Failure to Prevent Fraud (FtPF): have you done enough?

15 April 2025 / Insight posted in Articles

The Economic Corporate Crime and Transparency Act (ECCTA) became law in the UK on 26 October 2023. Its purpose is to help tackle the use of UK businesses for criminal activities by overhauling aspects of the existing legal framework and improving powers for enforcement agencies.

Under ECCTA, businesses are required to take a proactive approach to detecting and preventing fraud or face legal and reputational risks. The act extends to the actions of suppliers and other third parties, as well as to those of employees.

One of the most significant aspects of ECCTA is the introduction of the Failure to Prevent Fraud (FtPF) offence, which holds organisations criminally liable if they fail to prevent fraud, even if they were not aware of the conduct that led to it.

Who is covered by the FtPF?

The FtPF covers large organisations meeting two of the three following criteria:

  • more than 250 employees
  • more than £36 million turnover
  • more than £18 million in total assets

Organisations that do not yet meet the criteria, but which are growing, should also remain vigilant about falling within the scope of FtPF and plan accordingly.

When does the FtPF come into force?

Whilst ECCTA is already in effect, it has provided organisations with a deadline of 1 September 2025 to comply with the FtPF offence.

What does it mean for your business?

If a company is found to have inadequate procedures in place to detect and prevent fraud, it can face significant financial penalties, regulatory scrutiny, and severe reputational damage.

To avoid these consequences, businesses must take active steps to prevent fraud, which should generally include the development of effective anti-fraud policies, implemented through due diligence processes over suppliers and other third parties prior to engaging with them, as well as monitoring and verification systems to ensure that employees and third parties are aware of their responsibilities.

No system of internal control can be wholly effective, and in recognition of this the act provides organisations with a defence if, at the time an offence was committed, reasonable prevention procedures were in place. Although more challenging to demonstrate in practice, a defence is also provided if it can be claimed that it was not reasonable in the circumstances for the organisation to have had such prevention procedures in place. In either case, the burden of proof falls on the organisation.

Six principles organisations should put in place before 1 September 2025

When implementing a fraud prevention framework, an organisation should be guided by the following six principles:

1. Top level commitment

Senior management should take overall responsibility for an organisation’s anti-fraud controls and should be seen to act with integrity, setting the example for expected behaviours. A “speak-up” culture should be encouraged, assisted by the implementation of secure, confidential reporting systems to promote transparency.

2. Risk assessment

Organisations should conduct risk assessments to identify potential threats and areas of vulnerability, and should refresh them on a regular basis.

3. Proportionate risk-based prevention procedures

All risk assessments should be risk-based and proportionate, bearing in mind the size and nature of the organisation and the specific fraud risks that it faces.

4. Due diligence

Due diligence processes should be implemented with respect to engagement with suppliers and other third parties in order to reduce the risk of fraud and financial crime.

5. Communication (including training)

Customised training should be provided to employees with respect to fraud awareness and compliance with an organisation’s anti-fraud policies and procedures.

6. Monitoring and review

Internal audits of an organisation’s internal controls should be carried out periodically to ensure compliance with its policies and procedures.

How we can help

ECCTA, and particularly FtPF, represent a significant shift in the expectations placed on organisations to prevent financial crime, and it is more important than ever to take a proactive approach by implementing measures for the prevention and detection of fraud.

The deadline of 1 September 2025 means swift action is necessary to prepare and protect your business. At Moore Kingston Smith, we have significant experience of helping organisations to conduct fraud risk assessments and develop and implement appropriate, risk-based anti-fraud policies and procedures. Get in touch with us to find out more about the Failure to Prevent Fraud (FtPF) offence and how we can help protect your business.
