The failure to prevent fraud offence

This section summarises the failure to prevent fraud offence and when it applies. The offence of failure to prevent fraud comes into effect on Monday 1 September 2025.

Note: This guidance is advisory only. The guidance is not a substitute for reading the legislation or obtaining professional legal advice where appropriate or necessary.

Statutory guidance in relation to fraud prevention procedures is published by the Home Office on GOV.UK as ‘Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (accessible version)’. All organisations should review the Home Office Guidance when establishing and reviewing their fraud prevention procedures.

See Section 1.4 of the Home Office Guidance for any conflict between alternative sources of guidance.

Background and aim of the legislation

The Economic Crime and Corporate Transparency Act 2023, section 199 created a new corporate criminal offence of ‘failure to prevent fraud’.

Under the legislation, an organisation will be criminally liable where:

  • a fraud offence is committed by an employee, agent or other ‘associated’ person, with the intention of deriving a benefit for the organisation or a related body; and
  • the organisation did not have ‘reasonable’ fraud prevention procedures in place

It does not need to be shown that company managers ordered or knew about the fraud.

The offence applies to all large incorporated bodies and partnerships, including:

  • large not-for-profit organisations such as charities if they are incorporated; and
  • incorporated public bodies

In the event of prosecution, an organisation would have to demonstrate to the court that it had reasonable fraud prevention measures in place at the time that the fraud was committed.

The offence sits alongside existing law; for example, the person who committed the fraud may be prosecuted individually for that fraud, while the organisation may be prosecuted for failing to prevent it. The fraud committed must be one of the fraud offences identified in the Act (at Schedule 13).

The offence will make it easier to hold organisations to account for fraud committed by employees, or other associated persons, which may benefit the organisation, or, in certain circumstances, their clients. The offence will also encourage more organisations to implement or improve prevention procedures, driving a major shift in corporate culture to help prevent fraud.

The offence will come into effect on the 1st September 2025.

The Home Office guidance to organisations on the offence of failure to prevent fraud summarises the offence and when it applies. Organisations should refer to this guidance for an overview of the offence together with the Economic Crime and Corporate Transparency Act 2023 legislation.

It is important to note that both the Home Office guidance and this guidance are advisory only and that organisations might need to take legal advice on how the offence affects them.

Which organisations are in scope?

The offence applies to large bodies corporate and partnerships, irrespective of the sectors of the economy in which they operate. A ‘body corporate’ is an entity that has been incorporated by statute (for example the Companies Acts or the National Health Service Act 2006), or by a specific statutory order (as is the case for NHS Trusts) or by Royal Charter.

What is meant by ‘bodies corporate and partnerships’?

In the context of the NHS, the following is a non-exhaustive list of entities that are bodies corporate and which will be in scope for the offence provided they also qualify as ‘large organisations’ as referred to below:

  • NHS Foundation Trusts [Section 30 NHS Act 2006 30(1) ‘an NHS foundation trust is a public benefit corporation’; 30(2) ‘a public benefit corporation is a body corporate’];
  • NHS Trusts [Established by the Secretary of State by order pursuant to Section 25 of the NHS Act 2006; Paragraph 1 of Schedule 4 of the NHS Act 2006 ‘Each NHS trust is a body corporate’];
  • Integrated Care Boards [Established by the Integrated Care Board (Establishment) Order 2022 by NHS England pursuant to Section 14Z25 of the NHS Act 2006 – constitutions published in accordance with Schedule 1B paragraph 17 ‘An integrated care board is a body corporate’].

Bodies corporate and partnerships are in scope for the offence wherever they were incorporated or formed (including if they were formed outside the UK). [Section 199(13) of ECCTA ‘relevant body’ means a body corporate or a partnership (wherever incorporated or formed)].

What is meant by ‘large organisations’?

In order to be criminally liable for the offence, the relevant body corporate or partnership must be a ‘large organisation’. This is defined in Section 201 of ECCTA in relation to individual entities and in Section 202 in relation to organisations comprising groups of entities. In each case the organisation must meet two or more of the following criteria:

  • more than 250 employees
  • more than £36 million turnover
  • more than £18 million in total assets

These conditions apply to the financial year of the organisation that precedes the year of the base fraud offence, where the base fraud offence is the offence committed by an associate of the organisation which the organisation failed to prevent.

As noted by Section 202, these criteria apply to the organisation itself and also, where the organisation is part of a group, to the whole group, including subsidiaries, regardless of where the organisation is headquartered or where its subsidiaries are located (see section on Associates of a large organisation). In the case of a group, the criteria are applied in aggregate across the group.

The definition of a group is given by reference to the definitions of parent undertakings and subsidiary undertakings in the Companies Act 2006 section 1162.

The definitions are broadly stated to catch a range of different entities which may have been established as a subsidiary of the parent.

An undertaking is a parent undertaking in relation to another undertaking, a subsidiary undertaking, if it:

  • holds a majority of the voting rights in the undertaking;
  • is a member of the undertaking with the right to appoint or remove a majority of the board of directors; or
  • has control of the entity by way of a contract or by way of an agreement with the other members.

Turnover is calculated as follows:

  • ‘turnover’ means the amount derived from the provision of goods and services, after deduction of a) trade discounts b) value added tax and c) any other taxes based on the amounts so derived
  • where the organisation is part of a group, turnover will be calculated in aggregate for all members of that group.

Where an entity is a body corporate or a partnership (see What is meant by ‘bodies corporate and partnerships’ above) and where they meet the criteria (alone or as part of a group) for a ‘large organisation’ they will be within the scope of the offence of failure to prevent fraud. Given the large range of legal structures for organisations in the health sector, this guidance cannot provide details on exactly how the criteria apply to each case.

Organisations will need to determine whether they are a body corporate and whether they fall into the definition of a ‘large organisation’ (alone or taking into account any group entities) as set out in sections 201-202 of the ECCTA.

How is the offence committed?

The offence of failing to prevent fraud will be committed:

  1. by a large body corporate where:
    1. a person associated with it (an employee, an agent or a subsidiary of the relevant body) commits a specified fraud offence; and
    2. the person committing the offence did so with the intention of benefitting the relevant body either directly or indirectly; or
    3. the person committing the offence did so with the intention of benefitting any entity which the person provides services to on behalf of the relevant body. [Section 199(1)]
  2. by a body corporate (not being a large organisation) where:
    1. a specified fraud offence is committed by an associate with the intention of benefitting that body (directly or indirectly);
    2. the offence is committed at a time when the relevant body is a subsidiary of a body which is a large organisation. [Section 199(2)]

Who is an ‘associate’?

As noted above, the relevant fraud offence will be committed by a person ‘associated’ with the relevant body. An associated person is an employee, an agent or a subsidiary of the relevant body. It can also be a party who is performing services for or on behalf of the relevant body. The Home Office guidance at section 2.3 states that this does not include a body providing services ‘to’ the relevant body. This would suggest that it applies to subcontractors rather than suppliers. Where there is any concern as to whether a party is an associate of a relevant body on the basis that it supplies services for or on behalf of the relevant body, legal advice might be taken on the construction of the arrangement for service provision.

What is meant by ‘intending to benefit’?

Section 2.4 of the Home Office guidance describes how intention to benefit from the underlying fraud is key to determining whether a relevant organisation can be held accountable for the offence of failure to prevent fraud.

An organisation does not need to actually receive any benefit for the offence to apply - since the fraud offence can be complete before any gain is received. It is enough that the organisation was intended to be the beneficiary. The same applies if the intention was to benefit the clients to whom the associated person provides services for or on behalf of the relevant organisation.

The intention to benefit the organisation does not have to be the sole, or dominant motivation, for the fraud. The offence can apply where a fraudster’s primary motivation was to benefit themselves, but where their actions will also benefit the organisation. The same applies if the intention was to benefit the client to whom the associated person provides services for or on behalf of the relevant organisation.

The benefit may be financial or non-financial.

What if the relevant body is the victim of the fraud?

ECCTA, section 199 (3) states that the relevant body is not guilty of an offence under subsection (1)(b) if the body itself was, or was intended to be, a victim of the fraud offence.

Whilst ‘victim’ is not defined in ECCTA, according to the Home Office guidance this defence would apply if the loss caused, or intended to be caused, by the fraud would be borne by the organisation, or the fraud was committed with intent to harm the organisation.

Offences in scope

The offence of failure to prevent fraud applies to a number of specific fraud offences, which are listed in Schedule 13 of the ECCTA. Aiding, abetting, counselling, or procuring the commission of any of the listed offences would also qualify as a fraud offence under ECCTA section 199(6)(b).

The offence list can be updated through secondary legislation in future, although any new offences added would be limited to economic crime.

Offence list for England and Wales

  • Fraud offences under section 1 of the Fraud Act 2006 including:
    • Fraud by false representation (section 2 Fraud Act 2006)
    • Fraud by failing to disclose information (section 3 Fraud Act 2006)
    • Fraud by abuse of position (section 4 Fraud Act 2006)
  • Participation in a fraudulent business (section 9, Fraud Act 2006)
  • Obtaining services dishonestly (section 11 Fraud Act 2006)
  • Cheating the public revenue (common law)
  • False accounting (section 17 Theft Act 1968)
  • False statements by company directors (section 19 Theft Act 1968)
  • Fraudulent trading (section 993 Companies Act 2006)

These offences are referred to by the Home Office as ‘base fraud offences’.

Relevant organisations can be prosecuted if the associated person’s conduct constitutes a base fraud offence, even if the associated person is prosecuted for an alternative offence or is not prosecuted at all. If the associated person has been convicted of the base fraud offence, this can be used as evidence in proceedings against the organisation for failure to prevent fraud.

However, if the associated person is not prosecuted, then the prosecution must prove, to a criminal standard, that the associated person did commit the base fraud offence before the organisation can be convicted of failure to prevent fraud.

Money laundering offences are not included because relevant organisations are already required by law to have anti-money laundering procedures in place and be regulated by the Financial Conduct Authority, which can order large fines against entities that fail to do so.

Will the offence apply across the UK?

The offence will apply across the UK with equivalent offences in Scotland and Northern Ireland included in the base offence list, with a power for the relevant minister in Scotland or Northern Ireland to amend the list with regards to offences they are responsible for (devolved offences).

Summary of the offence

The Home Office guidance at Annex 1 provides a useful summary table showing how the offence of failure to prevent fraud can be committed in a number of different ways. The table sets out each scenario in terms of who commits the base fraud, who is intended to benefit, and who could be prosecuted for failure to prevent the base fraud.
