How failure to protect fraud rules affect UK directors

0800 158 2313Speak to an expert 24/7

In the wake of landmark legislation changes on the offence of failure to prevent fraud, companies will need to review and reform their fraud prevention procedures - and the clock is ticking on implementation.

Businesses now have less than eight months until 1 September 2025 to put in place processes to counteract fraud within their corporate structure to avoid being held criminally liable.

Scope of the offence

Under the new legislation, set out in the Economic Crime and Corporate Transparency Act (ECCTA), an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’, commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place.

‘Associated person’ has a broad definition: a person who provides services for or on behalf of an organisation classes as an associated person while they are providing those services.

So, for example, if an employee is engaged in dishonest sales practices or deceitful behaviour in financial markets then the company itself could face prosecution. This would also apply if employees were engaged in the practice of hiding significant information from its investors or consumers.

Organisations should also be aware that the offence will also be applicable when a fraud has been committed for the benefit of the entity, even if there has been no actual advantage. So, even if dishonest sales practices did not result in any increase in sales, the organisation may still be liable under the provisions of the new offence.

Individuals who carried out the actual fraud can still be prosecuted under existing laws, but, crucially, the organisation which employs them will now face a prosecution too if investigators can reasonably conclude that they failed to prevent the crime.

If an employee or agent has committed a fraud, as a defence to prosecution, the organisation will need to be able to demonstrate that it had adequate policies and procedures in place to prevent fraud.

An organisation can also escape liability if it itself was a victim of, or was intended to be a victim of the fraud. However, where the individual committed the fraud intending to benefit the company, this does not apply (even if in practice the company did not benefit).

For example, if an individual engaged in mis-selling practices with the intention of increasing sales for the company, the organisation may be liable for prosecution if it did not have adequate procedures in place to prevent the fraud, even if sales did not increase.

Who does it apply to?

Under rules brought forward in 2023 under ECCTA, this applies to all companies with more than 250 employees, a turnover of more than £36m, or total assets of more than £18m.

However, smaller businesses will still need to consider compliance with the legislation because a large organisation in the supply chain will likely require them to have reasonable procedures in place if they fall within the scope of ‘associated person’.

The definition is purposely detailed, leaving no room for ambiguity, so claiming to be unaware that the new rules apply will not be an acceptable defence.

Extra-territorial impact

The new regime will include organisations incorporated outside of the UK, and as such businesses registered in other jurisdictions may find themselves liable for actions of employees or associates carried out within the UK.

It will apply to organisations where part of the offence takes place in the UK. This would include situations where part of the fraud takes place in the UK but could also apply where there are victims in the UK or, for certain offences, where there is a gain in the UK.

Even if an organisation is based outside of the UK and doesn’t have any nexus here, it could still be liable for actions of a third-party service provider operating within the UK.

Accordingly, both UK and non-UK companies will need to assess whether the acts of their employees, subsidiaries, or agents are likely to give rise to liability under the new offence.

Action businesses should take to prepare

With less than a year to go until the new rules come into force, companies should implement stronger fraud prevention procedures without delay.

Serious Fraud Office (SFO) director Nick Ephgrave recently warned that ‘time is now running short for corporations to get their house in order’. He reiterated the regulator’s determination to ‘act swiftly and send a strong signal to companies profiting from malpractice’ and insisted that any behaviour proven to be fraud will not be tolerated.

Companies should act now to consider whether the business itself or its associates fall within the scope of the legislation and, if so, take steps to have the right protections and policies in place ahead of the 1 September 2025 deadline to avoid being held criminally liable if one of their employees, agents or associates acts fraudulently in the future.

Ahead of the September deadline, businesses should review their processes to identify risks of fraud within the business and then review the appropriate policies and procedures to consider whether there is adequate fraud protection.

For areas of the business identified as being particularly high risk of fraud, consider obtaining professional advice on policies and procedures to ascertain whether there are sufficient checks and balances in place and to obtain advice as to additional checks, balances and safeguards which could be introduced.

The fact that professional advice has been obtained may assist in the event of a prosecution. Whilst it may not prevent fraud, it does show investigators that proper steps have been taken to consider policies, procedures and safeguards.

The onus will lie with businesses to demonstrate they have taken steps to prevent fraud and they will no longer be able to turn a blind eye to the actions of employees and associates.

Authored by Rachael Gregory, partner at Grosvenor Law

Visit BrAInbox today where you can find answers to questions like Do I have to sack someone when they have committed gross misconduct?