Failure to prevent fraud: straight answers
Direct, sourced answers to the questions in-scope organisations ask about the ECCTA failure-to-prevent-fraud offence — then a path to organising the evidence. Answers, not legal advice.
The sample board pack — a one-page view of where evidence is complete and what is missing — opens in your browser, no email, no form.
- Do I need to comply with the failure to prevent fraud offence?
  The offence applies to a relevant body that meets the large-organisation size test: at least two of more than 250 employees, more than £36m turnover, and more than £18m balance-sheet total. A qualifying body can be liable where an associated person commits a listed fraud intending to benefit it (or a person to whom services are provided on its behalf), subject to the reasonable-procedures defence. A body that was, or was intended to be, a victim of the fraud is not liable for it.
- When does the failure to prevent fraud offence come into force?
  The failure-to-prevent-fraud offence in the Economic Crime and Corporate Transparency Act 2023 came into force on 1 September 2025, commenced by the Economic Crime and Corporate Transparency Act 2023 (Commencement No. 4) Regulations 2025 (SI 2025/349).
- What are the penalties for failure to prevent fraud?
  An organisation convicted of the failure-to-prevent-fraud offence is liable to an unlimited fine. There is no statutory cap; the fine is set by the court on the facts of the case.
- What counts as reasonable fraud prevention procedures?
  The Home Office guidance frames reasonable fraud-prevention procedures around six principles: top-level commitment; risk assessment; proportionate risk-based prevention procedures; due diligence; communication (including training); and monitoring and review. The guidance is principles-based, so what is reasonable is fact-specific.
- Who is an associated person under the failure to prevent fraud offence?
  An associated person is an employee, agent or subsidiary of the relevant body, or any other person who performs services for or on behalf of it, which can include contractors and other service providers. The category is wider than payroll and, outside the employee, agent and subsidiary cases, is assessed on all the circumstances.
- What is a large organisation under the ECCTA failure to prevent fraud offence?
  For the failure-to-prevent-fraud offence, a body is a large organisation when, in the financial year preceding the year of the fraud, it met at least two of three thresholds: more than 250 employees, more than £36m turnover, and more than £18m balance-sheet total. For a parent undertaking, the figures of the group as a whole are aggregated.
- Does the failure to prevent fraud offence apply to small companies?
  The offence is aimed at large organisations that meet the size test, so a body that does not meet the thresholds is generally outside the direct scope of the offence. However, a smaller company can still be an associated person of a large organisation, and group aggregation can bring entities into scope.
- What is the failure to prevent fraud defence?
  It is a defence for the organisation to prove that it had reasonable fraud-prevention procedures in place, or that it was not reasonable in all the circumstances to expect it to have any procedures. The burden is on the organisation, on the balance of probabilities.
- What evidence do I need for the failure to prevent fraud defence?
  Because the defence depends on showing reasonable procedures, the practical evidence to organise includes the fraud risk assessment, the procedures themselves, due-diligence and attestation records for associated persons, training and communication logs, and monitoring and board-oversight records.
- How do I prepare for the failure to prevent fraud offence?
  A practical sequence is: screen whether you are in scope; run a fraud risk assessment; put proportionate procedures in place; communicate and train; carry out due diligence and collect associated-person attestations; monitor and review; and secure board oversight. Keep the evidence at each step.
- What is the difference between failure to prevent fraud and failure to prevent bribery?
  Failure to prevent bribery (Bribery Act 2010, s.7) and failure to prevent fraud (ECCTA 2023) are both corporate offences with a procedures defence, but they differ: the bribery offence applies to any commercial organisation and uses an 'adequate procedures' defence, while the fraud offence applies only to large organisations, uses a 'reasonable procedures' defence, and requires a listed base fraud committed with intent to benefit the body or a person to whom services are provided on its behalf.
- What are the base fraud offences under the failure to prevent fraud offence?
  The offence is triggered only where an associated person commits a base fraud offence listed in Schedule 13 to ECCTA. These include fraud by false representation, failing to disclose information and abuse of position (Fraud Act 2006), obtaining services dishonestly and participating in a fraudulent business (Fraud Act 2006), false accounting and false statements by company directors (Theft Act 1968), fraudulent trading (Companies Act 2006), and cheating the public revenue (common law). Conspiracy to defraud is not listed.
- Is there a failure to prevent fraud risk assessment template?
  There is no official failure-to-prevent-fraud risk assessment template. The Home Office guidance is principles-based, so a useful assessment is one that follows the six principles and reflects how your organisation actually operates: it maps your associated persons, the frauds they could commit to benefit you, the controls in place, and the gaps.
- Does the failure to prevent fraud offence apply to overseas companies?
  The offence can apply to a large organisation incorporated or formed anywhere, provided the size test is met and there is a UK nexus: broadly, where an act or omission forming part of the fraud takes place in the UK, or the gain or loss occurs in the UK. It is not limited to UK-incorporated bodies.
- What if our organisation does not meet the large-organisation threshold?
  An organisation that did not meet at least two of the three Companies Act large-company conditions in the preceding financial year (more than 250 employees, more than £36 million turnover, more than £18 million balance-sheet total) is outside the scope of the failure-to-prevent-fraud offence as it currently stands. Concluding that you are out of scope is a factual determination that should be documented, not a legal guarantee.
- What if our group structure is complex or we cannot confirm consolidated employee numbers?
  Where group consolidated figures cannot be confirmed, because subsidiaries are numerous, data is delayed, or the group boundary is contested, the GOV.UK guidance recommends documenting the uncertainty and taking a conservative position. DefenceFile surfaces a group-structure-unknown flag in the scope screen so the limitation is recorded rather than hidden.
- What do we do if evidence extraction fails or OCR cannot read a scanned document?
  An extraction failure or an unable-to-extract scan state does not mean the evidence is invalid. The source document is still stored and can be reviewed by a named human reviewer who confirms its content. The scanned-PDF or extraction-failed label tells reviewers that the text content was not machine-readable, not that the document is inadmissible.
- What is a deferred prosecution agreement and how does it affect ECCTA failure-to-prevent-fraud liability?
  A deferred prosecution agreement (DPA) suspends prosecution on agreed conditions, typically including compliance reforms and evidence of reasonable procedures. ECCTA liability and DPA conditions overlap significantly on what counts as evidence of reasonable fraud-prevention procedures.
- What evidence do I need for ECCTA Principle 6 (monitoring and review)?
  Principle 6 requires evidence that your fraud-prevention procedures are actively monitored and periodically reviewed, not just adopted once. Evidence includes dated review records, change logs when scope changes, and a defined re-attestation cadence.
- What training evidence do I need for ECCTA Principle 5 (communication and training)?
  Principle 5 requires evidence that relevant staff and associated persons received training on the fraud-prevention procedures, with dated completion records, the training content, and confirmation that the training was role-appropriate.
DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.