Last month, the government released guidance on the new corporate criminal offence of failure to prevent (FTP) fraud. In the first of a series of related articles, we analysed what companies and their advisers need to know about this significant development. In the second instalment, we explained how ESG fraud is likely to be a key vector of enforcement under the new offence. In this third article we explain the extra-territorial scope of the offence.

The intention behind the offence and its accompanying guidance is to protect the UK economy and citizens from fraud carried out by or through companies. Fraud is more globalised now than ever before, therefore, the offence can apply to overseas companies which fail to prevent fraudulent conduct aimed at or impacting the UK.

Scope of the offence

The FTP fraud offence, which applies to “large organisations”[1] and their subsidiaries and enters into force on 1 September 2025, is committed if someone associated with the company, such as an employee, agent or person providing services on its behalf, commits fraud with the intention of benefiting the company or its clients. The company has a complete defence if it can demonstrate that it had “reasonable” fraud prevention procedures in place.

The FTP fraud offence applies to organisations regardless of where they were incorporated or where they operate, provided that the underlying fraud offence is contrary to UK law. This requires a UK nexus, which may be satisfied where some of the fraudulent conduct or its effects occurred in the UK.

The definition of UK nexus in this context is principally derived from the “relevant event” test under the Criminal Justice Act 1993.[2] Under that test, an overseas company can be prosecuted for FTP fraud where part of the underlying fraud occurred abroad, provided that a “relevant event” occurred in the UK. A relevant event is any act, omission or other event, proof of which is required to secure conviction of the underlying fraud offence. We have used two case studies below to explain circumstances in which an overseas company may be liable under the FTP fraud offence.

Case Study 1: UK company perpetrates fraud on behalf of an overseas company

Company A is a multi-national software provider based in continental Europe. In recent years, it has sought to expand its market share in the UK. Company B is based in the UK and has agreed to act on behalf of Company A to deliver sales and support services for its products under the Company A brand. In order to win a lucrative government contract, Company B knowingly misrepresented the performance of Company A’s software. As a result, the software was not fit for use and the government suffered loss.

Has the FTP fraud offence been committed?

Company B commits a base offence of fraud by false representation because it dishonestly made a representation to the UK government it knew to be untrue or misleading and did so with the intent of securing a significant sale. Company B, although situated in a different jurisdiction to Company A, is associated with Company A because it was performing services on Company A’s behalf. The base fraud was committed with the intent of benefiting Company A as its purpose was to secure a major sale of Company A’s product. There is a UK nexus because Company B commits the underlying fraud within the UK. As a result, Company A will be criminally liable for failure to prevent fraud unless it can demonstrate that it had “reasonable” fraud prevention procedures in place.

However, even if the fraud had not been committed in the UK, so long as a gain or loss from the fraud occurred within the UK, this would be sufficient to have a UK nexus (see case study 2 below).

Case Study 2: Overseas company’s employee perpetrates fraud against UK victims

A manufacturer of healthcare products in Asia, Company C, is looking to expand its global distribution network. Meanwhile, UK hospitals are suffering an acute shortage of cardiology devices. While Company C has never sold or distributed its products to the UK before, an employee with responsibility for distribution to northern Europe finds that UK distributors are desperate for the devices, and he can make a large volume of sales with little resistance to his unsupported claims about the efficacy of the devices themselves. The UK distributors spend several million pounds on bulk orders of the devices but discover upon receipt that they are not fit for purpose and cannot be used.

Has the FTP fraud offence been committed?

The employee of Company C commits a base offence of fraud by false representation because they dishonestly made a representation about the efficacy of Company C’s products which they knew to be untrue or misleading. By reason of their employment relationship, the employee who perpetrated the fraud can be considered “associated” with Company C. The base fraud was committed with the intent of benefitting Company C as its purpose was to secure sales of Company C’s product in a new market. There is a UK nexus because loss from the fraud is suffered by UK victims (the UK distributors). As a result, Company C will be criminally liable unless it can demonstrate that it had “reasonable” fraud prevention procedures in place.

Case study 2 demonstrates that an overseas company can be criminally liable in the UK for FTP fraud even if the company itself and the fraudulent act took place entirely outside of the UK.

Similarly, the government’s guidance provides the example of an overseas company falsifying product efficiency tests to help a UK company meet thresholds required to receive UK government subsidies. As a result of the fraud, the product qualifies for government subsidies and the UK company benefits. Here the fraud itself occurs overseas, but a gain from the fraud occurs in the UK.

Reasonable procedures

To protect their exposure to liability, companies falling within the scope of the FTP fraud offence must implement reasonable fraud prevention procedures covering the government’s six principles of top-level commitment; risk assessment; proportionate procedures; due diligence; communication; and monitoring and review.

The extent to which overseas companies should implement such procedures is dependent on their connection to the UK, the nature of their business and the specific ways in which fraud risks might arise from that business. Nevertheless, as a general point, any sophisticated global business with a connection to the UK should perform a risk assessment to determine the nature and extent of its exposure to the risk of an associated person committing fraud which could render the company liable under the FTP fraud offence.

Where relevant companies form part of a group, the government’s guidance suggests it may be necessary to implement group wide policies or procedures. If only a limited part of a group is exposed to the UK, then it may only be necessary to focus compliance measures on that part of the business. However, if a group’s UK nexus is broader, then a group wide approach may be more proportionate.

Overseas companies should note that compliance with local audit or other regulatory requirements is unlikely to be sufficient to satisfy the “reasonable” fraud prevention procedures standard. This is especially relevant to overseas companies in regulated sectors.

Horizon scanning

The FTP fraud offence is an enforcement tool, and its effect will be partly dependent on how prosecutors seek to use it. The current director of the UK’s Serious Fraud Office has suggested his enforcement priority is large-scale and complex frauds that involve UK victims. Accordingly, overseas companies should assess their exposure to fraud risk which would cause loss to UK victims and determine whether they need to improve their fraud prevention procedures to mitigate the risk of criminal liability.

We will explore the likely impact of the FTP fraud offence and the potential for future corporate criminal liability reforms in the final instalment of this series of articles, due early in the new year.

[1] Large organisations are defined by relevant legislation as an entity satisfying two of the following three criteria: more than 250 employees; more than £36 million turnover; or more than £18 million total assets.

[2] Sections 1-2 of the Criminal Justice Act 1993.