The fraud enforcement landscape is undergoing significant change. With the Government's official guidance now published, businesses subject to the new offence of failure to prevent fraud by associated persons under the Economic Crime and Corporate Transparency Act 2023 (the "Act") are now on the clock to implement reasonable fraud prevention measures. The offence will come into force on 1 September 2025.
The offence and its accompanying guidance have sparked extensive commentary, largely focusing on the three key areas: the scope of the failure to prevent offence, the breadth of underlying fraud offences, and what reasonable fraud prevention procedures look like.
Much attention has been given to the Government’s decision to limit the offence to "large organisations," defined broadly as businesses meeting at least two of the following criteria: more than 250 employees, turnover exceeding £36 million, and total assets exceeding £18 million (measured in the financial year preceding the relevant fraud offence). However, a closer look at the Act reveals that businesses not meeting these thresholds may still fall within the offence’s reach due to their corporate structure or relationships.
Groups: Expanding the Net
Section 201(1) of the Act outlines the quantitative criteria for large organisations. However, section 201(2) expressly excludes parent undertakings from these criteria. Parents are rather dealt with under section 202, which confirms that the entire group's aggregate metrics are relevant when determining whether the parent is a large organisation (the turnover and asset thresholds now expressed as net and gross – £36 million net/£43.2 million gross turnover and £18 million net/£21.6 million gross assets).
As clarified in the Act’s Explanatory Notes, this formulation has implications for parents and subsidiaries. In the case of parents, bringing the entire group's figures into play means that some entities will be captured that would, on a standalone basis, have otherwise fallen outside the Act. In the case of subsidiaries, the approach to groups also needs to be read alongside section 199(2)(c), which explicitly includes subsidiaries of qualifying parent entities as in-scope of the offence, regardless of their standalone financial position. Together, these provisions ensure businesses cannot sidestep the offence by splitting assets and operations across multiple entities to fall below the thresholds.
Each company within a qualifying group must therefore implement reasonable fraud prevention measures. A practical starting point is conducting a group-wide fraud risk assessment to ensure consistent evaluations across all entities, while tailoring questions to address the specific fraud risks of individual businesses. Establishing comprehensive group-wide policies, controls, and procedures – such as due diligence, transaction monitoring, internal reporting mechanisms, and targeted training – can provide a cohesive framework. Incorporating risk-based adjustments where appropriate ensures the approach remains flexible and responsive to varying risk levels.
We have set out in this article some of the key risk-based measures businesses should consider implementing prior to 1 September 2025
Associated Persons: Beyond Large Organisations
Businesses that do not meet the thresholds or form part of a qualifying group may nevertheless be affected if they act as associated persons for a large organisation. As with the Bribery Act 2010 and Criminal Finances Act 2017, which respectively introduced failure to prevent bribery and tax evasion facilitation offences, a company’s ability to demonstrate reasonable prevention procedures under the Act will rely in large part on:
- Due diligence and ongoing monitoring of parties providing services for or on its behalf,
- Regular reviews of such parties' fraud controls, and
- Remediation of identified weaknesses, or termination of the business relationship if remediation is not feasible.
There is therefore a clear incentive for service providers of larger organisations to start putting their houses in order; they will come under increased scrutiny as their principals assess fraud risks across their networks. Proactively addressing these risks will help maintain valuable client relationships.
Moreover, even if a business does not fall under the Act’s failure to prevent offence, it remains subject to the Act's updated corporate criminal liability rules for certain economic crimes, including fraud. These revised rules, which have been in force since 26 December 2023, amend the restrictive “identification principle” by expanding the cohort of senior managers whose guilt can be attributed to a company.
Key Takeaway
Even if your company does not meet the failure to prevent offence thresholds, ignoring it is not an option. The offence is broadly defined and will likely affect many businesses, whether through their corporate structures or relationships with larger organisations. Now is the time to prepare.
Howard Kennedy has extensive experience assisting organisations review and enhance their financial crime and regulatory compliance systems and controls, including risk assessments, policies, and procedures. Please contact a member of the Business Crime team if you have any questions or require any assistance navigating the new offence and associated guidance.
Want to hear more from us? 
