Failure to Prevent Fraud Act: Are You Ready?
Published: May 19, 2025
In September 2025, the UK Economic Crime and Corporate Transparency Act 2023 extends its reach to the actions of employees. Thomas Cattee, Partner, Gherson Solicitors, and Sharon Hall, Director, Forensic Risk Alliance, consider the impact on treasury practices.
On 1 September 2025, a new corporate offence of Failure to Prevent Fraud (FtPF) will come into force under the UK Economic Crime and Corporate Transparency Act 2023 (ECCTA). The ECCTA extends corporate liability for large organisations[1] to the actions of employees, agents and other “associated persons” in circumstances where the fraud is intended to benefit the organisation (or its clients).
The UK will have jurisdiction for the offence provided that the fraud has a ‘UK nexus’, meaning the fraudulent act must (i) include an act that occurs in the UK; or (ii) result in a gain or loss in the UK. The only defence available is for the corporate to prove that it had “reasonable fraud prevention procedures” in place at the time of the offence.[2]
Large organisations
On 6 November 2024, the UK government released guidance to organisations on the Offence of Failure to Prevent Fraud, under ECCTA (‘Guidance’). The Guidance clarifies that a large organisation means the “whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located”. As such, an organisation with a minimal UK presence could be subject to the FtPF offence.
Fraud
Under the ECCTA, fraud includes a range of financial misconduct, including fraud, false accounting and cheating the public revenue. Corporate liability arises if the fraud is carried out by an associated person acting in the course of their duties and where the fraud is intended to benefit the organisation.[3]
For multinational organisations, it is important to assess for whose corporate benefit an individual, agent or subsidiary was acting. Importantly, the benefit to the organisation does not need to be the sole or dominant motivation for the fraud; it suffices that the organisation was intended to be a beneficiary. Further, if a fraud were to occur, there may well be additional ancillary offences, such as money laundering.[4] It is therefore especially important to guard against unwitting involvement.
Location of fraudulent conduct, loss or benefit
Jurisdiction is determined by the location of the conduct, benefit or loss, not the location of the corporate seat. Large organisations should assess their UK connections, and firstly identify if:
- The organisation acts directly or indirectly within the UK[5]
- The organisation has a customer base in the UK, which could be the victim of a fraud
- There is a vehicle for corporate benefit in the UK[6]
Where applicable, the organisation should consider further steps to assess and mitigate the potential risk.
Compliance defence: reasonable procedures
To rely on the “reasonable procedures” defence, an organisation must demonstrate proactive fraud prevention measures. Ultimately, courts will assess the organisation’s control, supervision, and proximity to the offender’s actions, though failing to conduct or update a fraud risk assessment will likely be viewed as evidence of inadequate procedures.
The Guidance lays out six principles, which are designed to be adaptable and result-oriented, to help tailor prevention strategies.
Organisations should:
- Conduct a comprehensive fraud risk assessment
- Identify vulnerable areas[7]
- Consider sector-specific risks[8]
- Adapt procedures to fit organisational structure, scale, and geographic presence
- Implement effective internal controls including:
- Clear policies
- Control testing across defence lines
- Red flag monitoring and KPIs
- Independent assessments
- Strong management oversight and communication
Six Principles
- Top-level commitment
- Risk assessment
- Proportionate risk-based procedures
- Due diligence
- Effective communication
- Monitoring and review process
Treasury – a key risk area
As the last gatekeeper of any financial transaction, treasury needs strong financial controls to prevent, detect, and respond to potential fraud. Treasury functions handling large cash flows and investments are especially vulnerable, making robust safeguards essential. These can include:
- Segregation of duties: No individual should control an entire transaction process (initiation, approval, execution)
- Dual authorisation: At least two approvers for financial transactions
- Authorisation protocols: Only authorised personnel approve payments, ideally with workflows to flag anomalies
- Account reconciliations and reviews: Independent daily cash monitoring and independent bank reconciliations. Regular managerial reviews
- Internal and external audits: Evaluate the effectiveness of control systems and procedures
- Access and security: Tiered permissions and multifactor authentication; regular review of access rights
- Transaction monitoring: Real-time monitoring (analytical tools) to detect unusual transactions or patterns, such as duplicate payments or suspicious vendor activity
- Counterparty and payroll validation: Ensure all vendors and employees are vetted; restrict bank account changes without senior approval
These controls are best practice for treasury-related transactions. Particularly where an FtPF offence may apply (i.e. transactions involving UK bank accounts or UK-based parties), it is imperative that policies and procedures are robust and adhered to rigorously.
Treasury controls play a core role in developing a culture that actively discourages fraud and financial crime. A system of controls that is regularly reviewed and embedded in integrity makes it harder for fraudulent activity to succeed. Encouraging ethical behaviour alongside financial control creates transparency and accountability, which reinforces trust and helps safeguard financial reputations.
1. The offence applies to large organisations, defined as meeting at least two of the following criteria: more than 250 employees; more than £36 million in turnover; more than £18 million in total assets.
2. Section 199(4) and (5) ECCTA.
3. Not in a personal capacity.
4. Unlawfully diverting company funds or manipulating financial records can generate “criminal property”, and if funds are moved, concealed or used this can constitute money laundering under the Proceeds of Crime Act 2002.
5. UK offices, employees, subsidiaries or associated persons.
6. Such as bank accounts.
7. Such as UK-linked transactions or high-risk operations.
8. Such as procurement fraud or false reporting.
- ECCTA 2023: guidance to organisations on the offence of failure to prevent fraud