What does the new offence under the ECCTA 2023 mean for corporate accountability and insurers?

What is changing?

The new offence of failure to prevent fraud (introduced by the Economic Crime and Corporate Transparency Act 2023) came into force on 1 September 2025. Companies may be criminally liable where an employee, agent, subsidiary or other associated person commits a specified fraud, intending to benefit the organisation or its clients. 

The organisation does not need to actually benefit for the offence to be made out. The intention to benefit the organisation also does not have to be the sole or dominant motivation for the fraud. The offence applies where a fraudster’s primary motivation is to benefit themselves, but their actions also benefit the organisation. For example, if a salesperson is on commission and engages in mis-selling to increase their own commission, they also increase the company’s sales. Another example is hiding important information from consumers or investors. 

If convicted, organisations face unlimited fines and significant reputational damage.

Which organisations are in scope? 

The offence applies to large organisations meeting two out of the following three criteria in the financial year preceding the fraud:

1. Over 250 employees; 
2. More than £36M turnover; and 
3. Over £18M in total assets. 

Whilst many businesses may be out of scope for now, they may find that other organisations they do business with expect fraud prevention measures to be enhanced.

Does the offence apply outside the UK?

The offence applies only where there is a ‘UK nexus’; i.e., where:

• the fraudulent act(s) took place in the UK; or
• the financial gain or loss from the fraud occurred in the UK.

The offence will, therefore, apply to overseas companies if fraud occurs in the UK or targets victims living in the UK. If a UK-based employee commits fraud, the employing organisation can be prosecuted, wherever it is based. The offence will not, however, apply to UK organisations whose overseas employees or subsidiaries commit fraud abroad if no fraud has taken place in the UK and no gain or loss occurs in the UK. 

Reasonable “prevention procedures”: The statutory defence

The offence is one of strict liability – meaning that an organisation can be criminally liable, even if no one at senior management level took part in or was aware of the fraud. 

An organisation has a defence if it can establish that, at the time the fraud was committed, reasonable fraud “prevention procedures” were in place. What prevention procedures are considered reasonable will vary between organisations; but it is vital that organisations bear in mind the six principles from the government's guidance when putting procedures in place:

• top level commitment
• risk assessment
• proportionate risk-based prevention procedures
• due diligence
• communication (including training)
• monitoring and review.

The government’s guidance says:

“In some limited circumstances, it may be deemed reasonable not to introduce measures in response to a particular risk. However, it will rarely be considered reasonable not to have even conducted a risk assessment. Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision.”

What does this mean for insurers?

The introduction of this new offence increases the importance of robust fraud prevention procedures. 

Underwriters should consider if reasonable procedures are in place to prevent fraud in their review of risks. Insurers also need to consider their own sales practices. 

False or misleading statements about environmental impact or sustainability (greenwashing) are considered within the scope of this new offence. The Serious Fraud Office (SFO) considers companies inflating 'green' credentials to be a priority area for enforcement. It would be advisable for underwriters to carefully analyse this area of risk, particularly for companies which are large enough for the new offence to apply.

What all companies should be doing now

Organisations should consider (amongst others): 

• updated and regular risk assessments focused on fraud threats;  
• guidance on the topic including examples of fraud;
• improving whistleblowing and incident response mechanisms;
• considering types of ‘associated persons’ and tailoring prevention procedures accordingly;
• adjustments to corporate governance and senior management oversight;
• reviewing fraud prevention policies, these should be proportionate to the specific fraud risks identified;
• training on policies and procedures; 
• reviewing internal controls;
• due diligence on associated persons, particularly those in a role where there is a high of fraud; 
• monitoring and regular review of prevention procedures, to ensure their effectiveness; 
• top level commitment from senior management to establish a culture that does not tolerate fraud;
• structuring of remuneration; 
• if the organisation has subsidiaries, consider implementing group level policies and training;
• if the organisation has subsidiaries ensure that there is a nominated person responsible for fraud prevention in each subsidiary; and
• whistleblowing policies.