Failure to Prevent Fraud: What Large Organisations Need to Know
Rebecca Dix, former Associate General Counsel at the Serious Fraud Office, shares her insights into the new offence and provides some key takeaway points.
Having worked on over half a dozen deferred prosecution agreements at the Serious Fraud Office and regularly advised FTSE-listed companies and the government on the similar offence of failure to prevent bribery, Rebecca is well aware of what organisations should be considering in order to meet their new legal obligation.
Thanks go to Gabriel Barnes, pupil barrister, for working with Rebecca to draft this article and for being just as interested in this exciting area as she is.
Introduction
The introduction of the new offence of failure to prevent fraud marks a significant shift in the landscape of criminal law for large, incorporated bodies and partnerships. In force since September 2025, the new offence means that business leaders will be expected to have in place effective, tailored systems to disincentivise, deter, detect, and deal with potentially fraudulent activity. Understanding and rising to these expectations will be essential for avoiding liability and protecting an organisation’s reputation.
Understanding the offence
Who is affected?
The new offence under section 199 of the Economic Crime and Corporate Transparency Act 2023 applies to large organisations. A large organisation is one with at least two of three characteristics:
- More than 250 employees
- A turnover of more than £36 million
- Base assets of more than £18 million
When does the offence bite?
A large organisation will fall foul of section 199 when one of the organisation’s employees, agents, or subsidiaries, or someone else providing services for them or on their behalf, commits a fraud to benefit the organisation or its client. It does not matter whether anyone is brought to court or convicted of that base fraud; the large organisation can still be liable.
Why has this offence been introduced?
The new offence is as much about stopping fraud from happening in the first place as it is about punishing corporate bodies and partnerships when it takes place on their watch. Prosecutors anticipate that the introduction of section 199 will lead to a corporate culture shift, so that people operating within large organisations or on their behalf are left in no doubt as to the consequence of committing a fraud offence.
How can large organisations protect themselves?
There are two defences to the section 199 offence: the organisation can show either that it had reasonable procedures in place to prevent fraud, or (as an exception) that it was not reasonable to implement any such procedures at all. The question of ‘reasonableness’ will be a question firstly for the prosecutor when they are determining whether charges should be laid, and then ultimately for a jury. The government has published extensive (but not exhaustive) guidance on the principles that a large organisation should be considering when devising, implementing, and reviewing their fraud prevention procedures.
What does this mean for your organisation?
The upshot is that a corporate cannot rest on the laurels of their existing ethical and due diligence frameworks. The key to compliance will be a willingness to regularly review, reflect, test, and evolve their procedures.
Review, reflect, and test
Large organisations caught by the new offence will already be assessing risk in all manner of commercial, legal, and regulatory contexts. Those in the regulated sector will be well versed in their due diligence and compliance requirements. Organisations which are outside the regulated sector, or those smaller companies that are caught by the new offence through their connection to a larger parent company, may be less equipped to implement robust systems to mitigate the risk of fraud.
Identify fraud risks
It will be necessary to institute a formal and routine risk assessment cycle to ensure that developing or novel fraud risks do not go undetected. This cycle could involve, for example:
- Reviewing contracts with employees, agents, temporary staff, and consultants
- Analysing the results of audits, investigations, and whistleblowing incidents and marking tangible action points to resolve any red flags
- Simulating scenarios to expose potential vulnerabilities, by making use of AI tools where possible
- Consulting legal professionals to stress-test and advise on current procedures
- Locating potential hot-spots for fraud within the organisation
How fraud creeps in
With over twenty years of experience of working on high-volume fraud and bribery cases against senior executives, Rebecca knows that fraud is most likely to occur where there is a convergence of three risk factors:
- the opportunity to commit fraud,
- a motive to do so,
- and a culture that rationalises fraudulent behaviour.
This is commonly referred to as the “fraud triangle.” Organisations should bear in mind the three points of the fraud triangle when assessing corporate risk.
1) Opportunity
Roles that are consistently contracted out to third parties with little oversight may be an area of risk. There might equally be parts of a team that have been overlooked for many years, allowing defects in compliance to creep in without any intervention. Both scenarios can open up opportunities for fraud.
2) Motive
Fraud could be inadvertently incentivised through an organisation’s bonus and compensation package. This will be a particular risk in sales teams, where employees are regularly subjected to pressures of time and financial performance.
3) Rationalisation
A corporate culture that allows for fraud or other bad behaviour to be legitimised on the basis that it is perceived to be necessary for business purposes or harmless will be open to risk.
Implement
When an organisation has identified areas of risk, it must design a model that is aimed at preventing fraud within its particular structural and cultural context. These measures should be proportionate to the risks faced. They may include the implementation of enhanced due diligence and whistleblowing procedures, providing bespoke training, or rethinking performance-based incentives.
Innovate
Emerging technologies tend to be associated with the increasing prevalence and sophistication of fraud, but they can also be used to assist corporates with its detection and prevention. Large organisations with resources to do so may benefit from harnessing the analytical and predictive power of artificial intelligence to flag up fraud risks before an offence is committed.
Culture and communication
Organisations will only be able to prevent fraud effectively with the ethos that fraudulent behaviour cannot be tolerated or justified. Everybody in the organisation, from the C-suite to the front line, needs to be familiar with and subscribe to that ethos for it to be effective, and the government’s guidance on the new offence places the responsibility for cultivating it squarely with senior leaders. They should promote a culture of integrity and transparency. This can be done in the following practical ways.
Organisational structure
The Head of Ethics or Compliance should have oversight of the organisation’s fraud prevention procedures. Other individuals should have designated responsibility for monitoring the effectiveness of anti-fraud initiatives, responding to new threats, and ensuring that lessons from internal investigations are integrated into revised policies and procedures. These senior leaders should be able to report directly to the board or C-suite.
Establishing the ethos
Senior leaders should be responsible for communicating and embodying the organisation’s culture, but there will ideally also be a clear Code of Ethics which explicitly prohibits fraudulent behaviour and explains why it cannot be justified. The Code should be annexed to the employment contract and then incorporated into learning and development programmes, which should equip employees with practical skills to identify the risks and understand the effects of fraud.
Investigations and prosecutions
In short, organisations will only have a defence to section 199 if they have reasonable measures in place to manage the risks of fraud in an effective and tailored way. As organisations begin to conform to these new requirements, prosecutors anticipate that there will be fewer opportunities for fraud to develop. However, where it does happen, they will now have an easier tool with which to bring a prosecution against a corporate. They will not have to prove that either a senior manager or the directing mind and will of the company had anything to do with the fraud. The section 199 offence is ultimately one of strict liability unless the defence can be proven on the balance of probabilities.
How to respond to a suspected fraud
Where an organisation suspects wrongdoing, one of its principal obligations is to investigate and respond promptly and robustly. The corporate should then have regard to the Serious Fraud Office (SFO) guidance on the circumstances in which it should consider self-reporting. If the SFO carries out an investigation, it will then determine whether a prosecution is required or a Deferred Prosecution Agreement (DPA) can be reached. The SFO has agreed a number of DPAs within the last decade and has expressed its intention to go on using them:
“If a corporate self-reports promptly to the SFO and co-operates fully we will invite it to negotiate a DPA rather than prosecute unless exceptional circumstances apply.”
Key points (TLDR)
- Large organisations must already have in place reasonable measures to prevent fraud.
- What is reasonable will depend on features unique to the corporate or its sector, but organisations should start by making a comprehensive bespoke risk assessment.
- The measures will affect all departments of an organisation, from the finance department and the teams negotiating contracts, to consultants and other agents.
- Where a large organisation has evidence that a fraud has been committed, such that section 199 might be engaged, it is encouraged to seek advice on the next steps. Those next steps might include taking remedial action and self-reporting.
- The SFO will continue to use DPAs as an alternative to taking a case to court where an organisation self-reports and co-operates fully with any investigation.
If your organisation needs advice in relation to any matter raised in this article, do not hesitate to get in touch with the team at 5 Paper Buildings.