Enforcement & Prosecution
ECCTA Penalties for Failure to Prevent Fraud: What Unlimited Fines Mean in Practice
On conviction for failure to prevent fraud, an organisation faces an unlimited fine. This guide explains how the courts are likely to approach sentencing, what DPA precedents suggest about enforcement outcomes, and what factors compliance teams should understand about penalty exposure.
Key points
- The penalty for failure to prevent fraud is an unlimited fine on conviction — the sentencing guidelines for economic crime cases provide the best available guide to likely ranges
- The quality of the compliance programme at the time of the conduct is a key sentencing factor, not just a prosecution filter
- Deferred prosecution agreements are available for ECCTA offences, as they are for bribery, and early self-reporting and cooperation are the factors that make DPAs most likely
- Ancillary orders — confiscation, compensation, and publicity orders — may supplement a fine and should be factored into enforcement risk assessment
The statutory penalty framework
Section 199 of the Economic Crime and Corporate Transparency Act 2023 provides that an organisation convicted of failure to prevent fraud is liable to an unlimited fine. There is no statutory minimum and no statutory cap. The unlimited fine provision reflects Parliament's intention that the penalty should be capable of reaching a level that is genuinely deterrent and reflective of the seriousness of the conduct — particularly where the organisation is large and the benefits from the fraud were substantial.
Alongside the fine, the court may impose ancillary orders including confiscation orders under the Proceeds of Crime Act 2002 (where the organisation obtained a financial benefit from the associated person's fraud), compensation orders in favour of victims, and publicity orders requiring the organisation to publicise its conviction. These orders are not automatic but they are available and have been used in corporate criminal proceedings in related areas.
No ECCTA failure-to-prevent-fraud cases had been prosecuted to conviction at the time of writing, so there are no sentencing precedents specific to the offence. The closest available guidance is the Sentencing Council's guideline on fraud and the financial crime sentencing guidelines for organisations, together with the outcomes in existing DPA cases that have been concluded on bribery-related matters.
How sentencing is likely to work in practice
For corporate fraud offences, the Sentencing Council guidelines identify the key factors as: the harm caused or risked, the level of culpability, and the size of the organisation (in terms of its ability to pay a fine that has punitive effect). For ECCTA failure-to-prevent-fraud, the harm factor would encompass the losses caused to fraud victims, any benefit obtained by the organisation, and the scale and duration of the associated person's fraud.
Culpability in a failure-to-prevent-fraud context is likely to centre on the adequacy of the compliance programme. An organisation with no meaningful fraud prevention procedures in place at the time of the conduct will be treated as more culpable than one that had genuine, proportionate procedures that nonetheless failed to prevent a specific fraud. The Home Office's guidance on the six principles and the SFO's compliance-programme evaluation framework are the benchmarks that are likely to inform this assessment.
The quality of the organisation's response to the discovery of the fraud will also be a significant factor: whether the organisation self-reported to the SFO, how fully it cooperated with any investigation, and whether it implemented a credible remediation programme. These factors have been determinative in several DPA negotiations and are likely to be similarly important in the ECCTA enforcement context.
Deferred prosecution agreements and when they are available
Deferred prosecution agreements are available for failure-to-prevent-fraud offences under paragraph 3 of Schedule 17 to the Crime and Courts Act 2013. A DPA is an agreement between the prosecutor and the organisation that prosecution is deferred — typically for two to three years — while the organisation pays a financial penalty, cooperates with any ongoing investigations, and implements a compliance remediation programme. If the organisation complies with the DPA, the prosecution is discontinued.
DPAs have been used by the SFO in a number of major bribery cases since 2014, with financial penalties that have ranged from tens of millions to several hundred million pounds depending on the scale of the conduct and the organisation's cooperation. The key factors that made DPAs available in those cases were: early self-reporting to the SFO, full and proactive cooperation with the investigation, and a genuine remediation programme that addressed the root causes of the misconduct.
For ECCTA compliance teams, the DPA precedents reinforce the importance of having a compliance programme that is genuine and operational at the time of any conduct — because the quality of that programme will be a material factor in determining whether a DPA is available if fraud occurs, and on what terms. A compliance programme that exists on paper but was never genuinely implemented is unlikely to be treated as a material mitigant by the SFO.
Official sources
- Economic Crime and Corporate Transparency Act 2023. Royal Assent 2023-10-26; accessed 2026-06-15.
- SFO compliance-programme evaluation guidance. Published 2025-11-26; accessed 2026-06-15.
- SFO Deferred Prosecution Agreements collection. Last updated 2026-05-01; accessed 2026-06-15.
- Joint CPS-SFO Corporate Prosecutions guidance. Updated 2025-11-10; accessed 2026-06-15.
DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.