
No organisation is immune to fraud — even the biggest ones. Google and Facebook lost US$100 million to a scammer posing as a trusted vendor in 2020. He created a fake company, sent phony invoices, and got paid for two years before being caught. In the coming months, U.K. businesses could face criminal charges for failing to prevent similar schemes.
The U.K.’s new “failure to prevent fraud” offence falls under the Economic Crime and Corporate Transparency Act (ECCTA) and will take effect on 1 September 2025. This landmark legislation represents a significant shift in how organisations must approach fraud prevention, placing unprecedented responsibility on businesses to implement robust protective measures or face severe penalties.
With time dwindling before it goes into effect, companies operating in the U.K. face an urgent compliance deadline. Those that can demonstrate robust, auditable, and forward-looking fraud prevention frameworks will be better positioned to avoid liability and adapt to this more stringent regulatory environment.
What is the “failure to prevent fraud” offence?
The “failure to prevent fraud” offence is a new corporate criminal offence under the ECCTA. This law, modelled on the U.K. Bribery Act 2010, allows authorities to prosecute a company when an employee or agent, including consultants or independent contractors, commits fraud for the organisation’s benefit.
Under this legislation, a business can be held liable when fraud is committed by an “associated person” (such as an employee, contractor, or agent) for the benefit of the organisation, even if senior leadership was unaware of the fraudulent activity.
This marks a big shift in how companies are held accountable. Businesses can’t just say they didn’t know fraud was happening — they’re now expected to take active steps to stop it before it starts. The only legal defence is being able to show a business had reasonable fraud prevention measures in place, tailored to its size and risk level. If not, an organisation could face unlimited fines, potentially millions for larger businesses.
This regulatory update comes amid a marked rise in economic crime, with Authorised Push Payment (APP) fraud now the U.K.’s most significant financial scam. More than £500 million was lost to APP fraud in the first half of 2024 alone, intensifying scrutiny from regulators and legislators. According to PwC’s 2024 Global Economic Crime Survey, 55% of surveyed organisations reported procurement fraud is widespread in their country, yet a minority are using tools to identify or combat it.
Experts emphasize that organisations with robust governance, compliance, and fraud prevention frameworks will be better positioned to navigate these regulatory changes. “Reasonable procedures” must go beyond internal controls — organisations must also extend due diligence across their entire ecosystem and supply chain to truly protect against risk.
Specific fraud offences to which this legislation applies
The “failure to prevent fraud” offence applies to numerous “base fraud” offences under U.K. law, including:
- False representation: Dishonestly making a false representation to gain an advantage. This can manifest across business operations, from misrepresenting product capabilities to clients to falsifying credentials to secure contracts.
- Failing to disclose information: Failure to provide information when there is a legal duty to do so. This could include withholding material facts in financial reports or omitting critical information in regulatory filings.
- Abuse of position: Abusing a position where one is expected to safeguard financial interests. A common example is an employee using their access to company funds or assets for personal gain, such as the 2023 case where an Amazon employee in charge of organising events submitted and received over US$350,000 in fraudulent meal and drink expenses for a virtual event where no food was required.
- False accounting: Destroying, defacing, concealing, or falsifying any account, record, or document required for accounting purposes. This encompasses various schemes such as creating fake invoices (invoice fraud), submitting duplicate invoices for payment, or manipulating expense reports (expense fraud). In 2020, four brothers operating a wholesale business were arrested for swindling nearly US$19 million from Amazon by invoicing the company for thousands of additional toothbrushes it never ordered — a form of invoice fraud called “bill padding.”
- Fraudulent trading: Knowingly carrying on business with the intent to defraud creditors. This could involve continuing to trade and take payments while insolvent or operating shell companies with no real commercial purpose.
- Obtaining services dishonestly: Obtaining services by dishonest means without intending to pay or by deception. An example would be a company continuously engaging contractors with no intention of settling their invoices.
- False statements by company directors: Making materially misleading, false, or deceptive statements in company documents or communications. This extends to misrepresentations in annual reports, financial statements, or shareholder communications.
- Cheating the public revenue: Defrauding His Majesty’s Revenue and Customs (HMRC), or other tax authorities through dishonest practices such as tax evasion schemes, deliberate underreporting of income, or falsifying VAT returns.
This legislation casts a wide net when it comes to fraud, meaning businesses need to look beyond just their finance team when building protections. You’ll need to consider fraud risks in every corner of your organisation — from procurement to sales to HR — not just where the money changes hands. There’s no one-size-fits-all approach.
While bribery is not explicitly listed in the base fraud offences, it often intersects with them, particularly in cases involving procurement fraud or abuse of position. Since the U.K. already has the Bribery Act 2010 with its own “failure to prevent” offence for bribery, organisations with robust anti-bribery procedures may have some compliance foundations in place that can be extended to address the new fraud offence.
More on the UK’s Economic Crime and Corporate Transparency Act (ECCTA)
Beyond the failure to prevent fraud offences, the ECCTA introduces several other significant provisions that U.K. businesses must understand:
Identity verification
ECCTA introduces mandatory identity checks for directors, persons with significant control (PSCs), relevant officers of registrable relevant legal entities, and LLP members. Once implemented, directors cannot act without verified identities, potentially affecting over 7 million individuals according to Companies House estimates.
Verification will be available through two routes: directly via Companies House (using GOV.UK ID Check app, One Login, or Post Office) for those with U.K. ID documents, or indirectly through an Authorised Corporate Service Provider (ACSP) for those without U.K. documentation.
The rollout begins with voluntary verification from 8 April 2025, becomes mandatory for new companies and appointments by autumn 2025, and extends to all existing directors during a 12-month transition phase. By spring 2026, verification will be required for anyone submitting documents to Companies House.
Each verified individual will receive a one-time Unique Identifier Number (UIN) valid across all their company roles, streamlining the process for those involved with multiple businesses.
| Identity verification | |
|---|---|
| Who does it apply to? | Directors, PSCs, relevant officers, and LLP members |
| When is the deadline? | Voluntary verification: April 8, 2025. New companies: Autumn 2025. Mandatory: Spring 2026 |
| How do I get verified? | Direct verification: via Companies House through the GOV.UK ID Check app, the One Login web journey, or at a Post Office (for those with U.K. ID documents or biometric evidence). Indirect verification: via an Authorised Corporate Service Provider (ACSP), which may include an identity interview (for those without U.K. biometric evidence) |
Enhanced powers for Companies House
The ECCTA significantly expands the role and powers of Companies House, transforming it from a primarily administrative registry to an active gatekeeper with investigative and enforcement capabilities. Companies House will have new powers to query suspicious information, share data with law enforcement, and reject filings that appear fraudulent. This enables more proactive intervention when potential fraud is identified, rather than merely serving as a repository of information.
Greater transparency of ownership
The legislation strengthens requirements around declaring beneficial ownership, making it harder for criminals to hide behind complex corporate structures. This includes more stringent reporting requirements for overseas entities with U.K. property interests and increased scrutiny of companies with unusual ownership structures. The aim is to unveil the true beneficiaries of corporate entities, addressing a key weakness that has historically enabled economic crime.
Restrictions on corporate directors
The ECCTA tightens rules on corporate directors by requiring that they be overseen by real individuals, not other companies. This “chain of responsibility” approach ensures that accountability ultimately extends to identifiable individuals, closing a loophole that has been exploited for fraudulent purposes.
Expanded information sharing
The act enhances information-sharing capabilities between government agencies, law enforcement, and regulated sectors, creating a more coordinated approach to combating economic crime. This enables better detection of patterns and connections that might indicate fraudulent activity across different organisations and sectors.
Who does the “failure to prevent fraud” offence apply to?
The new offence applies widely to organisations meeting at least two of these three criteria:
- More than 250 employees
- Annual turnover above £36 million
- More than £18 million in total assets
These thresholds are designed to capture medium and large enterprises while exempting smaller businesses that might find comprehensive fraud prevention measures disproportionately burdensome. However, smaller organisations should not ignore the principles behind the legislation, as they remain vulnerable to fraud and may still face civil consequences.
The offence also applies to overseas organisations and employees if an employee commits fraud under U.K. law or targets U.K. victims. That means a U.S.-based company with a U.K. office could be prosecuted in the U.K. if an employee in its Singapore division commits fraud that benefits the company. Even if U.K. leadership had no knowledge of the fraudulent activity, the company would still be liable unless it could demonstrate that reasonable fraud prevention procedures were implemented globally.
This extends liability far beyond U.K. borders and requires multinational businesses to implement consistent fraud controls and training across all geographical locations — a potentially significant undertaking for organisations with complex international structures. International businesses with U.K. operations must ensure compliance across their entire global operations, not just within their U.K. subsidiaries. This creates substantial new compliance obligations for multinational corporations operating in multiple jurisdictions.
| Companies impacted | |
|---|---|
| Who does it apply to? | Companies meeting at least two of these criteria: more than 250 employees; annual turnover above £36 million; more than £18 million in total assets |
| What about international companies? | Yes, international businesses with U.K. operations are also subject to this law. Multinational companies must ensure compliance across their entire global operations, not just within U.K. subsidiaries. |
| What’s an example of non-compliance for an international company? | A U.S.-based company with a U.K. office could be prosecuted if a U.K. employee working in its Singapore division commits fraud that benefits the company — even if the company’s U.K. leadership was unaware of the fraudulent activity. |
Organisations particularly at risk include:
- Financial services firms handling large transaction volumes and complex financial products. The sector’s inherent exposure to financial transactions makes it a prime target for various fraud schemes, from false accounting to misrepresentation.
- Healthcare providers managing significant public funds and sensitive patient data. The combination of large budgets, complex billing systems, and critical services creates multiple fraud risk points, particularly around false invoicing and service misrepresentation.
- Construction and infrastructure companies with complex supply chains and large-scale project management. These industries often involve numerous contractors and subcontractors, creating opportunities for false invoicing, kickback schemes, and bid rigging.
- Technology companies with substantial intellectual property assets and innovative business models. The fast-paced nature of tech businesses can sometimes lead to control gaps that fraudsters exploit, particularly around revenue recognition and asset valuation.
- Retail businesses with high-volume transaction processing and extensive inventory management. The sheer volume of transactions creates opportunities for various frauds, from false refunds to supplier kickbacks.
- Professional services firms advising on financial matters and managing client funds. The trusted position these organisations hold makes them particularly susceptible to reputational damage from fraud, in addition to financial losses.
Any organisation where employee fraud occurs and the business may benefit from it falls within the legislation’s scope, even without direct knowledge of the crime. For example, a procurement manager might collude with a vendor to inflate invoices in exchange for kickbacks, with the vendor delivering some actual value to the business despite the fraudulent overbilling. Even though the fraud primarily benefits the employee and vendor, the business receives some services and could be considered a beneficiary of the fraud, potentially triggering liability under the new offence.
The key determining factor is whether the fraud was committed to benefit the organisation, not whether the organisation actually received that benefit. This broad interpretation significantly expands the potential liability landscape for businesses across all sectors.
Why this matters to finance, procurement, and supply chain teams
The new offence turns fraud prevention into a company-wide responsibility. While finance has traditionally owned this risk, procurement and supply chain teams are now equally accountable — requiring closer coordination, shared oversight, and potential changes to how these functions work together. Here’s how it will impact finance, procurement, and supply chain teams individually — and why each function will play a critical role in safeguarding the business:
Finance
As the function responsible for an organisation’s financial transactions, the finance department is a natural focal point for scrutiny under the new law. Gaps in payment processes — even if exploited by a single bad actor — could expose the entire organisation to criminal liability. This shifts finance’s role from simply tracking and reporting transactions to being a critical line of defence against fraud.
Finance teams typically bear primary responsibility for regulatory compliance and financial governance. Under the “failure to prevent fraud” offence, this role becomes even more critical as finance leaders must demonstrate that appropriate controls are in place across the organisation. CFOs and finance directors may find themselves accountable for evidencing the “reasonable procedures” defence if fraud occurs, regardless of the department in which it originated.
The pressure is especially high given the scale of the threat. A 2023 FBI investigation discovered that 80% of organisations reported being victims of payment fraud attacks and attempts, the highest rate reported since 2018. Traditional audit cycles won’t cut it when significant sums of money move through complex approval chains. Instead, finance teams need to implement multi-level verification protocols, especially for large or unusual transactions, and implement real-time monitoring.
Procurement
A single dishonest buyer or vendor relationship can now trigger criminal liability for the entire organisation — even if senior leadership was unaware of the misconduct. Consider the case of an Apple employee who stole US$17 million from the company by using their position to receive kickbacks from vendors, inflate invoices, and steal repair parts. Under the new law, the company could still be held liable unless it could demonstrate that reasonable preventive procedures were in place.
Activities like bid rigging, vendor favoritism, and conflicts of interest have long been illegal under U.K. law. However, the new “failure to prevent fraud” offence significantly expands corporate liability for these activities, making organisations directly accountable even without leadership involvement. To mitigate these risks, procurement teams must implement robust vendor verification processes, competitive bidding procedures, and conflict-of-interest declarations.
Supply chain
Complex supply chains create numerous opportunities for fraud, from false invoicing to kickback schemes. In 2021, fraudsters stole US$7 million from the U.S. government by committing vendor fraud through quality substitution and false billing schemes. They illegally imported goods on contracts set aside for veterans and falsified the value of those goods to evade higher duties and taxes. The new legislation requires organisations to extend due diligence beyond their internal operations to their entire vendor ecosystem, demanding greater visibility into supplier practices and relationships.
What should organisations be doing now to prepare?
With the September 2025 compliance deadline approaching, organisations should take these steps to prepare:
1. Conduct a comprehensive fraud risk assessment
- Identify vulnerable processes across all business units and functions.
- Map potential fraud scenarios specific to your industry and operational model.
- Assess current prevention procedures against potential fraud risks.
- Document gaps in existing controls using a structured framework.
- Prioritise high-risk areas for immediate attention based on likelihood and impact.
- Implement proactive fraud detection software to monitor high-risk areas continuously.
- Consider engaging external specialists to ensure objectivity in risk assessment.
A thorough risk assessment is the foundation of compliance with the new legislation. According to PwC’s research, 42% of companies with annual revenues between US$1 billion and US$10 billion have fallen victim to cybercrime in a 24-month period, highlighting the importance of understanding where vulnerabilities exist.
2. Develop and implement a fraud prevention policy
- Create clear, documented procedures for detecting and preventing fraud.
- Ensure policies are proportionate to the organisation’s size and risk profile.
- Make policies accessible to all employees through training and communication.
- Establish ownership and oversight responsibilities at the board and executive levels.
- Include fraud response protocols for when suspicious activities are detected.
- Ensure policies address third-party risks, not just internal fraud threats.
Effective fraud prevention policies should be living documents that evolve with changing business practices and emerging fraud techniques. They should include clear definitions of fraud, specific prevention measures, reporting mechanisms, investigation procedures, and consequences for fraudulent activities.
3. Strengthen internal controls
- Implement segregation of duties for financial transactions to ensure no single person can initiate, approve, and process payments.
- Deploy three-way matching for invoice processing (purchase order, receipt of goods, invoice).
- Enhance approval workflows for payments with appropriate thresholds and verification steps.
- Consider virtual cards to reduce fraud opportunities in payments.
- Implement automated systems to flag unusual transactions or deviations from established patterns.
- Regularly test controls to ensure they’re operating effectively.
- Document control activities to demonstrate due diligence.
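The segregation-of-duties and three-way-matching controls above, as an added worked example (not Coupa or SpendGuard code). The record layouts, the 2% price tolerance and the sample purchase order, goods receipt and invoices are constructed assumptions; the padded invoice mirrors the bill-padding pattern described earlier on this page.

```python
"""Three-way matching (PO vs goods receipt vs invoice) plus a
segregation-of-duties check, run over constructed records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price: float
    requested_by: str
    approved_by: str


@dataclass(frozen=True)
class GoodsReceipt:
    po_id: str
    qty_received: int
    received_by: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    qty: int
    unit_price: float
    total: float


PRICE_TOLERANCE = 0.02  # assumed: 2% unit-price variance is acceptable


def three_way_match(po, receipt, inv, tolerance=PRICE_TOLERANCE):
    """Return the list of exceptions; an empty list means the invoice may be paid."""
    problems = []
    if inv.po_id != po.po_id or receipt.po_id != po.po_id:
        problems.append("po_mismatch")
    if inv.vendor != po.vendor:
        problems.append("vendor_mismatch")
    # Billed quantity may exceed neither what was ordered nor what arrived.
    if inv.qty > po.qty:
        problems.append("qty_exceeds_order")
    if inv.qty > receipt.qty_received:
        problems.append("qty_exceeds_receipt")
    if abs(inv.unit_price - po.unit_price) > tolerance * po.unit_price:
        problems.append("price_variance")
    # The invoice total must equal its own line arithmetic (catches padded totals).
    if abs(inv.total - inv.qty * inv.unit_price) > 0.005:
        problems.append("total_mismatch")
    return problems


def segregation_of_duties(po, receipt, payer):
    """Return (first_role, second_role, person) for every person holding two roles."""
    roles = {
        "requested_by": po.requested_by,
        "approved_by": po.approved_by,
        "received_by": receipt.received_by,
        "paid_by": payer,
    }
    first_role = {}
    conflicts = []
    for role, person in roles.items():
        if person in first_role:
            conflicts.append((first_role[person], role, person))
        else:
            first_role[person] = role
    return conflicts


# Constructed sample data: 1,000 units ordered and received, then three invoices.
SAMPLE_PO = PurchaseOrder("PO-1001", "Acme Supplies", 1000, 1.50, "alice", "bob")
SAMPLE_RECEIPT = GoodsReceipt("PO-1001", 1000, "carol")
CLEAN_INVOICE = Invoice("INV-77", "PO-1001", "Acme Supplies", 1000, 1.50, 1500.00)
PADDED_INVOICE = Invoice("INV-78", "PO-1001", "Acme Supplies", 1200, 1.50, 1800.00)
REPRICED_INVOICE = Invoice("INV-79", "PO-1001", "Acme Supplies", 1000, 1.55, 1550.00)

if __name__ == "__main__":
    for inv in (CLEAN_INVOICE, PADDED_INVOICE, REPRICED_INVOICE):
        print(inv.invoice_id, three_way_match(SAMPLE_PO, SAMPLE_RECEIPT, inv))
    # alice both requested the PO and would release the payment
    print(segregation_of_duties(SAMPLE_PO, SAMPLE_RECEIPT, "alice"))
```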
Virtual cards deserve special attention as a fraud prevention measure. Unlike traditional payment methods, virtual cards generate a new number dynamically for each transaction or unique supplier, enhancing security and control.
4. Train employees and raise awareness
- Provide regular fraud awareness training tailored to specific job functions.
- Ensure training covers both internal and external fraud scenarios.
- Establish clear reporting mechanisms for suspicious activities.
- Create a culture where raising concerns is encouraged and protected.
- Include fraud prevention in onboarding for new employees.
- Conduct simulated fraud attempts to test awareness and response.
- Update training as new fraud trends emerge.
Employee awareness is crucial because 84% of fraudsters display behavioral red flags before detection, according to ACFE’s 2024 Occupational Fraud report. The top five warning signs include living beyond means, financial difficulties, unusually close relationships with vendors, unwillingness to share duties, and irritability. Well-trained employees can spot these indicators early.
5. Extend due diligence to third parties
- Implement robust vendor onboarding processes with thorough background checks.
- Conduct regular risk assessments of supply chain partners and service providers.
- Verify banking details through multiple channels before payment.
- Include fraud prevention requirements in contracts with third parties.
- Monitor vendor performance and transaction patterns for anomalies.
- Implement a supplier code of conduct with explicit fraud prevention expectations.
- Conduct periodic audits of high-risk suppliers.
Third-party risk is a significant concern, with J.P. Morgan reporting that more than 60% of businesses were either victims of attempted or actual payment fraud in 2022. Many of these incidents involved supplier impersonation or account takeover.
6. Establish monitoring and review processes
- Implement continuous monitoring of financial transactions using analytics and AI.
- Conduct regular audits of fraud prevention procedures and their effectiveness.
- Document reviews and improvements to demonstrate ongoing commitment.
- Establish key performance indicators for fraud prevention efforts.
- Create a feedback loop to incorporate lessons learned from detected fraud attempts.
- Review and update policies in response to changing business operations or emerging fraud trends.
- Ensure board-level oversight of fraud prevention effectiveness.
Continuous monitoring is vital as the average duration of a fraud scheme is 12 months before detection. Real-time analytics can significantly shorten this timeframe and limit financial damage.
The importance of fraud prevention as a business imperative is now underscored by legal obligation. Organisations that treat this as a compliance exercise rather than an opportunity to strengthen business resilience may find themselves vulnerable not just to fraud but to prosecution.
Using fraud detection software for real-time monitoring
Given the strict liability nature of the new offence, organisations should consider implementing fraud detection software to strengthen their prevention framework. Advanced fraud detection tools use AI and machine learning to monitor transactions in real-time, flagging suspicious activities before they result in losses.
According to a recent study by PYMNTS Intelligence and Coupa, automated fraud detection systems outperform traditional, manual methods, yet just 28% of firms have adopted them. Over 70% of respondents say automation is the most impactful strategy for reducing fraud, compared to just 27% who say the same about staff training.
Here’s how fraud detection software works to protect your organisation:
Integrates across your entire source-to-pay process
Effective fraud detection software connects with your existing financial systems to provide visibility across all transactions, from requisitions to invoices to payments. This integration eliminates silos that fraudsters often exploit.
SpendGuard™ monitors six key categories, including purchase orders, invoices, payments, and expenses in a unified platform, ensuring suspicious activities aren’t hidden between disconnected systems.
Leverage AI to detect suspicious patterns
AI doesn’t just spot fraud after it happens — it transforms your entire approach from reactive detection to proactive prevention. By analyzing patterns in your transaction data, AI can help you identify and address process vulnerabilities before fraudsters exploit them.
For example, if AI detects employees regularly submitting expenses just under approval thresholds, you can update your business rules to require additional verification for transactions within certain ranges. Similarly, when the system identifies vendors using suspicious round-number invoicing, you can implement automatic validation requirements for those suppliers.
With data from over US$8 trillion in real-world transactions, Coupa AI, working across SpendGuard, continuously learns from patterns across source-to-pay processes, enabling organisations to strengthen controls, redesign workflows, and close gaps before they result in fraud or compliance issues.
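The two patterns the text describes, claims submitted just under an approval threshold and vendors invoicing in suspicious round numbers, as an added detection example (not Coupa AI or SpendGuard logic). The £500 threshold, the 10% “just under” band, the minimum counts, the 60% round-number ratio and all expense and invoice records are constructed assumptions.

```python
"""Rule-based detection of threshold-skirting expense claims and
round-number invoicing, run over constructed records."""
from collections import defaultdict

APPROVAL_THRESHOLD = 500.00  # assumed: claims at or above this need senior sign-off
UNDER_BAND = 0.10            # assumed: "just under" means within 10% below the threshold
MIN_CLAIMS = 3               # assumed: flag an employee after this many near-threshold claims
ROUND_RATIO = 0.6            # assumed: flag a vendor if >= 60% of its invoices are round
MIN_INVOICES = 4             # assumed: need at least this many invoices to judge a vendor

# Constructed expense claims: (employee, amount in GBP)
EXPENSES = [
    ("dan", 489.00), ("dan", 495.50), ("dan", 472.00), ("dan", 120.00),
    ("erin", 499.99), ("erin", 35.00),
    ("frank", 610.00),
]

# Constructed supplier invoices: (vendor, amount in GBP)
INVOICES = [
    ("Northwind Ltd", 1000.00), ("Northwind Ltd", 2500.00),
    ("Northwind Ltd", 800.00), ("Northwind Ltd", 1237.40),
    ("Globex Plc", 1843.22), ("Globex Plc", 900.00),
    ("Globex Plc", 2211.07), ("Globex Plc", 4450.80),
    ("Initech", 3000.00), ("Initech", 2000.00),   # round, but too few to judge
]


def near_threshold(amount, threshold=APPROVAL_THRESHOLD, band=UNDER_BAND):
    """True when the amount sits inside the band just below the threshold."""
    return threshold * (1 - band) <= amount < threshold


def threshold_skirting(expenses, min_claims=MIN_CLAIMS):
    """Employees with at least min_claims claims just under the threshold."""
    counts = defaultdict(int)
    for employee, amount in expenses:
        if near_threshold(amount):
            counts[employee] += 1
    return sorted(e for e, n in counts.items() if n >= min_claims)


def is_round(amount):
    """Whole hundreds; genuine invoices rarely land there repeatedly."""
    return amount > 0 and amount % 100 == 0


def round_number_vendors(invoices, ratio=ROUND_RATIO, min_invoices=MIN_INVOICES):
    """Vendors whose share of round-number invoices meets the ratio."""
    stats = defaultdict(lambda: [0, 0])  # vendor -> [invoice count, round count]
    for vendor, amount in invoices:
        stats[vendor][0] += 1
        stats[vendor][1] += int(is_round(amount))
    return sorted(v for v, (n, r) in stats.items()
                  if n >= min_invoices and r / n >= ratio)


if __name__ == "__main__":
    print("threshold skirting:", threshold_skirting(EXPENSES))
    print("round-number vendors:", round_number_vendors(INVOICES))
```

Flagged employees or vendors are candidates for the added verification steps the paragraph describes, not findings of fraud on their own.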
Automate compliance with customisable workflows
Create approval chains that automatically route high-risk transactions for additional review. For example, flag payments to new vendors or invoices exceeding certain thresholds for expert scrutiny. Some general rules to apply include:
- Under £100: Automatically approved if within policy and supported by a valid receipt.
- £100–£500: Requires line manager approval, with receipt and brief justification logged in the system.
- Over £500: Requires dual approval from both finance and a senior manager. Transactions are automatically flagged for anomaly detection (e.g., timing, vendor name patterns).
- Claims without a receipt: Require a written explanation and manager approval. Repeated non-receipted claims are escalated for compliance review.
- Expense reports exceeding department budgets: Automatically sent to finance for investigation.
- Managers and executives: They may have higher thresholds, but out-of-policy claims are automatically flagged and reviewed by an independent approver or compliance officer.
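The approval tiers above as routing logic, an added example rather than SpendGuard’s workflow engine. The claim record layout, the 3x threshold multiplier for executives and the limit of two prior non-receipted claims before escalation are constructed assumptions; the tiers themselves follow the list.

```python
"""Route an expense claim to the approvers and checks required by the
tiered rules listed above, using constructed claim records."""
from dataclasses import dataclass

LOW = 100.0                   # below this: auto-approval possible
MID = 500.0                   # above this: dual approval
EXEC_MULTIPLIER = 3           # assumed: executive tier boundaries are 3x the standard ones
REPEAT_NO_RECEIPT_LIMIT = 2   # assumed: escalate from the third non-receipted claim


@dataclass
class Claim:
    claimant: str
    amount: float
    has_receipt: bool
    in_policy: bool
    justification: str = ""
    department_over_budget: bool = False
    is_executive: bool = False
    prior_unreceipted: int = 0


def _dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def route(claim):
    """Return (approvers, flags): who must sign off and which checks fire."""
    approvers, flags = [], []
    scale = EXEC_MULTIPLIER if claim.is_executive else 1
    low, mid = LOW * scale, MID * scale

    if claim.amount < low:
        if claim.in_policy and claim.has_receipt:
            approvers.append("auto")
        else:
            approvers.append("line_manager")
    elif claim.amount <= mid:
        approvers.append("line_manager")
        if not claim.justification.strip():
            flags.append("justification_required")
    else:
        approvers += ["finance", "senior_manager"]
        flags.append("anomaly_detection")  # timing, vendor-name patterns, etc.

    if not claim.has_receipt:
        flags.append("written_explanation_required")
        approvers.append("line_manager")
        if claim.prior_unreceipted >= REPEAT_NO_RECEIPT_LIMIT:
            approvers.append("compliance_review")

    if claim.department_over_budget:
        approvers.append("finance_investigation")

    if claim.is_executive and not claim.in_policy:
        flags.append("out_of_policy")
        approvers.append("independent_approver")

    return _dedupe(approvers), _dedupe(flags)


# Constructed sample claims covering each tier.
SAMPLE_CLAIMS = [
    Claim("ana", 45.0, True, True),
    Claim("ben", 250.0, True, True, "client lunch"),
    Claim("cho", 1200.0, True, True, "conference travel"),
    Claim("dee", 80.0, False, True, prior_unreceipted=2),
    Claim("eve", 1200.0, True, False, "offsite", is_executive=True),
    Claim("fay", 250.0, True, True, "team event", department_over_budget=True),
]

if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(c.claimant, c.amount, route(c))
```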
SpendGuard’s drag-and-drop functionality lets you quickly adapt workflows as your business evolves, ensuring all non-compliant spend is reviewed by the right people before payment.
Implementing fraud detection technology demonstrates a proactive approach to fraud prevention, crucial for establishing the “reasonable procedures” defence under the new legislation. The U.K.’s new “failure to prevent fraud” offence transforms fraud prevention from financial prudence to a legal imperative with serious consequences. Organisations that adopt a strategic approach will not only mitigate legal risk but also gain operational advantages through enhanced visibility and stronger supply chain relationships. The time to prepare is now.