Failure to Prevent Fraud Guidance

Last updated: June 18, 2025

Fraudsters are deploying increasingly sophisticated tactics – from payment and identity theft to targeted cyber scams – putting both individuals and firms at risk. Their use of technologies like AI, including deepfakes, has heightened the risks further, enabling them to evade standard checks and scale up their activity.

Fraud is costly for banks and other organisations, both in terms of the time it takes to manage cases and refunding customers who’ve lost money. But it also erodes consumer and business confidence, and often fuels serious organised crime.

The Economic Crime and Corporate Transparency Act (ECCTA) 2023 tackles the increased sophistication of fraud head-on by introducing a new corporate offence of "failure to prevent fraud", coming into force on 1 September 2025.

Under this regime, large UK companies can be held criminally liable if an “associated person” (employee, agent, subsidiary, or similar) commits fraud to benefit the organisation, unless the company can demonstrate it had reasonable fraud prevention procedures in place.

A large UK company is defined as one that meets two of the following:

  • over 250 employees
  • more than £36 million turnover
  • over £18 million in total assets

Fraud prevention: Six guiding principles

Chapter 3 of the ECCTA guidance lays out six interlocking components of “reasonable” fraud prevention procedures:

1. Top level commitment

Visible endorsement from the board and senior management, embedding anti-fraud responsibilities into governance. Senior management plays a pivotal role by allocating appropriate resources and training as well as modelling ethical behaviour. By fostering an open culture where employees feel empowered to report suspicious activity, leaders ensure that fraud is neither accepted nor concealed at any level of the organisation.

2. Risk assessment

Organisations must continually assess and document their exposure to fraud risks posed by employees, agents, and other “associated persons,” maintaining a dynamic risk assessment that is regularly reviewed. Rather than creating a separate process, firms can extend existing fraud and economic crime assessments to cover offences under the ECCTA.

This dynamic, fraud-specific evaluation helps firms identify areas where they are most vulnerable - for example, payment flows, customer onboarding, and third-party intermediaries - and then quantify the potential impact.

3. Proportionate, risk-based procedures

Based on its dynamic risk assessment, the organisation should develop a fraud-prevention plan with measures proportionate both to the likelihood and potential impact of each risk and to the degree of control it can exert over different associated persons (for example, employees versus outsourced contractors).

Any decision to forgo particular controls must be formally documented and periodically reviewed. While existing compliance frameworks - such as financial reporting or health-and-safety processes - can help mitigate related fraud risks, they cannot be assumed to satisfy the “reasonable procedures” requirement under the ECCTA without specific adaptation to address fraud prevention.

4. Due diligence

An organisation must implement proportionate, risk-based due diligence on all individuals and entities acting for or on its behalf to address its specific fraud exposures. Vetting “associated persons” (especially third parties) before and during engagement, with contractual fraud-prevention clauses where appropriate, is particularly important.

While many firms already perform extensive checks for high-risk sectors or transactions, these existing processes must be explicitly tailored to the corporate “failure to prevent fraud” offence. Simply relying on generic due diligence for other risks is insufficient; organisations should clearly define and document fraud-focused vetting procedures to ensure they effectively mitigate the relevant threats.

5. Communication

An effective fraud-prevention framework relies on clear, organisation-wide communication and ongoing training. Senior and middle management should consistently articulate and endorse a zero-tolerance policy - reinforcing it in internal and external messaging - so that everyone providing services for the organisation understands the rules and repercussions of fraudulent conduct.

It might be useful for firms to require fraud-specific training for employees and third parties, ensuring they can spot warning signs, escalate concerns, and follow whistleblowing procedures. Integrating fraud reminders into existing policies (e.g. sales targets) and sharing investigation outcomes and sanctions further embeds awareness and highlights the real consequences of non-compliance.

6. Monitoring and review

The organisation should continuously monitor and review its fraud detection and prevention procedures - drawing on insights from investigations, whistleblowing incidents, and sector-wide developments - to identify weaknesses and implement targeted improvements. This ensures that controls evolve in line with emerging risks and best practices.

Preparing for the failure to prevent fraud offence

With the failure to prevent fraud offence set out in the ECCTA due to come into force soon, we hosted a webinar for industry professionals to help them navigate the new rules.

The webinar, chaired by Scott Morris, Advisory Board Member, Skillcast, brought together Jim Bridges, Head of Risk & Compliance, Allsop LLP, and Martin Schofield, Group MLRO, Market Financial Solutions, to share their insights and advice.

A quick poll of attendees found that very few are ready for the new offence set out in the ECCTA, despite the deadline being just a few months away:

  • 2% are completely ready
  • 20% are partially ready (written and approved but not embedded)
  • 60% say there’s more to do to be ready by the deadline
  • 18% say there’s more to do and are concerned their firm won’t be ready

The biggest concern, highlighted by 69% of respondents, is creating and managing a fraud risk assessment, with just over half indicating they are struggling to define the firm’s agents, partners and associates.

During the webinar, attendees asked the experts a number of questions, which we’ve collated below to help you understand what ECCTA means for your business and how you can prepare.

1. Apart from training, what are more examples of proportionate prevention procedures?

The following are all examples of proportionate prevention procedures:

  • Policies
  • Fraud risk assessments
  • Internal audit functions with fraud controls
  • Whistleblowing mechanisms
  • Due diligence on third parties (including suppliers, vendors, consultants, representatives)
  • Anti-fraud clauses in contracts
  • Disciplinary policies
  • A documented fraud prevention strategy

Guidance from the Ministry of Justice on the Bribery Act offers a helpful analogy, since it also requires firms to identify their associated persons, as the ECCTA does.

2. What are the best risk assessment templates to use to support the risk assessment process?

Use the HM Government’s National Risk Assessment format as a baseline. You can also adapt the FCA Financial Crime Guide templates, but consider sector-specific templates from JMLSG or the SRA (legal sector). Finally, it’s important to choose a format that allows you to document the methodology, controls, rationale and outcomes.

Why risk assessment is critical

A robust fraud risk assessment is the cornerstone of compliance. It forces organisations to pinpoint:

  • Which fraud risks matter most (e.g., cyber-enabled invoice fraud vs. internal embezzlement)
  • How controls should be designed and prioritised
  • Where residual risk sits, helping the board weigh the cost of further controls against business realities

Without an up-to-date assessment, procedures become stale: documents gathering dust on a shelf rather than a living defence.

3. Is there any guidance on associated persons?

Yes. "Associated persons" under ECCTA s.199 follow the Bribery Act 2010 model: persons performing services for or on behalf of the organisation. This includes employees, agents, subsidiaries and contractors. You can find more information in the ECCTA Explanatory Notes and the MOJ Bribery Guidance §33–38.

4. How does the offence work for groups of companies?

Each UK-incorporated body is individually assessed for scope under Schedule 1. You can implement group-wide policies for compliance purposes, but liability applies to each entity individually. If your company operates internationally, only UK-incorporated entities are covered.

5. Do UK branches with fewer than 250 employees include all employees globally? 

No. Under Schedule 1, the 250-employee threshold only applies to employees of the UK-incorporated body. Global headcount is not usually aggregated unless part of the same UK legal entity.

6. What are the reporting aspects of the ECCTA? Should a suspicion of fraud also be referenced to the NCA when making a SAR?

The ECCTA does not change Suspicious Activity Report (SAR) obligations. If you suspect fraud or money laundering, a SAR must be filed with the NCA under POCA 2002. Refer to NCA SARs Guidance for details.

7. Is an outsourced payroll service considered an "associated person" from a Failure to Prevent Fraud perspective?

It could be. Outsourced payroll may be an “associated person” under ECCTA s.199 if performing services for or on behalf of the organisation. A risk-based assessment will help you to determine this. Again, it’s similar to the Bribery Act, so take a look at those requirements.

8. Does the new ECCTA Failure to Prevent Fraud offence potentially go further than the existing corporate offences for Bribery and Tax Evasion in terms of scope and seriousness?

Bribery and tax evasion offences are often difficult to detect and prove in their own right – but the concept of fraud is much broader. In practice, many forms of misconduct could include a fraudulent element – which significantly expands the range of activity that could fall within scope. This seems to create a broader and more easily triggered corporate offence.

The ECCTA Failure to Prevent Fraud offence under s.199 captures a broader spectrum of misconduct. The Fraud Act 2006, which covers false representation, failure to disclose and abuse of position, creates wider scope for prosecution than bribery or tax evasion. This means the threshold for triggering liability may be lower because of the breadth of the criminal conduct in scope.

9. What is the territorial scope of the Failure to Prevent Fraud?

The offence applies to UK-incorporated bodies or partnerships, or foreign bodies carrying on business in the UK (ECCTA s.199(6)). An associated person could be acting in another part of the world, but the UK-linked firm can still be liable if the associated person’s actions are intended to benefit it.

10. Is the act applicable if a company has fewer than 250 employees but projects to reach more than that by the end of the year?

No. Thresholds are assessed at the time of the offence, so projected future headcount doesn’t count. Under Schedule 1 ECCTA 2023, the employee count must be more than 250 on a rolling 12-month basis at the relevant time.

11. What type of firms are in scope for ECCTA in terms of number of employees, turnover and assets under management (AUM)?

ECCTA applies if you meet two or more of the following:

  • More than 250 employees
  • Turnover > £36 million
  • Balance sheet total > £18 million

Assets Under Management (AUM) is not a listed criterion.

12. Who’s responsible for overseeing compliance if you don’t have a risk department?

Responsibility will normally fall to your MLRO (Money Laundering Reporting Officer), or the financial crime, compliance, finance or legal team.

If you don’t have a risk function, assign responsibility to the most senior governance/control team with cross-functional reach, and remember that responsibility must be at board or executive level. The MOJ Bribery Guidance ‘Top-Level Commitment’ section has more information.

13. What do firms need to do in order to 'evidence' Top-Level Commitment?

All these principles are designed to help firms defend themselves if they’re accused of, or charged with, failing to prevent fraud and end up in court.

Demonstrating that you have taken every step to prevent fraud is key. You’ll need to provide evidence such as:

  • A formal fraud prevention policy approved by the board
  • Training attendance logs
  • Documented executive oversight at board level (monitoring of KPI/BI, risk and issue management)
  • Minutes of board discussion/decisions relating to fraud prevention
  • KPI tracking of fraud risk mitigation activities
  • Records of discussion of prior and open cases with relevance and/or lessons to learn

Take a look at examples of case law on corporate offence defence evidence thresholds (for example, Skansen Interiors) for more information.

14. Should firms perform DBS checks on personnel?

There is no statutory requirement for DBS checks under ECCTA; instead, a risk-based approach applies. DBS checks may be appropriate for high-risk roles (such as board members, MLRO, compliance officer, finance and procurement), although no frequency is specified. Align these checks with your internal hiring policy and consider periodic review or annual attestation.

How does culture impact the failure to prevent fraud?

Culture isn’t just boardroom rhetoric. During onboarding, assess cultural fit - and remind long-standing staff that fraud is a crime, not a commercial quirk. As “fraud-as-a-service” tools proliferate on the dark web, and insider fraud grows more prevalent, no organisation can afford complacency. Embedding a culture of awareness can be the difference between a firm falling victim to fraud and standing up against it.

With fraud accounting for nearly 40% of all crime in England and Wales, ECCTA’s “failure to prevent fraud” offence represents a watershed moment. Companies must act now - review risk assessments, refresh training, harness technology responsibly and, above all, cultivate a culture that treats every employee as a vital gatekeeper in the fight against financial crime.

Embedding robust, risk-based procedures

Too often, anti-fraud training and policy attestation are “sheep-dip” exercises—one-size-fits-all e-learning modules and generic memos that employees ignore. To make procedures stick:

  • Anchor controls to the individual: Show staff how a phishing email, for example, could target them in their role and the consequences.
  • Positive reinforcement: Recognise and reward proactive fraud reporting.
  • Local nuances: Adapt processes to the payment methods and regulatory regimes of each jurisdiction you operate in.

Ensuring effective training

The ECCTA requires “reasonable measures” in both controls and training. Effective programmes:

  1. Are data-driven, using incident metrics to refine content
  2. Offer tiers of training: basic for all staff, specialist modules for high-risk teams
  3. Are bite-sized and regular, rather than once-a-year marathon sessions
  4. Clearly signpost escalation routes so employees know whom to contact when they spot anomalies

Leveraging technology and AI with caution

Advanced analytics and AI can supercharge your financial crime and fraud-detection functions. Machine-learning models (like HSBC’s risk-advisory tool) adapt to novel fraud patterns, reducing false positives and freeing up investigators. However, keep in mind:

  • Explainability: Regulators will ask for clarity on how models make decisions.
  • Ownership and governance: The risk committee must understand who owns the model, how it’s validated, and what data feeds into it.
  • Human oversight: AI should augment - not replace - trained compliance professionals.

Want to learn more about Fraud?

We have compiled a Failure to Prevent Fraud training package that contains all the training your staff need to meet the requirements. We’ve also created a comprehensive AML & CTF roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.

We also have additional free resources such as e-learning modules, microlearning modules, and more.
