ECCTA Update: The New “Failure to Prevent Fraud” Offence

In the second of our two-part update on the upcoming changes to be introduced as part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), this article focuses on the new corporate offence of “failure to prevent fraud” (FTPF), introduced to ensure that corporations are effectively held to account for committing serious crimes. The FTPF offence will come into force on 1 September 2025.  

‘Large organisations’ will be liable for acts of their ‘associates’ who commit a ‘fraud offence’ intending to benefit (whether directly or indirectly) the organisation or any person to whom the associate provides services on behalf of the organisation (e.g. its customers and clients). If organisations are found liable under the FTPF offence, they are subject to unlimited fines.

Which organisations are in scope?

A ‘large organisation’ is defined as a corporation or partnership that fulfils two or more of the following conditions in the year that precedes the year of the offence: (1) more than 250 employees; (2) more than £36 million turnover; and/or (3) more than £18 million in total assets. These conditions apply to whole organisations, including subsidiaries, irrespective of where the headquarters of the organisation or the subsidiaries are located, provided there is a ‘UK nexus’. 

Who is considered an associate?

An ‘associate’ can be an employee, an agent, a subsidiary, an employee of a subsidiary or any other person who otherwise performs services for or on behalf of the organisation. The definition is intentionally broad, stating that all relevant circumstances will be taken into consideration when determining whether someone performs services for or on behalf of the organisation. Sub-contractors, joint venture partners and suppliers can therefore also be in scope.

What are the fraud offences?

The FTPF offence only applies to specific fraud offences committed by an associate, including but not limited to fraud by abuse of position, false accounting, false statements by company directors and fraudulent trading (‘base fraud’). The organisation does not actually need to benefit from the base fraud. The associate’s intention to benefit the organisation is sufficient. The main motivation for the associate could be personal gain. If the organisation was however the victim or intended victim of the base fraud, it will not be liable under the FTPF offence.

What is the UK nexus?

At least one part of the fraud offence must occur in the UK. This can be the act by the associate committing the base fraud or the intended gain of the organisation. If a UK based associate of a non-UK organisation commits a fraud offence in the UK with the intention to benefit the non-UK organisation, the non-UK organisation can be prosecuted. If an associate of a UK organisation commits a fraud offence outside the UK but targets clients of the UK organisation, the UK organisation can be prosecuted.

What are defences?

Similar to the 'failure to prevent bribery offence' under the Bribery Act and the 'failure to prevent the facilitation of tax evasion offence' under the Criminal Finances Act 2017, an organisation will not be liable under the FTPF offence if it can prove that, at the time the base fraud was committed by an associate, it had reasonable procedures in place to prevent fraud, or it can demonstrate that it was not reasonable in the given circumstances to have prevention procedures in place. The burden of proof will be on the organisation.

 Ahead of the new offence coming into force this Autumn, the Government published guidance setting out six principles organisations should consider when developing the appropriate fraud prevention framework proportionate to the business of the organisation and its exposure to the risk of an associate committing a base fraud. These principles are:

1. Top level commitment: senior management must demonstrate dedication to prevent associates from committing fraud offences.

2. Risk assessment: organisations must assess the nature and extent of their exposure to the risk of associates committing fraud offences, document and regularly review such assessments.

3. Proportionate risk-based fraud prevention procedures: organisations must draw up a fraud prevention plan implementing appropriate procedures considering the risks identified in the risk assessment.

4. Due diligence: organisations must conduct proportionate and risk-based due diligence on their associates.

5. Communication: organisations must ensure that prevention procedures are effectively communicated and embedded throughout the organisation (with an emphasis on training and maintaining training).

6. Monitoring and review: organisations must monitor and review existing procedures and make improvements where necessary.

What are the key take-aways?

The key take aways are: (1) there is no ‘one size fits all’, and (2) simply relying on existing economic crime prevention measures will not be sufficient. The procedures an organisation needs to implement to be able to rely on the defence will depend on its risk profile and can therefore only be determined after having conducted a risk assessment. Potential in-scope organisations should therefore use the remaining four months to consider the risk of base frauds being committed by its associates and, based on the outcome of that assessment, review and adjust existing measures.

Whilst strictly only applicable to large organisations, small and mid-size businesses should be aware of the FTPF offence as a matter of good practice. When performing services on behalf of large organisations, they might even face tougher fraud scrutiny themselves due to the large organisations’ due diligence requirement of their subcontractors or other service providers.

The above is intended to give a brief summary on upcoming ECCTA changes.  If you would like further guidance or advice, please contact Ines Krausler, Imogen Kelland or your usual Wallace contact.