When the UK’s Failure to Prevent Fraud offence came into force on 1 September 2025, it quietly, but decisively, redrew the boundaries of corporate accountability.
Tucked within the Economic Crime and Corporate Transparency Act (ECCTA), this law gives prosecutors a powerful new tool to hold companies to account when someone connected to them commits fraud for their benefit. It’s the latest in the UK’s “failure to prevent” family of offenses, joining the Failure to Prevent Bribery and Failure to Prevent Tax Evasion laws, and it signals that the era of plausible deniability in the boardroom is over.
For directors, it means one thing above all: saying “that’s what I was told by management, and I believed them” will no longer be an acceptable defence, as Ty Francis, MBE, the Chief Advisory Officer of LRN Corporation, explains...
So what does the law actually do?
The Failure to Prevent Fraud offence makes an organisation criminally liable if a person “associated with” it (an employee, agent, subsidiary, or third-party partner) commits fraud for the organisation’s benefit. That could include false accounting, misleading investors, or manipulating financial information.
The offence applies to all large organisations that meet two or more of the following thresholds: more than 250 employees, over £36 million in annual turnover, and more than £18 million in total assets.
In essence, that captures the majority of listed firms, private equity portfolio companies, major partnerships, and large multinationals.
Crucially, the law also applies to overseas companies that “carry on business” in the UK, even if incorporated elsewhere. That means any non-UK entity with substantial operations, offices, clients, or supply chains in the UK will need to adhere to the same standards. If the fraudulent conduct benefits a UK-facing business, the offence can apply, even if the act itself happened abroad.
In short, if you do business in or through the UK, this law is your concern.
Under the new regime, the only way a company can avoid liability is by proving that it had “reasonable procedures” in place to prevent fraud, or that it was not reasonable to expect such procedures given its risk profile.
That defence will be tested by evidence: for example, how the board identified fraud risk, what controls were implemented, what training was delivered, and how often those systems were reviewed.
It’s not about perfection per se, it’s about prevention. The law is designed to encourage companies to take proactive steps to reduce the risk of fraud, not to punish those who make honest mistakes. But it expects boards to show leadership, not hindsight.
A cultural and legal shift
For directors, especially independent non-executives, this marks a cultural and legal shift. Under the old “directing mind and will” test, prosecutors had to prove that a very senior individual personally committed or directed the fraud for the company to be liable. That bar was almost impossibly high.
The new law changes that entirely. Now, if anyone associated with the business commits fraud for its benefit, and the company cannot show it took reasonable preventive steps, the organisation can be prosecuted.
So while the offence itself may not create personal criminal liability for directors, it will inevitably raise questions about board oversight and governance. Regulators, investors, and auditors will ask: Where was the board? What information did it receive? What questions did it ask? What systems did it approve of?
The board’s role in setting the tone, funding prevention measures, and ensuring transparent reporting will become a key line of inquiry in any investigation.
Fraud rarely starts in the accounts. It starts in the culture. It thrives where targets trump ethics, where pressure goes unexamined, and where speaking up is seen as risky.
That’s why this law isn’t just about internal controls, it’s about culture. Boards can no longer treat fraud prevention as a matter for compliance and risk departments alone. They must take responsibility for shaping an environment that discourages misconduct at every level.
Prevention starts with curiosity: What behaviours are rewarded? How do people interpret leadership signals? Are whistleblowers confident they’ll be protected? These questions are not soft governance, they’re hard risk management.
A strong culture doesn’t just reduce fraud risk; it provides the board with evidence of reasonable prevention. When regulators ask what you did to stop misconduct, a culture that measures trust, transparency, and ethical confidence is part of the answer.
Training as the first line of defence
Too often, fraud training is a tick-box exercise, an annual e-learning course no one remembers. Under the new regime, that will no longer suffice.
Training must be risk-based, role-specific, and behaviourally grounded. It should show how fraud actually occurs within the business model, what red flags to watch for, and how employees should respond. Refreshing that old SCORM file, throwing it out to everyone in the hope of getting 100% completion, and taking that as your only data point? Well, I guess you’re still getting Netflix DVDs delivered too.
Boards should expect metrics that go beyond those completion rates: they should see survey results that test understanding, scenarios that reinforce ethical decision-making, and data that measures whether employees feel empowered to report issues.
If training works, it becomes both prevention and evidence: a living, breathing demonstration of reasonable procedures.
Measuring what matters
One of the most interesting side effects of this legislation is the way it reframes “reasonable procedures” as both a compliance and culture challenge. Boards will need to look at non-financial data to assess risk: ethics hotline trends, employee engagement results, exit interviews, and culture surveys. A rise in anonymous reports or a decline in trust could indicate areas of exposure.
Forward-thinking boards are already integrating these insights into risk dashboards, tracking culture as a form of control. In a future enforcement action, that kind of data could be the difference between liability and defence. Because prevention isn’t only about having the right policies; it’s about being able to prove that they’re working.
What overseas and UK companies should do now
If your organisation operates in or through the UK, it’s time to start preparing. That includes:
- Assessing exposure: Determine whether you meet the “large organisation” thresholds and where UK operations may create risk.
- Conducting a fraud risk assessment: Identify the areas of greatest vulnerability, particularly within sales, procurement, finance, and third-party relationships.
- Reviewing existing policies and training: Ensure your anti-fraud framework is integrated into your wider ethics and compliance programme.
- Enhancing board oversight: Make fraud prevention a standing item on audit or risk committee agendas, and ensure clear escalation channels to the board.
- Documenting evidence: Keep thorough records of the board’s discussions, decisions, and challenges around fraud prevention—minutes will matter.
For overseas companies, the simplest test is this: If your operations, people, or services touch the UK market, assume the law applies and prepare accordingly.
The message behind the Failure to Prevent Fraud offence is clear. Corporate integrity is no longer just a compliance issue, it’s a leadership test. So boards must move beyond passive oversight and show they are actively engaged in preventing fraud, measuring culture, and challenging management assumptions.
The law doesn’t ask boards to know everything; it asks them to care enough to find out. Because in 2025, when the inevitable question is asked, “What did your board do to prevent this?”, it will no longer be acceptable to say, “That’s what I was told.” Now, you’ll need to show what you asked, what you measured, and what you led.