
A New Era of Corporate Accountability
From 1 September 2025, a new corporate offence has reshaped the compliance landscape in the United Kingdom. The “Failure to Prevent Fraud” (FTPF) offence, introduced under the Economic Crime and Corporate Transparency Act 2023, signals a decisive shift in how organisations must think about fraud — not just as an external threat, but as a potential risk from within.
For many compliance professionals, this marks the beginning of an “inside-out” era — where fraud prevention is no longer about shielding the company from external attackers, but about building systems that detect and deter wrongdoing by employees, agents, and even business partners.
The implications go far beyond British shores. Large organisations in countries such as Germany — or any with UK market connections — now face new compliance obligations and potentially unlimited fines for failing to prevent fraudulent acts carried out for their benefit.
What the Law Covers
At its core, the FTPF offence applies when an “associated person” — acting for or on behalf of a company — intentionally commits fraud to benefit that company, even partially.
This includes offences under the UK’s Fraud Act 2006 as well as related economic crimes such as:
- Theft and fraudulent accounting
- False statements
- Certain tax-related frauds
Crucially, “associated persons” extend far beyond direct employees. They can include subsidiaries, agents, suppliers, consultants, intermediaries, and even freelancers — anyone who represents the company’s interests.
The individual must act “dishonestly and knowingly”, meaning negligence or poor oversight alone do not trigger liability. Examples include:
- A sales executive knowingly issuing fake invoices to inflate revenue.
- An agent falsifying customs documents to avoid UK import duties.
Who’s Affected — and When
The law targets “large organisations”, defined as those meeting at least two of the following criteria:
- More than £36 million in turnover
- More than £18 million in assets
- More than 250 employees
However, the definition of “UK nexus” broadens the reach dramatically. Even without a UK subsidiary, companies may fall under the law if their activities touch UK markets — such as selling to UK consumers, using British banks, or operating on digital platforms accessible to UK users.
Rethinking Compliance: Inside-Out
Traditionally, compliance programmes have prioritised anti-corruption, antitrust, AML, and data protection. Fraud has often been viewed as an “outside-in” issue — something done to the company.
Now, the UK’s FTPF regime demands that companies turn their focus inward. They must ensure that internal misconduct — intentional fraud by employees or partners — cannot occur unchecked.
For global firms, the question is strategic:
- Should they perform a detailed entity-by-entity assessment of FTPF exposure?
- Or should they upgrade their entire global compliance management system (CMS) to address fraud risks comprehensively?
The choice will depend on risk appetite, operational complexity, and the extent of UK involvement.
Building a Strong Defence: “Reasonable Procedures”
The only real defence against FTPF liability lies in demonstrating that the company had “reasonable procedures” in place to prevent fraud.
Guidance from the UK Home Office outlines six key principles — many echoing international best practices like Germany’s IDW PS 980 — but with a sharper focus on fraud prevention from within:
1. Leadership and Governance
Top management must set a visible “tone at the top,” promoting ethical conduct and embedding compliance values into corporate culture. Middle management must echo this tone — ensuring integrity is reflected “in the middle” as well.
2. Risk Assessment
Companies should perform a fraud-specific risk analysis, examining all departments — including those not traditionally seen as high-risk, such as accounting, ESG, or internal controls — for potential fraud vulnerabilities.
3. Policies and Procedures
Fraud prevention should be embedded into internal policies across HR, finance, ESG, and procurement. These documents must be practical, accessible, and enforced — not just archived.
4. Controls and Technology
Stronger internal controls and AI-driven analytics can detect anomalies and red flags earlier. Collaboration between compliance, controlling, and finance teams is crucial for oversight.
5. Business Partner Screening
All “associated persons” — from vendors to consultants — should undergo systematic due diligence, with fraud prevention clauses integrated into contracts and regular monitoring in place.
6. Training and Whistleblowing
Tailored, ongoing training should reach both employees and external partners. Equally vital are secure, confidential channels for whistleblowing — already mandated under EU law but now central to FTPF compliance.
Continuous Monitoring and Evolution
As with other areas of corporate governance, compliance cannot be static. Companies are expected to review and update their anti-fraud systems regularly, ensuring they remain proportionate to changing risks and business models.
“Paper compliance” — ticking boxes without evidence of real-world implementation — will not suffice. Regulators are clear: what matters is effectiveness, documentation, and proof of impact.
The Bigger Picture
The “Failure to Prevent Fraud” offence represents more than another compliance requirement. It’s a philosophical shift — a move from reactive defence to proactive prevention.
For international companies, especially those with even a faint UK connection, the message is unmistakable:
- Fraud prevention is no longer a back-office function — it’s a boardroom responsibility.
- The cost of inaction is no longer theoretical — it’s unlimited.
In Summary
The new UK law compels multinational companies to strengthen their compliance frameworks, focusing on the internal dynamics of fraud. It challenges businesses to foster transparency, accountability, and vigilance — not because regulation demands it, but because integrity is fast becoming the currency of global trust.
