Why Policy Failures Lead to Fraud Exposure

Department:
Business Crime

The Economic Crime and Corporate Transparency Act 2023 introduced a new corporate offence of “failure to prevent fraud”, in force from 1 September 2025. Under this provision, a large organisation may be held criminally liable where a specified fraud offence is committed by an associated person, such as an employee, agent, subsidiary or other third party acting on the organisation’s behalf, with the intention of benefiting the organisation or its clients. The organisation need not have known of or participated in the fraud. Its defence is to prove that, at the time of the offence, it had in place such fraud prevention procedures as were reasonable in all the circumstances (or that it was not reasonable to expect it to have any); the burden of establishing this rests on the organisation.

The legislation reflects a shift in the UK government’s approach: holding companies accountable for institutional failings, rather than focusing only on the individual who committed the offence. The objective of the failure to prevent fraud offence is to drive businesses towards active fraud prevention. In practice, however, companies have often responded to earlier “failure to prevent” offences with a tick-list of policies, rather than using the government’s framework flexibly to build fraud prevention procedures tailored to their own risks. That pattern leaves businesses vulnerable to fraud that exploits the gaps between written policy and operational reality.

Here, the expert business crime solicitors at JMW outline the key requirements and risks for businesses in implementing fraud prevention policies that must be considered if the legislation’s aims are to succeed.

The limits of policy-led compliance

Compliance frameworks are often viewed as a legal shield against corporate criminal liability rather than as a practical tool for detecting and preventing fraud. This gives rise to some common weaknesses.

First, policies are routinely adopted without being properly embedded. Firms may run training sessions, circulate guidance and set up reporting channels, yet employees often do not understand how the policy applies to their own work. Inconsistent enforcement and a lack of integration into day-to-day processes, such as payment approvals, supplier onboarding or changes to bank details, mean that the fraud risks the policy describes remain unaddressed in practice.

Fraudsters also adapt faster than regulatory cycles. Criminals exploit evolving methods such as synthetic identity fraud, invoice redirection and cyber-enabled scams. A static policy written in response to regulation, rather than to the threats the business actually faces, is insufficient. When fraud prevention is reduced to a procedural formality, businesses remain exposed.

The failure to prevent fraud offence seeks to replace passive observance with proactive engagement. However, the practical impact of such legislation depends on whether businesses treat fraud as a legal formality or a commercial threat requiring strategic attention.

Previous corporate liability offences

The Bribery Act 2010 (section 7) and the Criminal Finances Act 2017 (Part 3) both introduced failure to prevent offences: failure to prevent bribery and failure to prevent the facilitation of tax evasion, respectively. Both were intended to raise corporate responsibility and encourage stronger internal controls, but in practice enforcement of the offences has been sporadic.

The Bribery Act prompted many businesses to introduce anti-bribery policies, yet few embedded them into daily operations. Initial enforcement was limited and, even now, penalties under section 7 are relatively rare. Paper compliance exercises have largely sufficed to meet expectations.

Similarly, the Criminal Finances Act created obligations for businesses to prevent tax evasion by an associated person. Despite the severity of the offence, HMRC has taken enforcement action in only a small number of cases. As a result, the deterrent effect has been limited, and many businesses have adopted minimal measures to reduce their liability.

These precedents suggest that where enforcement is weak and regulatory expectations are unclear, businesses default to minimal, defensive compliance rather than substantive reform. The new fraud offence may meet the same fate unless it is supported by consistent enforcement and clear incentives to act.

Integrating fraud prevention

To reduce exposure, businesses must address fraud not as a regulatory tick-box exercise but as an operational risk. This requires investment in systems, culture and governance. The measures below track the six principles set out in the government’s statutory guidance on the offence (top-level commitment, risk assessment, proportionate risk-based procedures, due diligence, communication and training, and monitoring and review), but the guidance is deliberately non-prescriptive: what counts as reasonable will turn on how well each principle is applied to the organisation’s actual fraud risks.

A thorough fraud risk assessment is the starting point. Businesses must understand their specific risk profile, determined by sector, size, and operational structure, as generic policies are not sufficient. Areas such as supply chains, finance functions, and digital processes must be scrutinised for vulnerabilities, and risk assessments should be reviewed regularly, particularly when changes are made to business operations. 

Proportionate policies and procedures, commensurate with the risks identified in that assessment, are what the statutory defence turns on, and will significantly reduce the risk of prosecution. The procedures implemented should be specific to the company rather than adopted from a generic template, and should include controls at the points where the risk assessment shows fraud is most likely to occur.

Due diligence procedures are both a form of fraud risk assessment and a way of mitigating risk. In its simplest form, due diligence refers to the steps a company takes to establish the risk associated with any person or organisation that will perform services on its behalf, since it is the conduct of exactly these associated persons that can give rise to liability under the offence.

Communicating anti-fraud policies effectively and supporting them with regular training sessions is crucial. Employees should be aware of how to identify and report potential fraud. Training should cover practical examples and warning signs relevant to the business sector, to help employees to apply the guidance effectively in their roles.

Implementing a system for regular monitoring and review of anti-fraud measures allows procedures to remain effective and evolve with changing risks. This system can include audits, feedback mechanisms, and updates based on new fraud techniques or business changes.

Top-level commitment (‘tone from the top’) and board-level engagement are critical. Leadership must treat fraud prevention as integral to the business, and senior management should be actively engaged in overseeing the prevention procedures, monitoring their effectiveness and acting on what the monitoring shows.

The role of policymakers and regulators

Legislative change must be accompanied by regulatory clarity and practical support. The Act requires organisations to have “reasonable” fraud prevention procedures, but the Act itself does not define the term, and the government’s guidance sets out general principles rather than sector-specific expectations. This ambiguity may lead businesses to over-comply in some areas while overlooking others. Clearer sector-specific guidance would allow firms to act with confidence and consistency, and it is hoped that this will develop over time. UK Finance has developed its own guidance for the financial services sector, but this is only a partial solution.

Enforcement must also be coordinated. Disparate approaches from the Serious Fraud Office, Financial Conduct Authority, HM Revenue & Customs, and the National Crime Agency risk creating confusion and uneven accountability. A unified enforcement framework would drive consistent expectations across industries.

Finally, although the offence applies only to large organisations (broadly, those meeting two of the three thresholds of more than 250 employees, more than £36 million in turnover and more than £18 million in total assets), its effects will cascade down supply chains. Small and medium-sized enterprises that act on behalf of large organisations will face pressure to meet their corporate partners’ fraud prevention standards. Policymakers should recognise this and provide proportionate, accessible guidance to support these businesses.

The failure to prevent fraud offence represents an attempt to shift the responsibility for fraud prevention to those in control of business operations. Its success depends less on the law itself and more on how companies respond.

Organisations that treat the offence as a signal to strengthen operational resilience, invest in proactive measures, and elevate fraud risk to a board-level concern will be better protected. Those that fall back on policy paperwork, staff training exercises, and tick-box compliance will remain exposed to evolving fraud threats and the risk of criminality.

Fraud cannot be eliminated through written policy alone. It requires organisational alignment, investment in detection, cultural change, and accountable leadership. The challenge is not merely to comply, but to act.

To learn more about how your business can protect itself against the risk of fraud, or defend itself against a failure to prevent fraud charge, contact JMW today. Call us on 0345 872 6666 or use our online enquiry form to request a call back at your convenience.