud offence. ‘The challenge around enforcement is to make sure that the SFO has the resources that it needs to take up those cases,’ says Bai-Marrow. ‘It’s important to recognise that these cases take time and it’s not going to be overnight.’

The UK government introduced the Bribery Act in 2010 and the Criminal Finances Act seven years later, which included the failure to prevent the facilitation of tax evasion offence. However, only a handful of companies have been prosecuted under these laws. The first prosecution resulting from the failure to prevent facilitation of tax evasion offence was announced in August, for example. However, the laws are largely credited with a driving a major shift in corporate culture – from a reactive to a proactive approach – in tackling bribery and tax evasion.

White-collar legal practitioners say that while prosecutions are important, the success of the failure to prevent fraud law shouldn’t be measured by the number of companies prosecuted for alleged wrongdoing. ‘What should be a measure of success is whether across the board compliance standards have improved,’ says Barnard.

‘If we look at the Bribery Act, whilst there hasn’t been a huge amount of prosecutions, it has been incredibly effective in terms of changing culture or at least sensitising people to the risks around bribery,’ says Bai-Marrow. ‘If the failure to prevent fraud offence can do something similar it would count as a success.’

The expansion of corporate criminal liability

The failure to prevent fraud offence is one of a number of new corporate enforcement powers that were included in the Economic Crime (Transparency and Enforcement) Act, which received Royal Assent in 2022. The Act introduced a broad range of measures to strengthen the UK’s ability to tackle economic crime. Alongside making companies criminally responsible for failing to prevent fraud, the legislation included amendments to the identification doctrine to allow prosecutors to attach corporate liability to a company where a ‘senior manager’ commits crimes including bribery, fraud and money laundering.

Under the previous corporate criminal liability system, a company could only be found guilty of an offence if the ‘directing mind and will of the company’ had committed a crime. Under the latest changes to the identification doctrine, ‘senior managers’ – defined as individuals who play ‘a significant role’ in making decisions about or managing the company – can now also trigger corporate criminal liability for the business. Commentators tell In House Perspective that these changes, paired with the new failure to prevent fraud offence, should in theory make it much easier for law enforcement to investigate and prosecute companies for fraud. ‘It gives prosecutors a broader base of options to pursue corporates,’ says Bai-Marrow.

She adds that changes to the identification doctrine could prove to be a more potent tool for corporate accountability than the failure to prevent fraud offence, because liability for the company can be triggered for crimes other than fraud. ‘Some organisations are failing to see the jeopardy of the widening of the identification principle, and they really need to,’ says Bai-Marrow.

Barnard says that for criminal lawyers, changes to the identification doctrine are likely to be more significant because failure to prevent fraud captures ‘a narrow set of facts and circumstances’, whereas the inclusion of senior managers means ‘the strata of people whose actions can now trigger liability of the company is much bigger’. He adds that, ‘from a compliance level, they represent the same risk, so the question for the organisation is what are we actually doing top to bottom – rather than just at the very top – to make sure people are behaving themselves.’