Failure to Prevent

Placeholder Picture


The UK Bribery Act 2010 introduced the ‘failure to prevent’ approach to corporate criminal liability. The Criminal Finances Act 2017 also contains ‘failure to prevent the facilitation of tax evasion’ offences.

Now, the Economic Crime and Corporate Transparency Act (ECCTA) 2023 introduces the risk of prosecution for non-compliant 'large organisations' whose associated persons (e.g., employees, agents or subsidiaries) commit fraud, intending to benefit (whether directly or indirectly) the large organisation.

Placeholder Picture

A large organisation is an organisation which satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees: (ii) more than £36 million turnover; and / or (iii) assets of more than £18 million.

What's New?

The ECCTA received Royal Assent on 26 October 2023.

Under Sec.199 of the ECCTA, a large organisation which fails to maintain reasonable procedures, designed to prevent fraud by an associated person, could soon be prosecuted in the criminal courts.

ECCTA provisions will come into force at a later date. The delay is to allow:

  • The government to initiate a consultation in 2024 on the content of guidance to be introduced on ‘reasonable fraud prevention procedures’ and the new failure to prevent fraud offence.
  • Companies sufficient time to prepare for the new requirements.

When implemented the ECCTA provides that large organisations could be strictly liable if:

  • a specified offence is committed by an employee or other associated person (e.g., contractor, intermediary or agent);
  • the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation (e.g., customers and clients); and
  • the organisation did not have reasonable prevention procedures in place to prevent the fraud from arising.

The offence will also apply to a parent entity where the parent and its subsidiaries meet, in aggregate, two or more of the large organisation criteria.

The government is expected to issue guidance on reasonable procedures, prior to the failure to prevent offence entering into force.

What's the impact?

Prosecution Risk

A large organisation could be liable where an employee (or agent) commits a specified offence for the organisation's benefit, where reasonable procedures are not in place to prevent involvement in a specified offence:

  • There would be no requirement to demonstrate senior management knowledge of an employee or agent committing a specified offence.
  • Criminal liability could apply to organisations which fail to assess and respond to the risk of fraud involving employees or agents.

If an employee of a large organisation commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.

Regulatory Risk

Firms supervised by the Financial Conduct Authority ('FCA') are already subject to compliance with regulatory requirements set out in the FCA Handbook, which include: "A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime." [SYSC 3.2.6

A large organisation supervised by the FCA could be subject to regulatory intervention or enforcement activity if significant non-compliance is identified with a legal or regulatory requirement. 

Internal Control Risk

The failure to prevent fraud offence under criminal law will apply to all 'large organisations'.  When passed, the new Act will: 

  1. Discourage organisations from turning a blind eye to fraud events. 
  2. Encourage implementation and maintenance of reasonable fraud prevention procedures (e.g., using a risk-based approach).
  3. Make it easier to prosecute non-compliant organisations in the criminal court.

Placeholder Picture

Is there a defence?

Reasonable Prevention Procedures

The Bribery Act 2010 provides a defence in law for the failure to prevent bribery offence. A similar defence will be available if a large organisation can show that despite a particular case of fraud, it nevertheless has reasonable prevention procedures in place to prevent persons associated with it from committing a specified offence. 

Whether current arrangements are sufficient requires consideration of how a large organisation could be linked to a specified offence and assessing whether existing controls would be considered reasonable.

It may be reasonable to have no prevention procedures in place (e.g., where the assessed risk is extremely low and the rationale is sufficiently documented).

Risk Assessment

An appropiate defence would involve documenting an assessment of where fraud risk might be present in a large organisation's operating environment.

Examples of areas to review/assess include:

  • Tone-from-the top (e.g., Policy content).
  • Management information (e.g., Key risk indicators).
  • Understanding of the risks (e.g., Fraud typologies).
  • Internal controls (e.g., Effectiveness of fraud prevention measures).
  • Transaction risk (e.g., In supply and distribution activity). 
  • Funds flow (e.g., Transparency and legitimacy). 
  • Use of agents or intermediaries (e.g., Contract terms and conditions).
  • Staff awareness of fraud (e.g., Training content and completion rates).
  • Whistle-blowing (e.g., suspicion and incident-reporting arrangements).

Risk Response

A large organisation's response to assesed risk should reduce opportunity for fraud-related events, incorporating measures to manage, eliminate, or limit the impact of risk-events. An effective response could include:

  • Board or senior management team engagement. 
  • Risk-based procedure to reduce opportunity for misconduct.
  • Clarity of responsibility for risk-ownership, oversight and testing of, the application of policy and procedure.
  • Raising staff awareness of fraud risk.
  • A mechanism for staff to report suspected misconduct.
  • Reporting to senior management on key risk indicators and control testing.
  • Escalation and reporting of notifiable events.
  • Routine review/refresh of applicable policy and procedure.
  • Obtain specialist support / assistance where necessary.

Additional context


Government guidance should help inform a focus for what to consider for inclusion in an organisation's reasonable prevention or internal defence arrangements, but guidance is not prescriptive.

The content of reasonable procedures for company 'A' may not be suited to company 'B', due to differences in organisational structure, operations, control environment or product/service offering.

SYSC326 supports organisations to identify and respond to fraud risk, or fraud events, and to prepare for the new failing to prevent fraud offence, by:

  • Supporting stakeholder planning for the new failure to prevent offence.
  • Advising on fraud control framework design and implementation.
  • Facilitating fraud risk-assessments.
  • Supporting development of policy and risk-based operating procedure.
  • Supporting Compliance monitoring and assurance testing arrangements.

Failure to Prevent Fraud FAQ

Our Services
Placeholder Picture
Useful links
UK Parliament
Factsheet: failure to prevent fraud offence

Identification principle for economic crime offences

Fraud - FCA Handbook

FCA - Fraud Reporting

Fraud Advisory Panel

FAQ on Fraud

SYSC326 Fraud Services