Failure to prevent fraud countdown: Act now to avoid unlimited fines
On 1 September 2025, the Failure to Prevent Fraud Offence takes effect as part of the Economic Crime and Corporate Transparency Act (ECCTA) enforceable by the Crown Prosecution Service and Serious Fraud Office. With the deadline now only weeks away, the countdown to compliance is almost over.
What is failure to prevent fraud?
The Failure to Prevent Fraud Offence raises the bar for corporate accountability in the UK. For proactive companies, this is an opportunity to go beyond compliance: to strengthen governance, demonstrate leadership, and build resilience into their culture. Those who act now will not only protect themselves from penalties but also earn lasting stakeholder trust.
At its core, the offence makes large organisations directly responsible for stopping fraud committed by anyone acting on their behalf, whether that’s an employee, agent, or subsidiary. The company doesn’t need to know the fraud is happening to be held liable. If it benefits the business and you can’t prove you had the proper safeguards in place, you’re exposed. Regulators have signalled that they intend to enforce the new law aggressively and they’re expected to make examples of companies that fall short. The risk of reputational damage from being in that first wave of enforcement is something businesses can’t afford to take.
For those who don’t review, refresh, and reinforce their fraud prevention strategies now, this could be the most expensive compliance mistake they ever make – in both financial and reputational terms. And the clock is ticking.
Large organisations beware
The new Failure to Prevent Fraud Offence doesn’t target everyone, but it casts a wider net than many businesses realise. It applies to “large organisations”, defined as those meeting at least two of these three thresholds:
- Turnover over £36 million
- Assets over £18 million
- More than 250 employees
Crucially, these thresholds are calculated globally. So, even if your UK entity is small, you may still fall under the rules because of your wider group structure.
Worryingly, our research shows that fewer than half of firms with more than 500 employees believe they are compliant with the new requirements. Given that most existing anti-fraud and ethics policies won’t satisfy the updated standards, the true level of readiness could be even lower.
The best defence available under this offence is proving you had “reasonable procedures” in place before any fraud occurs. That means leadership must ensure fraud prevention measures are not just written into policy documents but actively embedded into business operations as a cultural shift.
To help businesses get there, the government has set out six guiding principles for building these procedures:
- Top-level commitment
- Risk assessment
- Proportionate controls
- Due diligence
- Effective communication and training
- Ongoing monitoring and review
These principles aren’t optional. They are the benchmark against which organisations will be judged, and where they could find themselves falling short.
Compliance complacency is a significant threat
When it comes to compliance with the new Failure to Prevent Fraud Offence, one of the biggest dangers is complacency. Firms are telling us they have fraud policies in place, but often they don’t know if their fraud risk detection process follows the UK guidance.
Firms may assume that because they have an up-to-date code of conduct, or because they’ve never faced a fraud incident, they’re automatically protected. Others rely on the assumption that their people simply “wouldn’t do that.” The reality is stark: fraud is a billion-pound industry in the UK, and assumptions are not a defence. Without robust, proactive measures, this false sense of security is exactly what can lead to unlimited fines and irreparable reputational harm.
Under the new rules, generic policies won’t cut it. A code of conduct without fraud-specific risk assessments, active enforcement and evidence of preventative measures is unlikely to meet the legal standard. Regulators won’t accept good intentions as a defence. Saying employees “know” not to commit fraud is meaningless without proof – proof of training, monitoring and risk-based prevention protocols.
Blind spots could be anywhere. Maybe you have a whistleblowing policy that nobody uses because it’s poorly communicated. Perhaps your onboarding process ignores third-party risks, or supplier contracts fail to adequately deal with fraud. These cracks may not have caused problems yet, but once enforcement begins, they’ll be exposed fast.
The riskiest assumption right now is believing you’re safe simply because fraud hasn’t happened yet. The Failure to Prevent Fraud Offence is about shifting the focus from reaction to prevention. With the 1 September deadline just around the corner, boards need to act decisively now or risk finding out the hard way that complacency is the costliest risk of all.
Why large businesses need a proactive fraud risk review
With the new Failure to Prevent Fraud Offence looming, businesses can’t afford to guess where they stand. What’s needed is a structured fraud audit that digs into your organisation’s specific risks and tests whether your prevention measures truly hold up under the new legal standards.
A comprehensive review also sends a powerful message to regulators, investors, and stakeholders that you take corporate accountability seriously. In a climate where reputation is everything, that’s an advantage you can’t afford to miss.
So, what should you be reviewing? Key areas include:
- Internal reporting channels: Are they strong, trusted, and widely used?
- Investigation and response procedures: Are they clear and consistently applied?
- Third-party oversight: Is risk management built into supplier and partner relationships?
- Fraud training and awareness: Do employees understand the risks and know what’s expected?
Boards should also be asking the tough questions:
- Are fraud risks being actively identified and escalated?
- Do senior leaders understand both their personal and corporate responsibilities?
- If a fraud offence happened tomorrow, could we prove we’d taken every reasonable step to prevent it?
These are the questions you need to answer before regulators come looking for the answers themselves.
Your ECCTA action plan
Taking a proactive, structured approach to ECCTA compliance will help futureproof your company against potential shocks. We recommend the following steps:
- Conduct a comprehensive ECCTA readiness audit: identify gaps in your current processes, documentation and controls. Assess whether your digital identity verification, fraud detection mechanisms and internal policies meet the new regulatory standards.
- Identify Directors and Persons of Significant Control (PSCs): conduct a review to make sure you have identified all relevant personnel.
- Implement digital identity verification solutions: ensure directors, PSCs and LLP members are verified using secure, compliant digital platforms.
- Update and strengthen internal controls: review and revise onboarding, record-keeping and filing procedures to align with the ECCTA’s requirements, including time-stamped audit trails and transparent traceable processes.
- Deliver targeted training: equip directors, company secretaries and senior management with up-to-date training on the ECCTA obligations, fraud prevention and reporting standards.
- Engage an external fraud specialist: commission an independent expert to conduct a fraud risk assessment and audit, providing objective insight into vulnerabilities and recommended mitigations.
- Engage in regular compliance health checks: ongoing reviews help maintain compliance as regulatory expectations evolve and ensure your controls remain effective.
- Leverage independent expertise: consider third-party support to validate your compliance framework and provide peace of mind for your board and stakeholders.
We offer a range of related services that alleviate the practical and mental load of ECCTA compliance:
- End-to-end digital identity verification services
- Independent ECCTA readiness audits and ongoing compliance health checks
- Training modules and advisory services for directors and company secretaries
Don’t let assumptions put your company at risk. Let Vistra take care of keeping your organisation 100% compliant and worry-free.
Contact Vistra today to schedule your ECCTA audit and build a foundation of compliance, credibility and resilience for your business.
The contents of this article are intended for informational purposes only. The article should not be relied on as legal or other professional advice. Neither Vistra Group Holding S.A. nor any of its group companies, subsidiaries or affiliates accept responsibility for any loss occasioned by actions taken or refrained from as a result of reading or otherwise consuming this article. For details, read our Legal and Regulatory notice at: https://www.vistra.com/notices. Copyright © 2026 by Vistra Group Holdings SA. All Rights Reserved.