The Economic Crime and Corporate Transparency Act and the failure to prevent fraud

The Economic Crime and Corporate Transparency Act (ECCTA) received Royal Assent on 26 October 2023 and came into force in stages. Its purpose was to tackle the use of UK business and finance for criminal activities.

On 1 September 2025, a significant (from the perspective of large corporations) aspect of the ECCTA - the introduction of a “failure to prevent fraud” offence - came into force.

This makes it an offence for a “person associated” with a “relevant body” (i.e. a “large organisation” with a turnover of more than £36m, a balance sheet total of more than £18m and more than 250 employees) to commit a fraud offence. This will include subsidiaries of a “large organisation”, even if they do not themselves meet the criteria of a “large organisation”.

A “person associated” with the organisation includes employees, agents, subsidiaries and consultants. It includes all associated persons, even if they are based outside the UK. This legislation should therefore be viewed as the UK seeking to hold companies to account for the criminal acts of their employees and third parties.

A fraud offence is anything listed in Schedule 13 of ECCTA, which is very broad.  It includes false accounting, company directors making false statements, fraudulent trading, fraud, obtaining services dishonestly, and cheating the public revenue.  It also includes aiding and abetting these offences.

This is a strict liability offence, so if a qualifying fraud offence is committed by, for example, an employee, then the corporate body has automatically committed the offence.

However, the organisations will have the following defences and may avoid liability:

  • If it was itself the victim of the fraud.
  • Where the employee did not intend to benefit the company.
  • If the organisation had preventative procedures in place or, where it did not, the lack of such procedures was reasonable.

It will apply to UK companies and also companies outside the UK, where the fraudulent act takes place in the UK or targets UK victims.  This is a corporate-only offence, so directors and managers are not personally liable for failing to prevent fraud. 

Guidance on this offence from the UK Home Office includes the following:

  • Reputational damage alone does not make an organisation a victim for the purposes of the defence.
  • The intention to benefit the organisation does not need to be the primary reason for the fraud being committed – the benefit can be incidental.
  • Preventative procedures to prevent a fraud should include top level commitment; risk assessment; proportionate risk-based prevention procedures; due diligence; communication (including training); and monitoring and review.

Despite the guidance, we anticipate that large organisations may seek to test the interpretation of certain terms, through the courts, to provide further clarity or avoid a prosecution.

This legislation is likely to concern all large organisations that operate in the UK.  However, given their enhanced risk of being a target for fraud generally, financial institutions are particularly at risk of this offence.  For example:

  • Fund managers could dishonestly misrepresent investments to their clients.
  • Investment advisors could knowingly promote unsuitable products.
  • Companies could misrepresent their own credentials when seeking investment.
  • An investment bank that underwrites an IPO could knowingly allow the prospectus to contain errors in relation to forecasts.

A further reason that financial institutions may be more at risk is that they tend to be FCA regulated, and under FCA regulations, they have a duty to disclose to the FCA anything which the FCA “would reasonably expect notice of”. Financial institutions may therefore have to self-report to the FCA if they notice any fraudulent activity. They may also be guilty of the failure to prevent fraud offence if they do not have adequate procedures in place.

A corporate prosecution under ECCTA could result in an unlimited criminal fine. 

Comment

Financial institutions should be checking that their internal policies, controls and training meet the UK government guidance on preventative procedures. This guidance sets a high standard, so firms would be advised to tailor their fraud prevention procedures to the specific risks that the organisation is likely to face. Equally important is ensuring that such procedures are clearly documented, in case firms need to avail themselves of the ‘preventative procedures’ defence. Organisations will also want to confirm that they are supervising and auditing any subsidiaries, agents or other representatives to ensure that they are operating with comparable levels of fraud prevention procedure.

Similarly, the underwriters of indemnity policies for financial institutions will want to make sure that the entities that they underwrite can demonstrate a robust fraud prevention plan at all levels of the organisation. 

Whilst the number of prosecutions may be limited by Crown Prosecution Service and Serious Fraud Office resources and capacity, the new Act will bring the risk of criminal investigations, the costs of which may be sought under the financial institution’s insurance policy.
