
New corporate criminal offence of failure to prevent fraud – what should financial services firms be doing now?


By Angela Hayes


Published 14 April 2025

Overview

The new corporate criminal offence of failure to prevent fraud[1] (the FTPF Offence) will come into force from 1 September 2025. The offence is intended to encourage organisations to build an anti-fraud culture, in the same way that failure to prevent bribery legislation has helped reshape corporate culture since its introduction in 2010.

There is work to be done, even for UK regulated financial services firms who already are required to have adequate policies and procedures to counter the risk that the firm may be used to further financial crime. Firms who have not commenced their preparations should do so now. Here we provide a practical guide to the steps UK financial services firms should be taking.

 

The new offence

A firm (a "relevant body") will be criminally liable if an "associated person" commits a fraud offence[2] with the intention of benefitting the relevant body (directly or indirectly) or a person to whom, or to whose subsidiary, the associated person provides services on behalf of the relevant body.

"Associated person" includes employees, contract staff, subsidiaries and employees of subsidiaries. It can also include third party service providers, suppliers and contractors insofar as they are providing services to someone on behalf of the relevant body (as opposed to providing services to the relevant body).

A firm can be liable even if there is no evidence that the firm knew of, suspected or condoned the fraud. However, a firm will not be liable if it can prove that, at the time the fraud was committed, it had reasonable prevention procedures in place. A firm will also not be liable if it was, or was intended to be, a victim of the fraud offence.

The FTPF Offence only applies to large companies or partnerships.[3]

 

Reasonable prevention procedures

The starting point for developing reasonable prevention procedures will be to review the guidance that has been published by the Home Office (the "HO Guidance"), available here.

The HO Guidance emphasises that procedures to prevent fraud should be informed by six principles: top level commitment; risk assessment; proportionate risk-based prevention procedures; due diligence; communication; monitoring and review. The HO Guidance is helpful but it is not sector specific and for firms that are already highly regulated in the financial crime space it does not provide specific pointers about where gaps in their existing frameworks could lie.

Some industry bodies have provided more sector specific guidance for their members, for example the Guidance published by UK Finance in February 2025 available here.

 

Risk assessment and control mapping

In our view, the most urgent thing UK regulated financial services firms should do is to complete a risk assessment exercise and then to map how existing controls mitigate those identified risks.

Firms who have not performed an adequate risk assessment will have difficulty in proving that they have reasonable prevention procedures for the FTPF Offence in place. The HO Guidance puts it this way, in bold type: "It is not necessary or desirable for organisations to duplicate existing work. Equally, it would not be a suitable defence to state that because the organisation is regulated its compliance processes under existing regulations would automatically qualify as “reasonable procedures” under the Economic Crime and Corporate Transparency Act."

Where to start: Firms can start with their existing risk matrix for financial crime and conduct risks and do the following:

  • Identify and collate the risk controls already in place that will be mitigants for the FTPF offence
  • Document that these controls are part of the firm's reasonable prevention procedures for the FTPF offence
  • Identify any gaps in the existing risk control framework
  • Where proportionate, develop mitigating controls to plug those gaps
  • Document the formal risk assessment
  • Document the control universe for the FTPF offence (which could in part be by tagging risks and controls within the existing risk framework)

Leveraging existing controls: Though a firm's financial crime controls and existing financial crime risk assessments are likely to have focussed upon the risks of fraud on the firm and its customers, as opposed to for their benefit, a UK regulated firm will typically have many other existing controls that can be leveraged as also being mitigants of the FTPF offence including:

  • Existing controls to ensure that statements to customers and marketing material are fair, clear and not misleading are mitigants against the criminal offence of false misstatement
  • Conflicts of interest policies and internal reporting requirements are an (at least partial) mitigant of opportunity and motivation to commit fraud offences for the benefit of the firm or a customer
  • Anti-market abuse controls
  • Conduct rules, fit and proper test and remuneration code under the Senior Managers and Certification Regime
  • Whistleblowing procedures
  • Controls preventing unauthorised payments or trading
  • Due diligence on potential distributors of financial products and ongoing monitoring

 

Other mitigants

Training and awareness raising: this will also be a key mitigant and will need to be delivered specifically in relation to the FTPF Offence. Though there may be scepticism about the extent to which training would deter an individual with the mindset to commit fraud, it does assist staff in a position to speak up/whistleblow. Further, it will be a useful wake-up call to remind staff that certain conduct that they generally think of as a "mere" potential regulatory breach (for example misleading marketing material) could also have a criminal dimension.

Contract clauses?: It has become common to have anti-bribery clauses in key commercial contracts as part of reasonable prevention procedures for the corporate criminal offence of failure to prevent bribery, for example contracts with distributors who will be associated persons. We do not see that a similar approach would be particularly beneficial for the FTPF Offence. It should be obvious, for example from a general obligation to comply with applicable laws, that criminal fraudulent behaviour is not permitted.

 

[1] Section 199 Economic Crime and Corporate Transparency Act 2023.

[2] A relevant fraud offence is an act which constitutes (a) an offence listed in Schedule 13 of the Act (cheating the public revenue; Theft Act 1968 section 17 – false accounting – and section 19 – false statements; Companies Act 2006 section 993 – fraudulent trading; Fraud Act 2006 Section 1 – fraud – Section 9 and Section 11 – obtaining services dishonestly) or (b) aiding, abetting, counselling or procuring the commission of a listed offence.

[3] A firm which fulfils at least two of the following criteria: more than 250 employees; more than £36 million turnover; and/or more than £18 million in total assets.
