
ECCTA Failure to Prevent Fraud: A Practical Compliance Guide for Large Organisations

By Theo Chavannes · 12 min read

The failure-to-prevent-fraud offence under s.199 of the Economic Crime and Corporate Transparency Act 2023 came into force on 1 September 2025. This guide explains what the offence requires, which organisations are in scope, and what evidence needs to be in place.

Key points

  • The offence covers large organisations — at least two of: >250 employees, >£36m turnover, >£18m balance sheet
  • An organisation is liable if an associated person commits a listed fraud intending to benefit it — no proof of senior-management knowledge is required
  • The statutory defence turns on whether the organisation had reasonable fraud prevention procedures in place
  • The Home Office guidance sets out six non-prescriptive principles that evidence what reasonable looks like
  • Operational evidence — not paper compliance — is what the SFO evaluates

What the failure-to-prevent-fraud offence requires

Section 199 of the Economic Crime and Corporate Transparency Act 2023 creates a new corporate criminal offence: failure to prevent fraud. The offence came into force on 1 September 2025, commenced by the ECCTA 2023 Commencement No. 4 Regulations 2025 (SI 2025/349). It applies a strict liability model: an organisation commits the offence simply by being the intended beneficiary of a fraud carried out by an associated person — there is no requirement to prove that senior management knew about or directed the conduct.

Three elements must be established for a conviction to be possible. First, there must be a relevant body (an in-scope large organisation). Second, an associated person of that body must have committed a base fraud offence listed in Schedule 13 of the Act. Third, the associated person must have intended that their conduct would benefit the body (or any person to whom the body provides services). If the prosecution establishes all three, the burden shifts to the organisation to prove it had reasonable fraud prevention procedures in place.

This model mirrors the approach used for the Bribery Act 2010 corporate offence of failing to prevent bribery, which has shaped a decade of corporate compliance practice and SFO enforcement. Compliance teams familiar with the Bribery Act framework will recognise the structure, though the fraud offence applies to a broader range of underlying conduct and a wider class of associated persons.

Who is in scope: the large-organisation test

The offence applies only to relevant bodies that qualify as large organisations under the company-law size test. An organisation is large for these purposes if it meets at least two of the three following conditions: more than 250 employees, more than £36 million annual turnover, and more than £18 million balance-sheet total. An organisation that fails the test in its own right may still be in scope if it is a parent undertaking of a group that meets the test in aggregate.

The UK-nexus requirement limits extraterritorial reach but does not confine the offence to UK-registered bodies. Overseas companies with a UK connection — for example, because the fraud was committed in the United Kingdom or because the conduct was directed at UK victims — may be in scope. The Home Office guidance addresses the nexus test in detail; organisations with cross-border operations should take qualified legal advice on how it applies to their group structure.

Many mid-market and large organisations that have not considered themselves subject to financial-crime compliance regimes will find they are in scope once headcount and financials are aggregated at group level. The size test is applied to the relevant body, which may be the parent undertaking rather than the entity that employs the relevant workers or holds the customer relationships.

Who counts as an associated person

An associated person is broadly defined in s.196(2). The definition covers employees, agents, and subsidiary companies, as well as employees of those subsidiaries. Crucially, it extends to any person who performs services for or on behalf of the body, regardless of whether there is an employment relationship. This includes consultants, contractors, joint-venture partners, and others in the supply chain who carry out work for the organisation.

The breadth of the definition means most large organisations will have associated-person networks that are considerably larger than their employee headcount. An organisation with 300 employees may have thousands of individuals in scope as associated persons once agents, contractors, and supply-chain participants are counted. Mapping that perimeter is the first step in building a proportionate risk assessment.

Not all associated persons carry equal fraud risk. The compliance task is not to apply due diligence uniformly across every person who might conceivably qualify, but to segment by risk — identifying the roles, functions, and third parties most likely to be in a position to commit a listed fraud for the organisation's benefit — and to calibrate procedures to that risk profile.

The base fraud offences under Schedule 13

Schedule 13 of the Act lists the fraud offences that trigger liability. The list includes fraud by false representation (Fraud Act 2006, s.2), fraud by failing to disclose information (s.3), fraud by abuse of position (s.4), cheating the public revenue, false accounting (Theft Act 1968, s.17), offences relating to fraudulent business carried on by a sole trader, VAT and customs fraud, fraudulent trading (Companies Act 2006, s.993), money-market manipulation, and certain consumer-fraud offences under the Financial Services and Markets Act 2000.

The offences in Schedule 13 span a wide range of conduct. False representation covers misstatements in contracts, invoices, and regulatory filings. Fraud by abuse of position captures agents and employees who exploit access to client assets or inside information for personal gain. Cheating the public revenue and VAT fraud are particularly relevant for organisations with complex cross-border supply chains. The breadth of the list means most large organisations will face residual fraud risk across multiple offence types.

Identifying which offences are most plausible given the organisation's sector, business model, and associated-person network is the core task of the fraud risk assessment. An organisation that focuses only on the most obvious fraud type for its sector is likely to have gaps; a systematic review against each Schedule 13 offence, filtered by likelihood and impact, provides a more defensible foundation.

The six Home Office fraud prevention principles

The Home Office guidance sets out six non-prescriptive principles for assessing whether an organisation's fraud prevention procedures are reasonable. The principles are: (1) top-level commitment, (2) risk assessment, (3) proportionate procedures, (4) due diligence on associated persons, (5) communication and training, and (6) monitoring and review. Procedures are reasonable if they are proportionate to the risk profile — there is no single required standard, and a small in-scope organisation with limited third-party relationships will not need the same apparatus as a multinational with thousands of agents.

Top-level commitment (Principle 1) requires visible board-level ownership of the anti-fraud framework. This means more than approving a policy: it requires documented evidence that the board has considered the organisation's fraud risk, approved the procedures, and continues to oversee them. Communication and training (Principle 5) requires that the procedures are embedded in the organisation — that people who need to understand them do understand them, evidenced by training records and attestations.

Monitoring and review (Principle 6) is the principle most often treated as an afterthought but which the SFO's compliance programme evaluation guidance treats as a signal of genuine versus paper compliance. Procedures that were proportionate when designed may not remain proportionate as the organisation's risk profile changes. Evidence that the organisation monitors whether procedures are working — and has refreshed them in response to what it finds — is qualitatively more convincing than a policy last reviewed three years ago.

What evidence a defence file needs to contain

The reasonable-procedures defence is an evidence question, not a structural one. Having a policy is necessary but not sufficient: the organisation must be able to demonstrate that the procedures were operational — that they were communicated, trained on, monitored, and refreshed — and that they were proportionate to the risk. Evidence of the procedures' existence at the moment a prosecution is contemplated is far less valuable than evidence that they were operating continuously in the period leading up to the alleged conduct.

A defence file should contain, at minimum: the scope determination (the organisation's analysis of whether and why it is in scope), the fraud risk assessment (identifying scenarios, documenting controls, noting gaps), the policy and procedure documentation (approved by the board, version-controlled), evidence that procedures were operational (training completion records, attestation records, monitoring reports), associated-person due diligence records (risk-tiered, documented, reviewed), and board-pack evidence showing top-level commitment and ongoing oversight.

Source lineage is important throughout: evidence should be traceable to the person who created it, the date it was created, and whether it has been reviewed by a qualified person. An evidence register that logs each item with its source, review status, and gap notes creates a structured basis for adviser review and, if needed, for demonstrating to prosecutors that compliance was genuine rather than retrospective.

Enforcement posture and what compliance teams should expect

The Serious Fraud Office published its guidance on evaluating corporate compliance programmes in November 2025, setting out the factors it considers when deciding whether a company's compliance programme was genuine and effective at the time of the relevant conduct. The guidance emphasises operational evidence: what actually happened in the business, not what the policy document said. Attestation records, training completion data, monitoring reports, and board minutes are the kinds of contemporaneous evidence that support a genuine-compliance argument.

Deferred prosecution agreements (DPAs) under the Crime and Courts Act 2013 offer in-scope organisations a route to resolution short of prosecution if they self-report, cooperate, and demonstrate a commitment to remediation. The existing DPAs in the SFO's collection — primarily from bribery cases — provide the clearest signal of what prosecutors consider adequate versus inadequate compliance at the time of the conduct. Common themes across those agreements are: a compliance programme that was largely paper-based, inadequate due diligence on third parties, and a failure to act on red flags that were visible to senior management.

Compliance teams should approach ECCTA preparation as a continuous process rather than a one-time exercise. The organisations most exposed in an enforcement scenario are those whose compliance documentation was assembled reactively — in response to an investigation — rather than maintained contemporaneously. Building and maintaining a dated, auditable evidence register from now creates a defensible factual foundation that retrospective assembly cannot replicate.
