The Act represents a step-change in corporate criminal liability in that area and organisations need to prepare in advance of a new offence - the failure to prevent fraud - coming into force on 1 September 2025.
Key Features
Building on earlier laws, the Act seeks to enhance both transparency and accountability within organisations, making it: (i) harder for fraudsters to exploit the system; and (ii) easier to prosecute organisations that fall short in their counter-fraud efforts. In so doing, the Act puts fraud prevention measures in the spotlight by introducing a new failure to prevent fraud offence (s. 199) with obligations to ensure relevant bodies have reasonable fraud prevention measures in place, in a similar way to the Bribery Act 2010's requirement for organisations in the UK to have adequate procedures in place to prevent bribery.
The Act also sees Companies House move away from being a largely passive recipient of information to a much more active gatekeeper. This will empower Companies House to scrutinise the information provided to it more rigorously, ensuring that organisations are not being used as vehicles for illicit activities. Under the new provisions, Companies House has the power to query any filings, request further evidence and/or reject any filings (as set out, in passing, below).
Harsher penalties and failure to prevent fraud
Whilst there are some existing powers to fine and prosecute organisations (and their directors and officers) for fraud, the creation of the new corporate offence of failing to prevent fraud strengthens the position, closing the net and making investigations and prosecutions more likely.
The new offence will make relevant bodies (namely "large organisations") criminally liable if they fail to prevent fraud by an associated person and the fraud committed by the associated person is intended to benefit the organisation (or a person to whom services are provided on behalf of the organisation). There must be a UK connection, so either the fraud takes place in the UK or the gain occurs in the UK (regardless of where an employer is based).
Who is at risk?
A "large organisation" for the purposes of the Act is a body corporate or partnership (including incorporated charities), which satisfies at least two of the three following criteria in the year preceding the year of the fraud offence:
More than £36 million turnover
More than £18 million total assets
More than 250 employees
The offence will also apply to a parent company if the group headed by it satisfies (in aggregate) at least two of the three criteria set out above.
An "associated person" covers employees, agents, or any other person who otherwise performs services for or on behalf of the relevant body. The offence is broadly defined and will be based on all of the relevant circumstances, not solely on the nature of the relationship between the parties. Importantly, if an organisation is found guilty of the failure to prevent fraud offence, it is liable to an unlimited fine, plus it will need to deal with all associated negative PR, loss of management time (which can be very significant) and disruption.
It is important to highlight that a relevant body will not be guilty of the failure to prevent offence if it was, or was intended to be, a victim of the offence. However, organisations must implement reasonable fraud prevention procedures in the wake of the Act as the failure to prevent offence is one of strict liability, meaning it is not necessary to show intent on the part of the organisation - only that the organisation failed to take such reasonable measures and the fraud committed was intended to benefit the organisation.
The much-anticipated guidance on reasonable fraud prevention procedures (the Guidance) was published in November 2024. As above, the failure to prevent offence will come into force on 1 September 2025.
This leaves relatively little preparation time and means that relevant organisations need to ensure that they have completed their risk assessments and other compliance homework (including updating relevant policies and contracts) so that they can brief their boards and take action in good time.
Section 199 of the Act provides a defence to relevant organisations if they have reasonable procedures in place to prevent fraud and the Guidance makes clear that the fraud prevention framework put in place by relevant organisations needs to be informed by the following six principles:
The Guidance expands upon these six principles further, and they interlink. For example, risk assessments must be reviewed regularly, and top-level commitment is crucial and pervasive.
That said, one size does not fit all, and the Guidance encourages organisations to take a proportionate and risk-based approach according to the particular fraud risks which they face, building on existing policies where possible. However, a fresh look is needed. It is clear that this cannot be seen as a tick box exercise. Indeed, the Guidance makes it clear that the necessary risk assessments are dynamic and need to be kept under regular review. Whilst it may "in some limited circumstances" be deemed reasonable not to introduce measures in response to a particular risk, the Guidance makes clear that "it will rarely be considered reasonable not to have even conducted a risk assessment". That is, in our view, a non-negotiable.
Similarly, "training and maintaining training are key" steps to take (see Section 3.5 of the Guidance). The corporate offence, which holds an organisation liable for the wrongdoing of people under its control, the defence of taking reasonable steps and these six principles all have echoes of the Bribery Act 2010. However, the Guidance for this new offence is different and must be considered carefully.
We recommend organisations (both in scope of the failure to prevent offence and outside scope, as best practice) should review their current fraud prevention strategies to ensure they meet the new requirements. There is no "prescription" for this, but measures to take include:
With changes aimed at improving the reliability of data maintained by Companies House, organisations face (amongst other things) new requirements for mandatory identity verification. These provisions affect new and existing directors, LLP members, persons with significant control, general partners of LPs, and individuals filing documents at Companies House.
The Act provides two routes for verification:
For overseas entities, the Economic Crime Transparency and Enforcement Act 2022 (which is aimed at foreign criminals using UK property for money laundering and was part of the UK's attempts to eradicate corrupt overseas funds from the economy) already requires overseas entities who want to buy, sell or transfer land or property in the UK to register (on the Register of Overseas Entities) their beneficial registrable owners or managing owners with Companies House. This applies retrospectively and companies will receive a unique overseas entity ID to provide to the Land Registry.
As a result, we would recommend that organisations:
We are helping clients prepare for the implementation of the new failure to prevent offence, including assisting with risk, policy and contract reviews and the provision of relevant training. We have both a specialist fraud team and an ECCTA task force, who can assist with both preparations and readiness for implementation, as well as advising on fraud-related matters and investigations generally where the need arises.