Failure to prevent fraud, a new offense under a 2023 UK economic crime law, casts a wide net that’s expected to fall well outside the nation’s borders, extending to companies in the US and elsewhere. Simon Airey and Andrew Butel of McDermott, Will & Schulte explore what types of organizations are covered and why corporate reporting structures that don’t enable direct access between compliance and the board could spell trouble.
Passed as part of the UK Economic Crime & Corporate Transparency Act (ECCTA), failure to prevent fraud (FTP fraud), a new strict liability corporate offense, came into force in the UK at the beginning of September.
US companies with relevant links to the UK can now be prosecuted if they fail to prevent their “associated persons” — a classification that includes employees, subsidiaries, agents and anyone else who performs services for or on behalf of the company — from committing a wide range of economic crimes. Whether a given person is an associated person is a fact-sensitive test to be determined by reference to all relevant circumstances.
The only defense is for a company to prove that it had implemented reasonable procedures to prevent its associated persons committing fraud. The UK government has published 44 pages of detailed guidance as to what might constitute reasonable procedures.
Here, we explain the relevance of the FTP fraud offense to US companies and provide practical suggestions on three key aspects of reasonable procedures that illustrate how existing corporate compliance programs will require updating to effectively mitigate risk under the new offense.
Application & jurisdiction
The FTP fraud offense applies to all companies, wherever they are incorporated, that meet the “large organization” test in ECCTA. A company is considered a large organization if it satisfies two out of three criteria, assessed in aggregate across its corporate group:
- More than 250 employees
- More than £36 million turnover
- More than £18 million in total assets
Applying the test can be complex in practice, as it requires the application of multiple UK company law provisions — for example, on the definition of “turnover” and identifying which entities fall within the relevant corporate group. Accordingly, the government guidance cautions that companies “should take professional legal advice” on the application of the large organization test.
Where a company does meet the test, the FTP fraud offense can capture the conduct of its associated persons anywhere in the world. The jurisdictional requirement is that the associated person must commit one of the relevant fraud offenses under UK law (more on that below).
In practice, this means there must be a UK nexus: either (i) any of the acts or omissions forming part of the underlying fraud took place in the UK (e.g., through an agent engaging with the UK market); or (ii) gain or loss from the fraud occurred in the UK (e.g., there were UK-based victims).
There are many ways in which a UK nexus might arise in the context of multinational business. However, when potential wrongdoing first comes to light, it may not be clear whether there is, in fact, a UK nexus — for example, an internal whistleblowing report may be based only on relatively limited or incomplete information available to the reporter. In many cases, resolving the key question of UK nexus will require further investigation and careful legal analysis.
Another key aspect of the offense is that, depending on the facts, liability can arise for a US parent company and/or its non-US subsidiaries. Broadly, liability can arise because of conduct at subsidiary level in the following cases:
- A parent company can be liable where a fraud is committed corporately by a subsidiary or by an employee of the subsidiary, in either case with the intention to benefit the parent.
- The subsidiary itself may be liable where: (i) an employee of the subsidiary (even where the subsidiary is not itself a large organization) commits a fraud that is intended to benefit the subsidiary; or (ii) the subsidiary is a large organization in its own right, in which case it is exposed to the full range of potential liability for the actions of its own associated persons.
The overall effect is that the FTP fraud offense casts a very wide net across corporate groups. This is surely no accident, otherwise there would be a perverse incentive for (less scrupulous) companies to structure around the legislation. In practical terms, it would appear risky (or impractical) for a multinational to take a siloed, jurisdiction-specific approach in response. As discussed below in relation to reasonable procedures, a tailored approach effectively embedded in a company-wide compliance program is required.
‘Fraud’ offenses
The relevant “fraud” offenses are listed in Schedule 13 of the ECCTA and collectively capture a wide range of conduct that generally involves some form of manipulation, deception, concealment or other dishonesty. The focus is on fraud that impacts external parties (in other words, outward-facing fraud) rather than frauds against the company (such as fictitious expense claims or issues arising from employee conflicts of interest).
This may encompass behavior like providing misleading information to third parties (e.g., auditors, bankers, customers, insurers, investors, joint venture partners and regulators), making inaccurate statements in market disclosures (including greenwashing), “channel stuffing” and other revenue-recognition issues, failing to provision correctly, falsifying invoices and other accounting records and making false statements or declarations to tax or customs authorities.
These are behaviors that occur frequently in many corporate situations, but UK authorities previously lacked the tools to target companies (unless the board was involved). In a seismic change to the scope of UK corporate criminal liability, the FTP fraud offense means that is no longer the case.
Reasonable procedures
As noted above, the government has published guidance on reasonable procedures, and that guidance advises that reasonable fraud-prevention procedures should be informed by six key principles. These principles are familiar from previous UK guidance in relation to similar offenses under the UK Bribery Act 2010 (failure to prevent bribery) and the Criminal Finances Act 2017 (failure to prevent the criminal facilitation of tax evasion). There is also some overlap with the principles underpinning the DOJ’s “Evaluation of Corporate Compliance Programs” guidance (ECCP). At a high level, the UK guidance and the DOJ’s ECCP share the view that effective compliance depends on proportionate, risk-based controls driven by strong leadership, embedded culture, clear communication and continuous review.
The six principles in the government guidance are:
- Top-level (board) engagement: The board and senior management communicate and demonstrate their commitment to rejecting fraud and fostering a culture of compliance.
- Risk assessment: The company assesses the nature and extent of its exposure to fraud committed by its associated persons.
- Proportionate procedures: Policies and procedures are tailored to the output of the risk assessment and to the nature and complexity of the organization’s activities.
- Due diligence: Third-party due diligence procedures appropriately address the risk of third parties engaging in fraud intended to benefit the company.
- Communication (including training and whistleblowing): Policies and procedures are known about, understood and embedded throughout the company, and employees know how to raise concerns.
- Monitoring and review: Measures to detect attempted fraud, conduct investigations and review the effectiveness of fraud-prevention controls.
Despite the relative familiarity of the principles, it is clear from the government guidance that simply rebadging existing work product will not pass muster. The breadth and complexity inherent in the FTP fraud offense means that reasonable fraud-prevention procedures should be designed and implemented from the ground up, necessarily based on an understanding of English law principles and the expectations of the UK authorities. It may be appropriate to leverage existing controls as part of this exercise, but it should not be assumed that they will, without expansion or update, appropriately address the full spectrum of risk for FTP fraud purposes.
Three key examples of this theme relate to risk assessments, investigations and top-level (board) engagement; we explore these further below:
Risk assessment
An FTP fraud-specific risk assessment is a vital foundation of reasonable procedures. Fraud-prevention policies and procedures should be tailored to the output of the risk assessment. To that end, the government guidance states that “it will rarely be considered reasonable not to have even conducted a risk assessment.”
Further, the risk assessment should be documented and kept under review. While the frequency of review is ultimately for the company, the guidance notes that risk assessments are “typically conducted at consistent intervals (annually or bi-annually).” Companies should also be alert to factors that may trigger the need for an earlier review (e.g., entering higher-risk jurisdictions or enforcement activity against other organizations). A practical way of addressing this would be to ensure that FTP fraud considerations are incorporated into any regular horizon-scanning exercises conducted by legal, compliance or risk functions. Ultimately, if a company has not reviewed its risk assessment, there is a risk that it is deemed not fit for purpose.
Of course, companies may already undertake risk assessments relating to fraud and economic crime more generally. In such cases, they should extend those existing risk assessments to include the risks of fraud in the scope of the FTP fraud offense (see our discussion of fraud offenses above). An example applicable to US-listed companies would be risk assessments undertaken for the purpose of Sarbanes-Oxley compliance (SOX). The guidance explicitly cautions that such existing risk assessments “may not include all the fraud risks relevant to the offense of failure to prevent fraud.”
Accordingly, companies should carefully map any existing risk assessments against the full spectrum of FTP fraud risk. This may include, for example, considering whether previous risk assessments addressed: (i) the wide range of conduct that can be captured by the specified fraud offenses (noting, in particular, the focus on outward-facing fraud rather than fraud against the company); and (ii) the expansive scenarios in which liability can arise because of conduct at subsidiary level.
As to how companies may conduct a risk assessment, the government guidance suggests that they may begin by identifying typologies of associated persons, based on, for example, the nature of their role, where they perform it and the types of external parties they interact with. The exercise would then consider the risks of individuals in each typology attempting an in-scope fraud offense (bearing in mind the jurisdictional reach of the FTP fraud offense). To be most effective, this process may require input from multiple functions, including, for example, legal, compliance, HR, internal audit and the wider business.
It may be helpful to classify each identified risk based on its likelihood and impact, with a description of the rationale for the classification.
Companies should then ensure that they effectively implement proportionate policies and procedures in relation to each risk identified. Depending on the company’s existing control framework, this may involve introducing new measures and/or leveraging existing measures. The government guidance explicitly cautions that any decision not to implement procedures in relation to a specific risk should be documented, including the name and position of the person authorizing that decision.
The methodology for conducting a safe and reliable risk assessment is crucial to avoid certain common pitfalls, including around privilege risk. For example, when drafting a written risk assessment, it is important to avoid inadvertently creating a disclosable road map to key issues or describing matters or making recommendations in a way that unnecessarily highlights potential problems or weaknesses.
Investigations
The government guidance recognizes the importance of investigating and, as appropriate, remediating and learning from, allegations of fraud. In this respect, it states that investigations should be independent, appropriately “resourced, empowered and scoped (including through legal advice) and legally compliant” and notes that useful sources of information include the “Global Practitioners’ Guide to Investigations.”
While companies may well have procedures for investigating potential wrongdoing, careful thought should be given to whether they are appropriately calibrated for FTP fraud purposes. The risk in failing to do so is that the company does not respond properly, or quickly enough, to effectively protect its position when facing corporate-level risk under the new offense.
Practical steps to consider in this respect include:
- Bespoke training for those who receive and triage whistleblowing reports, so that they can identify and quickly escalate any reports containing red flags for the FTP fraud offense.
- Updating policies and procedures to accommodate the new offense. This should ensure, for example, that reports are appropriately categorized so that accurate management information can be compiled and fed into those with responsibility for the organization’s anti-fraud controls (ultimately, the board and senior management). This may involve updating tagging criteria to reflect the broader concept of fraud relevant to the FTP fraud offense.
- Guidance for internal investigation teams on technical aspects of the FTP fraud offense that have a major impact on potential corporate (and individual) liability. This includes the legal questions of whether there is a UK nexus and whether any fraud was committed with the intention to benefit the company.
Top-level (board) engagement
The government guidance makes clear that fraud prevention is ultimately a matter of corporate governance. It places responsibility squarely on boards and senior leadership to set the tone; they must allocate meaningful resources and embed anti-fraud values in decision-making, not merely pay lip service through broad statements or rhetoric.
While the government guidance recognizes that senior-level involvement may manifest in different ways depending on the size and structure of a company, the message is clear that reasonable procedures require active, demonstrable steps from the very top. Four key themes in that respect are:
- Communicating and endorsing the organization’s anti-fraud stance: For example, articulating the positive business benefits of rejecting fraud (and accepting the possibility of short-term business loss or delays); endorsing the company’s relevant policies; and spelling out the consequences of breaching those policies. This may include publicizing anonymized case studies where disciplinary action has been taken after allegations have been investigated and substantiated.
- Ensuring clear governance in relation to the fraud prevention framework: While overall responsibility rests with the board, the detailed design and implementation of fraud-prevention measures, horizon-scanning, whistleblowing and investigations may be delegated to a head of compliance (or similar) who is already responsible for financial crime compliance. Notably, the guidance suggests that this person should have a direct line of access to the board (e.g., the audit committee) and/or the CEO as necessary, regardless of their day-to-day reporting line.
- Commitment to training and resourcing: Leadership should commit to allocating reasonable and proportionate resourcing for fraud prevention measures, including training, over the long term. The government guidance emphasizes that resourcing considerations should encompass not only personnel costs but also funding for technology.
- Leading by example, including fostering a culture where staff feel able to speak up: In essence, senior leaders must demonstrate their personal commitment to fraud prevention. This may involve proactively challenging fraud-rationalization arguments (e.g., the suggestion that fraud is a “victimless” crime, that “everyone does it” or that it is somehow immaterial) in leadership meetings, informal employee sessions or in writing (such as in the company’s code of conduct and related policies).
Conclusion
Companies should be cautious about depending on existing policies and procedures designed for different purposes. Properly understood, FTP fraud is an offense that is kaleidoscopic in nature and is likely to require a bespoke solution that builds on, but does not rely on, existing control frameworks.
Simon Airey
Andrew Butel