U.K.’s new fraud law could reshape compliance

The U.K.’s “failure to prevent fraud” offense finally went into effect in September 2025. The law holds large organizations criminally liable if an investigation shows they lack adequate anti-fraud systems, placing a stronger emphasis on corporate accountability. The authors explore the law’s practical impact on businesses and compliance teams, highlight weak spots in the law and provide suggested reforms, and outline steps companies can take to stay on the right side of the law.

In 2020, the U.K.’s Serious Fraud Office (SFO) saw its high-profile case against Barclays collapse — not because the allegations weren’t serious, but because the law couldn’t keep up. The case concerned complex deals that occurred during the 2008 financial crisis with Qatari investors, which prosecutors claimed were fraudulent. Prosecutors alleged the U.K. bank gave Qatar undisclosed financial incentives to secure its participation in two emergency fundraising rounds. They claimed Advisory Service Agreements (ASAs) were used to pay extra commissions not reported to the market, with vague service descriptions suggesting disguised payments. Investigators also questioned a multibillion-pound loan to Qatar, arguing it may have funded Qatar’s Barclays investment and constituted unlawful financial assistance. These allegations formed the basis of claims that Barclays misled investors and regulators during the financial crisis.

Ultimately, the court ruled that no one could be identified as the bank’s “directing mind and will.” Without a clear individual to blame, the company escaped criminal liability. In corporate fraud cases, the “directing mind and will” refers to individuals whose decisions legally represent the company. Under the identification doctrine, prosecutors must show a senior leader — typically a board member or chief executive officer (CEO) — both intended to act dishonestly and controlled the relevant actions. For example, if a CEO knowingly authorizes misleading financial statements to secure investment, their intent is attributed to the company. Misconduct by lower-level employees without senior approval usually fails to meet this threshold. This high bar often complicates fraud prosecutions against large organizations, where decision-making is diffuse and proving individual attribution is difficult. The “directing mind and will” doctrine has long posed challenges. It worked in the 19th century when business ownership and control were obvious, but it’s ill-suited to today’s dispersed corporate structures. Other common law countries (where legal precedent from judicial decisions, alongside statutes, form the basis of the legal system) addressed this decades ago by enacting legislation that introduced more practical, functional tests.

The outcome of the Barclays case wasn’t an isolated event. Similar legal roadblocks derailed cases against Tesco and the London Interbank Offered Rate (LIBOR). LIBOR, a benchmark (based on the U.S. dollar, the euro, the British pound, the Japanese yen and the Swiss franc) that is used for trillions in loans and derivatives, became embroiled in scandal when major banks manipulated it to benefit trading positions and appear financially healthier during the 2008 financial crisis. The scheme led to billions in fines, criminal prosecutions and a global overhaul of benchmark rate systems. All LIBOR rates ceased to be published after Sept. 30, 2024. The U.K. Supreme Court ultimately overturned major convictions in the LIBOR case because prosecutors failed to show that traders knew their actions were dishonest, a required element for fraud. The court ruled that deviating from internal policy wasn’t enough; defendants needed a subjective awareness of wrongdoing.

In 2014, British multinational grocery retailer Tesco admitted it had overstated profits by 250 million pounds (later revised to 326 million pounds) due to prematurely booking supplier income and delaying costs. The scandal led to executive suspensions, SFO charges, a 6.4 billion pound loss in 2015, and a deferred prosecution agreement requiring the organization to pay 129 million pounds in fines and 85 million pounds in investor compensation. But the case against Tesco’s former executives collapsed because the judge ruled it lacked sufficient evidence for a jury to consider. Two executives — Christopher Bush and John Scouler — were acquitted after the court found the SFO’s prosecution fundamentally flawed. Ultimately, Tesco itself avoided criminal conviction through a deferred prosecution agreement, paying fines and compensation instead. The takeaway from these missed opportunities? The bigger and more complex the companies, the harder it was to hold them accountable.

The signature feature of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) is the “failure to prevent fraud” offense, designed to close the gap on lack of accountability among large corporations where fraud is being committed. The ECCTA was signed into law in 2023 at a time when fraud accounted for 40% of all reported crime in the U.K. The failure to prevent fraud offense took effect on Sept. 1, 2025, and applies to large organizations in the U.K. Instead of trying to prove intent at the top, the law now focuses on whether companies have proper systems in place to stop fraud from happening in the first place. This shift means businesses can be held criminally liable if someone connected to them — an employee, agent or subsidiary — commits fraud that benefits the company or its clients. And prosecutors don’t need to prove that senior management knew about it.

The reform offered by the failure to prevent fraud provision is a welcome step toward stronger corporate accountability, but we argue that further change and a more robust approach to enforcement are necessary to make a real difference in tackling corporate fraud.

What the new law means for business

The ECCTA links the new failure to prevent fraud offense to existing fraud and related offenses under U.K. law, most notably those in the Fraud Act 2006, which established three primary ways to commit fraud: by false representation, by failure to disclose information and by abuse of position. The intent isn’t solely to catch bad actors. It’s about making sure companies have real systems in place to prevent fraud.

Under the new law, companies can be prosecuted regardless of whether senior leadership knew fraud was taking place, authorized it or directed it. This marks a clear break from the identification doctrine, which required proof that a company’s directing mind and will was personally involved. The failure to prevent fraud offense doesn’t require proof of intent or knowledge at the top. If someone connected to the company commits fraud — whether they’re charged or not — the company could still be held responsible.

The failure to prevent fraud offense applies to large organizations meeting two of the following three thresholds:

1. More than 250 employees.
2. More than 36 million pounds in turnover.
3. More than 18 million pounds in assets.

The types of fraud covered include:

• False representation.
• Failure to disclose information.
• Abuse of position.
• False accounting.
• Fraudulent trading.
• Cheating the public revenue.

Money laundering isn’t included, as it’s covered by the Proceeds of Crime Act 2002.

The failure to prevent fraud offense applies to U.K.-based crimes, but it doesn’t stop at the border. If a company is part of a larger group that meets the applicable thresholds — even if the parent company is overseas — it could still be liable. That means international businesses with U.K. operations need to pay close attention.

The offense provision kicks in when someone commits fraud under U.K. law and is considered an “associated person,” a broad category that includes employees, agents, subsidiaries and anyone performing services for the company. If fraud was intended to benefit the company or its clients, even partially, the company could be liable. And it’s not just about money. The law covers any kind of benefit, financial or otherwise. That includes gaining an unfair edge over competitors or securing a business advantage through dishonest means.

As to the nature of the benefit, the guidance from the U.K. government explains that:

“The benefit may be financial or nonfinancial. For example, a fraud intended to confer an unfair business advantage would be in scope, as this would constitute an indirect benefit. Equally, a fraud that disadvantaged a competitor would be in scope.”

A way out — but it’s not easy

A limited statutory defense that mirrors the approach of the Bribery Act 2010 and the Criminal Finances Act 2017 is available to corporations. Companies can avoid prosecution if they can prove they had “reasonable procedures” in place to prevent fraud or that it wasn’t reasonable to expect them to have such procedures. But that’s a judgment call, and only the courts can decide what’s reasonable based on the facts of each case.

The Home Office guidance cautions: “The question of whether a relevant organisation had reasonable procedures in place to prevent fraud in the context of a particular prosecution is a matter that can only be resolved by the courts, taking into account the particular facts and circumstances of the case.”

Prosecutors aren’t likely to drop cases because a company claims it tried. If there’s evidence of weak controls, they’ll likely let the courts determine the merits of the case.

The U.K. government has laid out six guiding principles to assess the adequacy of a company’s fraud prevention procedures.

1. Top-level commitment: Active support for fraud prevention among senior leaders.
2. Risk assessment: Know where fraud risks exist.
3. Proportionate procedures: Tailor internal controls to the level of risk.
4. Due diligence: Vet partners and third parties.
5. Training and communication: Ensure that everyone understands the rules.
6. Monitoring and review: Regularly check that controls are working.

Leadership plays a key role in oversight. Under the UK Corporate Governance Code boards of large companies are expected to conduct regular assessments of emerging and principal risks. They also must review and report on the effectiveness of all material controls: financial, operational and compliance.

Global reach, local impact

The scope of the failure to prevent fraud offense is expansive. If any part of the fraud happened in the U.K. or if the gain or loss occurred there, foreign companies can be prosecuted too. That creates complex risk management challenges for multinational organizations, which now must manage fraud risks across jurisdictions. The ECCTA offers no immunity from overseas prosecution, so cross-border coordination is key to avoiding duplicative penalties, regulatory overlap and reputational damage.

But the provision doesn’t have limitless reach. If the misconduct has no U.K. connection, it doesn’t apply. And prosecutors still must decide whether it was reasonable to expect the company to have prevention procedures in place. Tools such as deferred prosecution agreements, voluntary self-reporting and memoranda of understanding will help, but they’re not guaranteed. Companies must be proactive.

Can fraud help a company? Sometimes — until it doesn’t

It may seem counterintuitive to suggest that a company can benefit from fraud committed by its own employees. In the long term, most corporate frauds inflict serious harm, including reputational damage, regulatory sanctions, legal costs, loss of jobs, and the loss of investor and public trust. Yet in many cases, fraud is committed precisely to help the business, at least in the short term. Employees may manipulate results to meet performance targets, secure financing, win contracts or maintain market confidence. The business looks stronger, more profitable, more competitive. But it’s a house of cards.

The Tesco accounting scandal offers a clear example of a corporation’s fraudulent actions providing short-term benefits. The grocery and retail chain overstated profits by 326 million pounds, which initially enhanced market credibility and share value, but ultimately exposed the company to prosecution, fines and reputational damage. Similarly, during the LIBOR manipulation scandal, banks gained trading advantages and protected their perceived financial strength, even as they sowed the seeds of systemic mistrust.

The failure to prevent fraud offense recognizes this reality, that dishonest acts done for the company’s benefit may occur without the knowledge or direction of senior management, often in cultures where aggressive targets and commercial pressure override ethical restraint. The new law is designed not only to punish corporate inaction but also to encourage better governance, integrity and oversight within organizations.

Making sense of ‘reasonable procedures’

The best defense against this new offense isn’t a clever legal argument; it’s prevention. The law’s goal isn’t to punish companies after the fact. It’s to push them to build cultures of integrity, where boards and senior management foster environments that embed honesty and transparency in everyday decision-making. The guidance emphasizes that reasonable procedures aren’t based on box-ticking but instead stem from a desire to demonstrate a genuine and sustained commitment to integrity.

For most organizations, this requires taking a hard look at culture, incentives and governance. Policies alone aren’t enough if commercial pressure or weak oversight allows dishonest conduct to thrive. Prevention starts with the tone from the top, or visible leadership that promotes ethical behavior and sets realistic performance expectations. Senior management must ensure that fraud risk management isn’t treated as an afterthought but as an integral part of business strategy. The precise form of a prevention framework will vary depending on the organization’s size, complexity and risk profile, but certain fundamentals are universal. Effective fraud risk management is built on the same foundation as strong internal control but with a sharper focus on behavior, incentives and override. In practice, organizations that manage fraud risk well tend to demonstrate the following:

• Accountability and oversight: Clear ownership of fraud risk at board and executive levels, including responsibility for managing management override, conflicts of interest and responses to allegations.
• Fraud risk assessment and management: Regular fraud risk assessments that translate into actionable mitigation steps, enhanced controls and clear accountability, aligned with the organization’s business model, incentives, third-party relationships and geographic exposure.
• Targeted control activities: Controls designed specifically to address high-risk fraud areas such as revenue recognition, sustainability metrics, contract management and related-party transactions, rather than generic compliance controls.
• Training and communication: Role-specific training that goes beyond awareness to explain how fraud occurs in practice, why controls exist and how staff are expected to respond when concerns arise.
• Reporting and investigation: Accessible, confidential reporting mechanisms supported by independent, well-resourced investigation processes that ensure consistency, fairness and protection of whistleblowers.
• Monitoring and review: Ongoing monitoring of fraud risks and controls, including the use of data analytics, with clear escalation, remediation and follow-up where weaknesses or incidents are identified.

Documentation is critical if there’s an investigation. A company must show not only that policies and controls existed, but that they were actively implemented and reviewed. Evidence of board minutes, audit trails and periodic reviews will carry far more weight than generic compliance statements.

Culture and prevention aren’t static. Economic uncertainty, remote working and complex supply chains all create evolving fraud risks. Reasonable procedures must adapt accordingly. The most resilient organizations will be those that treat prevention as a continuous process embedded in governance, reflected in incentives and reinforced by example from the top.

Lessons from the Bribery Act

If history is any guide, companies that currently follow the U.K.’s Bribery Act are ahead of the curve. Historically, enforcement has focused on firms that ignored warning signs or failed to properly vet their agents and intermediaries. Expect the same approach under the new failure to prevent fraud offense: Enforcement will likely target big-ticket frauds, cross-border cases and situations in which poor governance caused serious harm.

The broader consequence of the failure to prevent fraud offense is likely to be a genuine corporate culture shift. Large organizations will be compelled to design, implement and document robust anti-fraud systems, representing a move from reactive response to proactive prevention. Inevitably, companies, particularly multinationals with U.K. connections, will face new compliance burdens and group-level reassessments of risk management structures.

Enforcement agencies face equal pressure. The failure to prevent tax evasion offense under the Criminal Finances Act 2017 has seen no prosecutions to date, a fact often cited as limiting its deterrent effect. Without credible enforcement, the failure to prevent fraud offense risks becoming symbolic rather than substantive.

Where the law falls short

Although the failure to prevent fraud offense is a welcome reform, it remains, in many respects, a half-hearted and conceptually confused measure, according to critics. For example, the law’s definition of “senior manager” is unclear, particularly outside regulated sectors, leaving ambiguity over who falls within scope. Equally vague is the practical question of whether fraud can truly “benefit” an organization.

Many cases will involve employees seeking to protect their own positions or meet performance targets, blurring the line between personal and corporate advantage. The law also misses an opportunity to promote a holistic culture of integrity and transparency. It excludes misconduct that benefits individuals rather than the organization, and its limitation to large companies leaves substantial gaps in coverage. The Home Office guidance does acknowledge “… the principles outlined in this guidance represent good practice and may be helpful for smaller organisations.”

Enforcement and deterrence may also prove weak. Deferred prosecution agreements have often prioritized settlement over deterrence, and resource constraints, evidential hurdles and diplomatic sensitivities hamper international collaboration in complex cross-border cases.

The extraterritorial reach of the offense adds further difficulty. What counts as reasonable procedures under U.K. expectations may differ significantly from business norms abroad. In addition, organizations could manipulate group thresholds or structures to fall outside the scope, and the “for the benefit of” requirement could enable blame-shifting between parent companies and subsidiaries. Prosecutors must show the wrongdoing was intended to benefit the company, its subsidiaries or the corporate group financially (securing contracts, inflating revenue) or strategically (improving market position). In multinational groups, this creates complexity: A parent company may claim a subsidiary acted for its own benefit; the subsidiary may argue the advantage flowed to the parent. Such ambiguity enables blame-shifting across entities. The “for the benefit of” test, meant to limit liability to fraud tied to corporate advantage, can inadvertently allow multijurisdictional groups to evade responsibility. Finally, the absence of any enhanced whistleblower protection or alignment with the Public Interest Disclosure Act 1998 weakens early detection and internal transparency, discouraging employees from reporting misconduct before it escalates.

Making the law work: What needs to change

The failure to prevent fraud offense represents meaningful progress in strengthening corporate accountability. For it to deliver a lasting impact, however, further policy reform is essential. In particular, its current scope — limited to large organizations — should be expanded. Many midsize and small companies, especially in high-risk sectors, such as construction, logistics and technology, fall below the statutory thresholds. Given that the vast majority of U.K. companies are small or midsize enterprises, this narrow coverage significantly undermines the offense’s deterrent effect and creates opportunities for structural manipulation of corporate size to evade liability. The reason the government excluded small companies from the law is because its impact assessment concluded that limiting the offense to large entities best met strategic goals while controlling compliance costs. Smaller businesses pose lower systemic fraud risk, and requiring all firms to adopt formal prevention systems would impose disproportionate costs. The targeted scope aims to push well-resourced organizations to implement robust controls without burdening small and medium-sized enterprises.

In addition, the benefit test should be broadened to include internal and third-party frauds, not solely those committed for the organization’s gain. For example, procurement or payroll frauds that harm the company but arise from weak controls reflect systemic governance failings no less serious than those intended to benefit it. Likewise, corporate groups and subsidiaries need clear rules. A parent company shouldn’t be able to repudiate misconduct within its group when it exercises control or derives indirect benefit from it.

Enforcement reform is also critical. Strengthening enforcement requires more than deferred prosecution agreements, which often yield large settlements without individual accountability. Stronger, well-resourced prosecutions, especially in high-profile or cross-border cases, would send a clearer deterrent message and reinforce public trust. A robust system needs well-funded, trial-ready prosecutions of corporations and individuals where evidence supports personal culpability. The new failure to prevent fraud offense targets organizations, not managers. Individuals remain prosecutable only under traditional fraud laws if they commit, enable or knowingly permit wrongdoing.

To enhance deterrence, policymakers could add mechanisms such as a “senior management failure” offense or a corporate culture test. Complementary reforms might include mandatory fraud prevention standards for large firms, routine audits, expanded SFO and Financial Conduct Authority resources, and better cross-border evidence access. Finally, sanctions beyond fines, such as compliance monitorships, director bans or limits on public sector contracts, would ensure enforcement drives real behavioral change rather than treating penalties as a business cost. In addition, the Procurement Act 2023, alongside the ECCTA, significantly expands the scope for debarring suppliers from public contracts. It creates a central debarment list, mandates exclusions for serious offenses, such as cartel activity, fraud, bribery and tax evasion, and allows bans of up to five years. It also introduces a “self-cleaning” mechanism (paying compensation, changing management or procedures to prevent future misconduct) for suppliers to demonstrate reform.

The U.K. government should also issue detailed, sector-specific guidance on what constitutes reasonable procedures, reflecting differences between, for example, financial services, manufacturing and professional services. Further specification would help compliance officers move beyond generic policies toward tailored, risk-based frameworks.

Given the increasingly global nature of corporate fraud, anti-fraud policies need to be coordinated across jurisdictions, and cross-border response frameworks for investigations need to be developed. Evidence gathering, data protection and privilege rules often differ among the U.K., the EU and other major markets, creating delays and legal uncertainty. Coordinated mechanisms similar to the Organisation for Economic Co-operation and Development’s (OECD) anti-bribery cooperation model could streamline mutual legal assistance and reduce friction among regulators.

The new law glaringly lacks whistleblower protections. The U.K.’s Public Interest Disclosure Act 1998 hasn’t been updated to match the scale of today’s fraud risks and remains a missed opportunity. Effective prevention depends on employees feeling safe to report wrongdoing early, supported by clear channels, confidentiality guarantees and incentives for disclosure when appropriate.

Without active and consistent enforcement, the new offense risks remaining largely symbolic. Real accountability means expanding the law’s reach, clarifying how it works, and creating an environment where integrity is rewarded and complacency is punished.

How organizations can stay up to date

The introduction of the failure to prevent fraud offense underscores the need for organizations to move beyond minimal compliance and foster a genuine culture of integrity. Building such a culture requires embedding honesty, transparency and accountability throughout the organization. Addressing fraud risk isn’t merely a question of legal compliance; it’s fundamental to protecting individuals and organizations, safeguarding reputational capital, and promoting economic stability and growth that depend on public and investor trust.

Organizations should begin with a comprehensive fraud risk assessment, identifying vulnerabilities across business units and mapping associated persons — employees, agents, intermediaries and subsidiaries — who may expose the organization to liability. This process should inform targeted enhancements to controls, governance and oversight mechanisms, ensuring clear allocation of responsibility at the senior level.

The goal is to establish defensible systems that demonstrate diligence, proportionality and good faith in preventing misconduct. Strengthened approval and audit trails, effective segregation of duties and robust financial monitoring are essential components. Technology can enhance early detection through data analytics, transaction monitoring and anomaly detection tools. Equally important are confidential and trusted whistleblowing channels, supported by anti-retaliation measures and visible management support. Employees must be confident that concerns will be taken seriously and addressed promptly.

Fraud prevention should be viewed as a continuous process rather than a one-off exercise. Regular testing, internal audits and independent reviews ensure that controls remain effective as risks evolve. Documented follow-up and visible board engagement will be critical evidence of reasonable procedures if an investigation arises.

In practical terms, organizations, particularly multinational groups and companies with U.K.-linked operations, should consider the following actions to implement these principles effectively:

• Conduct a gap analysis. Review existing fraud controls against Home Office guidance and Bribery Act best practices, documenting findings and remediation steps.
• Map associated persons. Maintain a register of agents, intermediaries and subsidiaries with risk ratings and contractual safeguards.
• Coordinate policies. Develop a consistent, groupwide baseline for anti-fraud procedures, allowing proportionate local adaptation.
• Invest in training and culture. Deliver targeted, role-specific training supported by senior leadership messaging to reinforce tone from the top.
• Plan incident response. Prepare cross-border response plans covering evidence preservation, data transfer and legal privilege.
• Engage with regulators. Establish clear protocols for self-reporting, voluntary disclosure and remedial action to demonstrate cooperation.

These measures should be integrated into broader governance frameworks, internal controls and third-party management systems. In line with Home Office guidance, priority areas include:

• Leadership and tone from the top: Visible ownership of fraud risk by the board and senior executives with clear escalation pathways.
• Proportionate, risk-based procedures: Regular assessments at group and business unit levels aligned to identified risks.
• Third-party due diligence: Rigorous vetting and ongoing monitoring of intermediaries, vendors and partners, particularly in higher-risk jurisdictions or sectors.
• Data and evidence management: Policies for preserving and producing evidence across borders with escalation mechanisms for conflicts of law or privilege.
• Incentives and whistleblowing: Balanced reward structures that discourage excessive risk-taking and support protected, accessible reporting channels.
• Monitoring and continuous improvement: Independent reviews, periodic audits and timely remediation of identified weaknesses.

Fraud prevention is no longer just a compliance issue; it’s a business imperative. Companies that take it seriously won’t only stay on the right side of the law, but also earn trust from investors, customers and employees.

Rasha Kassem, Ph.D., CFE, is senior lecturer and fraud research group leader at Aston University in the United Kingdom. Contact her at r.kassem@aston.ac.uk. 

Martin Polaine, FCIARB, FAIADR, is a barrister and director of amicus legal consultants in the United Kingdom. Contact him at m.polaine@brookechambers.co.uk.