The Economic Crime and Corporate Transparency Act 2023 (ECCTA) aims to strengthen corporate governance and tackle economic crime in the UK. It contains, among other things, a new corporate offence of failure to prevent fraud, which comes into force on 1 September 2025.

Under the offence, an organisation may be criminally liable where an employee, agent, subsidiary, or other “associated person” commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place. In certain circumstances, the offence will also apply where the fraud offence is committed with the intention of benefitting a client of the organisation. It does not need to be demonstrated that directors or senior managers ordered or knew about the fraud.

The offence sits alongside existing law; for example, the person who committed the fraud may be prosecuted individually for that fraud, while the organisation may be prosecuted for failing to prevent it.

The offence will make it easier to hold organisations to account for fraud committed by employees, or other associated persons, which may benefit the organisation, or, in certain circumstances, their clients. The offence will also encourage more organisations to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud.

The offence applies to large, incorporated bodies and partnerships across all sectors of the economy.

A ‘large organisation’ is defined as meeting two or three out of the following criteria:

  • More than 250 employees
  • More than £36 million turnover
  • More than £18 million in total assets

NHS Foundation Trusts, NHS Trusts and Integrated Care Boards will be in scope provided they also qualify as a ‘large organisation.’

Types of fraud covered by the offence

The offence of failure to prevent fraud applies to a number of specific fraud offences, referred to as ‘base fraud’ offences. The offence list for England and Wales is:

  • Fraud offences under section 1 of the Fraud Act 2006 including:
      • Fraud by false representation (section 2 Fraud Act 2006)
      • Fraud by failing to disclose information (section 3 Fraud Act 2006)
      • Fraud by abuse of position (section 4 Fraud Act 2006)
  • Participation in a fraudulent business (section 9 Fraud Act 2006)
  • Obtaining services dishonestly (section 11 Fraud Act 2006)
  • Cheating the public revenue (common law)
  • False accounting (section 17 Theft Act 1968)
  • False statements by company directors (section 19 Theft Act 1968)
  • Fraudulent trading (section 993 Companies Act 2006).

Defence of reasonable fraud prevention procedures

Relevant organisations will have a defence if they have reasonable procedures in place to prevent fraud, or if they can demonstrate to the satisfaction of the court that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place.

The question of whether a relevant organisation had reasonable procedures in place to prevent fraud in the context of a particular prosecution is a matter that can only be resolved by the courts, taking into account the particular facts and circumstances of the case. If a case comes to court, the onus will be on the organisation to prove that it had reasonable procedures in place to prevent fraud at the time that the fraud was committed.

Depending on the organisation’s structure, there are steps that parent undertakings can take to prevent fraud by subsidiaries, for example implementing group-level policies or training and ensuring that there is a nominated person responsible for fraud prevention in each subsidiary.

Reasonable fraud prevention procedures

The fraud prevention framework put in place by relevant organisations should be informed by the following six principles:

  • Proportionate risk-based prevention procedures
  • Top level commitment
  • Risk Assessment
  • Due diligence
  • Communication (including training)
  • Monitoring and review

These principles are intended to be flexible and outcome-focused, allowing for the wide variety of circumstances that relevant bodies find themselves in. Procedures to prevent fraud should be proportionate to the risk.

The six principles identified above are already reflected in the NHS CFA requirements which in turn derive from the Government Functional Standard Gov 013 for Counter Fraud. NHS funded services are already required to provide the NHS CFA with details of their performance against the functional standard annually.

The NHS CFA recommend that NHS organisations prepare their fraud prevention procedures before the offence is in force, be able to demonstrate that reasonable procedures for the prevention of fraud are in place and ensure that fraud prevention procedures are informed by the NHS CFA requirements and the six principles.

For more information:

Failure to prevent fraud offence | NHS Counter Fraud Authority

At TIAA, we’re here to help you prepare. Our Fraud Health Check assesses your organisation’s readiness and provides practical guidance to ensure compliance.