.png)
The UK government officially published the much-anticipated failure to prevent fraud (FTPF) guidance on 6 November 2024, confirming that the FTPF offence will come into force in September 2025. To avoid financial penalties if investigated, companies will need to demonstrate reasonable fraud prevention controls were in place.
The UK government’s effort to prevent fraud focuses on holding organizations to account for fraud committed by employees or other associated individuals, which may benefit the organisation or, in some cases, their clients. In parallel, it also seeks to motivate more organisations to establish or enhance prevention measures, fostering a significant change in corporate culture to prevent fraud.
The Offence
Under the FTPF offence, an organization can be held criminally liable if an employee, agent, subsidiary, or other "associated person" who provides services on behalf of the organization commits fraud with the intent to benefit the organization or their clients, and the organization failed to implement reasonable fraud prevention procedures. The offence is strict liability, meaning the prosecution does not need to prove that the person had any criminal intent or acted recklessly - only that the offence occurred.
The offence extends to cover large, incorporated bodies and partnerships formed in the UK and those formed outside of the UK where a UK nexus is present, such as where an overseas based organisation commits fraud in the UK or targets victims in the UK.
Base Fraud Offence
The FTPF offence also applies to what the Guidance refers to as “base fraud” offences. This means where, for example, an employee commits false accounting (base fraud offence), the company will need to provide a reasonable defence against the failure to prevent fraud. Should the employee (associated person) be convicted of the base fraud offence, this conviction can be used as evidence in proceedings against the organization for failure to prevent fraud.
Risk Mitigation
- The FTPF guidance identifies six principles which are designed to be adaptable and result-oriented, thus allowing organizations to tailor their fraud prevention measures to their specific situations and risks, rather than imposing a “one size fits all” approach.
- These six principles align with those cited in the UK Bribery Act 2010 when establishing a risk-based approach to compliance.
An organization should first seek to conduct or update their existing risk assessment to ensure that fraud risk is considered and mitigated. The guidance highlights that failing to perform one will rarely be considered reasonable.
Organizations should:
- Identify areas of exposure, such as operations with UK connections or high-risk transactions.
- Tailor the assessment to the organization’s structure, geographic footprint, and activities (e.g. those in the waste sector) particularly when dealing with jurisdictions unfamiliar with UK laws.
- Consider sector-specific fraud typologies such as procurement fraud, financial misreporting, or third-party risks. Schedule 12 of the Economic Crime and Corporate Transparency Act 2023 lists other current legislation containing "relevant offences", including the Bribery Act, Fraud Act, Sanctions and Anti-Money Laundering Act, and several others.
Many of the controls required to address this risk will already exist and likely be in place, and organizations must demonstrate proactive measures to address these risks. There is an expectation that a company will have a well thought out formal investigations procedure in place, and learnings from their experiences and any sector specific investigations/enforcement actions are considered. Relying on audit results will not be considered a sufficient defence.
Looking ahead - preparing for September 2025
With less than a year until the FTPF offence takes effect, organizations must begin to review their compliance frameworks. This process does not have to be daunting. By combining investigation capabilities with proactive prevention measures, businesses can effectively assess risks, implement robust prevention measures, and leverage existing risk mitigation strategies where possible to reduce duplication.
The September 2025 deadline provides ample time for even large, complex organizations to make meaningful progress. With the right expertise and tools, organizations can achieve compliance efficiently, positioning themselves as leaders in ethical and responsible business practices.
.jpg)
.webp)
.webp)
