How to Comply with Failure to Prevent Fraud

TL;DR: The UK’s Failure to Prevent Fraud is a corporate liability law targeting large businesses where employees or associates commit fraud and the company fails to prevent it. To comply with the failure to prevent fraud offence, firms must follow the Failure to Prevent Fraud Guidance and prove reasonable procedures were in place.

The Growing Risk of Corporate Fraud in the UK

The introduction of the UK’s Failure to Prevent Fraud offence marks a pivotal moment for financial services compliance. The fraud triangle, developed by Donald Cressey, describes three conditions that lead to fraud: pressure, opportunity and rationalisation. This framework helps explain why the new UK legislation targets large organisations with direct liability for fraud perpetrated by employees, agents, or subsidiaries.

It forms part of wider reforms under the Economic Crime and Corporate Transparency Act 2023, significantly broadening the scope of corporate liability. For financial services firms, this represents a shift in how internal controls, training, and third-party oversight are assessed. For risk and compliance leaders, the law demands a strategic overhaul of how fraud risk is managed. Robust measures are no longer optional; they are legal expectations for company directors.

To remain compliant, firms must build demonstrable frameworks that reduce the risk of prosecution. Examples of relevant offences include tax evasion offences, associated persons making false statements, false accounting, fraudulent trading, bribery offences, fraud by false representation, obtaining services dishonestly, and cheating the public, to name a few. This guide outlines a practical checklist for preparation, clarifies common myths, and shows how companies can put fraud prevention procedures in place.

What is the Failure to Prevent Fraud Offence?

The Failure to Prevent Fraud offence applies to an organisation when an “associated person” commits fraud for the business’s benefit, where that fraud falls under a specified offence in the ECCT 2023. Even if senior leadership is unaware of any wrongdoing, the offence applies and they are held criminally liable for the fraudulent conduct. As a result, firms found liable can face unlimited fines and reputational harm unless they can prove “reasonable procedures” were in place.

Fraud Prevention Consultant Milosh Caunhye says, “Large organisations can now face criminal prosecution for fraud committed by employees or agents, regardless of whether senior management was aware. Without reasonable fraud prevention procedures in place by 1 September 2025, firms risk facing unlimited fines and irreversible reputational damage. The defence requires organisations to demonstrate adequate fraud controls tailored to their risk environment.”

It must go beyond a policy document; there must be clear evidence of implementation. Failure to meet this bar exposes firms to criminal prosecution. By implementing tools to support this evidentiary standard, companies can avoid underlying fraud offences through real-time controls and audit capabilities.

How Failure to Prevent Fraud Impacts Financial Services and Corporate Liability

Recent data has shown a disproportionate number of offences across banking, lending, and insurance. This marks a significant shift in who takes accountability, and fraud prevention has now become a board-level concern for large organisations. Senior managers and leadership teams must build effective fraud frameworks that are implemented and regularly reviewed. For those in the financial sector, legal exposure, reputational risk and sector-specific obligations are the major impacts of the new offence.

The Serious Fraud Office (SFO) has been designated as the lead enforcement body under the new legislation. Failing to adequately implement such procedures puts financial institutions at risk of civil litigation, reputational damage, and direct investigations. The pressure to create thorough risk assessment protocols is only increasing due to heightened regulatory scrutiny. This broadening of liability moves the focus from reactive incident response to proactive risk governance, thereby raising the bar for what regulators expect from firms under scrutiny.

Who Does the Failure to Prevent Fraud Offence Apply To?

The failure to prevent fraud offence applies to companies referred to as large organisations. They are defined by meeting two or more of the following thresholds:

  • £36 million in turnover

  • £18 million in assets

  • 250 employees.

These thresholds are assessed against the financial year preceding the offence. Typically, organisations such as banks, insurers, investment firms, and most fintechs fall within the scope of this offence. Even smaller firms could be indirectly affected through third-party relationships or by future legislation.

Importantly, the law could extend beyond fraud to include related offences such as tax evasion or crimes impacting public revenue. This broad applicability makes it critical for firms to evaluate both direct and indirect exposure. Assessing anti-fraud procedures that also address bribery and criminal finances, and that mitigate the particular risks posed by associated persons, keeps firms ahead of the curve. Early classification of a firm’s status and operational risk helps determine the level of procedural rigour required under the law.

Who are “Associated Persons” under Failure to Prevent Fraud?

The failure to prevent fraud offence adopts an expansive view of who qualifies as an “associated person.” This includes employees, contractors, subsidiaries, agents, and third-party service providers. Senior managers also fall within scope, reflecting a broader view of corporate responsibility. Under this definition, fraud committed by anyone acting on behalf of the organisation may result in criminal liability.

Firms must design fraud prevention frameworks that cover everyone who could commit an underlying fraud offence on their behalf, not just employees. The inclusion of non-employees and leadership elevates the importance of cross-functional risk mapping. Organisations must maintain oversight of anyone acting in their interest, especially in high-risk roles. This calls for comprehensive onboarding checks and ongoing monitoring.

Scope and Expectations of Failure to Prevent Fraud

There is often uncertainty around the scope of reasonable fraud prevention measures and the intent of the new failure to prevent fraud offence. In some cases, it is assumed that the rules apply only to internal fraud or that current policies already provide sufficient coverage. However, the offence targets any fraud by an associated person that benefits the organisation. Whether the fraud is internal or external, large businesses should not assume that their Anti-Money Laundering (AML) controls fulfil the requirements.

In truth, AML frameworks address different risks and lack the targeted specificity required under this offence. Written policies alone will not satisfy regulators. Implementation and monitoring of effective controls are essential to promoting an anti-fraud culture. The new law also demands fraud-specific measures that can withstand scrutiny from the Serious Fraud Office (SFO).

The Difference between AML Compliance and Failure to Prevent Fraud Procedures

AML compliance is fundamentally reactive, focused on detecting suspicious activity after it occurs. In contrast, the new offence demands preventive measures that stop fraud before it happens. This mirrors existing UK corporate offence legislation such as the UK Bribery Act 2010, under which companies are penalised for failing to prevent wrongdoing by associated persons. This model of corporate criminal attribution marks a shift from detection to prevention. Firms must not confuse AML risk assessments with the fraud prevention requirements introduced here.

To establish a valid defence under the new offence, companies must prove they had reasonable fraud prevention procedures in place. These controls must be tailored to the business’s specific risk profile and operations. It is not enough to have generic policies; procedures must be documented, implemented, and periodically updated. Clear communication and operational visibility are also essential. This marks a shift from passive compliance to evidence-based readiness. Regulatory bodies will expect firms to demonstrate that their controls were functional at the time of the offence.

Assessing and Managing Internal Fraud Risks

Effective prevention begins with a detailed risk assessment process. Firms must identify the areas of the business most vulnerable to fraud and assess how associated persons interact with these functions. Key steps include mapping high-risk business units, identifying threat vectors, and quantifying potential impacts. Prioritisation based on exposure to fraudulent acts helps allocate controls efficiently.

Financial firms should also account for changes in fraud risk over time, driven by internal changes or external threats. This requires ongoing analysis and a willingness to adjust controls accordingly. Tools that enable this flexibility, such as adaptive workflows and risk scoring, provide a strong foundation. Risk mapping is essential to meet legal obligations under the new offence.

Reviewing Gaps in Existing Processes

Reviewing and strengthening existing compliance processes is necessary to avoid duplication and ensure legal alignment. Many firms assume that their AML tools or existing fraud policies are sufficient. However, controls must be audited against the requirements of the failure to prevent fraud offence. The review should span onboarding, escalation, and third-party management.

Key starting points include reassessing risk-based onboarding flows, stress-testing escalation logic, and mapping out procedures. Firms should document findings and integrate updates into a formal fraud prevention framework. This type of process review signals a proactive stance on compliance to regulators.

Core Fraud Prevention Procedures Every Firm Needs

Based on regulatory guidance and industry best practices, there are key procedures every firm should adopt. These include mandatory staff training on fraud indicators, such as false representation and financial misconduct. Firms must also implement whistleblower hotlines, real-time transaction monitoring, and enhanced vetting for high-risk roles. Continuous vendor screening further helps mitigate third-party risk.

These procedures must be embedded across departments, not siloed within compliance functions. A comprehensive prevention plan should also evolve with changes in regulatory expectations or internal risk appetite. Establishing a culture of fraud awareness is equally critical for long-term effectiveness.

The Role of Due Diligence in Preventing Fraud

Under the new offence, due diligence becomes an ongoing obligation. Companies should continuously verify the legitimacy and risk profile of customers, vendors, and associated persons. Effective due diligence enables early fraud detection and strengthens a firm’s legal defence against other criminal activity such as money laundering. By identifying synthetic identities, fraudulent trading, and other financial misconduct over time, businesses can ensure thorough due diligence.

Firms should conduct Know Your Customer (KYC) and Know Your Business (KYB) checks across their entire customer, partner and employee base. KYC and KYB checks should be supported by refreshed Politically Exposed Person (PEP) checks, sanctions screening and adverse media screening. Behavioural monitoring flags suspicious activity that signals underlying fraud. ComplyCube supports these efforts through automated controls and integration-ready solutions. You can learn more here: What is a Politically Exposed Person (PEP)?

Case Study: HSBC’s £64M Fine Highlights Risks of Inadequate Fraud Controls

In December 2021, the UK Financial Conduct Authority fined HSBC £63.9 million for longstanding weaknesses in its anti-money laundering systems. Between 2010 and 2018, HSBC failed to maintain effective transaction monitoring controls, exposing the bank to serious financial crime risks.

The FCA found that HSBC:

  • Did not update or test key fraud detection systems for eight years
  • Missed alerts involving high-risk customers and suspicious activity
  • Lacked proper oversight of AML controls and internal risk escalation

While the penalty predates the UK’s new Failure to Prevent Fraud offence, it illustrates the operational gaps that now carry potential criminal liability under updated legislation. If internal or third-party fraud had occurred, HSBC could have faced prosecution in addition to financial penalties.

This case serves as a clear warning. Outdated systems and passive controls are no longer defensible. Under the new law, firms must demonstrate that reasonable procedures to prevent fraud are in place, operationalised, and supported by audit-ready evidence.

Auditing and Evidencing Fraud Readiness

Documentation is central to demonstrating a valid defence under the new offence. Firms must keep records of training attendance, internal audits, vendor risk assessments, and case handling. These artefacts help prove that reasonable procedures were not only designed but also followed. Regulators will look for evidence that procedures were implemented at the time of the alleged offence.

ComplyCube’s reporting and audit modules allow firms to export logs, compliance reports, and process trails easily. This enables fast, transparent responses during enforcement actions or audits. Firms that build documentation into their daily workflows will be better equipped to defend against allegations. Evidencing readiness is as critical as implementing controls.

Preparing Your Board and Risk Committee

Leadership accountability is embedded in the new offence, placing boards and senior risk committees at the heart of compliance. MLROs and Heads of Fraud must ensure that decision-makers understand fraud exposure across the business. Regular reviews of KPIs, audit results, and incident reports should become standard governance practice. It is equally important to allocate resources for continuous improvements in fraud controls.

A well-defined fraud prevention plan, backed by real data, supports a strong corporate culture and legal defence. Boards should treat this offence not just as a compliance issue, but as an enterprise risk. Firms that fail to engage leadership early risk being unprepared for enforcement. ComplyCube enables actionable visibility into fraud controls across business units, supporting strategic oversight.

How ComplyCube Enables End-to-End Fraud Prevention

ComplyCube offers a unified compliance platform tailored to the demands of the new fraud offence. It enables real-time identity verification, sanctions screening, and behavioural fraud checks, all of which support the “reasonable procedures” defence. The platform supports custom rules within its workflows, allowing firms to implement and adjust controls to their specific risk profile without writing any code. This ensures flexibility and allows fraud prevention measures to be deployed quickly.

Fraud detection measures can be implemented across the customer journey, providing full visibility and control. The modules cover document, biometric, and database verification, which can be coupled with connections into fraud networks, device intelligence, and fraud risk scores, enabling holistic fraud detection and insights. These purpose-built tools support proactive prevention and audit readiness. Integrated solutions such as ComplyCube will be essential as enforcement ramps up.

Key Takeaways

  • The UK Failure to Prevent Fraud law introduces strict and expanded corporate liability for fraud.
  • Associated persons include employees, contractors, agents, vendors, and subsidiaries.
  • AML systems alone are insufficient to meet the new fraud prevention requirements.
  • Organisations must have fraud-specific frameworks that are tested, evidenced, and updated regularly.
  • ComplyCube enables fraud prevention to be embedded across business processes.

Overall Timeline of Roll-Out and Implementation

The new failure to prevent fraud offence took effect on 1 September 2025 and initially focused on high-risk sectors such as finance and fintech. Firms with larger customer bases or public-facing operations faced higher scrutiny. The Serious Fraud Office (SFO) began leading investigations and prosecutions under this expanded framework. Regulators are expected to ask for documented proof of compliance readiness. Companies that prioritise early compliance can strengthen their reputation and reduce regulatory pressure.

Frequently Asked Questions

What is the UK Failure to Prevent Fraud law?

The UK Failure to Prevent Fraud law, introduced under the Economic Crime and Corporate Transparency Act 2023, makes companies liable if an employee, contractor, agent, or subsidiary commits fraud for the organisation’s benefit. Leadership can be prosecuted even if they were unaware. The only defence is showing that “reasonable procedures” were in place. The Serious Fraud Office is the lead enforcement body. The law came into effect on September 1, 2025.

Which UK companies are affected by the Failure to Prevent Fraud law?

The law applies to large UK organisations that meet at least two of these thresholds in the previous financial year: turnover of £36 million or more, assets of £18 million or more, or 250 employees or more. Smaller companies are not directly in scope but can still face indirect exposure as suppliers or agents to larger firms. UK entities may also be liable for fraud committed by overseas subsidiaries if it benefits the business.

What are reasonable procedures to prevent fraud under UK law?

Reasonable procedures under the UK Failure to Prevent Fraud law include mandatory staff training on fraud indicators, whistleblowing hotlines, real-time transaction monitoring, enhanced vetting for high-risk roles, and continuous vendor screening. Strong due diligence is also required, such as KYC and KYB checks, sanctions screening, and adverse media monitoring. Firms must keep evidence such as training records, audit logs, and risk assessments to prove these controls were active at the time of any alleged offence.

How is the UK Failure to Prevent Fraud law different from AML compliance?

AML compliance is mostly reactive, focused on detecting suspicious activity after it happens. The UK Failure to Prevent Fraud law requires proactive fraud-specific measures that reduce risks before they occur. Written policies alone are not sufficient. Regulators expect firms to demonstrate that tailored fraud prevention procedures are in place, regularly reviewed, and documented. AML and fraud prevention frameworks work together but cover different risks, and both are required for full compliance.

What are the penalties for failing to prevent fraud in the UK?

Companies that fail to comply with the UK Failure to Prevent Fraud law face unlimited fines and significant reputational damage. Senior managers and boards are accountable for ensuring effective fraud frameworks. Key steps include risk assessments, continuous monitoring, whistleblowing processes, and audit-ready documentation. Early compliance helps reduce regulatory scrutiny. Platforms such as ComplyCube provide tools for identity verification, sanctions screening, and audit reporting to evidence readiness.
