
The UK Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) created a new offence of failure to prevent fraud, which will come into force on 1 September 2025. Like the Bribery Act before it, the ECCTA extends corporate liability to the actions of employees, agents and other associated persons in circumstances where the criminality (in this case fraud) is intended to benefit the organisation or its clients.
The UK will have jurisdiction for the offence, provided that the fraud has a UK nexus. This means that the fraud must (i) include an act that occurs in the UK; or (ii) result in a gain or loss in the UK. The only defence available is for the corporate to prove that at the time of the offence it had reasonable fraud prevention procedures in place.
On 6 November 2024, the UK government issued Guidance to Organisations on the Offence of Failure to Prevent Fraud, under ECCTA (“Guidance”).
In the context of global business, the extent to which the offence can apply to overseas companies, and advice on the implementation of reasonable procedures to mitigate risk in advance of 1 September 2025, are of particular interest.
Large organisations
The offence applies to large organisations[1], defined as those meeting at least two of the following criteria:
- more than 250 employees
- more than £36 million in turnover[2]
- more than £18 million in total assets
Importantly for international organisations, the Guidance sets out that, when determining whether an organisation is a “large organisation”:
“These criteria apply to the whole organisation, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located.”
Accordingly, an organisation with only a small presence or customer base in the UK could be caught by the remit of the act (depending on the establishment of a jurisdictional nexus to the fraudulent act, loss or benefit).
What types of fraudulent conduct must be prevented?
The act applies to a failure of a large organisation to prevent fraud, including:
- Fraud by false representation (s.2 Fraud Act 2006 (FA))
- Fraud by failing to disclose information (s.3 FA)
- Fraud by abuse of position (s.4 FA)
- Participation in a fraudulent business (s.9 FA)
- Obtaining services dishonestly (s.11 FA)
- Cheating the public revenue (common law)
- Fraud by false accounting (s.17 Theft Act 1968)
- False statements by company directors (s.19 Theft Act 1968)
- Fraudulent trading (s.993 Companies Act 2006)
It also includes aiding, abetting or procuring the commission of these offences. Importantly, there is no requirement for a conviction for the base offence, or indeed for a prosecution of the relevant conduct.
Whose fraudulent conduct must be prevented?
To be attributed to the organisation, the fraud must be committed by an associated person acting in the course of their duties (not in a personal capacity), where the act is intended to benefit the organisation.
Associated Persons, as defined by the ECCTA, include any individual or entity acting for or on behalf of the organisation. This will be a matter of fact, but can include employees, agents, subsidiaries, and others providing services for or on behalf of the organisation.
The facts of each case will be vitally important in the context of multinational organisations, in order to determine for whose corporate benefit an individual, agent or subsidiary was acting.
For example, there are two ways in which fraud committed by the employee of a subsidiary may fall within scope of the offence:
- Where a fraud committed by an employee of a subsidiary belonging to a large organisation benefits the subsidiary, then the subsidiary may be prosecuted; or
- Where a fraud committed by an employee of a subsidiary benefits the parent company, then the parent company may be prosecuted for failing to prevent fraud.
The benefit to the organisation does not need to be the sole or dominant motivation for the fraud; it suffices that the organisation was intended to be a beneficiary. For example, an employee mis-selling a product to earn commission would benefit both themselves and the company, yet the company would still be liable for failing to prevent fraud under the act (provided other relevant criteria were met).
Location of fraudulent conduct, loss or benefit
It is the location of the conduct, loss or benefit which is important for jurisdiction under the ECCTA, not the location of the corporate seat. For example:
- If a UK-based employee commits fraud in the UK for the benefit of their employer, the employing organisation could be prosecuted for a failure to prevent fraud no matter where the organisation is based.
- If an employee or associated person of an overseas-based organisation commits fraud overseas for the benefit of the organisation, but there is a victim in the UK, the overseas organisation could be prosecuted for a failure to prevent fraud.
- If an overseas organisation’s employee commits fraud overseas for or on behalf of the organisation, resulting in a benefit in the UK, then the organisation can be prosecuted for the failure to prevent fraud.
- But the offence will not apply to UK-based organisations whose overseas employees, agents or subsidiaries commit fraud abroad with no UK nexus.
Practical Examples
- A large US-based financial services firm has a strong client base in the UK. An employee operating out of New York (acting for or on behalf of the US firm) fraudulently mis-sells investments in a US fund. The victims of the fraud are in the UK. In this instance, the US financial services firm can be prosecuted in the UK for failure to prevent fraud.
- A large US manufacturing firm sells exclusively to the French market. However, the firm relies on a technical expert based in the UK to provide a certification to its French customers for or on its behalf regarding the safety of its products. The safety certifications are discovered to be false. The US company can be prosecuted for failing to prevent fraud by the UK-based technical expert.
- A UK-headquartered IT firm operates around the world. An employee of an overseas subsidiary commits fraud intending for it to benefit the overseas subsidiary. The UK-headquartered firm cannot be prosecuted for failing to prevent fraud as there is no UK nexus to the fraud.
Organisations will only have a defence if they can prove they had reasonable fraud prevention procedures[3] in place at the time the fraud was committed. What is reasonable in any particular case will depend on the level of control, proximity and supervision which the organisation was able to leverage over the relevant offender’s actions.
In the context of a global organisation, where should reasonable fraud prevention procedures be implemented?
Each organisation capable of falling within the definition of a large organisation should consider the jurisdictional reach of the act. The first step in deciding whether the ECCTA could “bite” will be to determine if:
- The organisation itself acts directly or indirectly within the UK (i.e. are there UK-based offices, employees, subsidiaries or associated persons who act for the benefit of the organisation?).
- There is a customer base in the UK, which could be the victim of fraud by the organisation (or those acting on its behalf).
- There is a vehicle for corporate benefit in the UK (bank accounts etc).
If the answer to the above is yes, the organisation should consider further steps to risk assess and implement reasonable fraud prevention procedures under ECCTA, wherever the organisation is located.
Compliance defence: reasonable procedures
As set out in the Guidance, reasonable procedures will not be a “one size fits all” process. An organisation must focus appropriate time and resources on creating a risk-based approach which is proportionate to the relevant organisation. The Guidance sets out that “in some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment”.
As will be familiar to those falling within the Bribery Act 2010, the Guidance sets out that policies and procedures should be designed and implemented in accordance with the following compliance principles:
- Top level commitment – The board of directors and senior management should be demonstrably committed to preventing fraud by associated persons.
- Risk assessment – A periodic, well documented fraud risk assessment should be undertaken identifying organisation-specific risks and mitigation actions.
- Proportionate risk-based prevention procedures – Anti-fraud policies and procedures should be adopted to combat the risks identified. These should be practical, clear, well implemented and enforced with consequential management.
- Due diligence – Anti-fraud due diligence should be implemented on any potential associated persons.
- Communication (including training) – Training on relevant policies and procedures must be effective, implemented and repeated as necessary. This will include whistleblowing policy guidance and awareness.
- Ongoing monitoring and review – Risk assessments must be dynamic; compliance with policies and procedures should be reviewed regularly; incidents should be investigated, and compliance improvements identified and implemented.
How can Gherson help?
At Gherson we regularly advise organisations on designing and implementing effective financial crime prevention policies, procedures and controls.
If you need further advice on what the new offence of failure to prevent fraud means for your organisation, please do not hesitate to contact Caroline Black, Thomas Cattee or Sara Thomas-Arano at Gherson.
Updated: 2 April 2025
[1] Section 201 of ECCTA. Applies to the financial year prior to the year of the base offence.
[2] “Turnover” means the amount derived from the provision of goods and services falling within the ordinary activities of the commercial organisation or subsidiary undertaking, after deduction of:
- (a) trade discounts;
- (b) value added tax; and
- (c) any other taxes based on the amounts so derived.
[3] Section 199(4) and (5) ECCTA.