What Does the New Failure to Prevent Fraud Legislation Mean for Director Disqualification?


The introduction of a new offence under the Economic Crime and Corporate Transparency Act 2023 - the failure to prevent fraud - marks a pivotal moment in corporate criminal liability. The offence builds on a now-familiar legislative model designed to drive cultural change within corporate governance. While the statutory language imposes liability on organisations, its practical effect is to sharpen the expectations placed upon directors, senior management and those responsible for governance within the organisation, particularly those in large organisations that fall within the offence’s scope. A director’s failure to engage proactively with fraud prevention, particularly where it contributes to regulatory breaches or financial harm, may be treated as evidence of unfitness under the Company Directors Disqualification Act 1986 (CDDA).

This development should be viewed not as a discrete change but as part of a broader recalibration of directors’ accountability in relation to financial crime, corporate ethics and public interest regulation. It may also have implications in terms of director disqualification, and businesses need to be aware of these.

The New ‘Failure to Prevent Fraud’ Offence

The offence, which forms part of the government’s response to perceived gaps in corporate criminal law, applies to “large organisations” - defined as those meeting two out of three criteria relating to turnover (exceeding £36 million), balance sheet total (exceeding £18 million), and headcount (over 250 employees). Where an “associated person” who provides services for or on behalf of the organisation commits an in-scope offence that the organisation could benefit from, the organisation is deemed to have committed an offence, unless it can show that it had “reasonable procedures” in place to prevent such conduct. This mirrors the statutory architecture of the Criminal Finances Act 2017.

From a legal standpoint, the offence reflects a move away from traditional attribution models, under which criminal liability required knowledge or involvement of senior decision-makers. Instead, the corporate liability is strict, with a statutory defence available only where reasonable fraud prevention mechanisms can be evidenced. It shifts the burden decisively onto the organisation to prove compliance - placing preventative systems, not individual intent, at the heart of the criminal risk assessment.

The Home Office published the Guidance to Organisations on the offence of Failure to Prevent Fraud (“the Guidance”) earlier this year. It is intended to assist large organisations by setting out clear and understandable expectations once the new offence comes into force on September 1st 2025. The Guidance sets out six key principles creating a framework for preventing fraud:

  • Top-level commitment;
  • Risk assessment;
  • Proportionate risk-based prevention procedures;
  • Due diligence;
  • Communication (including training); and
  • Monitoring and review.

Individual sectors are encouraged to develop sector-specific guidance to provide more detail on prevention measures to address the risks they face.

Directors’ Responsibilities Under the New Regime

Although the new offence does not impose personal liability on directors, it necessarily reshapes the legal and fiduciary environment in which directors operate. Under the Companies Act 2006, directors must exercise reasonable care, skill and diligence (section 174) and promote the success of the company (section 172), having regard to broader stakeholder and reputational concerns. These duties are interpreted objectively and subjectively, meaning directors are judged both on a general standard and in light of their own knowledge and responsibilities.

The failure to engage with fraud prevention, particularly where risks have been identified but not addressed, may now be viewed as a breach of those statutory duties. A passive or reactive posture is unlikely to be defensible. The offence therefore acts as a legislative proxy, embedding a new compliance expectation into directors’ legal obligations. Non-executive directors, often relied upon for independent oversight, are also within scope.

Moreover, internal documentation and board minutes may become central evidential tools. A director who cannot show that fraud prevention measures were discussed, reviewed, challenged, and resourced may struggle to defend their conduct in later enforcement actions. The rise of whistleblower disclosures and shareholder activism increases the probability that board-level failures will be scrutinised retrospectively.

How Director Disqualification May Follow a Compliance Failure

The Company Directors Disqualification Act 1986 provides a mechanism for removing directors whose conduct is deemed unfit, particularly in the context of corporate insolvency. Under section 6, the Insolvency Service may initiate proceedings where a company enters liquidation or administration, and where the director’s conduct raises public interest concerns. Disqualification is a civil process, judged on the balance of probabilities, and does not require a criminal conviction.

Failure to implement fraud prevention procedures - or to respond effectively to known weaknesses - may now be cited as evidence of unfitness. The threshold for disqualification does not require proof of dishonesty. Neglect, poor judgement, or systemic inaction may suffice where the consequences are serious. A director who disregards professional advice, ignores red flags, or fails to resource compliance functions may face proceedings even where there was no personal gain.

It is foreseeable that directors of companies prosecuted for failure to prevent fraud, or those that enter into deferred prosecution agreements (DPAs), may face disqualification proceedings based on the agreed facts. DPAs often involve detailed accounts of systemic failures, and these narratives can be persuasive in disqualification litigation, particularly where they show that a director was aware - or should have been aware - of deficiencies but failed to act.

Insolvency practitioners, too, are likely to explore this territory in post-insolvency reviews, particularly in high-value fraud cases. A director who allowed unauthorised payments, failed to supervise third-party agents, or left critical roles unfilled may now be viewed through the lens of the new offence, even if the company did not face criminal sanction.

The Potential For Cross-Regime Enforcement and Increased Scrutiny

The new offence does not operate in isolation. It is part of a growing arsenal of regulatory and criminal tools designed to increase corporate accountability. Regulators, including the FCA, SRA, and HMRC, already expect boards to maintain effective governance systems, and the existence of a failure-to-prevent offence adds weight to those expectations.

Where a company is prosecuted - or enters into a DPA - the implications may extend far beyond that proceeding. Statements of fact may be admissible in other forums; referrals to the Insolvency Service or professional regulators may follow. In this way, criminal enforcement becomes a gateway to wider personal accountability for directors. Professional disqualification, sectoral bans, and loss of authorisation are all plausible downstream consequences.

It is also worth considering the insurance and indemnity consequences. Most D&O policies exclude coverage for deliberate wrongdoing, but the failure-to-prevent model complicates this further. Directors may find themselves facing regulatory exposure that is not covered by existing policies, particularly if they failed to take reasonable steps or cannot evidence their diligence. This may lead to more active scrutiny of board decisions and increased demand for audit trails.

Public scrutiny, too, may have a regulatory effect. In listed companies, governance failures attract rapid shareholder pressure. In private companies and partnerships, reputational loss may lead to loss of banking facilities, partnership exits, or loss of public contracts. Directors may find themselves collateral to the organisation’s legal exposure, particularly where they played a central role in strategic or operational decision-making.

Proactive Steps Directors Should Now Take

In this new compliance environment, fraud prevention must be elevated to a board-level priority. Directors should not view this as a technical risk confined to finance or legal departments. Instead, they should adopt a structured approach that integrates fraud risk into the broader governance framework.

A formal fraud risk assessment is the necessary starting point. This should go beyond generic policies and focus on specific vulnerabilities across the business model, including product lines, procurement chains, agent relationships, and digital exposure. The assessment should be reviewed periodically and in response to operational changes.

Based on this, companies should implement targeted prevention procedures, including dual authorisation controls, real-time transaction monitoring, internal audit programmes, and accessible whistleblowing channels. These procedures should be proportionate to the risk and supported by documentation. A box-ticking exercise or reliance on off-the-shelf compliance products is unlikely to suffice.

Board engagement must be real and regular. Fraud risk should be a standing item on board agendas. Directors should challenge internal reports, seek updates on controls, and insist on remedial action. Where red flags are raised - whether through audit, whistleblowing, or external alerts - they should be recorded and followed up with clear audit trails.

Training must extend beyond junior employees. Directors and senior managers should undertake periodic fraud awareness training and seek independent assurance where necessary. Legal and compliance teams should have direct access to the board and be empowered to escalate concerns.

Perhaps most importantly, directors must document their efforts. Meeting minutes, policy reviews, board packs, and compliance logs may all be relevant in defending later allegations of unfitness. Without documentary evidence, directors may struggle to show that they took reasonable steps.

Looking Ahead

If a large organisation is convicted of the offence of failure to prevent fraud, the punishment available to the court is an unlimited fine, in addition to the prosecution of the associated person. While the court would take account of all the circumstances when determining an appropriate fine, the fact that this offence applies to large organisations gives scope for significant fines to be levied. Furthermore, separate civil proceedings or a regulatory investigation and prosecution may apply, in addition to the significant reputational damage that this would cause for an organisation.

Obtaining legal advice will assist you and the organisation in ensuring that the principles within the Guidance are followed and that the organisation has effective processes and reasonable procedures in place. The aim is both to detect and prevent any instances of attempted fraud, or to provide the organisation with a defence to any allegation of “failure to prevent fraud” if it were to occur.

It is important to remember that whilst the new offence applies only to “large organisations” at present, there is also the potential for future legislative expansion. Policymakers have already suggested that medium-sized entities could fall within scope in later phases. In parallel, regulators may embed fraud prevention expectations into sector-specific codes or authorisation conditions, increasing the compliance burden incrementally.

For directors, the message is clear. The failure-to-prevent fraud offence is a corporate offence with personal implications. It reframes the way boards must approach fraud, shifting the emphasis from response to prevention. Directors who fail to adapt may face regulatory, financial, and reputational consequences - including disqualification - based not on what they did, but on what they failed to do.

Find Out More

If you are concerned about how the failure to prevent fraud offence may affect you as a director, or if you would like to understand more about director disqualification and your legal responsibilities, we are here to help.

For further practical insights on director disqualification, take a look at our Director Disqualification FAQs, which provide an overview of common questions about disqualification, the process, and what steps you should take if your conduct is under scrutiny.

For more tailored legal guidance, learn more about our director disqualification services, and find out how our team supports directors and businesses to respond proactively to disqualification proceedings and protects your interests.

Call us on 0345 872 6666, or fill in our online contact form to request a call back.
