Failure to Prevent Fraud: The New Guidance

10/03/2025

Among the many changes introduced by the Economic Crime and Corporate Transparency Act 2023 is a new offence of failure to prevent fraud which will come into force in September 2025. Section 199 of the Act makes it an offence for a person associated with a large organisation to commit fraud with intent to benefit either the organisation or to benefit a person to whom the organisation supplies services. It is a defence for the organisation to establish that it had reasonable fraud prevention procedures in place or that it was reasonable not to have any such procedures.

This article looks at the new guidance that accompanies the legislation and asks if it is fit for purpose, considering that it was the Government’s aim to “help prevent corporations committing crimes”. The focus of this assessment is how well the guidance reconciles the twin needs of commercial certainty and practical flexibility. The guidance itself is published here.

Prevention and Deterrence

Relevant organisations can be prosecuted if the associated employee’s conduct constitutes a base fraud offence, even if the associated person is prosecuted for an alternative offence or is not prosecuted at all. However, if the associated person is not prosecuted, then the prosecuting body must prove to the criminal standard that the associated person did commit the base fraud offence. There may be many reasons why a prosecution again an individual isn’t pursued: perhaps a key witness would not give evidence, the associated person has fled outside the jurisdiction, or there is no public interest in the prosecution of an individual due to reasons connected with that individual’s health. The legislation ensures that companies will not escape prosecution due to these contingencies arising.

The guidance provides encouragement for organisations to actively co-operate with the relevant prosecuting bodies. The organisation’s level of co-operation will be acknowledged by the prosecuting body and can have an impact on whether criminal proceedings are instigated at all, and if they are, whether a prosecution is pursued or whether a deferred prosecution agreement may be explored.

The “reasonable fraud prevention measures” defence is naturally discussed in some detail within the guidance. If an organisation sought to rely on this defence, it would be for the organisation to establish reasonable measures on the balance of probabilities. The guidance sets out that what is reasonable for an organisation to do will be assessed in light of how much control, proximity and supervision an organisation can exercise over certain parties: an organisation will be expected to regulate the behaviour of its employees or its primary contractor to a greater extent than in relation to a chain of sub-contractors. The guidance suggests that organisations should consider the motivations that may influence employees to commit fraud as well as their opportunities to do so. The guidance sets out the importance of top-level buy-in at Board level as well as training and regular review of policies, but one of the core principles is the need for risk assessments to take place.

The guidance notes that it in order for an organisation to determine whether it is reasonable to have fraud prevention measures or how extensive such measures should be, it will be necessary for the organisation to have undertaken a risk assessment. Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision. The only situation which the guidance posits might result in a decision of this kind being made is if existing controls for other regulatory reasons are already in place: whilst the guidance states that prevention measures should be proportionate to the scale of the risk and the nature of the organisation’s work, it does not suggest that the mere fact such controls might be expensive to implement could furnish a defence.

Certainty and flexibility

The guidance needs to provide a measure of certainty to allow companies to trade in confidence knowing that they and they employees are on the right side of the law. Equally however, there must be some flexibility and a recognition that one size will not fit all for all large organisations.

The guidance makes it plain that apparent adherence to the letter of the guidance will not necessarily mean that an organisation has reasonable procedures in place. Equally, it would appear that not implementing every suggestion made by the guidance will render an organisation’s measures inadequate: everything turns on what is reasonable and proportionate.

All large organisations are directly affected by this guidance (a large organisation being one that has two or more of the following features: more than 250 employees; balance sheet £18 million; turnover £36 million). The Guidance notes that its principles are good practice for small organisations too although they cannot be prosecuted under section 199: it may be thought that prosecuting authorities may have an eye to this guidance if they were considering the prosecution of a small organisation under the revised rules concerning corporate liability.

In order to prevent corporate fraud, the Government needed to provide clarity to business, so that companies could work with Government to regulate actions undertaken by employees and contractors. This guidance goes some way to ensuring that companies have the tools they need to design effective fraud prevention measures whilst acknowledging that a company’s ability to do so will be constrained to some extent by external factors. All companies should however be clear that the onus will now be on them to digest and implement this guidance and to demonstrate that they have done so in a proportionate manner.