UK Home Office Guidance Failure to Prevent Fraud

ECCTA: Failure to Prevent Fraud (FTPF)

The much-anticipated guidance regarding the new UK corporate offence of Failure to Prevent Fraud (FTPF Offence) was published on 6 November 2024. This FTPF Offence is part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which was granted Royal Assent on 26 October 2023. The FTPF Offence came into effect on 1 September 2025.

The aim of the FTPF Offence is to change the way in which organisations look at fraud and to encourage measures aimed at detecting and preventing fraud, in much the same way as the failure to prevent provisions in s.7 of the Bribery Act 2010 changed the way in which businesses looked at bribery when that Act was introduced.

This offence applies across the UK and can have extra-territorial reach when there is a “UK nexus” – see below for an explanation of what this means in practice.

Since the FTPF Offence was introduced, one of the main questions was what “reasonable procedures” should look like for fraud prevention. This Guidance outlines some recommended procedures that organisations can put in place to help prevent fraud.

What is the FTPF Offence?

This offence is set out in sections 199 – 206 and schedule 13 of ECCTA, and applies to large, incorporated bodies and partnerships across all sectors of the economy.

Organisations will be guilty of an offence if an associated person commits a fraud offence intending to directly or indirectly benefit the organisation or their clients. The definition of associated persons is again similar to that under the Bribery Act 2010. Associated persons include employees, agents, subsidiaries and others. It does not need to be demonstrated that senior managers or directors ordered or knew about the fraud.

A defence is available where the organisation can prove that they had reasonable prevention procedures in place, or that it would have been unreasonable to have expected prevention procedures to be in place.

What are large, incorporated bodies and partnerships?

“Incorporated bodies” include organisations incorporated or formed by any means, including but not limited to the Companies Act 2006, Royal Charter, and the Limited Liability Partnerships Act 2000. The FTPF Offence also applies to partnerships which are not bodies corporate, including Scottish Partnerships and Limited Partnerships formed under the Limited Partnerships Act 1907. As detailed below, this offence can also apply to incorporated bodies and partnerships outside of the UK in some circumstances.

“Large organisations” meet at least two out of the below three criteria, which apply to the whole organisation including subsidiaries:

  • More than 250 employees.
  • More than £36 million in turnover.
  • More than £18 million in total assets.

What does the Guidance say about reasonable fraud prevention procedures?

The Guidance provides more details on the meaning of “intending to benefit”, territoriality, and enforcement. However, a significant portion of this Guidance addresses reasonable fraud prevention procedures. In essence, the Guidance recommends that an organisation’s fraud prevention framework be informed by six flexible and outcome-focused principles:

  1. Top level commitment from those charged with the governance of the organisation.
  2. Risk assessment that is dynamic, documented, and regularly reviewed. Consider factors such as opportunities to commit fraud, systems that could incentivise fraud, and whether a culture might quietly tolerate fraud.
  3. Proportionate risk-based prevention procedures which are effectively implemented and enforced.
  4. Due diligence regarding people who perform or will perform services for or on behalf of the organisation.
  5. Communication and training to ensure that the prevention policies and procedures are embedded and understood throughout the organisation.
  6. Monitoring and review.

Again, there are significant similarities here with the guidance issued to accompany the Bribery Act 2010, and it should be relatively simple for most businesses to extend those principles to also deal with the new FTPF Offence.

Who has written the guidance?

The guidance has been written by the UK Home Office. It says it has been developed with input from the Crown Prosecution Service (CPS), Serious Fraud Office (SFO), HM Treasury, HMRC, Ministry of Justice, Cabinet Office, Attorney General’s Office and Financial Conduct Authority (FCA).

Are non-UK businesses in scope?

Many will be. Again, the extra-territorial provisions are similar to the Bribery Act 2010. Firstly, if an employee or associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted.

If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based.

But the guidance says “The offence will only apply where the associated person commits a base fraud offence under the law of part of the UK. This requires a UK nexus. By UK nexus, we mean that one of the acts which was part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK…The offence will not apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad with no UK nexus. This would be a matter for law enforcement in the country concerned.”

It is also important to remember that a subsidiary undertaking of a large organisation is an associated person for the purposes of the new offence. This means that it is possible for a parent company to be prosecuted for failure to prevent fraud where the initial fraud offence is committed corporately by a subsidiary and where the beneficiary is the parent organisation, or there is a connection with the parent company’s clients. Again, we have seen cases under the Bribery Act 2010 where parent companies outside the UK have been involved because of the acts of subsidiaries in the UK.

In addition, there are two ways in which frauds committed by the employee of a subsidiary may be in scope:

  1. if an employee of a subsidiary of a large organisation (where that subsidiary is not itself a large organisation) commits a fraud that is intended to benefit the subsidiary, the subsidiary may be prosecuted;
  2. if the employee of a subsidiary of a parent company that is a large organisation commits a fraud that is intended to benefit the parent company, that parent company may be prosecuted.

Can a director be personally liable for fraud offences?

Yes. A policy paper (Economic Crime and Corporate Transparency Act: failure to prevent fraud offence – GOV.UK) confirmed that the government will not be introducing individual liability under the failure to prevent offence. The reasoning was that individuals within the company can already be prosecuted for committing, encouraging, or assisting fraud, so it’s not proportionate to prosecute an individual where they did not consent or know about the fraud offence happening.

However, it is important to note that the law has not effectively changed with the new provisions. A director, manager, or officer can be personally liable for fraud under the Fraud Act 2006. A director, manager, or other senior person can be prosecuted when a corporate body commits an offence with the “consent and connivance” of its senior officers. For example, fraud by false representation is an offence under the Fraud Act 2006. If this offence were to be proven to have been committed with the consent or connivance (such as tacit permission or “blind eye knowledge”) of a senior officer, that officer along with the corporate body could be guilty of fraud by false representation. The maximum sentence for fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position is 10 years’ imprisonment.

It is important to remember that prosecutors will still prosecute people personally where that is in the interest of justice. The Guidance says:

“The prosecution of a corporate entity should not be a substitute for the prosecution of criminally culpable individuals such as directors, senior managers, officers, employees, shareholders or persons associated with the relevant corporate entity.”

A director or senior officer can also be personally liable for “consent and connivance” under other Acts such as the Bribery Act 2010 and the Terrorist Asset-Freezing Act 2010. The case of Huckerby v Elliott [1970] 1 All ER 189 is an example of a prosecution based on “wilful blindness” as a type of consent or connivance.

Another way in which an individual can be held personally liable is the criminal offence of fraudulent trading under section 993 of the Companies Act 2006: “If any business of a company is carried on with intent to defraud creditors of the company or creditors of any other person, or for any fraudulent purpose, every person who is knowingly a party to the carrying on of the business in that manner commits an offence”. The maximum sentence for this offence is also 10 years’ imprisonment.

What are the next steps?

This offence came into effect on 1 September 2025.

The clock has started, and as a result businesses will want to take a look at their own fraud prevention policies and procedures.

What are some practical tips to get started?

The plan of action for businesses will be different and will depend on the processes and procedures they already have in place. A starting point for many may include:

  1. Top level commitment: consider organising board level briefings and specialised sessions for senior managers. These events can focus not only on the details of the new offence, but also on soft skills to better influence organisational culture. Is it time for your organisation to reconsider the senior managers most responsible for fraud prevention? Should your organisation have a specific Chief Compliance Officer or will someone else like a Director or even the CEO for smaller firms take on those responsibilities? And what measures can be put in place to guard against conflicts or perceived conflicts including the need to hit targets vs the obligation to do business legally and ethically?
  2. Risk Assessment: A practical first step could be to examine what kinds of associated persons your organisation deals with, and whether your organisation is itself an associated person. It may be worth documenting your analysis work (e.g. gap analyses) with references to the Guidance’s fraud triangle, or mapping out how to build upon existing frameworks to include elements of the fraud triangle. It is wise to review the risk assessment regularly too, to catch new developments, e.g. GenAI applications making it easier than before to generate credible fake documentation to assist those committing fraud.
  3. Proportionate risk-based prevention procedures: Most organisations likely already have robust risk prevention processes in place, so organisations should start by identifying if existing processes could be amended or improved upon, or if whole new processes need to be developed and implemented, with a goal of avoiding duplication. You’ll need to look at the nature of your workforce too – for example studies suggest that Gen Z employees are more likely to bend or break workplace rules than older generations.
  4. Due Diligence: Again, many organisations already have solid due diligence processes and policies in place. However, this could also be a good time to think about the technology and software being used, and whether changes are needed. Additionally, it may be worth exploring whether contracts with vendors, agents etc. should be reviewed. Larger firms may also wish to review their due diligence policies for future acquisitions.
  5. Communication: This new offence, and the organisation’s fraud policies and ethos should be clearly understood by everyone within the organisation, and at all levels. Organisations should decide which teams will need more specialised and bespoke training, including in-person workshops. Organisations could also review the methods they use to monitor the effectiveness of the training provided e.g.: post training quizzes. In general, refreshing all staff on whistleblowing policies and an ethical way of doing business is also encouraged.
  6. Monitoring and Review: The guidance shows that investigations are a key element of fraud prevention; however, it is vital that those investigations are done properly so that they are defensible and, where necessary, preserve privilege. One element may be to take into account the rights of individuals, including under GDPR – investigations often involve large amounts of personal data, and data sharing between multiple different teams as well as external consultants, auditors and regulators.

For more information

There are more details on Punter Southall Law’s investigations practice here: Punter Southall Law Investigations Lawyers.

Jonathan Armstrong

Partner

Jonathan is an experienced lawyer based in London with a concentration on compliance & technology.  He is also a Professor at Fordham Law School teaching a new post-graduate course on international compliance.

Jonathan’s professional practice includes advising multinational companies on risk and compliance across Europe.  Jonathan gives legal and compliance advice to household name corporations on:

  • Prevention (e.g. putting in place policies and procedures);
  • Training (including state of the art video learning); and
  • Cure (such as internal investigations and dealing with regulatory authorities).

Jonathan Armstrong is recognised in The Legal 500 for his work in Data Protection, Privacy and Cybersecurity. The guide notes that “Jonathan Armstrong leads Punter Southall Law’s cybersecurity practice, which is well-positioned to advise on compliance mandates and high-stakes data breaches.”

Jonathan has handled legal matters in more than 60 countries covering a wide range of compliance issues.  He made one of the first GDPR data breach reports on behalf of a lawyer who had compromised sensitive personal data and he has been particularly active in advising clients on their response to GDPR.  He has conducted a wide range of investigations of various shapes and sizes (some as a result of whistleblowers), worked on data breaches (including major ransomware attacks), a request to appear before a UK Parliamentary enquiry, UK Bribery Act 2010, slavery, ESG & supply chain issues, helped businesses move sales online or enter new markets and managed ethics & compliance code implementation. 

Clients include Fortune 250 organisations & household names in manufacturing, technology, healthcare, luxury goods, automotive, construction & financial services.  Jonathan is also regarded as an acknowledged expert in AI and he currently serves on the New York State Bar Association’s AI Task Force looking at the impact of AI on law and regulation.  Jonathan also sits on the Law Society AI Group.

Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”.  He is a frequent broadcaster for the BBC and appeared on BBC News 24 as the studio guest on the Walport Review.  He is also a regular contributor to the Everything Compliance & Life with GDPR podcasts.  In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing.  He has spoken at conferences in the US, Japan, Canada, China, Brazil, Singapore, Vietnam, Mexico, the Middle East & across Europe.

Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology and risk and governance matters for more than 25 years.  He is regarded as a leading expert in compliance matters.  Jonathan has been selected as one of the Thomson Reuters stand-out lawyers for 2024 – an honour bestowed on him every year since the survey began.  In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK.  In 2016 Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica.  In 2019 Jonathan was the recipient of a Security Serious Unsung Heroes Award for his work in Information Security.  Jonathan is listed as a Super Lawyer and has been listed in Legal Experts from 2002 to date. 

Jonathan is the former trustee of a children’s music charity and the longstanding Co-Chair of the New York State Bar Association’s Rapid Response Taskforce which has led the response to world events in a number of countries including Afghanistan, France, Pakistan, Poland & Ukraine.

Some of Jonathan’s recent projects (including projects he worked on prior to joining Punter Southall) are:

  • Helping a global healthcare organisation with its data strategy. The work included data breach simulations and assessments for its global response team.
  • Helping a leading tech hardware, software and services business on its data protection strategy.
  • Leading an AI risk awareness session with one of the world’s largest tech businesses.
  • Looking at AI and connected vehicle related risk with a major vehicle manufacturer.
  • Helping a leading global fashion brand with compliance issues for their European operations.
  • Helping a global energy company on their compliance issues in Europe including dealing with a number of data security issues.
  • Working with one of the world’s largest chemical companies on their data protection program. The work involved managing a global program of audit, risk reduction and training to improve global-privacy, data-protection and data-security compliance.
  • Advising a French multinational on the launch of a new technology offering in 37 countries and coordinating the local advice in each.
  • Advising a well-known retailer on product safety and reputation issues.
  • Advising an international energy company in implementing whistleblower helplines across Europe.
  • Advising a number of Fortune 100 corporations on strategies and programs to comply with the UK Bribery Act 2010.
  • Advising a financial services business on its cyber security strategy. This included preparing a data breach plan and assistance in connection with a data breach response simulation.
  • Advising a U.S.-based engineering company on its entry into the United Kingdom, including compliance issues across the enterprise. Areas covered in our representation include structure, health and safety, employment, immigration and contract templates.
  • Assisting an industry body on submissions to the European Commission (the executive function of the EU) and UK government on next-generation technology laws. Jonathan’s submissions included detailed analysis of existing law and proposals on data privacy, cookies, behavioural advertising, information security, cloud computing, e-commerce, distance selling and social media.
  • Helping a leading pharmaceutical company formulate its social media strategy.
  • Served as counsel to a UK listed retailer and fashion group, in its acquisition of one of the world’s leading lingerie retailers.
  • Advising a leading U.S. retailer on its proposed entry into Europe, including advice on likely issues in eight countries.
  • Working with a leading UK retailer on its proposed expansion into the United States, including advice on online selling, advertising strategy and marketing.
  • Dealing with data export issues with respect to ediscovery in ongoing court and arbitration proceedings.
  • Advising a dual-listed entity on an FCPA investigation in Europe.
  • Acting for a U.S.-listed pharmaceutical company in connection with a fraud investigation of its Europe subsidiaries.
  • Acting for a well-known sporting-goods manufacturer on setting up its mobile commerce offerings in Europe.
  • Comprehensive data protection/privacy projects for a number of significant U.S. corporations, including advice on Safe Harbor Privacy Shield and DPF.
  • Risk analysis for an innovative software application.
  • Assisting a major U.S. corporation on its response to one of the first reported data breaches.
  • Work on the launch of an innovative new online game for an established board game manufacturer in more than 15 countries.
  • Advice on the setting up of Peoplesoft and other online HR programs in Europe, including data protection and Works Council issues.
  • Advising a leading fashion retailer in its blogging strategy.
  • Advising one of the world’s largest media companies on its data-retention strategy.
  • Advising a multinational software company on the marketing, development and positioning of its products in Europe.