The following questions were received by NHSCFA either as part of our failure to prevent fraud webinar held on 15th July 2025 or via our dedicated failure to prevent fraud email inbox (ftpfo@nhscfa.gov.uk).
We will update this page at regular intervals.
Note
The responses to these questions are advisory only. The responses are not a substitute for reading the legislation or obtaining professional legal advice where appropriate or necessary.
Statutory guidance in relation to fraud prevention procedures is published by the Home Office at Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (accessible version) - GOV.UK. All organisations should review the Home Office Guidance when establishing and reviewing their fraud prevention procedures.
See Section 1.4 of the Home Office Guidance for any conflict between alternative sources of guidance.
Q – Do Independent Health Providers fall within scope of this act?
A – Yes, if they meet the requirements of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) as either large organisations, subsidiaries of large organisations or associated persons of large organisations.
Independent Health Providers will need to consider ECCTA with reference to the Home Office Guidance and legal advice where necessary to determine whether they fall within the scope of the offence as a large organisation or a subsidiary of a large organisation.
Independent Health Providers may fall within scope of the ECCTA as an ‘associated’ person of another entity such as an NHS Trust or Foundation Trust where they provide services as a subcontractor to that organisation. In addition to falling within the scope of the offence as an associate of the large organisation, they may also be subject to contractual or other requirements imposed by the ‘large’ organisation in respect of the prevention of fraud (see for example the reference to the NHS Standard Contract in the answer below).
Where an organisation is in doubt as to whether it is in scope of the offence of failure to prevent fraud under ECCTA, it should take legal advice.
Please refer to the section on Associates of a large organisation for further guidance and information on this.
Q – Will wholly owned subsidiary companies be required to comply with ECCTA’s requirements and therefore have their own bespoke procedures or will they be covered by the hosting NHS organisation’s procedures?
A - A subsidiary of a large organisation is that organisation’s ‘associated person’ (Section 199(7) of ECCTA) and its fraud may lead to the parent being guilty of the offence of failure to prevent fraud.
A subsidiary of a large organisation is also potentially liable itself, as a relevant body under Section 199(2) of ECCTA, for the offence of failure to prevent fraud where its employees commit a fraud.
However, any individual organisation will need to consider the definition of ‘subsidiary’ in ECCTA to determine whether any party with which it has a relationship is an associated person for the purposes of the offence and whether any subsidiary undertaking is potentially within scope of the offence as a result of its relationship with the parent undertaking. Please refer to the section on Associates of a large organisation for further guidance on the definition of subsidiary undertakings.
Therefore, a subsidiary of a large organisation will need to have its own fraud prevention procedures in place in relation to its liability for the offence under Section 199(2) of ECCTA and the parent will need to have procedures in place in relation to the subsidiary in the context of its liability under Section 199(1) of ECCTA for the actions of its subsidiary as its associated person.
Accordingly, an NHS organisation needs to satisfy itself both that its procedures adequately cover the actions of its subsidiary as its associated person; and that the subsidiary has its own fraud prevention procedures in place.
Q – Could an organisation be criminally liable if a colleague was found to be committing fraud for personal interest or gain?
A – The key test is whether the fraud was committed with the intention of benefitting the organisation or any person to whom the organisation provides services. If the fraud was purely for personal enrichment – with no intent to benefit the organisation or any person to whom the organisation provides services – then the organisation is not liable for the ECCTA offence. The colleague may be prosecuted personally.
Under the legislation, an organisation will be criminally liable where:
- a fraud offence is committed by an employee, agent or other ‘associated’ person, with the intention of deriving a benefit for the organisation or a related body or person; and
- the organisation did not have ‘reasonable’ fraud prevention procedures in place
However, if the organisation is itself a victim of the relevant fraud, it will not be in scope of the offence (ECCTA, section 199(3)).
Q – The Local Counter Fraud Specialist (LCFS) role focuses on the NHS organisation benefiting from fraud not being the victim of fraud. With this in mind, under this legislation, does the responsibility for prevention work and FRAs sit with the LCFS? Should the LCFS be responsible for extended measures at the organisation?
A - The responsibility sits with the organisation, not the LCFS.
The organisation is responsible for the risk assessment and the fraud prevention procedures. The LCFS is the subject expert in fraud and so they are there to support this.
Q - Do you have some materials directly for board members, to help explain and highlight the importance? Do you do reviews to help trusts improve? Do you have a case study of how a trust has gone through this improvement process?
A – Whilst we don’t have materials specifically for board members on the Failure to Prevent Fraud Offence (FTPFO), board members can access and use our guidance. The guidance has been created for all professionals in the healthcare sector with responsibility for management, finance, risk, governance and compliance. Our guidance will help board members to understand the impact of the new legislation and sets out the actions and next steps that NHS organisations should consider to mitigate the possible risk of prosecution.
As this is a new offence, which has only recently been implemented, we are not able to provide any case studies or reviews.
However, NHSCFA does engage with NHS organisations about all aspects of counter fraud work, including FTPFO, via engagement visits and attendance at audit committee to offer support and assistance.
The Stakeholder Engagement Team assesses the effectiveness of the counter fraud effort across the health sector with the goals of increasing good practice and driving up standards. The team analyses data such as that gathered by the annual Counter Fraud Functional Standard Return and data held on the case management system to compare health body performance with national counter fraud standards. Its findings, including learning points, good practice and recommendations, are shared with the health bodies, counter fraud service suppliers and the wider health sector in an ongoing process of engagement.
Q - How many instances of in scope offences have been prosecuted in recent years?
A – The offence of ‘failure to prevent fraud’ only came into effect on 1 September 2025; as such, there have not been any prosecutions under this offence to date.
Q – Would there need to be a prosecution in order for the corporate offence of failure to prevent fraud to apply?
A – No, the key principle is that underlying fraud must be proven, not prosecuted. Therefore, relevant organisations can be prosecuted if the associated person’s conduct constitutes a base fraud offence, even if the associated person is prosecuted for an alternative offence, or is not prosecuted at all.
Q - Will the NHS Standard Contract be updated to make specific reference to this legislation?
A – The NHS Standard Contract is written and published by NHS England and therefore they would need to provide a response to this question. Whilst we are not aware of any plans to make specific reference to the ECCTA legislation within the NHS Standard Contract, we note that Service Condition 24 of the NHS Standard Contract 2025/26 makes provision for compliance with NHSCFA requirements and requires providers of services to have in place and to maintain appropriate measures to prevent, detect and investigate fraud, bribery and corruption. However, those requirements are separate and additional to the provisions of ECCTA.
Q - Would an ICB be liable for a base fraud originating from an actor within a Trust, which benefits the Trust and, by association the ICB?
A – It isn’t possible to give a definitive answer to this question as liability would depend on a number of factors specific to the individual organisation.
The issues of who is an ‘associated person’ and who is intended to benefit from the underlying fraud are key to determining whether a relevant organisation can be held accountable for the offence of failure to prevent fraud. See section on failure to prevent fraud offence for guidance on intention to benefit.
Relevant organisations can be prosecuted if the associated person’s conduct constitutes a base fraud offence, even if the associated person is prosecuted for an alternative offence or is not prosecuted at all. If the associated person has been convicted of the base fraud offence, this can be used as evidence in proceedings against the organisation for failure to prevent fraud.
An ‘associated person’ includes a relevant body’s employees, agents, and subsidiary undertakings and any person otherwise performing services for or on behalf of the relevant body.
In the context of this question, a Trust may be an associated person of the ICB on the basis that the Trust is acting as agent for the ICB or is performing services for or on behalf of the ICB in a relevant matter. The Trust should consider the Home Office Guidance on associated persons as well as the NHSCFA guidance.
If:
- a Trust were an associated person of an ICB; and
- the ICB were a large organisation in scope for the offence; and
- the Trust committed a base fraud offence with ‘intent to benefit’ the ICB directly or indirectly; then
- the ICB may be in scope for the FTPFO.
Ultimately each organisation will need to consider whether it requires its own legal advice in order to determine its position in relation to the specific relationships that apply to it.
For reference, Annex 1 of the Home Office guidance provides a summary of the offence and sets out each scenario in terms of who commits the base fraud, who is intended to benefit and who could be prosecuted for failure to prevent the base fraud.
Q - Should we expect an updated fraud, bribery and corruption policy reflective of ECCTA?
A - We are currently updating the documents 'Fraud proofing local policies: a guide for LCFSs' and the 'Template local counter fraud, bribery and corruption policy' to reflect the ECCTA legislation. We will let you know once these have been updated. These documents currently sit within the Counter Fraud Manual.
The Counter Fraud Manual is a restricted online resource available to Local Counter Fraud Specialists, Counter Fraud Champions, Directors of Finance/Chief Financial Officers and Audit Committee Chairs on our secure website NGAGE. If you have not been supplied with login credentials, are experiencing difficulties with access or you have forgotten your password, please contact our Service Desk by emailing servicedesk@nhscfa.gov.uk
Q - Who will be responsible for investigating offences under the new Act?
A - As this is a new offence, we are making further enquiries into this and will publish further guidance accordingly.
Q – What are the differences between the failure to prevent fraud offence and the failure to prevent bribery offence?
A – See section on Similarities and differences to other failure to prevent offences.
NHSCFA’s guidance on failure to prevent bribery can be found in the Counter Fraud Manual.
The Counter Fraud Manual is a restricted online resource available to Local Counter Fraud Specialists, Counter Fraud Champions, Directors of Finance/Chief Financial Officers and Audit Committee Chairs on our secure website NGAGE. If you have not been supplied with login credentials, are experiencing difficulties with access or you have forgotten your password, please contact our Service Desk by emailing servicedesk@nhscfa.gov.uk
Q – Could a supplier who provides a service to an NHS organisation be classed as an associated person? For example, a recruitment agency or payroll providing a service to the NHS.
A - Recruitment agencies and payroll providers may fall under scope of the offence if they are sub-contractors providing a service for or on behalf of the NHS organisation. Generally, it is expected that organisations providing services ‘to’ a large organisation would not be associated persons of the large organisation. The requirement is that a person will be an associated person if they are providing services ‘for and on behalf of’ the relevant large organisation.
See the Home Office Guidance at paragraph 2.3 on ‘who commits the base fraud and in what circumstances’, together with the section in NHSCFA’s guidance on Associates of a large organisation. See also example 1 on ‘indirect benefit’ at paragraph 2.8 of the Home Office Guidance. This references a recruitment agency but in that example the recruitment agency is not the relevant ‘associated person’.
Q - Could service users of large organisations be classed as clients?
A - The term ‘client’ is not used in the ECCTA legislation.
Section 199(1)(b) of ECCTA specifies that an offence is committed where there is a benefit to ‘the relevant body’ or to ‘any person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body’.
The Home Office Guidance on failure to prevent fraud uses the term ‘client’ to refer to a party to whom services are provided and thus being in scope of Section 199(1)(b) of ECCTA.
The Home Office Guidance refers to a ‘person to whom the associate provides services for or on behalf of the relevant body’ as a possible client of the relevant body (in a commercial context) and as a person who receives services, for example, a patient (in a non-commercial context).
The Home Office Guidance states that it uses the term ‘client’ for simplicity, regardless of whether there is a commercial contract.
In summary, a patient (service user) could be classed as a person to whom, or to whose subsidiary undertaking, the associate provides services on behalf of the relevant body.
Q - If an NHS employee committed fraud which benefited service users (or patients), and the organisation did not have reasonable procedures in place to prevent fraud, could it be prosecuted?
A - Yes, if an employee committed fraud which benefited service users, and the organisation did not have reasonable procedures in place to prevent fraud, it could risk prosecution. Note that the organisation can be prosecuted even if senior management had no knowledge of the fraud.
The issue of who is intended to benefit from the underlying fraud is key to determining whether a relevant organisation can be held accountable for the offence of failure to prevent fraud.
An organisation does not need to actually receive any benefit for the offence to apply - since the fraud offence can be complete before any gain is received. It is enough that the organisation was intended to be the beneficiary. The same applies if the intention was to benefit the clients to whom the associated person provides services for or on behalf of the relevant organisation.
The intention to benefit the organisation does not have to be the sole or dominant motivation for the fraud. The offence can apply where a fraudster’s primary motivation was to benefit themselves, but where their actions will also benefit the organisation. The same applies if the intention was to benefit the client to whom the associated person provides services for or on behalf of the relevant organisation.
However, the relevant organisation is not liable if the organisation itself is a victim or intended victim of a fraud that was intended to benefit the persons to whom the associated person provides services for or on behalf of the organisation (section 199(3)). This might include service users or patients.
In summary, NHS organisations that meet the ECCTA criteria could be prosecuted for failure to prevent fraud if an associated person commits a fraud intended to benefit the organisation or its service users, and the organisation lacks reasonable procedures to prevent such fraud. Liability does not require actual benefit or management knowledge—only intent. However, NHS bodies are not liable if they are the intended victim of the fraud. To mitigate risk, NHS organisations must implement proportionate, well-documented fraud prevention procedures aligned with statutory guidance and tailored to their operational context.
Q - Can the legislation be applied retrospectively?
A – No
Q – In the ‘Next Steps – How to Comply’ section, what is meant by the action ‘Thinking about whether internal investigation mechanisms need to be updated’?
A - These bullet points need to be considered in the context of ‘Monitoring and review’ (the sixth principle outlined in the Home Office Guidance). We are suggesting that NHS organisations monitor and review their fraud detection and prevention procedures and make improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from their own sector.
It might also be worth noting that these checklists are not exhaustive and have been prepared for advisory purposes only. Organisations are responsible for preparing their own fraud prevention procedures in the context of their particular circumstances and in accordance with ECCTA.
Q – In the ‘Next Steps – How to Comply’ section, what is meant by the action ‘Ensuring that fraud prevention procedures address how the relevant measures will prevent fraud by service provision’?
A - The bullet point that you reference needs to be considered in the context of the other points from the checklists on ‘Proportionate Risk Based Prevention Procedures’ and ‘Fraud Risk Assessment’.
The next steps set out as part of ‘Proportionate Risk Based Procedures’ are about ensuring that an organisation’s procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities.
The point that you highlight refers to ensuring that the ‘associated persons’ identified by the organisation (for example, employees, agents, subsidiaries or other persons ‘who provide services for or on behalf of the organisation’) are considered within the scope of fraud prevention procedures.
It is important to note that these checklists are not exhaustive and have been prepared for advisory purposes only. Organisations are responsible for preparing their own fraud prevention procedures in the context of their particular circumstances and in accordance with ECCTA. Each organisation will need to consider its own position and what fraud prevention procedures it is reasonable for that organisation to have in place. NHS organisations are advised to assess whether fraud prevention measures would be sufficient to prevent each of the fraud risks identified in the risk assessment.
Q - An organisation may be criminally liable when fraud is committed by ‘associated persons’ intending to benefit that organisation. The offence applies not just where the intention is that the relevant organisation benefits directly, but also where the intention is that the organisation benefits indirectly. What is meant by benefits ‘indirectly’?
A – Under section 199 (1) of ECCTA, a relevant body is guilty of an offence if a person associated with the relevant body commits a fraud offence intending to benefit (whether directly or indirectly) the relevant body or any person to whom the associated person provides services on behalf of the relevant body.
The Home Office guidance gives three examples of indirect benefit, one at paragraph 2.3 of the guidance and two in the ‘Examples’ section at 2.8. These are possible examples of a benefit which is not the immediate result of the fraud but is a consequence of the fraud having been committed.
Q - For the offence to be proven, would it be necessary to establish whether the primary intent of the ‘associated person’ committing the underlying/base offence was to benefit the organisation, not the individual? What if the benefit to the organisation was an ‘unintended’ consequence of their actions?
A - As stated above, the intention to benefit the organisation does not have to be the sole, or dominant motivation, for the fraud. The offence can apply where a fraudster’s primary motivation was to benefit themselves but where their actions will also benefit the organisation.
The Home Office guidance gives the circumstance of a salesperson mis-selling to increase sales and therefore their commission. The intention is to increase sales for the relevant body and thereby to increase commission to the salesperson. The benefit to the relevant body is not the primary motivation but it is the natural requirement or consequence of achieving another benefit.
Q - Does the ‘benefit’ have to benefit the organisation ‘as a whole’? What if it only benefits a ward, or a department, or a function, or one set of performance measures – is that sufficient to trigger the offence?
A - The benefit to the relevant body is just that, a benefit; there is no further qualification beyond it being direct or indirect. Accordingly, the benefit can be large or small and apply to a particular portion of the relevant body.
Q - If the requirements are being updated then will the Counter Fraud Functional Standard Return (CFFSR) be changed for next year?
A - Yes. The functional standard return changes whenever we make changes to the requirements, as the text is in the functional standard return. This last happened for the 24-25 functional standard return issue.
Q - How and what does assurance look like for the thousands of suppliers in the NHS?
A - We do not deal with thousands of suppliers. Under the terms of the NHS Standard Contract, NHSCFA requirements must be complied with by organisations who have signed up to the NHS Standard Contract to deliver services and who also have a provider licence (previously known as a Monitor licence). That means that the smaller organisations, whether NHS or not, must have regard to NHSCFA requirements but are not obliged to comply with those requirements. They do not, for example, send in functional standard returns. So, while they will need to comply with the legislation, they will not need to report to us that they have done so, although they may report to others.
Q - If we are already compliant with the NHS requirements then are we compliant with what is required for the new legislation, or will the requirements be amended/updated to reflect the new legislation?
A - The requirements will be updated to reflect the new legislation. All organisations are responsible for ensuring that they are compliant with their legal obligations pursuant to ECCTA or otherwise.
Q - You mentioned in your presentation that the CFA are consistently identifying new modus operandi and risks of fraud. Please can you outline how this is currently/or going to be communicated to the CFS community as these new risks would directly link to our FRAs and assist in preventing organisations being victim of fraud?
A - We identify emerging fraud risks and modus operandi through our system weakness reporting function. Historically, reporting levels were low, and fraud prevention notices were issued on a case-by-case basis. In recent years, we have strengthened this function by aligning it with the Fraud Investigation Model’s (FIM) four prevention questions and encouraging a cultural shift towards timely and accurate reporting, so that prevention and disruption can be considered earlier in the investigative process.
Frequent and accurate reporting of system weaknesses enhances our ability to produce meaningful prevention intelligence. We have been exploring ways to share this intelligence with the sector. One way is the development of a regularly updated space on our extranet, where we will publish identified trends in control failures and vulnerabilities, along with relevant prevention advice. This is currently in development and more information will be available via the extranet shortly.
To support consistent and effective reporting, we have produced a video resource demonstrating how to record a system weakness on the NHS Fraud Case Management System, Clue. This video also explains the recent integration of the FIM’s four prevention questions, introduced in April 2025. You can find it on the ‘how to report a system weakness’ guidance page of the Counter Fraud Manual.
Q - Given that the ICB includes Clinical professionals, can you advise on the impact to primary care and how this could be reflected in the context of the Guidance, particularly as GPs are independent providers.
A - Given the large range of legal structures for organisations in the health sector, we cannot provide details on exactly how the criteria apply in each case.
Where an entity is a body corporate or partnership and where they meet the criteria for a ‘large organisation’, they will be within the scope of the failure to prevent fraud offence.
GPs are independent contractors within the NHS. They have contractual agreements with the NHS which outline the services they must provide. It is the responsibility of the individual organisation to determine whether any party with which it has a relationship is an ‘associated person’ for the purposes of the offence. Independent contractors may fall within scope of the ECCTA as an ‘associated’ person. In these circumstances, they may also be subject to contractual or other requirements imposed by the ‘large’ organisation in respect of the offence of failure to prevent fraud.
Organisations will need to use the ECCTA legislation and the Home Office Guidance to identify whether they fall within scope of the act. Where an organisation is in doubt as to whether it is in scope of the act, it should take legal advice.
Q - Roles and Responsibilities: Could we clarify the accountability structure within the ICB in relation to FTPFO? For example:
- Board level CFO
- Counter Fraud Champion
- Role of the Audit Committee
A - We would recommend referring to the ‘Next steps – How to comply’ section of the guidance as this sets out the actions and next steps that organisations might take when preparing for the offence. This includes the role of senior management (see ‘Top level commitment’).
Please also refer to the six principles identified in the Home Office Guidance, which are reflected in the NHSCFA Requirements, which in turn derive from the Government Functional Standard Gov 013 for counter fraud.
Q – Please can you be more explicit about the timeframe for the next steps?
A - The failure to prevent fraud offence came into effect on 01 Sept 2025 and organisations should have considered any steps required by that date. This includes reviewing their fraud prevention approach and assessing whether it meets the scope of ECCTA. Organisations can use NHSCFA’s resources to build their organisation’s response.
Q - Do regular internal audits of finance systems cover some of the requirement of an LPE as they would be reporting on controls and systems access, or would it need to be done separately?
A - Absolutely. Fraud prevention work is all about collaboration and our ‘Guidance for planning, designing, and conducting Local Proactive Exercises’ (in the Counter Fraud Manual), explores many different ways in which an LPE calls upon different teams to contribute.
Counter fraud professionals should maintain close links with key NHS departments (such as finance, procurement, human resources and internal audit) and provide expertise to develop and implement high-quality, professional prevention activities.
LPE work should be informed by internal and external audit reports. Informing your proactive approach with the work of audit ensures a fuller understanding with minimal duplication. In some instances, your LPE and an internal audit may cross over in the testing of internal controls within specific fraud risk areas; therefore, it may prove beneficial to agree a joint work plan.
Q - How often should our organisation update the FRA to remain compliant?
A - In line with GCFP standards and best practice, the FRA should be reviewed at least annually or sooner if there are significant organisational changes, new fraud risks emerge, or an incident or audit highlights weaknesses.
Q - Who owns the fraud risk in an NHS organisation?
A - While Local Counter Fraud Specialists (LCFS) facilitate the FRA, fraud risk is owned by the organisation. It requires input and support from senior leadership, service leads, operational teams such as finance, HR, procurement teams, risk management & internal audit. Ultimate accountability rests with the Board or senior executives.
Q - How does the FRA link with other risk management frameworks in NHS organisations?
A - The FRA shouldn’t be a standalone exercise. It should be embedded into the organisation’s risk and governance structures, feeding into the corporate risk register, and aligning with internal audit, governance, and assurance processes to avoid duplication and ensure cohesive risk oversight.
Q - Are there any recent best practices you can share, given limited updated guidance over the last few years?
A - Yes. From our engagement with the counter fraud community including NHS organisations, and central government, we’ve developed updated guidance and templates aligned to NHS and Government Counter Fraud Profession (GCFP) standards. These will be available to download following the Failure to Prevent webinar.
Q - Will the NHSCFA’s list of 120+ fraud risks be updated, particularly to reflect ICBs?
A - Yes, we plan to review and refresh the descriptors in due course. However, fraud risk assessments should be proactively developed by each organisation using their own local intelligence. Centrally maintained lists are intended to be a reference, not a substitute for local risk identification. Local information streams such as reported allegations, system weaknesses, audits, and quarterly threat updates should feed into your FRA. Risks should also reflect the organisation’s own fraud risk appetite and tolerance.
Q - Will there be training or webinars on how to complete fraud risk assessments (FRAs)?
A - Yes, this is a key priority for us this financial year and will continue going forward. Following the release of the updated guidance and templates, we’ll be hosting a Failure to Prevent specific drop-in session that will also cover how the FRA process supports FTPFO. We’re also planning a series of FRA workshops in Q3 and Q4 of financial year 2025 – 2026, to:
- Refresh understanding of NHS/GCFP standards
- Cover the fraud risk management cycle
- Share practical and practitioner-led approaches to completing FRAs
Q - Many LCFSs don’t have a risk management background. How can FRA reviews be kept manageable?
A - FRA updates should be proportionate and risk-based. They should be reviewed annually or sooner if needed, but that doesn’t mean every risk must be fully reassessed each year. The updated FRA template includes a management decision field to help guide review frequency. For example:
- If a risk is marked for ‘Treatment,’ it should be reviewed after the intervention
- If a risk is ‘Tolerated,’ it may not require annual review unless something changes
Any decisions around review frequency should align with your organisation’s risk management policies. FRA responsibility shouldn't sit solely with the LCFS; fraud risk management is a shared responsibility and must be built into the organisation’s wider governance framework. Best practice shows that a range of skill sets are needed, and our updated guidance outlines who should be involved in each of the five stages of the FRA process, based on the GCFP standards. This reflects a shift in thinking: while responsibility is shared, ownership must be clear. Fraud is now widely recognised as a strategic risk, not just a counter fraud issue, and that narrative is increasingly being embedded across NHS trusts.
Q - Are you planning to host an FRA session for Fraud Champions and DoFs to set out the importance of properly resourcing fraud risk assessment and response work?
A - Yes. We are planning to include this topic in our Q3/Q4 workshops, where we will highlight the critical importance of adequately resourcing fraud risk assessment and response activities. These sessions will be tailored for Fraud Champions, Directors of Finance, and other key stakeholders. We strongly encourage all those involved in Fraud Risk Management to attend, as the workshops will provide practical insights, shared insights, and strategic guidance on building effective, well supported fraud controls.
Q - Are you planning to update the fraud risk descriptors to align with Ambulance Trusts?
A - Yes, we do plan to review our existing fraud risk descriptors, including considering how they might be better tailored to specific sectors. However, we strongly encourage organisations to apply critical thinking at a local level to adapt and develop fraud risks that are truly reflective of their unique operational environment. While national descriptors provide a useful starting point, they are most effective when interpreted in the context of your Trust’s specific services, systems, and vulnerabilities. This local tailoring is key to ensuring that fraud risks are meaningful, relevant, and actionable.
Q - Will the fraud risk descriptors be updated to reflect where the organisation might also be benefiting from the fraud under the Failure to Prevent Fraud Offence liability?
A - Yes, the fraud risk descriptors are being reviewed and will be updated to reflect evolving requirements, including consideration under the Failure to Prevent Fraud Offence. Currently, the fraud risk taxonomy register is aligned with categorising risks by crime type. However, going forward the fraud risk register will be redesigned to align more closely with funding streams and areas of operational exposure. This shift will better highlight where an organisation may be at risk of benefitting from fraud, whether knowingly or unknowingly, which is central to the new corporate liability offence. By aligning fraud risks with funding rather than crime type, we can support a more strategic allocation of resources and ensure a more targeted, risk-based approach to prevention and response.
Q - Can you elaborate on what the Q3/Q4 2025 - 2026 FRA sessions will be based on?
A - The FRA sessions will take a practical, hands-on approach aimed at helping practitioners compile effective and compliant fraud risk assessments aligned with GCFP and NHS standards. We’ll be using the updated FRA template that we’re providing to walk you through, step by step, how to complete a meaningful assessment that’s tailored to your organisation. The sessions will include guidance on who to speak to, when to engage them, and how to gather the right information. We’ll also cover how to apply the scoring criteria aligned to GCFP and share real examples of how other trusts have integrated these assessments into their wider risk management process. You’ll see what ‘good’ looks like and hear practical tips and tricks to overcome common challenges. These sessions are designed to be much more than a presentation; they’re an opportunity to learn by doing. If you’re involved in FRAs in any way, we strongly encourage you to attend.
Q - Do you think this is ‘late in the day’ to provide, given the implementation date of September 2025?
A - We understand the concern around timing, particularly given the scale of work involved in developing robust FRAs and the time required for internal policy ratification. However, it’s important to note that fraud risk assessment should already be embedded within your organisation’s risk management framework as part of standard good practice and compliance with existing NHS Counter Fraud Standards. What we are doing now is providing updated guidance and a new template to support you in refining and aligning your existing FRA work with the requirement of GCFP and the new corporate offence under the Failure to Prevent legislation. This is not about starting from scratch but rather enhancing existing processes to meet evolving expectations. Our aim is to help organisations take a practical, structured approach to FRA implementation by offering tools, examples, and hands-on support through our upcoming sessions, so you can move forward confidently and compliantly.
Q – In relation to the ‘Next Steps – How to Comply’ action ‘Checking what anti-fraud procedures are currently in place and assessing whether they are sufficient to counter the risks identified in the risk assessment’, is this referring to a risk assessment for the FTPFO, or is it in relation to an overarching assessment of all counter fraud risks at the organisation?
A - The guidance specifically relates to fraud risks that are impacted by the FTPFO legislation. That said, a robust assurance programme is also a requirement under Government standards, so this would be a good opportunity to review and provide assurance that proportionate counter fraud procedures are in place.
Q - Either way, who is this task aimed at? Who will decide whether the counter fraud work taking place at an organisation is sufficient to counter the risks identified?
A - This task is aimed at the organisation in general. The respective SRO or accountable Board member will need to be assured that the fraud risks have a proportionate response plan in place. The fraud risk management decision, whether it be treated, tolerated, terminated or transferred, should be recorded with a rationale captured on why the decision was made.
Q - Has NHSCFA sought any legal advice in respect of the definition of senior manager (under ECCTA s196) and who within NHS management could be classed as senior managers?
A - We included a section within our guidance on the ‘Identification doctrine’ (see section on The Economic Crime and Corporate Transparency Act 2023) and this includes a general definition of senior manager. It is the responsibility of the organisation to determine whether senior managers fall within this definition for the purposes of this offence.
We were also advised to add a point in the ‘next steps’ section asking NHS organisations to consider the changes made to the ‘Identification doctrine’ under ECCTA and to consider whether current RAs cover senior manager risk.
We would like to develop this section further and will let you know once this part of the guidance has been updated. We note that Section 196 is relevant to an offence committed by a body corporate and specifies where the body corporate may be guilty of an offence committed by a ‘senior manager’.
Q – Responsibility for counter fraud activities in relation to delegated primary care services largely sits with the NHS England Counter Fraud Team. Where does responsibility for failure to prevent fraud sit in relation to delegated primary care services?
A (answer provided by NHS England) - NHS England retains the accountability for primary care services, with ICBs being delegated to manage these services on behalf of NHS England.
The interaction and division of responsibilities between the counter fraud functions of ICBs and NHS England are described in the ICB counter fraud statutory guidance.
NHS England undertakes activities which contribute to reasonable fraud prevention procedures. These include:
- investigations relating to primary care services delegated to ICBs,
- Fraud Risk Assessments (FRA) in relation to primary care services which have been nationally agreed. These FRAs include national level information, including the work of NHSBSA, they do not include the individual processes of each ICB, and
However, ICBs would need to ensure they have reasonable fraud prevention procedures in place to govern the activity undertaken by the ICB and its staff. For example:
- Top level commitment within the ICB
- Risk assessment of local ICB arrangements relating to the management of primary care services.
- Due diligence in relation to contract management activity undertaken by the ICB
- Communication (including training) of ICB staff
- Monitoring and review of ICB processes