Associates of a large organisation

A large organisation commits an offence when a person associated with it commits an offence; this section provides guidance on who or what an ‘associated’ person is.

Note:

This guidance is advisory only. The guidance is not a substitute for reading the legislation or obtaining professional legal advice where appropriate or necessary.

Statutory guidance in relation to fraud prevention procedures is published by the Home Office at Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (accessible version) - GOV.UK. All organisations should review the Home Office Guidance when establishing and reviewing their fraud prevention procedures.

See Section 1.4 of the Home Office Guidance for any conflict between alternative sources of guidance.

For reference, Annex 1 of the Home Office Guidance provides a summary of the offence and sets out each scenario in terms of who commits the base fraud, who is intended to benefit and who could be prosecuted for failure to prevent the base fraud. It may be useful to refer to that annex when considering who are ‘associated’ persons in this section. Please also refer to section 2 of the NHSCFA guidance on the failure to prevent fraud offence.

What is an ‘associated’ person?

ECCTA, section 199 (7) defines who will be ‘associated’ with an organisation. The section says that a person will be associated with the organisation if—

  • The person is an employee, agent or subsidiary undertaking of the relevant body
  • The person otherwise performs services for or on behalf of the body.

A similar definition of ‘associated’ is used across all three ‘failure to prevent’ offences (failure to prevent fraud, failure to prevent bribery and failure to prevent the criminal facilitation of tax evasion – see section on similarities and differences to other failure to prevent offences).

Liability of ‘parent undertakings’ and ‘subsidiary undertakings’ and their ‘associated’ persons.

A subsidiary undertaking can be an ‘associated’ person of a large organisation and therefore where the subsidiary is guilty of fraud intending to benefit the organisation, the organisation guilty of the offence of failing to prevent fraud is the parent (the large organisation).

In addition, the subsidiary of a large organisation, which is not itself a large organisation, can be guilty of an offence if an employee of the subsidiary commits a fraud intending to benefit the subsidiary, as set out in section 199(2) of ECCTA. The subsidiary undertakings of large organisations should therefore adopt fraud prevention measures and these should form part of the measures adopted by the parent.

Liability can also attach to a parent undertaking, if a fraud was committed by the employee of a subsidiary, intending to benefit the parent company, if the parent did not take reasonable steps to prevent it. Therefore, as noted above, the parent should ensure that subsidiaries are required to adopt compliant fraud prevention measures which should be consistent with the parent’s measures.

We set out below the definition of parent and subsidiary undertakings for reference, however, where there is any doubt, organisations might take their own legal advice as to whether an entity with which it has a relationship is its parent or subsidiary undertaking.

Definition of subsidiary undertaking

A subsidiary undertaking is an undertaking that is controlled by another undertaking, known as the parent or holding company.

A ‘subsidiary undertaking’ has the meaning given in Section 1162 of the Companies Act 2006.

An ‘undertaking’ (defined at Section 1161 of the 2006 Act) is any body corporate or partnership (see section on the failure to prevent fraud offence under ECCTA for guidance on the nature of a body corporate) or an unincorporated association.

An undertaking is subsidiary to a parent where the parent:

  1. holds a majority of the voting rights in the undertaking;
  2. is a member of the undertaking and has a right to appoint or remove a majority of the directors; or
  3. has the right to exercise a dominant influence over the undertaking by virtue of the constitution of the subsidiary or a contract of control; or
  4. is a member of the undertaking and has an agreement with other shareholders or members which enables it to hold a majority of the voting rights in the undertaking.

Service providers

The Home Office Guidance at Section 2.3 provides some commentary on the meaning of a person who provides services for or on behalf of an organisation. The guidance says that suppliers providing services ‘to’ an organisation are excluded from the definition of associate. This seems a reasonable conclusion though the wording of ECCTA does not make that clarification. It is clear however that a sub-contractor, providing services where the NHS organisation has a contract to provide those services will be an associated person and NHS organisations should therefore consider how they will ensure that sub-contractors are within the scope of their prevention procedures.

For other contracting relationships organisations may wish to update standard wording to require compliance with fraud prevention policies along similar lines to references applied for the Bribery Act 2010 (see section on similarities and differences to other failure to prevent offences). Fraud prevention procedures should also address how the relevant measures will prevent fraud by service providers.

The NHS Standard Contract and the NHS Standard Sub-Contract for 2025/26 require any provider of services under the relevant contract to put in place and maintain appropriate measures to prevent, detect and investigate fraud, bribery and corruption having regard to NHSCFA requirements (See Service Condition SC24.1). The NHS Standard Contracts also require compliance with applicable law and good practice and for acute, mental health and community services a commissioner can require a provider of NHS services, or a sub-contractor to comply with any policies that it refers to at Schedule 2G of the Particulars.

NHS standard terms and conditions for the provision of services also include obligations variously on providers, their sub-contractors and suppliers to comply with NHSCFA guidance and to prevent fraud by suppliers and staff of suppliers.

Smaller organisations should be aware that they may be ‘associated persons’ while they provide services for, or on behalf of, large organisations. In these circumstances, they may be subject to contractual or other requirements imposed by the large organisations in respect of the offence of failure to prevent fraud.

Where an organisation is in doubt as to whether it is in scope for the offence it should take appropriate legal advice.

NHS Type examples of an ‘associated’ person

The Home Office Guidance has one example at Section 2.8 to illustrate who is the associated person. We note below some NHS type examples of an ‘associated’ person whose fraud may give rise to an offence on the part of a relevant NHS body in scope of the offence if it does not have reasonable fraud prevention procedures in place.

As stated generally elsewhere, it is the responsibility of the individual organisation to determine whether any party with which it has a relationship is an associated person for the purposes of the offence. These examples are for illustrative purposes only.

Employee or agent

See example 1 on page 18 of the Home Office Guidance under the heading ‘Examples of an indirect benefit’ for a healthcare example in relation to recruitment of staff eligible to work in the UK.

Subsidiary

A wholly owned subsidiary of a healthcare provider (a NHS Foundation Trust or a NHS Trust for example) being a limited company will be an ‘associated’ person of the NHS Trust. Such subsidiary companies may be set up to deliver facilities management services to the provider or to provide pharmacy services or alternatively to provide other back-office support services. The subsidiary is an ‘associated’ person and where any business of the subsidiary is carried out with an intent to defraud the subsidiary’s creditors and to deliver improved dividend payments to the NHS Trust (for example), or otherwise delivering a benefit to the NHS Trust, the NHS Trust will be liable for prosecution if its fraud prevention procedures applying to the subsidiary’s activities are not such as it is reasonable in all the circumstances to expect the NHS Trust to have in place.

It should be noted that the offence of failure to prevent fraud could be committed where a fraud is committed by the subsidiary undertaking committing the fraud to benefit the NHS Trust or to benefit any person the subsidiary provides services to. In addition, the offence would also apply where an employee of the subsidiary commits a fraud with the intention of benefitting the NHS Trust.

Sub-contractor

An NHS provider of healthcare services sub-contracts healthcare provision to a third party provider of clinical services: for example the delivery of imaging services within the scope of a pathway of care delivered by the NHS provider. The sub-contractor is likely to be an ‘associated’ person and a fraud by that sub-contractor which is intended directly or indirectly to benefit the NHS provider may result in prosecution of the NHS provider where its fraud prevention procedures do not extend to such sub-contracting.

Help us improve cfa.nhs.uk

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.

Close

Thanks for the feedback!

Close