New “failure to prevent fraud” offence under the ECCTA: What accountants need to know before 1 September 2025

From 1 September 2025, a new corporate offence of “failure to prevent fraud” will come into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). This offence heralds a major shift in the UK’s fight against economic crime.

This article sets out the key risks for accountancy professionals and provides some early thoughts and practical advice on how to prepare. Institute of Chartered Accountants in England and Wales (ICAEW) members might also review the guidance at The new “failure to prevent fraud” offence: A compliance and accounting perspective.

Why the “failure to prevent fraud” offence?

Despite existing UK fraud laws (for example, the Fraud Act 2006), prosecutors have struggled to attach criminal liability to corporations when misconduct stemmed from mid- or lower-level employees. The Law Commission’s June 2022 report recommended a “failure to prevent fraud” offence as a way of driving robust corporate compliance cultures. Introduced by Parliament in October 2023, ECCTA’s new offence forms part of a suite of reforms to strengthen the UK’s armoury against economic crime and deliver on government strategy to “tackle fraudsters head-on”.

The legal framework

The new offence imposes strict liability on large organisations that fail to prevent fraud by an “associated person”, where the organisation benefits from the fraud and the organisation did not have reasonable fraud prevention procedures in place. In certain circumstances, the offence will also apply where the fraud offence is committed with the intention of benefitting a client of the organisation. It does not need to be demonstrated that directors or senior managers controlled or knew about the fraud.

The offence sits alongside existing law, so that the person who committed the fraud may be prosecuted individually for that fraud, while the organisation may be prosecuted for failing to prevent it.

If an associated person commits fraud under UK law (or targets UK victims), the organisation can be prosecuted even when the organisation and associated person are based overseas.

Who is caught?

1. “Large” organisations (Section 201)

The offence applies only to large bodies corporate and partnerships, defined as those meeting two out of three criteria (in the financial year of the body that precedes the year of the fraud offence):

  • More than £36 million net turnover,
  • More than £18 million net in total assets, and
  • More than 250 aggregate employees.

Accountants advising or working within these entities face increased scrutiny — especially if they are part of internal controls, audit, compliance, or finance teams.

2. “Associated Persons” (Section 199(7))

Anyone who performs services for or on behalf of the organisation can trigger liability if they commit a base fraud offence. This includes:

  • Employees (at all levels)
  • Agents and intermediaries
  • Subsidiaries and their employees
  • Contractors, consultants, and temporary staff

Firms may also be liable where an associated person commits fraud intending to benefit a client of the organisation, widening the net beyond purely internal misconduct.

3. “Base fraud” offences

ECCTA Schedule 13 lists the underpinning offences, including:

  • Fraud by false representation (s.2 Fraud Act 2006)
  • Fraud by abuse of position (s.4 Fraud Act)
  • False statement by a company director (s.19 Theft Act 1968)
  • False accounting (s.17 Theft Act 1968)
  • Cheating the public revenue (common law)

This means that any financial misstatement, manipulation, or omission by an associated person can expose the firm to criminal liability unless robust prevention measures are in place.

Personal liability

The “failure to prevent fraud” offence is corporate only; it does not itself impose criminal liability on individuals for that particular offence. However, individuals who commit the underlying fraud remain liable under existing fraud laws (for example, the Fraud Act 2006).

What are “reasonable procedures”?

The statutory defence (Section 199(4) Economic Crime and Corporate Transparency Act 2023) is straightforward. An organisation avoids liability if it can prove:

(a) the body had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or

(b) it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.

“Prevention procedures” means procedures designed to prevent persons associated with the body from committing fraud offences.

The Home Office Guidance (Nov 2024) outlines six flexible, risk-based principles:

  1. Top-level commitment
  2. Risk assessment
  3. Proportionate risk-based prevention procedures
  4. Due diligence
  5. Communication (including training)
  6. Monitoring and review

Embedding these principles in a living system, not a “tick-box” exercise, is critical. Documentation of policies, training attendance, risk-assessment reports, and control-testing results will form the evidential backbone of any defence.

For accountants, this will mean greater involvement in the design, implementation, and assurance of anti-fraud controls, particularly for financial reporting, procurement, tax planning, and third-party relationships.

Practical risk mitigation steps

As guardians of financial integrity, and bearing in mind ongoing revisions to codes of ethics, accountants play a pivotal role in rolling out and delivering ECCTA compliance. Below are some actionable risk-mitigation techniques that can be deployed ahead of 1 September:

1. Update risk assessments

2. Review internal controls (gap analysis)

  • Test existing anti-fraud controls, whistleblowing channels, and audit trails. Identify any weaknesses or blind spots.

3. Third-party risk management

  • Establish a comprehensive due diligence process for third-party vendors, including background checks and financial health assessments.
  • Regularly review third-party relationships to ensure compliance with anti-fraud policies.

4. Incident response planning

  • Develop a detailed incident response plan that outlines steps to take in the event of a fraud incident, including communication strategies and legal considerations.

5. Advise clients and boards

  • Alert clients falling within the threshold to the new offence. Provide or recommend anti-fraud readiness reviews.
  • Assign a senior executive as fraud officer with direct board access.

6. Training and culture-building

  • Roll out targeted fraud awareness training for staff, including red flags, reporting channels, and the consequences of non-compliance.

7. Audit trail and record keeping

  • Ensure fraud prevention procedures are clearly documented, communicated, and actively monitored.
  • Centralise documentation of risk assessments, approvals, training attendance, and investigation outcomes.

8. Periodic controls testing

  • Schedule “mock fraud” exercises to test decomposed control points.
  • Use the results to refine control design and close loopholes.

9. Whistleblowing and incident-response protocols

  • Review and upgrade (if necessary) whistleblowing policies to ensure anonymity.
  • Develop an incident-response playbook: immediate containment, investigation team, internal/external reporting.

10. Use of technology and AI

  • Leverage advanced analytics and artificial intelligence to monitor transactions in real-time for unusual patterns that may indicate fraud.
  • Implement machine learning algorithms to continuously improve fraud detection capabilities.

Consequences of non-compliance

Failure to implement and demonstrate reasonable procedures carries severe consequences:

  • Unlimited fines for the organisation upon prosecution.
  • Criminal record and reputational damage.
  • Civil lawsuits from shareholders, clients, or competitors claiming negligence.
  • Regulatory scrutiny/sanctions.

Given the strict-liability nature of the offence, ignorance is not a defence. Only proactively documented, risk-based procedures will shield the organisation.

Professional and regulatory risks for accountants

Accountants are likely to come under pressure in several ways:

  • Being the “associated person” committing the fraud, exposing their employer or client to liability.
  • Being found negligent in failing to spot fraud risks as auditors or advisers.
  • Breach of professional conduct rules, including those from the ICAEW, the Association of Chartered Certified Accountants (ACCA), or the Chartered Institute of Public Finance and Accountancy (CIPFA).
  • Reputational damage where fraud occurs on their watch.

Final thoughts

The ECCTA's failure to prevent fraud offence signals a clear shift from reactive enforcement to proactive prevention. For accountants, coupled with regulatory changes for many, this is both a compliance challenge and an opportunity to demonstrate leadership in financial integrity and risk management.

For some firms, only limited changes and updates will be necessary to evidence adherence to regulation and fraud prevention requirements. For those with less embedded controls and systems, more work will be required, as ECCTA demands rigorous, data-driven fraud-risk management. If approached strategically, however, that work can greatly enhance internal controls, corporate culture, and stakeholder confidence.
