New “failure to prevent fraud” offence under the ECCTA
Victoria Prescott
Senior Vice President, Risk and Error Management, Marsh UK
From 1 September 2025, a new corporate offence of “failure to prevent fraud” will come into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). This offence heralds a major shift in the UK’s fight against economic crime.
This article sets out the key risks for law firms and provides some early thoughts and practical advice on how to prepare. The Solicitors Regulation Authority has provided an update on this “failure to prevent fraud” offence.
Why the “failure to prevent fraud” offence?
Despite existing UK fraud laws (for example, the Fraud Act 2006), prosecutors have struggled to attach criminal liability to corporations when the misconduct stemmed from mid- or lower-level employees. The Law Commission’s June 2022 options paper on corporate criminal liability put forward a “failure to prevent fraud” offence as a way of driving robust corporate compliance cultures. Enacted in October 2023, ECCTA’s new offence forms part of a suite of reforms to strengthen the UK’s armoury against economic crime and deliver on the government’s strategy to “tackle fraudsters head-on”.
The legal framework
The new offence imposes strict liability on large organisations that fail to prevent fraud by an “associated person,” where the fraud is committed intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place. The offence also applies where the fraud is committed with the intention of benefitting a person to whom the organisation (or its associated person) provides services, for example a client. Prosecutors do not need to show that directors or senior managers directed, or even knew about, the fraud.
The offence sits alongside existing law, so that the person who committed the fraud may be prosecuted individually for that fraud, while the organisation may be prosecuted for failing to prevent it.
If an associated person commits fraud under UK law (or targets UK victims), the organisation can be prosecuted even when the organisation and associated person are based overseas.
Who is caught?
1. “Large” organisations (Section 201)
The offence applies to large bodies corporate and partnerships, defined as those meeting two out of three criteria (in the financial year of the body that precedes the year of the fraud offence):
• More than £36 million net turnover
• More than £18 million balance sheet total (total assets)
• More than 250 employees (aggregated across the group, on an average-for-the-year basis)
2. “Associated persons” (Section 199(7))
Anyone who performs services for or on behalf of the organisation can trigger liability if they commit a base fraud offence. This includes:
• Employees (at all levels)
• Agents and intermediaries
• Subsidiaries and their employees
• Contractors, consultants, and temporary staff
Firms may also be liable where an associated person commits fraud intending to benefit a client of the organisation, widening the net beyond purely internal misconduct.
3. “Base fraud” offences
ECCTA Schedule 13 lists the underpinning offences, including:
• Fraud by false representation (s.2 Fraud Act 2006)
• Fraud by abuse of position (s.4 Fraud Act)
• False statement by a company director (s.19 Theft Act 1968)
• False accounting (s.17 Theft Act 1968)
• Cheating the public revenue (common law)
This means that a dishonest financial misstatement, manipulation, or omission by an associated person, made with the intention of benefitting the firm or its client, can expose the firm to criminal liability unless robust prevention measures are in place. The one carve-out (Section 199(3)) is where the organisation itself was, or was intended to be, a victim of the fraud.
Personal liability
The “failure to prevent fraud” offence is corporate only; it does not itself impose criminal liability on individuals for that particular offence. However, individuals who commit the underlying fraud remain liable under existing fraud laws (for example, the Fraud Act 2006).
What are “reasonable procedures”?
The statutory defence (Section 199(4) Economic Crime and Corporate Transparency Act 2023) is simply stated, although the burden of proving it rests on the organisation. An organisation avoids liability if it can prove that:
(a) the body had in place such prevention procedures as it was reasonable in all the circumstances to expect the body to have in place, or
(b) it was not reasonable in all the circumstances to expect the body to have any prevention procedures in place.
“Prevention procedures” means procedures designed to prevent persons associated with the body from committing fraud offences.
The Home Office Guidance (Nov 2024) outlines six flexible, risk-based principles:
1. Top-level commitment
2. Risk assessment
3. Proportionate risk-based prevention procedures
4. Due diligence
5. Communication (including training)
6. Monitoring and review
Embedding these principles in a living system, not just undertaking a one-off “tick-box” exercise, is critical. Documentation of policies, training attendance, risk-assessment reports, and control-testing results will form the evidential backbone of any defence.
Law firm exposure
Law firms should not treat this as just another compliance update. The risk is real and multi-faceted. As gatekeepers to the financial system, often facilitating high-value transactions and handling client money, law firms are in a prime position where associated persons could commit fraud.
Below are examples of where a law firm could be exposed under the new offence if reasonable procedures are not in place:
1. Dishonest billing practices
• Scenario: Overcharging clients, billing for work not done, duplicating time entries, or padding hours.
• Benefit to the firm: Increased billable revenue and profitability.
2. Client-related fraud (False representation/deception)
• Scenario: A solicitor knowingly misrepresents the strength of a client’s financial position or legal case to secure funding, investment, or favourable treatment — possibly in conveyancing, litigation funding, or mergers and acquisitions (M&A).
• Benefit to the firm: Retaining a major client, earning substantial fees, securing a transaction.
3. Mortgage and property fraud
• Scenario: A conveyancer knowingly processes transactions involving false identities, overvalued properties, or complicit parties.
• Benefit to the firm: Fees generated from the transaction and maintenance of client relationships (especially with high-volume developers or brokers).
4. Forging signatures or documents
• Scenario: A paralegal or junior lawyer fabricates a signature to expedite a deal or document execution.
• Benefit to the firm: Closing a deal on time, avoiding penalties, protecting client relationships.
5. Corporate or tax fraud involving client advice
• Scenario: A partner knowingly structures a transaction to deceive HMRC or Companies House (for example, hiding beneficial ownership, using false invoices).
• Benefit to the firm: Attracting high-net-worth or corporate clients seeking aggressive tax strategies.
6. Fraudulent statements in pitching or panel bids
• Scenario: Inflated claims about firm experience, qualifications, or success rates in tenders or public procurement bids.
• Benefit to the firm: Winning a lucrative contract.
Mitigating the risk
Below are some practical steps that firms can take ahead of 1 September:
1. Update risk assessments
• Evaluate where the business is most exposed to fraud risks.
• Consider using a fraud risk matrix or heatmap to score each area by:
- Likelihood of fraud occurring
- Potential benefit to the firm (direct or indirect)
- Effectiveness of current controls
- Legal/regulatory consequences
2. Review internal controls (gap analysis)
• Test existing anti-fraud controls, whistleblowing channels, and audit trails. Identify any weaknesses or blind spots.
3. Third-party risk and consultant engagements
• Review third-party relationships to ensure compliance with anti-fraud policies.
4. Incident response planning
• Develop a detailed incident response plan that outlines steps to take in the event of a fraud incident, including communication strategies and legal considerations.
5. Advise clients and boards
• Alert clients falling within the threshold to the new offence. Provide or recommend anti-fraud readiness reviews.
• Assign a senior executive as fraud officer with direct board access.
6. Training and culture-building
• Roll out targeted fraud awareness training for staff, including red flags, reporting channels, and the consequences of non-compliance.
7. Audit trail and record keeping
• Ensure fraud prevention procedures are clearly documented, communicated, and actively monitored.
• Centralise documentation of risk assessments, approvals, training attendance, and investigation outcomes.
8. Periodic controls testing
• Schedule “mock fraud” exercises that test each key control point in isolation (for example, time recording and billing approval, client account payments, and identity verification in conveyancing).
• Use the results to refine control design and close loopholes.
9. Whistleblowing and incident-response protocols
• Review and upgrade (if necessary) whistleblowing policies so that reports can be made confidentially or anonymously, and reporters are protected from retaliation.
• Link whistleblowing reports into the incident-response playbook: immediate containment, a pre-agreed investigation team, and internal/external reporting (including to the SRA and law enforcement where appropriate).
10. Use of technology and AI
• Use analytics, and where appropriate machine learning, to monitor time recording, billing and client account transactions for unusual patterns that may indicate fraud, such as duplicated time entries, billing spikes shortly before a fee estimate is exhausted, or payments to newly added payee accounts.
• Treat any automated alerting as a supplement to, not a replacement for, documented human review, and record how alerts were investigated and closed.
Consequences of non-compliance
Failure to implement and demonstrate reasonable procedures carries severe consequences:
• Unlimited fines for the organisation upon prosecution.
• Criminal record and reputational damage.
• Civil claims from clients, shareholders, or other affected parties.
• Regulatory scrutiny/sanctions.
Given the strict-liability nature of the offence, ignorance is not a defence. Only proactively documented, risk-based procedures (or, in rare cases, evidence that no procedures could reasonably have been expected) will shield the organisation.
Final thoughts
ECCTA’s “failure to prevent fraud” offence signals a clear shift from reactive enforcement to proactive prevention. For law firms, this is both a compliance challenge and an opportunity to demonstrate leadership in financial integrity and risk management.
For some firms, only limited changes and updates will be needed to evidence adherence to the fraud prevention requirements. For those with less embedded controls and systems, more work will be required, since ECCTA demands rigorous, data-driven fraud risk management. Approached strategically, however, that work can greatly enhance internal controls, corporate culture, and stakeholder confidence.