Failure to prevent fraud: corporate prosecution guidance updated

“Now is the time to take action. Corporations must get their house in order or be ready to face investigation.”

Summary

Ahead of the entry into force of the ‘failure to prevent fraud’ offence (the “FTP fraud offence”) next week (1 September), the Crown Prosecution Service (“CPS”) and the Serious Fraud Office (“SFO”) published joint updated guidance setting out their common approach to the prosecution of corporate offending in England and Wales (the “Prosecution Guidance”). The Prosecution Guidance is a further reminder of the need for organisations that are in scope of the FTP fraud offence to ensure that they have in place procedures to prevent such offending.

The FTP fraud offence

Section 199 of the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) created the FTP fraud offence, which comes into force on 1 September 2025 and is modelled on similar offences contained in section 7 of the Bribery Act 2010 and sections 45 and 46 of the Criminal Finances Act 2017.

An in-scope organisation is potentially criminally liable if it fails to prevent a “fraud offence” (one of the offences contained in Schedule 13 of ECCTA) committed by a person associated with that organisation (an “associate” as defined). It is irrelevant whether the organisation was unaware of the misconduct. The principal defence an organisation has is if it can demonstrate that at the time the offence was committed it had in place reasonable fraud prevention procedures.

Our prior article on the scope and elements of the FTP fraud offence can be found here.

The Government published guidance in November 2024 that provides helpful clarifications and interpretive aids in relation to the FTP fraud offence and its scope. It sets out six principles that in-scope organisations should use to inform their fraud prevention framework. That guidance is advisory only meaning organisations cannot rely on strict compliance with it to as a defence to the FTP fraud offence.

Our prior article on the Government guidance can be found here and our prior article on UK Finance’s guidance can be found here.

The Prosecution Guidance: attribution and self-reporting

While the Prosecution Guidance does not add much to what is already known about the FTP fraud offence, it is a reminder that since 26 December 2023, it has been possible to attribute criminal liability to a body corporate or partnership where certain offences are committed by a “senior manager” acting within the apparent scope of their authority, without having to demonstrate that they were the “directing mind and will” of the organisation. Our article covering the changes to corporate criminal liability and the new "senior manager test" for establishing corporate criminal liability can be found here.

The press release accompanying the Prosecution Guidance emphasises the importance that prosecutors attach to organisations having in place “reasonable prevention procedures”, with Nick Ephgrave, Director of the SFO, saying that “corporations must get their houses in order or be ready to face investigation”.

Of particular note, albeit not new, is the emphasis that the Prosecution Guidance places on organisations proactively self-reporting wrongdoing and cooperating with any subsequent investigation.

• A failure to report wrongdoing within a reasonable amount of time and in a manner that properly and fully reflects the true extent of the wrongdoing are factors in favour of prosecution.
• Similarly, a proactive approach adopted by the organisation’s management when the offending is brought to their notice, involving self-reporting and appropriate remedial actions are factors against prosecution.

The emphasis on self-reporting is of further note given the SFO’s External Guidance on Corporate Co-Operation and Enforcement in relation to Corporate Criminal Offending published in April 2025. That sets out the SFO’s key considerations when deciding whether to charge a corporate or to invite it to Deferred Prosecution Agreement ("DPA") negotiations. If a corporate self-reports promptly to the SFO and co-operates fully, the SFO “will invite it to negotiate a DPA rather than prosecute unless exceptional circumstances apply”.

If you would like to discuss any issues concerning the FTP fraud offence, fraud risk assessments and the creation of "reasonable prevention procedures", or any related issues, please get in touch.