Economic Crime and Corporate Transparency Act 2023 - managing fraud risk and the failure to prevent offence

on Thursday, 23 January 2025.

The Economic Crime and Corporate Transparency Act 2023 (the Act) is a pivotal piece of legislation, aimed at bolstering the UK's defences against fraud.

The Act represents a step-change in corporate criminal liability in that area and organisations need to prepare in advance of a new offence - the failure to prevent fraud - coming into force on 1 September 2025.

Key Features

Building on earlier laws, the Act seeks to enhance both transparency and accountability within organisations, making it: (i) harder for fraudsters to exploit the system; and (ii) easier to prosecute organisations that fall short in their counter-fraud efforts. In so doing, the Act puts fraud prevention measures in the spotlight by introducing a new failure to prevent fraud offence (s. 199), with obligations to ensure relevant bodies have reasonable fraud prevention measures in place, in a similar way to the Bribery Act 2010's requirement for organisations in the UK to have adequate procedures in place to prevent bribery.

The Act also sees Companies House move away from being a largely passive recipient of information to a much more active gatekeeper. This will empower Companies House to scrutinise the information provided to it more rigorously, ensuring that organisations are not being used as vehicles for illicit activities. Under the new provisions, Companies House has the power to query any filings, request further evidence and/or reject any filings (as set out, in passing, below).

Harsher penalties and failure to prevent fraud

Whilst there are some existing powers to fine and prosecute organisations (and their directors and officers) for fraud, the creation of the new corporate offence of failing to prevent fraud strengthens the position, closing the net and making investigations and prosecutions more likely.

The new offence will make relevant bodies (namely "large organisations") criminally liable if they fail to prevent fraud by an associated person and the fraud committed by the associated person is intended to benefit the organisation (or a person to whom services are provided on behalf of the organisation). There must be a UK connection, so either the fraud takes place in the UK or the gain occurs in the UK (regardless of where an employer is based).  

Who is at risk?

A "large organisation" for the purposes of the Act is a body corporate or partnership (including incorporated charities), which satisfies at least two of the three following criteria in the year preceding the year of the fraud offence:

  1. More than £36 million turnover

  2. More than £18 million total assets

  3. More than 250 employees

The offence will also apply to a parent company if the group headed by it satisfies (in aggregate) at least two of the three criteria set out above.

An "associated person" covers employees, agents, or any other person who otherwise performs services for or on behalf of the relevant body. The offence is broadly defined and will be based on all of the relevant circumstances, not solely on the nature of the relationship between the parties. Importantly, if an organisation is found guilty of the failure to prevent fraud offence, it is liable to an unlimited fine, plus it will need to deal with all associated negative PR, loss of management time (which can be very significant) and disruption.

It is important to highlight that a relevant body will not be guilty of the failure to prevent offence if it was, or was intended to be, a victim of the offence. However, organisations must implement reasonable fraud prevention procedures in the wake of the Act, as the failure to prevent offence is one of strict liability, meaning it is not necessary to show intent on the part of the organisation - only that the organisation failed to take such reasonable measures and the fraud committed was intended to benefit the organisation.

Failure to prevent guidance

The much-anticipated guidance on reasonable fraud prevention procedures (the Guidance) was published in November 2024. As above, the failure to prevent offence will come into force on 1 September 2025.

This leaves relatively little preparation time and means that relevant organisations need to ensure that they have completed their risk assessments and other compliance homework (including updating relevant policies and contracts) so that they can brief their boards and take action in good time.

What do reasonable fraud prevention procedures look like?

Section 199 of the Act provides a defence to relevant organisations if they have reasonable procedures in place to prevent fraud and the Guidance makes clear that the fraud prevention framework put in place by relevant organisations needs to be informed by the following six principles:

  1. Top level commitment
  2. Risk assessment
  3. Proportionate risk-based prevention measures
  4. Due diligence
  5. Communication including training
  6. Monitoring and review

The Guidance expands upon these six principles further, and they interlink. For example, risk assessments must be reviewed regularly, and top-level commitment is crucial and pervasive.

That said, one size does not fit all, and the Guidance encourages organisations to take a proportionate and risk-based approach according to the particular fraud risks which they face, building on existing policies where possible.  However, a fresh look is needed.  It is clear that this cannot be seen as a tick box exercise. Indeed, the Guidance makes it clear that the necessary risk assessments are dynamic and need to be kept under regular review. Whilst it may "in some limited circumstances" be deemed reasonable not to introduce measures in response to a particular risk, the Guidance makes clear that "it will rarely be considered reasonable not to have even conducted a risk assessment". That is, in our view, a non-negotiable.

Similarly, "training and maintaining training are key" steps to take (see Section 3.5 of the Guidance). The concept of holding an organisation liable for the wrongdoing of people under its control, the defence of taking reasonable steps and these six principles all have echoes of the Bribery Act 2010. However, the Guidance for this new offence is different and must be considered carefully.

What should you do now?

We recommend that organisations (both in scope of the failure to prevent offence and outside scope, as best practice) review their current fraud prevention strategies to ensure they meet the new requirements. There is no "prescription" for this, but measures to take include:

  • Engage senior leadership and management strata so they are aware of what is coming down the track. Senior leadership buy-in is needed to ensure sufficient budget is allocated to plan and implement appropriate and tailored anti-fraud measures to address the specific risks faced by organisations, ensuring that culture aligns with taking the prevention of fraud seriously and is not just a 'tick box' exercise.
  • Conducting tailored risk assessments will be key.
  • Understand what is in the Guidance.
  • Hold workshops with people in key roles who understand different parts of the organisation, so as to understand the nature of the risks faced. This includes identifying where fraud could occur; what opportunities there are for people to commit fraud (including where there is currently insufficient oversight or weak controls); where people are motivated to commit fraud, such as through personal financial pressures, organisational targets or time pressures; and the culture in the organisation or sector that may bring additional pressure to bear.
  • Consider what steps are needed to address the risks, including changing any cultural position or targets, or explaining how fraud will not be tolerated, considering how people are recruited and monitored in their roles, and having technological solutions that may assist.  As part of this, specific vulnerabilities should also be identified (e.g. due to role or individual circumstances).  These steps may build on existing processes or create entirely new ones.
  • Review all relevant contracts - with staff, agents and other third parties.  Is there sufficient disincentive to deter fraud?  Are there prohibitions for doing so, such as investigations and termination of the relationship?
  • Consider what training is needed for all applicable persons at all levels. This is imperative to ensure top-down commitment. For some positions, this may involve just a simple explanation for people in that role; for others, more detailed training of what they are expected to do may be needed.
  • Consider policies/perform policy reviews to showcase how the organisation works, the culture, and its zero tolerance for fraud, with clear whistleblowing procedures and a direct reporting line to the Board, ensuring lessons are learned and processes/controls are adapted if fraud occurs. 
  • Consider engaging with external advisers (e.g. specialist lawyers and accountants/auditors) to help achieve a "fresh look" at the risks you face and what can be done more effectively to help prevent fraud in your organisation.

New powers for Companies House

With changes aimed at improving the reliability of data maintained by Companies House, organisations face (amongst other things) new requirements for mandatory identity verification. These provisions affect new and existing directors, LLP members, persons with significant control, general partners of LPs, and individuals filing documents at Companies House.

The Act provides two routes for verification:

  1. Directly with the registrar, using a digital service linking a person with a primary identity document
  2. Indirectly via an Authorised Corporate Service Provider (ACSP) (i.e. an accountant or law firm), who delivers to the registrar a verification statement confirming that they have verified a person's identity. ACSPs must also be granted authorised status by the registrar.

For overseas entities, the Economic Crime Transparency and Enforcement Act 2022 (which is aimed at foreign criminals using UK property for money laundering and was part of the UK's attempts to eradicate corrupt overseas funds from the economy) already requires overseas entities who want to buy, sell or transfer land or property in the UK to register (on the Register of Overseas Entities) their beneficial registrable owners or managing owners with Companies House. This applies retrospectively and companies will receive a unique overseas entity ID to provide to the Land Registry. 

As a result, we would recommend that organisations:

  • Review and Update Registers, Records, and Appointments at Companies House: Ensure all filings and company records are accurate and up to date. Consider any new policies and procedures that may be required to comply with the obligations introduced by the Act.
  • Prepare for Software-Only Accounts Filing: Begin transitioning to digital accounts filing systems in anticipation of the upcoming implementation in this regard.

How can we help?

We are helping clients prepare for the implementation of the new failure to prevent offence, including assisting with risk, policy and contract reviews and the provision of relevant training. We have both a specialist fraud team and an ECCTA task force, who can assist with both preparations and readiness for implementation, as well as advising on fraud-related matters and investigations generally where the need arises.


For further information or queries on these crucial changes/developments in the law, including how we can help you, please reach out to: Terence Dickens on 0117 314 5408; Ed Husband on 0117 314 5233; or Dominic Speedie on 0207 665 0910 in our Fraud team or your usual VWV contact.