New Business Crime offence: Failure to Prevent Fraud
All organisations must be aware that a new offence of failure to prevent fraud is in force from 1 September 2025.
You need to consider whether it applies to your organisation. An organisation can only commit the offence if it is defined as being large, which means that at least two of the following three apply: more than 250 employees, more than £36M turnover, more than £18M total assets.
Even if it does not apply, organisations must be aware of it. It might not apply now, but it might do so as they grow.
In any event, all organisations should have in place policies and procedures to combat bribery and corruption. The Bribery Act 2010 continues to apply, and you must have in place proper procedures to prevent offending.
The Government has published guidance on tackling adverse practices in order to avoid bribery and corruption. There is additional guidance for the new offence: you have to have in place reasonable fraud prevention procedures, and the framework follows six principles or areas:
- top-level commitment
- risk assessment
- proportionate risk-based prevention procedures
- due diligence
- communication (including training)
- monitoring and review.
Organisations should visit or revisit these areas if the new offence applies to them because they are large, as defined, but they should do so anyway as part of their general anti-bribery regime. Indeed, the principles might be said to apply to any regulatory regime an organisation has to comply with.
The new offence – Failure to Prevent Fraud
A large organisation will be guilty of the offence if fraud is committed, or attempted, with the intent that the organisation benefits. Senior management does not necessarily have to know about it. That is the point: to establish a regime that ensures organisations cannot be an environment within which fraud can occur.
Who must commit the fraudulent activity itself?
The actual core fraud is committed by:
- employees
- agents
- subsidiaries
- associated persons providing services for the organisation.
The risks associated with who might commit the fraud will vary from organisation to organisation. It may have no staff other than employees, but those staff may be on, say, pay/bonus sales arrangements that could incentivise fraud. Alternatively, it might deploy external agents on its behalf that may work independently and unsupervised, which poses a risk.
However, an organisation cannot be guilty if it was always intended to be the victim of fraud, or if the offender is not benefiting the organisation, e.g. if an employee is defrauding it.
Defences
Importantly, it will be a defence to prove that when the fraud was committed, the organisation had in place:
“such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place” or “it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place”.
Prevention procedures means procedures to prevent fraud offences. The ‘not reasonable’ defence appears intended to tackle circumstances where a fraud occurred but happened in a way or area that could not have been foreseen.
What is meant by fraud offences?
Failure to prevent fraud is an umbrella for a failure to prevent various offences under the Fraud Act, Theft Act and Companies Act. It encompasses basic fraud offences such as false representation, failing to disclose information, abuse of position, participating in a fraudulent business, dishonestly obtaining services, cheating the public revenue, false accounting, false statements by company directors and fraudulent trading.
Who commits the offence?
In essence, the employees, agents, subsidiaries, or those who supply services for the organisation will commit the trigger offence(s).
The organisation will commit the new offence of failure to prevent fraud – unless one of the defences is established.
What must organisations now do?
The default position is that if you are a large organisation and a fraud offence occurs, you are prima facie guilty of the failure to prevent it.
If you have an existing anti-bribery regime, this needs to be reviewed and updated root-and-branch so that it is fit to meet the requirements of this new offence.
If there are no current policies in place, this needs to be addressed. (Even if you are not a large organisation, but you do not have anti-bribery measures in place, this needs to be tackled.)
If this is not done and something happens, it will be too late – your organisation will not have its building blocks in place: the platform for your defence. The work to be done here will be involved – but it is critical.
Directors and senior management must ‘buy into’ this – there must be clear evidence of a cultural desire to achieve the desired outcome.
Risk assessments must be done to analyse the risk areas and the relative dangers. Measures must be put in place that are proportionate, as one does in any assessment process.
There must be ongoing auditing and monitoring. There must be training and clear internal and external communications.
As with all compliance: ‘document, document, document’ and positively prove what is in place and how you arrived at it.
The potential consequences of failing to address this are not only the normal consequences of a criminal conviction (and significant fines based on turnover) but also potentially irreparable reputational damage.