Skip to content
Get In Touch Support Hub Partners Investors
Free trial Book a demo
Back to blog

Failure to Prevent Fraud Guidance

5 minute read

Fraud
failure to prevent fraud
Last updated: May 22, 2025

As fraudsters deploy ever more sophisticated tactics—from payment and identity theft to targeted cyber scams—organisations face mounting challenges in safeguarding their operations. We examine the new legislation around the failure to prevent fraud and what it means for UK firms.

The Economic Crime and Corporate Transparency Act (ECCTA) 2023 tackles the increased sophistication of fraud head-on by introducing a new corporate offence of “failure to prevent fraud”, coming into force on 1 September 2025.

Under this regime, large UK companies can be held criminally liable if an “associated person” (employee, agent, subsidiary, or similar) commits fraud to benefit the organisation unless the company can demonstrate it had reasonable fraud prevention procedures in place. 

A large UK company is defined as one that meets two of the following:

  • over 250 employees
  • more than £36 million turnover
  • over £18 million in total assets

See our Fraud Prevention Training Package

Fraud prevention framework: Six guiding principles

Chapter 3 of the ECCTA guidance lays out six interlocking components of “reasonable” fraud prevention procedures:

1. Top level commitment

Visible endorsement from the board and senior management, embedding anti-fraud responsibilities into governance. Senior management plays a pivotal role by allocating appropriate resources and training as well as modelling ethical behaviour. By fostering an open culture where employees feel empowered to report suspicious activity, leaders ensure that fraud is neither accepted nor concealed at any level of the organisation.

2. Risk assessment

Organisations must continually assess and document their exposure to fraud risks posed by employees, agents, and other “associated persons,” maintaining a dynamic risk assessment that is regularly reviewed. Rather than creating a separate process, firms can extend existing fraud and economic crime assessments to cover offences under the ECCTA.

This dynamic, fraud-specific evaluation helps firms identify areas where they are most vulnerable - for example, payment flows, customer onboarding, and third-party intermediaries - and then quantify the potential impact.

3. Proportionate, risk-based procedures

Based on its dynamic risk assessment, the organisation should develop a fraud-prevention plan with measures proportionate both to the likelihood and potential impact of each risk and to the degree of control it can exert over different associated persons (for example, employees versus outsourced contractors).

Any decision to forgo particular controls must be formally documented and periodically reviewed. While existing compliance frameworks - such as financial reporting or health-and-safety processes - can help mitigate related fraud risks, they cannot be assumed to satisfy the “reasonable procedures” requirement under the ECCTA without specific adaptation to address fraud prevention.

4. Due diligence

 An organisation must implement proportionate, risk-based due diligence on all individuals and entities acting for or on its behalf to address its specific fraud exposures. Vetting “associated persons” (especially third parties) before and during engagement, with contractual fraud-prevention clauses where appropriate is particularly important.

While many firms already perform extensive checks for high-risk sectors or transactions, these existing processes must be explicitly tailored to the corporate “failure to prevent fraud” offence. Simply relying on generic due diligence for other risks is insufficient; organisations should clearly define and document fraud-focused vetting procedures to ensure they effectively mitigate the relevant threats.

5. Communication

An effective fraud-prevention framework relies on clear, organisation-wide communication and ongoing training. Senior and middle management should consistently articulate and endorse a zero-tolerance policy - reinforcing it in internal and external messaging - so that everyone providing services for the organisation understands the rules and repercussions of fraudulent conduct.

It might be useful for firms to require fraud-specific training for employees and third parties, ensuring they can spot warning signs, escalate concerns, and follow whistleblowing procedures. Integrating fraud reminders into existing policies (e.g. sales targets) and sharing investigation outcomes and sanctions further embeds awareness and highlights the real consequences of non-compliance.

6. Monitoring and review

The organisation should continuously monitor and review its fraud detection and prevention procedures - drawing on insights from investigations, whistleblowing incidents, and sector-wide developments - to identify weaknesses and implement targeted improvements. This ensures that controls evolve in line with emerging risks and best practices.

Why risk assessment is critical

A robust fraud risk assessment is the cornerstone of compliance. It forces organisations to pinpoint:

  • Which fraud risks matter most (e.g., cyber-enabled invoice fraud vs. internal embezzlement)
  • How controls should be designed and prioritised
  •  Where residual risk sits, helping the board weigh the cost of further controls against business realities

Without an up-to-date assessment, procedures become stale - document dust on a shelf rather than a living defence.

Leveraging technology and AI - with caution

Advanced analytics and AI can supercharge your financial crime and fraud-detection functions. Machine-learning models (like HSBC’s risk-advisory tool) adapt to novel fraud patterns, reducing false positives and freeing up investigators. However, keep in mind:

  • Explainability: Regulators will ask for clarity on how models make decisions.
  • Ownership and governance: The risk committee must understand who owns the model, how it’s validated, and what data feeds into it.
  • Human oversight: AI should augment - not replace - trained compliance professionals.

Embedding robust, risk-based procedures

Too often, anti-fraud training and policy attestation are “sheep-dip” exercises—one-size-fits-all e-learning modules and generic memos that employees ignore. To make procedures stick:

  • Anchor controls to the individual: Show staff how a phishing email, for example, could target them in their role and the consequences.
  • Positive reinforcement: Recognise and reward proactive fraud reporting.
  • Local nuances: Adapt processes to the payment methods and regulatory regimes of each jurisdiction you operate in.

Ensuring effective training

The ECCTA requires “reasonable measures” in both controls and training. Effective programmes:

  1. Are data-driven, using incident metrics to refine content
  2. Offer tiers of training: basic for all staff, specialist modules for high-risk teams
  3. Are bite-sized and regular, rather than once-a-year marathon sessions
  4. Clearly signpost escalation routes so employees know whom to contact when they spot anomalies

How culture impacts the failure to prevent fraud

Culture isn’t just boardroom rhetoric. During onboarding, assess cultural fit - and remind long-standing staff that fraud is a crime, not a commercial quirk. As “fraud-as-a-service” tools proliferate on the dark web, and insider fraud grows more prevalent, no organisation can afford complacency. Embedding a culture of awareness can be the difference between a firm falling victim to fraud and standing up against it.

With fraud accounting for nearly 40% of all crime in England and Wales, ECCTA’s “failure to prevent fraud” offence represents a watershed moment. Companies must act now - review risk assessments, refresh training, harness technology responsibly and, above all, cultivate a culture that treats every employee as a vital gatekeeper in the fight against financial crime.

Want to learn more about Fraud?

We’ve created a comprehensive AML & CTF roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.

We also have additional free resources such as e-learning modules, microlearning modules, and more.

Explore our collection

Written by: Emmeline de Chazal

Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.

Emmeline de Chazal

Related articles

the-fraud-act-2006-|-a-comprehensive-guide-|-skillcast
Fraud

The Fraud Act 2006 | A Comprehensive Guide | Skillcast

6 minute read

With our guide, you can learn everything you need to know about the Fraud Act 2006, from what it covers to how to protect your business from fraud.

Read more
bank-fraud-&-how-to-prevent-it-|-skillcast
Fraud Financial Crime

Bank Fraud & How to Prevent it | Skillcast

4 minute read

Learn about the key types of bank fraud and how to prevent them with effective strategies and training. Protect your financial institution with Skillcast.

Read more
fraud-reporting:-5-simple-steps-|-fraud-prevention-|-skillcast
Fraud

Fraud Reporting: 5 Simple Steps | Fraud Prevention |...

6 minute read

Think you’ve spotted fraud? Whether it’s tax fraud, cybercrime or something else, here’s a Skillcast guide to help you confidentially report fraud to the authorities.

Read more
Visit the blog