02.09.2025

Overview

The corporate offence of Failure to Prevent Fraud (FtPF) in the Economic Crime and Corporate Transparency Act 2023 creates criminal liability for in-scope organisations where an “associated person” (employees, agents, subsidiaries or others acting for or on behalf of the firm) commits a “specified fraud offence” intending to benefit the firm or its customers. The firm has a defence if it can demonstrate, on the balance of probabilities, that it had reasonable prevention procedures in place at the time or that it was not reasonable in all the circumstances to have any procedures. The offence comes into force on 1 September 2025.

This reform sits alongside wider changes to corporate criminal liability introduced by the Act, including the replacement of the “directing mind and will” test with an expanded “senior managers” test. Taken together, these changes materially lower the bar for prosecuting organisations and are likely to shift enforcement dynamics — in scale and scope — in a manner comparable to the UK Bribery Act when it was introduced.

Why this matters for financial services firms

Regulators and prosecutors (including the Home Office, Serious Fraud Office (SFO) and the FCA) have signalled a sustained enforcement focus on fraud prevention. The FtPF offence shifts emphasis from organisations as victims of inward fraud to potential culpability where fraud is committed for the organisation’s benefit (outward fraud). Non-UK firms may be exposed where there is any UK nexus (meetings, communications, victims in the UK or gains/losses in the UK), and the jurisdictional reach can therefore be unpredictable, depending on the facts.

Key legal features and likely enforcement outcomes

  • Thresholds: the offence applies to “large organisations” that meet two or more thresholds in the prior financial year (>250 employees; >£36m turnover; >£18m balance sheet total) or to parent groups on aggregation.  
  • Specified offences: the regime targets a defined list of fraud and false accounting offences (e.g., sections 2–4 and section 11 Fraud Act 2006; false accounting and related offences; cheating the public revenue). Dishonest intent remains a requirement for the underlying offence.  
  • Burden of proof: firms must establish the defence of reasonable procedures on the balance of probabilities. Contemporaneous evidence is critical — controls designed with hindsight are unlikely to satisfy prosecutors.  
  • Interaction with other regimes: overlap may arise with existing failure to prevent tax evasion provisions (Criminal Finances Act 2017) and with regulated activity requirements (AML, market conduct). Firms should plan how FtPF fits with those regimes. 
  • Enforcement consequences: expect increased SFO and regulator investigations, a higher likelihood of DPAs or other resolution mechanisms, and potential private prosecutions and parallel civil claims.

What firms must do now  

The defence requires a documented, proportionate and continuously maintained programme. As the director of the SFO, Nick Ephgrave, warned when the joint updated guidance for prosecutors was issued, “Now is the time to take action. Corporations must get their house in order to be ready to face investigation”. Legal and compliance should lead or be closely involved in each step. The following six-principle framework sets out the immediate priorities firms should implement and evidence to demonstrate reasonable procedures.

  1. Risk assessment
    Prepare a documented FtPF risk assessment mapping products, roles, distribution channels, geographies and third-party relationships. Identify and nominate risk owners; maintain a risk register and update it on a scheduled basis and in response to trigger events (M&A, regulatory action, defined near misses). Ensure cross-border activities are assessed for UK nexus.

  2. Proportionate prevention procedures
    Adopt proportionate policies and operational standards that address identified risks. Reasonable measures frequently include segregation of duties for high-risk processes, privileged access controls, dual approvals for significant transactions, independent confirmations and documented exception handling and remediation. Firms may rely on existing AML, market conduct and financial reporting controls where those remain appropriate to FtPF risks; document the read-across.

  3. Third-party due diligence and contracting
    Apply tiered due diligence to third parties that perform services on the firm’s behalf, with enhanced measures for distributors, fund service providers, transfer agents and critical outsource suppliers. Where negotiable, seek contractual protections (representations, audit/management information rights, remediation and termination rights, and flow-down obligations). If contractual change is not practicable, document compensating controls.

  4. Communication, training and culture
    Record senior management statements of commitment and map accountabilities (including, where appropriate, to Senior Managers under the Senior Managers & Certification Regime). Provide baseline FtPF awareness training for all staff and role-specific training for higher-risk functions. Maintain training records and evidence of completion and attestation. Maintain confidential whistleblowing arrangements consistent with FCA expectations.

  5. Monitoring, surveillance and incident response
    Calibrate transaction, trade and behavioural surveillance to detect conduct that may indicate fraud intended to benefit the firm or its customers. Maintain management information and KPIs to support senior oversight. Establish an incident response playbook addressing preservation of evidence, internal investigation governance, legal and regulatory notification thresholds and post-incident remediation.

  6. Governance, assurance and evidential file
    Assign clear senior ownership and embed oversight in an appropriate committee. Apply a three lines of defence model and obtain independent assurance (internal audit or external review) of control design and operating effectiveness. Maintain an evidential FtPF pack — policies, risk assessments, due diligence records, training logs, surveillance outputs, incident reports and committee minutes — to demonstrate the state of defences at a particular time.

Exceptions

  • Reasonableness exceptions: there are circumstances in which it may be reasonable not to impose certain procedures (for example, where an activity has no UK nexus, or where low-proximity execution-only providers or regulated distributors already operate under comprehensive statutory regimes). Any such decision should be documented and supported by legal and factual analysis.

  • M&A: include FtPF risk in transaction due diligence. Post-acquisition, maintain a time-bounded integration and remediation plan and document senior approvals for any staged implementation.

  • Data protection and foreign law: where local privacy or legal restrictions limit due diligence, document constraints and adopt documented compensating measures where reasonably practicable.

Practical next steps

Immediate actions we recommend:

  • Complete or refresh a documented FtPF risk assessment focused on outward fraud.  
  • Assemble a core evidential pack and schedule independent testing.  
  • Brief senior management and the board on exposure and remediation priorities.  
  • Review third-party contracts for MI/audit rights and strengthen where necessary.
  • Design role-specific training with practical case studies.

Authors 
Sara Teasdale (Managing Partner) and Arozo Gajia (Senior Associate) 
