
ECCTA: UK Government issues guidance on failure to prevent fraud offence

When the Economic Crime and Corporate Transparency Act 2023 (ECCTA) was introduced, one of the measures prompting major interest was the introduction of a new offence entitled “Failure to Prevent Fraud”. The Act, which will be enforceable from 1 September 2025, is tailored to ensure that corporations are more accountable in the event that serious crimes are committed in the course of business.
The "failure to prevent fraud" offence aims to broaden a corporation's accountability for fraudulent acts carried out by associated individuals and entities intended to benefit the business. Companies with inadequate fraud prevention measures can be criminally prosecuted under this Act. Importantly, there's no need to show that directors or senior managers directed or were aware of the fraudulent activities. Even if the leadership is unaware of the fraud, the corporation can still be held responsible.
The UK Government has now published advisory guidance to help companies develop and implement reasonable fraud prevention procedures. This guidance takes a risk-based approach, directing companies to build a tailored response.
In-scope organisations
The failure to prevent fraud offence is relevant to incorporated companies and organisations classified as “large” according to the Companies Act 2006. This classification applies if they meet two of the following criteria:
- They have more than 250 employees
- Their turnover is more than £36m
- They hold more than £18m in assets
This includes organisations such as NHS Trusts and some charities. The offence applies to base fraud committed in the UK, or fraudulent gain or loss occurring in the UK. It also covers UK-based employees who commit fraud, wherever the employing organisation is based, and overseas employees who commit fraud in the UK or targeted at UK victims.
Although smaller organisations are not directly governed by this regulation, it is recommended they adopt the guidance as a best practice for managing fraud risks.
Companies are advised to use the guidance to inform their fraud prevention strategies, considering their unique circumstances and particular areas of risk. The Government is at pains to point out that “even strict compliance with the guidance will not necessarily amount to having reasonable procedures” if a court could conclude that this fails to take account of the operational and ethical realities facing the business.
In-scope persons and entities
The offence applies to fraud committed by “employees, agents, subsidiaries or other ‘associated persons’ who provide services for or on behalf of the organisation, where the fraud was committed with the intention of benefiting the organisation or its clients.”
Including 'associated persons' who provide services in this context has significant implications for supplier due diligence and oversight. Organisations must extend their monitoring and fraud prevention measures to their supply chains where suppliers act on their behalf.
These individuals may also face separate prosecution for the primary fraud. However, the offence does not cover company members who failed to prevent the fraudulent behaviour from occurring.
Examples of “intention to benefit”
The guidance highlights that the issue of who is “intended to benefit” from fraudulent activity is key to determining whether the organisation is liable for failing to prevent the fraud.
For instance, an organisation can still be held accountable if the person committing the fraud does so for their own benefit but the net result is also a benefit for the organisation. The example cited is that of a salesperson mis-selling to increase their own commission, but also increasing the company’s sales. It's also vital to understand that benefits aren't limited to monetary gains; they can include indirect advantages that lead to an unfair competitive edge.
“Reasonable” fraud prevention measures
“Reasonable” fraud prevention measures are vital in defending against accusations of failing to prevent fraud. Organisations must demonstrate that their strategies, procedures, and implementations for preventing fraud were adequate, sufficient, and suited to the specific context of their business at the time the fraud occurred.
The guidance offers six key pillars around which organisations should structure a risk-based fraud prevention strategy:
Top level commitment: The board of directors, partners and senior management are explicitly responsible for setting an anti-fraud culture. This should be achieved through communication, governance processes, policy-setting, committing to and implementing training, leading by example and building an open culture where whistleblowing is supported.
Risk assessment: Fraud risk should form an integral part of the organisation’s risk identification, assessment, and management strategy. Many organisations will already assess risk under other rules against fraud and economic crime, so it may be a case of adding new activities to those already in place to cover the new offence. This could include fraud risk assessments for suppliers and other associated persons and should also recognise risks arising in emergency scenarios.
Proportionate risk-based fraud prevention measures: The fraud prevention plan must be proportionate to the risk and the potential impact. The associated procedures should be clear, practical, accessible, effectively implemented, and enforced.
Due diligence: Persons who perform services on behalf of the organisation must be subjected to effective due diligence procedures that follow best practices, including the use of screening tools, third-party risk management technology, contract reviews and staff monitoring for higher risk of fraud, e.g. due to “stress, targets or workload”.
Communication (including training): Policies and procedures must be effectively “communicated, embedded and understood” throughout the organisation and by relevant third parties. Training is required and should be regularly repeated. Whistleblowing policies should be especially well-publicised.
Monitoring and review: This must cover detection of fraud and attempted fraud, investigations, and monitoring the effectiveness of fraud prevention measures. The fraud risk management programme should be regularly reviewed to account for changes in circumstances, operating environments, and emerging risks.
By adhering to these six pillars, organisations can establish a robust fraud prevention strategy that is both effective and adaptable to their specific needs.
Elevating fraud risk management
Much of what is covered in the guidance on the failure to prevent fraud offence is risk management best practice that risk professionals will recognise – it just needs to be tailored for this new offence. This guidance presents an opportunity to strengthen fraud risk management and compliance, which can positively impact other aspects of the company’s risk strategy.
This is particularly relevant to third-party risk. This is not the only regulation that now requires companies to extend due diligence and risk management more deeply into their supply chain, and there will likely be cross-over in the actions and measures required.
In-scope organisations should move fast to assess their current fraud prevention procedures and perform a gap analysis against the official guidance.
They must ensure that their risk and compliance teams have the right tools to manage and report fraud risks to achieve visibility over fraud risk evolution.
The failure to prevent fraud offence adds a new degree of corporate accountability for fraud by associated persons. To ensure they are in a strong defensive position, companies should take proactive measures to be ready for the 1 September 2025 deadline.