Prosecuting authorities remind organisations to prepare now for the Failure to Prevent Fraud Offence

On 1 September 2025, the 'Failure to Prevent Fraud' offence (the "FTP Offence") will come into effect (pursuant to s.199 of the Economic Crime and Corporate Transparency Act 2023 (the "Act")). Under the FTP Offence, in broad terms, a "large organisation" can be liable for an unlimited fine where it fails to prevent the commission of certain fraud offences by an employee, agent, subsidiary or other "associated person" and there is evidence of an intended benefit from the fraud. It is a defence where there are reasonable procedures in place to prevent fraud. For a re-cap on the technical details of the FTP offence, please see our article here and our article on the accompanying Home Office guidance here.

In addition to the FTP Offence, s.196 of the Act introduced the attribution of criminal liability to organisations, regardless of their size, where a senior manager commits certain offences (including fraud) whilst acting within their actual or apparent authority (the "s.196 Offence"). There is no reasonable procedures defence to this offence, which came into force in December 2023. For more details read our article here. Under the Crime and Policing Bill currently making its way through the House of Lords, the scope of this offence is due to be widened to any offence committed by a senior manager whilst acting within their actual or apparent authority (for more details, see our article here).

CPS/SFO joint guidance on corporate prosecutions

The Crown Prosecution Service ("CPS") and Serious Fraud Office ("SFO") have updated their joint guidance for prosecutors around dealing with corporate prosecutions to incorporate the FTP Offence and s.196 Offence and have emphasised that firms must take steps now to ensure compliance. For more details, please find a link to the CPS/SFO's joint guidance here and press release here. Points of note include:

  • Prosecution of the corporate entity should not be a substitute for the prosecution of criminally culpable individuals such as directors, senior managers, officers or employees.
  • The definition of "associated person" under the FTP Offence can include contractors or consultants in certain circumstances, depending on the nature of the relationship in practice and whether, in all the relevant circumstances, the individual was acting in the capacity of performing services for and on behalf of the organisation, irrespective of their contractual status or title.
  • The guidance discusses the broader attribution regime introduced under the s.196 Offence, highlighting that liability can arise irrespective of whether the senior manager holds a formal board position if that individual plays a significant role in either the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed/organised or is actually managing/organising them.
  • Corporate entities may be held criminally liable for a failure to prevent offence irrespective of whether they intended or were aware of the commission of the specified underlying criminal conduct.
  • Prosecutors should actively consider whether a referral to a regulatory authority is suitable, either as an alternative to criminal prosecution or in parallel, noting that regulatory sanctions may complement proceedings by addressing systemic failings, governance issues or fitness to operate.
  • Factors influencing prosecutorial discretion around the decision of whether to charge corporate entities will include: any history of similar conduct (whether criminal, civil or the subject of regulatory enforcement action) and whether the company had failed to take adequate action to prevent future unlawful conduct; whether the alleged conduct is part of the established business practices of the company; whether the offence was committed at a time when the company had an ineffective compliance programme; and failure to report wrongdoing within a "reasonable time" of the offending coming to light.
  • Conversely, factors against prosecution include: where a "genuinely" proactive approach has been adopted by the corporate management team, including self-reporting and remedial action such as compensation of victims, making witnesses available and disclosure of details of any internal investigation; and existence of a "genuinely" proactive and effective corporate compliance programme.

UK finance sector guidance

Earlier this year, UK Finance published supplemental (non-statutory) guidance for financial services firms, focusing on interpretation of the FTP Offence (including a helpful decision tree to help determine whether the FTP Offence applies and industry specific scenarios) and practical examples of what would (and would not) constitute reasonable procedures. It is important to note that this guidance is advisory only and the Home Office guidance should take priority in the event of a conflict. Please find the link to UK Finance's guidance here. Points of note include:

  • An emphasis on a proportionate and risk-based approach in line with the FCA's expectations. The guidance highlights the overlap between the FTP Offence and the existing FCA regime, pointing out that firms may be able to leverage existing fraud risk assessments or may conduct a risk assessment specific to the FTP Offence.
  • Integrating reasonable fraud prevention procedures into existing frameworks, having particular regard to high-risk activities, departments and/or roles held by associated persons (posing questions around the motives and opportunities to commit a fraud offence in each context, for example). 
  • Implementing systems and controls informed by those risk assessments, such as establishing clear ownership, documentation and implementing periodic, independent reviews of data. This may be satisfied by adapting existing frameworks already in place.
  • The guidance clarifies that actions taken solely by AI or automated systems generally do not constitute fraud unless deliberately programmed to do so (as fraud requires intent and, in most cases, dishonesty).
  • There are certain scenarios where prevention procedures may not always be reasonable (i.e., where there is no UK nexus, distributors are subject to MiFID II or equivalent, or the services undertaken are execution only). However, UK Finance observes that risk assessments will rarely be deemed optional, and firms will be required to justify why they deem preventative measures unnecessary; a clearly documented analysis will be key here.

Practical next steps for businesses

Given the FTP Offence is about to come into force, the CPS/SFO joint guidance provides a timely opportunity for organisations to revisit their procedures ahead of implementation, to the extent this has not already been undertaken. In particular, organisations should ensure they have sufficiently considered potential exposure under both the FTP Offence and the broader s.196 Offence. To that end, organisations should:

  • Revisit fraud risk assessments, ensuring these consider potential exposure for acts of senior managers and reflect current business models and risks.
  • Review existing fraud and financial crime policies, aligning them with the Home Office and, where relevant, the UK Finance guidance.
  • Document board-level oversight and training to evidence a culture of compliance.

The message from the CPS and SFO is clear: organisations must implement reasonable measures to prevent fraud, which are risk-based, proportionate and actively maintained.

For further context, please see our previous article and get in touch if you need any business fraud legal advice, or read more about our expert dispute resolution lawyers if you would like support in preparing or reviewing your fraud prevention framework.
