Failure to Prevent Fraud: What ECCTA Means for Accountants and Finance Teams
The UK failure-to-prevent-fraud offence is in force. Who is in scope, what reasonable procedures require, and why false accounting puts finance teams at the centre.
Since 1 September 2025, large organisations in the UK can be criminally liable if a person associated with them commits fraud intended to benefit the organisation — unless the organisation can prove it had reasonable fraud-prevention procedures in place. The "failure to prevent fraud" offence, created by the Economic Crime and Corporate Transparency Act 2023 (ECCTA), is the most significant expansion of UK corporate criminal liability since the Bribery Act 2010 — and accountants sit squarely in the middle of it.
What the offence actually says
A large organisation commits an offence where a specified fraud offence is committed by an employee, agent, subsidiary or other "associated person", intending to benefit (directly or indirectly) the organisation or its clients. There is no need to show that directors knew. The only full defence is that the organisation had reasonable fraud prevention procedures in place at the time — or that it was reasonable to have none.
The base fraud offences include fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, false accounting, false statements by company directors, fraudulent trading and cheating the public revenue.
Who is in scope?
The offence applies to "large organisations" meeting at least two of three criteria: more than 250 employees, more than £36 million turnover, or more than £18 million in total assets. The thresholds are assessed at group level, so subsidiaries of large groups are caught even if small themselves. The offence has extraterritorial reach: an overseas company can be liable if the fraud has a UK nexus.
Why this lands on the finance function
False accounting is a predicate offence
Aggressive revenue recognition, misstated accruals, window-dressed covenant calculations — conduct that once lived in the grey zone of "accounting judgement" can now expose the organisation to corporate criminal liability if done dishonestly to benefit it. Finance teams own the controls that prevent it.
Fraud risk assessment is the cornerstone
Government guidance sets out six principles for reasonable procedures: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring and review. The risk assessment must be documented, specific and refreshed — generic policies copied from the Bribery Act era will not survive scrutiny. The architecture mirrors existing AML and due-diligence frameworks, and in most organisations finance and risk teams are jointly building it.
Auditors and advisers face two-way exposure
Accountancy firms above the size thresholds are themselves in scope — a partner or employee committing fraud to win or keep a client engagement could trigger the offence for the firm. At the same time, auditors of in-scope clients are reassessing fraud-risk procedures under ISA (UK) 240 in light of the new corporate offence.
What "reasonable procedures" look like in practice
- A board-approved fraud prevention policy with named senior ownership.
- A documented, entity-specific fraud risk assessment covering internal and external fraud committed for the organisation's benefit — not just fraud against it.
- Controls mapped to the highest-risk areas: revenue recognition, procurement, sales incentives, financial reporting, tender processes.
- Training that reaches the people who can actually commit benefit fraud — sales, commercial, finance — not just a compliance e-learning rollout.
- Whistleblowing channels that are tested, and investigation protocols that preserve evidence.
- Periodic review with documented outcomes — regulators will ask when procedures were last refreshed.
Identification doctrine: the second ECCTA change
ECCTA also reformed the identification doctrine: organisations of any size can now be criminally liable for economic crimes committed by senior managers acting within their actual or apparent authority. Unlike failure to prevent fraud, this applies to companies of every size — a point widely missed in smaller firms.
Frequently Asked Questions
When did the failure to prevent fraud offence come into force?
1 September 2025. The offence is live and the Serious Fraud Office has signalled active interest in early enforcement.
Does it apply to small companies?
The failure-to-prevent offence applies only to large organisations (two of: 250+ employees, £36m+ turnover, £18m+ assets, assessed at group level). But the reformed identification doctrine applies to organisations of all sizes.
What is the penalty?
An unlimited fine for the organisation, alongside the reputational and regulatory consequences of a criminal conviction.
Is fraud against the company covered?
No — the offence covers fraud committed to benefit the organisation or its clients. Fraud against the organisation remains a matter for internal controls and ordinary criminal law.
Study with Learnsignal
Fraud risk, corporate criminal liability and economic crime compliance are now permanent fixtures of the finance agenda. Learnsignal's flexible online CPD courses help qualified accountants build practical compliance knowledge around a full-time workload, with expert-led content you can study anywhere.
Learnsignal Education Team