We first reported the failure to prevent fraud offence in our December 2023 newsletter, following royal assent in October 2023 of the new Economic Crime and Corporate Transparency Act 2023 (ECCTA). The aim of the offence is to hold organisations to account if they profit from fraud committed by their employees; it does not need to be demonstrated that directors or management knew about the fraud. The only defence is to have reasonable fraud prevention procedures in place.
On 1 September 2025 the new offence comes into force.
This offence will affect large incorporated charities. For this legislation, large means meeting two out of three of the following definitions:
- More than 250 employees
- More than £36m of income
- More than £18m in total assets.
And incorporated means any corporate body, so it will include entities such as:
- Charitable companies
- Charitable incorporated organisations
- Royal charter charities
Although the Companies Act 2006 size thresholds were amended by statutory instrument (SI 2024/1303), published in December 2024, for accounting periods commencing on or after 1 April 2025, it appears that the thresholds within section 201 of the ECCTA were not amended for this change. Therefore charities will need to make sure that they are applying the appropriate thresholds when considering their responsibilities.
The Home Office published some detailed guidance on the offence of failure to prevent fraud on its website in November 2024. This includes a summary of the offence, which is set out below, and an indication of what are reasonable fraud prevention procedures.

*An associated person is an employee of the relevant organisation, an agent, a subsidiary (acting corporately) or any other person who provides services for or on behalf of the relevant organisation, regardless of whether the associated person is under contract or not.
*Individuals can already be prosecuted for committing, encouraging or assisting fraud so they are not considered in this summary.
The ECCTA also has a UK Nexus, which means that either the act (or part of it) needs to have taken place in the UK or the gain or loss needs to have occurred in the UK. For example, if an overseas-based employee of a UK company commits fraud abroad, there is no UK offence and the action would be a matter for law enforcement in the country concerned.
Reasonable fraud prevention procedures
The Home Office guidance sets out a framework of six principles to aid organisations in establishing a defence. We have set out the key principles of the guidance below:
Top level commitment
Senior management (trustees and the senior management team) should have a leadership role in relation to fraud prevention. Whilst actions may vary depending on the size and operations of the individual charity this is likely to include:
- Communication and endorsement of the charity’s stance on preventing fraud
- Ensuring there is a clear governance framework
- Committing to training and resourcing
- Leading by example, including encouragement of ‘speak-up’ policies
Risk Assessment
The extent to which further work will be required will depend on the risk assessments that the charity already maintains. It is likely that risk assessments covering fraud and other financial crime will need to be extended to ensure that they capture and address the full extent of risks. These risk assessments could be built firstly by understanding the types of associated persons engaged with the charity, as the definition of an associated person is wide. For example, charities will need to identify agents, contractors, volunteers as well as staff and trustees.
Having identified the types of associations, the charity will need to consider how it interacts with these groups and the opportunities for fraud. For example, false representation may be committed by a range of associated persons, whilst failures to disclose information, false accounting or abuse of position are more likely to be committed by those in certain roles.
Understanding the fraud triangle and the likely effectiveness of any possible mitigations can help assess the organisational risk for certain types of associations.

- focus on the bigger mission (“someone needs to do this to save the business”)
- focus on responsibility (“it was a group decision”, “it’s the auditors’ job to catch this”, “everyone does it”)
- focus on the consequences of the act (“it is not material”, “I am levelling the field”)
- focus on the victim (“fraud is a victimless crime”, “it’s their duty to exercise proper due diligence”)
– Home Office guidance 3.1.4, quoting common rationalisations.
Proportionate risk-based fraud prevention procedures
Procedures should be proportionate to the fraud risks and to the nature, scale and complexity of the organisation’s activities, as well as the risk and the potential impact. Therefore, to prove that the procedures are proportionate, the risks need to be clearly defined. Depending on the risk assessment, the need for mitigating controls or actions may be minimal. If trustees and management believe this to be the case, the decision should be clearly documented by the trustees as a whole.
It may be that actions already taken to manage risks in other legislation, for example, regulations concerning financial reporting, environmental, health and safety or fundraising (Charities (Protection and Social Investment) Act 2016), will already address certain potential frauds. For example, compliance with fundraising codes and reviews of fundraisers might be reasonably expected to prevent fraud by misrepresentation of the nature of the fundraising and use of the donations. However, a charity cannot assume that its existing procedures are appropriate for the specific fraud risks.
Due diligence
Charities are already likely to have due diligence procedures in place to address organisational risks, for example enhanced DBS checks to address safeguarding risks. As detailed above, organisations cannot assume that these procedures will be sufficient to address the risk of fraud and they should be reviewed against the extended risk assessments.
Communication
Policies and procedures need to be regularly communicated, with training and retraining to ensure that staff understand the policies, procedures and what to do if they have concerns, for example the whistle-blowing procedures that should be followed.
Monitoring and review
As part of managing any risk, it is important to monitor procedures, understand if they are effective, make improvements and learn. Therefore, to have reasonable procedures, there is an expectation of self-assessment, investigation and regular review to ensure that procedures fit new and evolving circumstances.
Next steps
The guidance gives more detail for each of the principles and, in particular, the procedures that might be expected to demonstrate that these principles are being managed and the necessary fraud prevention actions are in place.
We recommend that management and trustees self-assess how their organisations match up against the best practice described.
This article was correct at the time of publishing.