ECCTA’s Failure to Prevent Fraud Offence – Is your Organisation ready?

  • Insight Article 22 July 2025
  • Regulatory movement

  • Regulation and investigations

The Economic Crime and Corporate Transparency Act 2023 (ECCTA), which received Royal Assent on 26 October 2023, forms a landmark piece of legislation intended to strengthen the UK’s fight against economic crime and enhance transparency around corporate structures.

The factsheet that accompanied the publication of ECCTA notes that “the UK has one of the world’s largest and most open economies, making it an attractive place for global business. However, this same openness exposes the UK to the risk of bad actors taking advantage, including to perpetrate fraud and money laundering, which, in turn, funds serious and organised crime here in the UK and facilitates corruption overseas”.

The Act, consequently, introduces a suite of reforms with one of the most impactful provisions being the creation of a new corporate criminal offence: the “Failure to Prevent Fraud” offence. The novel approach to fraud, focused on failure to prevent it, represents a fundamental shift in corporate responsibility with the emphasis now firmly on the organisation’s proactive prevention measures rather than on a reactive response to acts of fraud committed for the benefit of the company.

Key provisions

Beyond the "Failure to Prevent Fraud" (FTPF) offence and the reform to the identification principle, discussed below, ECCTA introduces a wide range of measures intended to tackle economic crime and improve corporate transparency. These include:

  • Reforms of the powers of the Companies Registrar – To root out fraudulent companies, the Companies Registrar is granted new powers to challenge, decline and remove suspicious information on the Companies Register. This is supported by more effective investigation and enforcement powers and better data cross-checking with other public and private sector bodies. In addition, new identity verification requirements are introduced for all new and existing registered company directors, people with significant control, and those delivering documents to the Registrar, to enhance the reliability of the Register data.
  • Reforms to prevent the abuse of partnerships – Stricter rules aim to tackle the abuse of limited partnerships by strengthening transparency and enabling them to be deregistered. Limited partnerships must provide more information about their partners, maintain a UK office, and file annual statements, making them far less attractive for money laundering and other illicit activities.
  • Amendments to the Register of Overseas Entities – Amendments are introduced to ensure the maximum amount of transparency around the involvement of a legal entity trust in a chain of ownership. Importantly, a successfully registered entity could be prevented from dealing with its registered property interests if it fails to provide information requested by Companies House to evidence compliance with statutory obligations or to clarify any confusion. (See “The Register of Overseas Entities – closing loopholes and extending the scope with ECCTA”, Clyde & Co.)
  • Extended SFO powers – ECCTA amends the Criminal Justice Act 1987, enabling the SFO to use its investigative powers at the earlier pre-investigation stage to compel individuals and companies to provide information in cases of suspected fraud. This allows for earlier intervention and more effective intelligence gathering.
  • Powers to seize and recover cryptoassets more swiftly – ECCTA creates powers to seize and recover cryptoassets linked to crime much more easily. A judicial authority may now also order the forfeiture of cryptoassets intended for unlawful conduct or that form recoverable property. 
  • New powers and exemptions around AML enforcement – ECCTA creates new exemptions from the principal money laundering offences to reduce unnecessary reporting by businesses carrying out transactions on behalf of their customers and grants new powers for law enforcement to obtain information to tackle money laundering and terrorist financing.
  • Reforms to Information Sharing – Reforms are introduced to enable businesses in regulated sectors (i.e. banks) to share information more effectively with each other over suspected economic crime without fear of breaching confidentiality rules and with the aim of fostering a more collaborative approach to fraud prevention.
  • Reform of the powers of the Solicitors Regulation Authority (SRA) – ECCTA introduces measures allowing the SRA to proactively request information to monitor compliance with economic crime rules and legislation and permits the SRA to set its own limits on financial penalties imposed for economic crime disciplinary matters.
  • New powers to strike out Strategic Lawsuits Against Public Participation (SLAPPs) – SLAPPs are legal actions brought by corporations or individuals with the intention of harassing, intimidating and financially or psychologically exhausting opponents. It is estimated that the majority of SLAPPs are related to economic crime. To address this improper use of the legal system, ECCTA introduces the first statutory definition of SLAPPs, enabling courts to identify them early on in proceedings and strike them out where they are less likely than not to succeed at trial. 

FTPF offence and amendment to the identification principle

Out of the reforms, amendments and new powers introduced by ECCTA, two key measures stand out in respect of the fight against economic crime: the introduction of the FTPF offence and the amendment to the identification principle. Although much has been written about the former, little attention has fallen on the latter despite it applying to every organisation and being in force since 26 December 2023 - in contrast to the FTPF offence which only concerns large organisations and is due to enter into force on 1 September 2025. 

Identification principle 

The identification principle is the legal test used to determine whether the actions and mind of a natural person can be attributed to an organisation. 

Section 196 of ECCTA widens the scope of the identification principle, in the context of economic crime offences, to address past difficulties in finding an organisation criminally liable for acts committed by certain individuals within the organisation. Prior to the reforms introduced under ECCTA, it was essential to establish that the offence was committed by an individual representing the “directing mind and will” of that organisation.

An organisation may now be found criminally liable where a “senior manager” who was “acting within the actual or apparent scope of their authority” commits a (specified) economic offence, which could include fraud, bribery, money laundering, sanctions violations, tax evasion and false accounting, amongst other offences. This conceivably widens the pool of people who may be caught under this principle and increases the number of those who may be capable of attributing criminal liability to their organisation. 

A “senior manager” is defined as an individual who plays “a significant role in the making of decisions about how the whole or substantial part of the activities of the organisation are to be managed or organised”, or actually manages or organises “the whole or a substantial part of those activities”. However, it is important to note that there is little guidance around what precisely constitutes a senior manager and organisations may find it quite difficult to identify their senior managers. 

The reformed identification principle applies to all companies and partnerships established in the UK and, if convicted, organisations will face a fine, unlimited for the most serious crimes.  It also applies to overseas companies, but where no act or omission forming part of the relevant offence takes place in the UK, an organisation will not be guilty of an offence unless it would be guilty of the relevant offence in the country where it was committed. 

Looking ahead, there is potential scope for an extension of the circumstances in which an organisation could be found criminally liable under the identification principle. The scope could be widened to any offence committed by a senior manager while acting within the actual or apparent scope of their authority, and not just limited to the (specified) economic crimes listed under ECCTA, Schedule 12. This extension is being proposed under section 196 of the Crime and Policing Bill which went through its first reading before the House of Lords on 19 June 2025. If it passes, it will be easier to prosecute organisations for a wider range of offences.

FTPF offence 

First, it is important to clarify that the FTPF offence is not concerned with instances of fraud levelled against the organisation itself, e.g. company theft or embezzlement, but rather fraudulent acts perpetrated for, whether directly or indirectly, the intended benefit of the organisation by someone associated with it and carried out to the detriment of an external party such as a customer, client, shareholder, investor or regulator.

Following the publication of guidance in respect of what constitutes reasonable fraud prevention procedures, in November 2024, the offence enters into force on 1 September 2025, allowing organisations an implementation window to prepare.

Who could be guilty of the FTPF offence? Under ECCTA, a “large organisation” will be guilty of the FTPF offence where:

  • an “associated person”
  • commits a specified fraud offence
  • intending to benefit, directly or indirectly, the relevant body or its clients or customers, and
  • the organisation did not have reasonable fraud prevention procedures in place.

In order to qualify as a “large organisation” which is subject to the FTPF offence, the entity (company or partnership) must satisfy at least two out of three of the following criteria in the financial year preceding the year in which the offence is committed:

  1. More than 250 employees
  2. More than £36 million turnover, and/or 
  3. More than £18 million in total assets

The Act defines certain categories of people who are automatically an “associated person” for the purposes of the offence. These are employees, agents, subsidiaries or partners. Other entities/parties may also be “associated persons” depending on the circumstances; any person who performs services for or on behalf of the large organisation is an “associated person” while providing those services.

It does not need to be demonstrated that directors or senior managers ordered or knew about the fraud. This shift to strict liability lowers the bar for prosecution considerably. 

In terms of jurisdictional scope, section 2.5 of the government guidance for the offence of FTPF published in November 2024 provides that:

“The offence will only apply where the associated person commits a base fraud offence under the law of part of the UK. This requires a UK nexus. By UK nexus, we mean that one of the acts which was part of the underlying fraud took place in the UK, or that the gain or loss occurred in the UK. If a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based. If an employee or associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted” 

It is important to note that an organisation does not need to actually receive any benefit for the offence to apply - since the fraud offence can be complete before any gain is received. It is enough that the organisation was intended to be a beneficiary. 

Intent to benefit the organisation is to be judged according to the position of the “associated person” at the time they commit the fraud offence. 

Furthermore, the intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud. 

It should, nevertheless, be noted that the relevant organisation is not liable if it is a victim or intended victim of a fraud even where that fraud was intended to benefit the organisation’s clients. 

FTPF risk scenarios 

There are various scenarios under which a FTPF offence could be committed. Below are some examples of the base fraud offence that may be committed by an “associated person” that could engage the FTPF offence:

  • Product/services misrepresentation
    • Deliberately mispricing/mislabelling/greenwashing 
    • Misrepresenting the organisation’s claims process
    • Misrepresenting the organisation’s expertise 
  • Customer suitability
    • Deliberately selling product/services not in line with the customer’s needs
  • Third party risks
    • Procurement risks – misrepresenting or withholding information
    • Defrauding suppliers
  • Misreporting of information
    • Misleading regulators
    • Overstating green (or other) credentials 
    • Misstating the organisation’s solvency position
  • Misrepresentation of professional services fees 
    • Misstated timesheets (for example in the context of any services charged on an hourly basis)
    • Misstated expenses where those are charged back to the client

Key government principles for reasonable fraud prevention procedures 

UK government guidance, published in November 2024, intended to protect organisations from fraud, provides advice on procedures they can put in place to prevent fraud offences by “associated persons”. Should organisations face allegations of FTPF, the guidance outlines six core principles that should be followed to establish a defence:

  1. Top-level commitment and governance – Senior leadership must visibly support and drive anti-fraud efforts, including demonstrating a commitment to fraud prevention measures through resourcing and training, for example.
  2. Risk assessment – Organisations must identify and evaluate fraud risks across all areas.  This is a key factor and effectively informs all other elements of the procedures. 
  3. Proportionate procedures – Controls should be tailored to the organisation’s size, complexity, and risk profile.
  4. Due diligence – Third parties and associated persons must be vetted.
  5. Communication and training – Staff must be educated on fraud risks and expected behaviours.
  6. Monitoring and review – Procedures must be regularly tested and updated.

What constitutes reasonable procedures will depend on the specific context of the organisation and the relevant base offence; there is certainly no one-size-fits-all approach, nor can it be a tick-box exercise.

Most organisations will have some measures in place, including certain risk assessments and processes regarding due diligence procedures that can be adapted and developed to support a robust anti-fraud programme. In this context, it is important that any such measures are not simply applied in their original form, but amended as necessary to address the specific risks of fraud that the organisation faces. 

Key takeaways 

  • Benefit can be inferred
    • Even if the fraudster’s primary motive is personal (e.g., earning commission), if the organisation benefits, liability may still apply.
    • Fraud that benefits a client may also be considered as benefiting the organisation.
  • Risk assessment alone is not enough
    • A full fraud prevention framework is required.
    • Culture, leadership, and ongoing monitoring are critical to effectiveness.
  • Documentation and review are essential
    • Decisions around risk and controls must be documented.
    • Fraud prevention plans should evolve with the organisation and external environment.
  • Global implications are complex
    • The offence applies where there is a UK nexus (e.g., part of the fraud occurred in the UK or the benefit/loss was realised in the UK).
    • Multinational groups should consider applying fraud prevention measures across their entire structure.

What should organisations do now?

To prepare for entry into force of the FTPF offence in a couple of months, there are various steps an organisation should already be considering, including:

  • Appointing a responsible individual to oversee fraud risk management.
  • Conducting a comprehensive fraud risk assessment across all departments.
  • Implementing and documenting proportionate procedures, which extend beyond a specific fraud prevention policy to include measures relating to procurement or employee conduct, for example.
  • Training staff and embedding a culture of integrity and considering how to reduce internal motivations to commit fraud.
  • Reviewing and updating controls regularly.
  • Considering whether contractual provisions are required to support the organisation’s fraud prevention measures.

If you would like to discuss any of the information contained in the article or have questions around this topic, our team will be happy to answer any questions you may have.
