Failure to Prevent

Placeholder Picture


The UK Bribery Act 2010 introduced the ‘failure to prevent’ approach to corporate criminal liability. The Criminal Finances Act 2017 also contains ‘failure to prevent the facilitation of tax evasion’ offences.

Now, the Economic Crime and Corporate Transparency Bill ('the Bill') is at an advanced stage of the legislative process, introducing the risk of prosecution for non-compliant 'large organisations' whose employees or agents commit fraud.

Placeholder Picture

A large organisation is an organisation which satisfies two or more of the following conditions in the financial year preceding the year of the offence: (i) more than 250 employees: (ii) more than £36 million turnover; and / or (iii) assets of more than £18 million.

The Bill could receive Royal Assent before the end of 2023.

What's New?

A large organisation which fails to prevent fraud by an associated person could be prosecuted in the criminal courts.

On 6 September 2023 the House of Commons (HoC) considered earlier amendments proposed by the House of Lords in July 2023. The HoC chose to:

  • exempt small and medium-sized enterprises (SME) from the failing to prevent offence; and
  • remove a proposed extension to include failure to prevent money laundering.

When Royal Assent is granted and the Bill becomes an Act of Parliament, a large organisation could be strictly liable if:

  • a specified offence is committed by an employee or other associated person (e.g., contractor, intermediary or agent);
  • the fraud is intended to benefit the organisation or a person to whom services are provided on behalf of the organisation (e.g., customers and clients); and
  • the organisation did not have reasonable procedures in place to prevent the fraud from arising.

The offence will also apply to a parent company where the parent entity and its subsidiaries meet, in aggregate, two or more of the large organisation criteria.

The government is expected to issue guidance on reasonable procedures, prior to the failure to prevent offence entering into force.

Useful links:
Gov.UK Factsheet
The Bill - Current status

What's the impact?

Prosecution Risk

A large organisation could be liable where an employee (or agent) commits a specified offence for the organisation's benefit, where reasonable procedures are not in place to prevent involvement in a specified offence:

  • There would be no requirement to demonstrate senior management knowledge of an employee or agent committing a specified offence.
  • Criminal liability could apply to organisations which fail to assess and respond to the risk of fraud involving employees or agents.

If an employee of a large organisation commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.

Regulatory Risk

Firms supervised by the Financial Conduct Authority ('FCA') are already subject to compliance with regulatory requirements set out in the FCA Handbook, which include: "A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime." [SYSC 3.2.6

A large organisation supervised by the FCA could be subject to regulatory intervention or enforcement activity if significant non-compliance is identified with a legal or regulatory requirement. 

Internal Control Risk

The failure to prevent fraud offence under criminal law will apply to all 'large organisations'.  When passed, the new Act will: 

  1. Discourage organisations from turning a blind eye to fraud events. 
  2. Encourage implementation and maintenance of reasonable fraud prevention procedures (e.g., using a risk-based approach).
  3. Make it easier to prosecute non-compliant organisations in the criminal court.

Placeholder Picture

Is there a defence?

Reasonable Prevention Procedures

The Bribery Act 2010 provides a defence in law for the failure to prevent bribery offence. A similar defence will be available if a large organisation can show that despite a particular case of fraud, it nevertheless has reasonable prevention procedures in place to prevent persons associated with it from committing a specified offence. 

Whether current arrangements are sufficient requires consideration of how a large organisation could be linked to a specified offence and assessing whether existing controls would be considered reasonable.

It may be reasonable to have no prevention procedures in place (e.g., where the assessed risk is extremely low and the rationale is sufficiently documented).

Risk Assessment

An appropiate defence would involve documenting an assessment of where fraud risk might be present in a large organisation's operating environment.

Examples of areas to review/assess include:

  • Tone-from-the top (e.g., Policy content).
  • Management information (e.g., Key risk indicators).
  • Understanding of the risks (e.g., Fraud typologies).
  • Internal controls (e.g., Effectiveness of fraud prevention measures).
  • Transaction risk (e.g., In supply and distribution activity). 
  • Funds flow (e.g., Transparency and legitimacy). 
  • Use of agents or intermediaries (e.g., Contract terms and conditions).
  • Staff awareness of fraud (e.g., Training content and completion rates).
  • Whistle-blowing (e.g., suspicion and incident-reporting arrangements).

Risk Response

A large organisation's response to assesed risk should reduce opportunity for fraud-related events, incorporating measures to manage, eliminate, or limit the impact of risk-events. An effective response could include:

  • Board or senior management team engagement. 
  • Risk-based procedure to reduce opportunity for misconduct.
  • Clarity of responsibility for risk-ownership, oversight and testing of, the application of policy and procedure.
  • Raising staff awareness of fraud risk.
  • A mechanism for staff to report suspected misconduct.
  • Reporting to senior management on key risk indicators and control testing.
  • Escalation and reporting of notifiable events.
  • Routine review/refresh of applicable policy and procedure.
  • Obtain specialist support / assistance where necessary.

Additional context


Government guidance should help inform a focus for what to consider for inclusion in an organisation's reasonable prevention or internal defence arrangements, but guidance is not prescriptive.

The content of reasonable procedures for company 'A' may not be suited to company 'B', due to differences in organisational structure, operations, control environment or product/service offering.

SYSC326 supports organisations to identify and respond to fraud risk, or fraud events, and to prepare for the new failing to prevent fraud offence, by:

  • Supporting stakeholder planning for the new failure to prevent offence.
  • Advising on fraud control framework design and implementation.
  • Facilitating fraud risk-assessments.
  • Supporting development of policy and risk-based operating procedure.
  • Supporting Compliance monitoring and assurance testing arrangements.

Frequently Asked Questions

Our Services
Placeholder Picture
Useful links
UK Parliament - Bill Timeline
Gov.UK Factsheet: failure to prevent fraud offence

Fraud - FCA Handbook

FCA - Fraud Reporting

Fraud Advisory Panel

FAQ on Fraud

SYSC326 Fraud Services