Peters & Peters

What does the future hold for failure to prevent fraud?

In November last year, the government released guidance on the new corporate criminal offence of failure to prevent (FTP) fraud. In the first of a series of four articles, we analysed what companies and their advisers need to know about this significant development. In the second instalment, we explained how ESG fraud is likely to be a key vector of enforcement under the new offence, and in the third article we explained the extra-territorial scope of the offence. In this final instalment, we look ahead and explain what the compliance and enforcement impacts of the offence will be and what further reform is in the pipeline.

 

The compliance burden is high, the SFO is bullish and the risks to companies have been spelled out. Medium and large companies may need to spend heavily on risk assessments, then implement and monitor fraud prevention procedures to avoid potential enforcement action. But a lot has been left to judicial interpretation: although the new offence is likely to lead to an increase in deferred prosecution agreements (DPAs), eventually there will have to be a courtroom showdown to determine what it means for fraud prevention procedures to be “reasonable”.

 

Impact of the FTP fraud offence and guidance

 

The FTP fraud offence, which applies to “large organisations”[1] and their subsidiaries and enters into force on 1 September 2025, is committed if someone associated with the company, such as an employee, agent or person providing services on its behalf, commits fraud with the intention of benefiting the company or its clients. The company has a complete defence if it can demonstrate that it had “reasonable” fraud prevention procedures in place.

 

It is envisaged the offence will have an impact on compliance culture and corporate crime enforcement.

 

Compliance culture

 

The “reasonable procedures” defence to FTP fraud creates a positive obligation on qualifying organisations to have reasonable fraud prevention procedures or risk prosecution for the fraudulent acts of employees, agents or anyone acting on their behalf. The government’s guidance has recommended that companies should implement procedures in accordance with the following six principles: top level commitment; risk assessment; proportionate procedures; due diligence; communication; and monitoring and review. The financial burden of complying with the guidance for UK businesses collectively is estimated to be a one-off cost of £500 million with an annual recurrent cost of £60 million.[2] 

 

In the short term, it is likely that the new offence, in conjunction with the FTP bribery and FTP tax evasion offences introduced in 2012 and 2017 respectively, will lead to a shift in compliance cultures. Large corporates will already be well aware of the need for fraud prevention within their organisations, but there are many smaller businesses within scope of the offence, without sophisticated compliance functions, who are likely now considering fraud prevention for the first time.

 

In the long term, entrenching a change in corporate culture will require a steady stream of enforcement activity creating both deterrence and further guidance. This will help corporates focus on meaningful and cost-effective compliance procedures whilst ensuring the risks of non-compliance are apparent.

 

Criminal enforcement trends

 

The long-term culture shift envisioned by the government will only come if a credible enforcement threat exists. To create incentives to prevent fraud, corporates must believe that prosecutors will enforce the law.

 

To predict the enforcement trajectory of the FTP fraud offence, it might appear reasonable to look at the use of the FTP bribery and FTP tax evasion offences already in force. However, there has been limited activity from HMRC in relation to the FTP tax evasion offences (zero prosecutions, eleven live investigations), which is to be expected due to HMRC’s tendency to settle cases rather than prosecute. Whilst the Serious Fraud Office (SFO) and Crown Prosecution Service (CPS) have secured ten DPAs for the FTP bribery offence[3], bribery is far less common than fraud. Therefore, these differences make comparisons unhelpful.

 

Fraud is the most common crime in the UK, accounting for over 40% of all crime in England and Wales.[4] The government believes that a substantial proportion of this offending is facilitated by companies and, therefore, could be prevented by them. The SFO has made it clear it has the appetite for enforcement and wants to set some early examples. That said, for the offence to apply, the underlying fraud that the company failed to prevent would have to be committed after 1 September 2025, which might then take several months to detect even with the increased emphasis on whistleblowing. Therefore, the first investigations are unlikely to start until 2026 and, allowing for the SFO’s customary lack of speed and court backlogs, any prosecutions may not come until 2027 and beyond. However, once investigations are in train, the simplified theory of corporate criminal liability under the FTP model is likely to push organisations facing prosecution towards negotiating a DPA. In addition, as any prosecution would be predicated on the company’s failure to have reasonable fraud prevention measures, DPAs are likely to be accompanied by strict conditions to implement stronger compliance procedures.

 

The sectors in which this increased enforcement activity occurs are likely to depend on the priorities of prosecuting authorities. In previous articles, we have noted the trend for regulators to be laser focused on ESG fraud as well as how the extra-territorial effect of the new offence could see overseas businesses (or UK businesses with an overseas presence) being subject to prosecution. However, given the SFO’s stated intention to put at least one corporate head on a stick as soon as possible, it may initially be less picky about where it looks.

 

Future reform

 

The initial impetus for reform which led to the creation of the UK’s first FTP offence in 2010 was the Second Protocol to the Convention on the Protection of the European Communities’ Financial Interests 1997, which created an international law obligation for the UK to implement a legal mechanism against those who fail to prevent economic crime.

 

During the passing of the Economic Crime and Corporate Transparency Act 2023, several Labour MPs tabled amendments to broaden the FTP fraud offence to cover all economic crime, not just fraud. Stephen Kinnock MP stated “extending those ‘failure to prevent’ offences to a wider range of economic crimes is the logical and natural next step”.[5]

 

More broadly, the FTP reforms are part of a legal trend known as the “preventive shift in criminal law” whereby the criminalised conduct is increasingly inchoate from the core mischief targeted by an offence, and the targets are those considered most able to prevent it, rather than those most likely to commit it. Such offences are attractive to lawmakers because they make prosecutions easier and shift the burden of policing to organisations. Broadening the scope of the offence to all economic crime would place an even greater burden on qualifying organisations to have prevention measures in place, although it is unclear how much more compliance work a company would need to do to prevent anyone associated with it from committing economic crime if it already had reasonable fraud prevention measures in place.

 

Enlarging the scope of the FTP offence would be in keeping with other planned expansions for corporate criminal liability. For instance, clause 130 of the 2025 Crime and Policing Bill is due to expand corporate criminal liability for the acts of “senior managers” from a limited selection of economic crime offences to all criminal offences.

 

Where does this leave businesses?

 

The government’s recently published guidance on the new FTP fraud offence provides businesses with helpful but high-level advice on how to implement “reasonable” fraud prevention procedures. The biggest flaw in the guidance is the lack of advice to businesses as to how their compliance obligations will differ depending on their size and operations.

 

Nonetheless, with five months before the new offence comes into force, companies should take this opportunity to examine their compliance frameworks for fraud prevention on the basis of the guidance’s six principles.[6] This is especially prudent as future reform may expand the FTP regime to cover all economic crimes.

 

The enforcement impact of the new offence is likely to be determined by the compromise brokered between the enforcement ambitions of the SFO and the legal interpretation of “reasonable procedures” by courts. Director Nick Ephgrave has promised the SFO will be “bold” in its use of the new FTP fraud offence, among other reforms, suggesting the SFO will aggressively investigate corporates who fail “to get their house in order” and that the prosecuting authority is ready and willing to litigate the meaning of “reasonable procedures” to do so.[7] However, we may need to wait at least another 2-3 years to find out what it really means.

 

[1] Large organisations are defined by relevant legislation as an entity satisfying two of the following three criteria: more than 250 employees; more than £36 million turnover; or more than £18 million total assets.

[2] Hansard, Commons, 13.09.23, column 938

[3] An average of one per year since the introduction of the DPA regime in 2014.

[4] National Crime Agency, Fraud.

[5] Hansard, Commons, 25.01.23, column 1057

[6] Companies in the financial services sector are also advised to review guidance on FTP fraud produced by trade association UK Finance.  

[7] February 2024, Serious Fraud Office, Director Ephgrave’s speech at RUSI

November 2024, Home Office, New failure to prevent fraud guidance published