The UK’s New “Failure to Prevent Fraud” Law

The UK "Failure to Prevent Fraud" law presents challenges for global banks operating in the UK. Read how the law applies, and generally what banks should be doing to comply.

UK companies awoke on Monday, September 1st to the commencement of the new Economic Crime and Corporate Transparency Act (ECCTA) 2023. Specifically, companies were paying attention to Sections 199 through 206 as they took effect. Billed as one of the most radical and consequential expansions of criminal liability for corporations in generations, this set of sections, a seeming afterthought located at the end of the 207-section ECCTA, belies the scale of its implications for financial institutions.

Introducing the “Failure to Prevent Fraud” Offence

This new corporate offence of “failure to prevent fraud” entered into force on 1 September 2025, introducing strict liability for large organizations where an associated person, such as an employee, agent, or subsidiary, commits a specified fraud offence for the organization’s benefit. The offence reflects the UK government’s broader drive to impose direct criminal accountability on institutions, not just individuals. Unlike the UK Bribery Act of 2010 or the various pieces of tax evasion legislation, the focus here is on core fraud offences that arise regularly in commercial and financial transactions.

What Does This Offence Actually Cover? (or “What Did I Do Wrong?”)

Examples of offending conduct include such mainstays as fraud by false representation, fraud by abuse of position, false accounting, and others. Crucially, liability does not depend on whether senior management knew of or endorsed the misconduct. If a fraud is committed by a person performing services for the organization, and that fraud was intended (even unsuccessfully) to benefit the organization or its clients, the offence is presumed, unless the organization had “reasonable procedures” in place to prevent it. The burden of proof for that defense lies squarely on the institution.

Who is in Scope? (or “Does This Apply to Me?”)

The Failure to Prevent Fraud offence uses a two-out-of-three approach: it applies to any organization meeting two or more of the following criteria:

  • more than 250 employees,
  • turnover above £36 million, or
  • total assets over £18 million.

Virtually every major bank with UK operations or clients will be in scope, regardless of where it is headquartered. Compounding this, the law also has some extraterritorial reach: fraud committed outside the UK may trigger liability if it causes harm or confers benefit within the UK. For global banks headquartered in the US but operating in London or serving UK clients, this is not a minor risk. It requires a review and assessment of your current systems worldwide.

What Are Some Available Defenses? (or “Oh #$%#, Need Help!”)

Like many offence-type statutes, the burden lies with the organization to disprove the alleged offence, and luckily the law outlines appropriate defenses. Specifically, the only statutory defense is to demonstrate that the organization had in place such policies and procedures as would be considered “reasonable in all the circumstances” to prevent fraud. Additional and extra-statutory guidance issued in April 2024 outlines six principles underpinning such procedures:

  • proportionality,
  • top-level commitment,
  • risk assessment,
  • due diligence,
  • training and communication, and
  • monitoring and review.

OK, so What Now? (or “OK, You Got My Attention”)

Most financial institutions, especially those already subject to UK Financial Conduct Authority (FCA) requirements, AML/CFT obligations, and whistleblowing regimes, may find that some elements of a fraud prevention framework already exist. However, alignment with this new offence is not automatic, and gaps in governance or documentation could prove costly if tested.

Not to pour gasoline onto the fire here, but the UK’s Serious Fraud Office (SFO) has already signaled that it is eager to use this tool, and views it as a powerful addition to the UK’s economic crime enforcement toolkit. Prosecutions may emerge from whistleblower reports, concurrent investigations, or referrals from other agencies. While some cases may be resolved through Deferred Prosecution Agreements (DPAs), exactly how and how strongly the UK SFO chooses to enforce will likely depend greatly on how seriously a company has worked to put reasonable procedures into place. Some suggest that the early stages of enforcement will begin with easy violators, but it is quite likely that larger institutions will face scrutiny if their procedures are not demonstrably robust within a short amount of time.

TLDR (Too Long, Didn’t Read)

For banks and financial institutions, the message is clear: have your house in order. That means conducting fraud risk assessments across business lines, reviewing third-party and subsidiary controls, updating internal policies, and delivering training that is practical and documented. With the law’s effective date already reached, the compliance window is narrowing and waiting for the first prosecution is not an effective strategy.

In sum, the new offence reshapes corporate liability and demands immediate attention. The key takeaways for banks and financial institutions are:

  • Expanded Criminal Liability for Affiliate Misconduct
  • Applies to Non-UK Banks with UK Nexus
  • Heightened Need for Group-Level Fraud Controls
  • Client Services = High-Risk “Benefit”
  • Training and Policy Alignment Now Required
  • Fraud Risk Assessments Must Be Formalised
  • Policy Gaps = Legal Exposure
  • Reputational & Regulatory Risk Beyond Prosecution
