27
Fri, Dec
48 New Articles

How the UK’s New Corporate Criminal Offence Could Impact EU Businesses

Romania
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The UK government recently unveiled guidance on a major update to its corporate fraud laws: the “failure to prevent fraud” offence, introduced through the 2023 Economic Crime and Corporate Transparency Act (ECCT). Taking effect on September 1, 2025, this law could have serious implications for companies operating within the EU.

WHAT DOES IT SAY?

Under the ECCT, large organizations can be held liable if an employee, agent, subsidiary, or other “associated person” commits fraud with the intent to benefit the organization, and the organization fails to implement reasonable fraud prevention measures.

What is meant by ‘large organizations?

The offence of failure to prevent fraud applies only to large organizations.  A ‘large organization’ is defined in section 201 as meeting at least two of the following criteria:

  • more than 250 employees
  • more than £36 million turnover
  • more than £18 million in total assets

These conditions apply to the financial year of the organization that precedes the year of the base fraud offence. These criteria apply to the whole organization, including subsidiaries, regardless of where the organization is headquartered or where its subsidiaries are located.

In certain scenarios, the offence also applies when fraud is committed with the intention of benefitting a client of the organization. Notably, it is not necessary to prove that directors or senior managers authorized or were aware of the fraudulent activities.

While individuals who commit fraud will be held accountable, the organization itself may also face prosecution for failing to prevent the offence.

The new offence will take effect on September 1, 2025, giving organizations time to develop and implement robust fraud prevention procedures.

Small organizations, while exempt from direct liability, should remain vigilant as they may be considered “associated persons” when providing services for or on behalf of larger entities.

WHY ARE WE LOOKING AT IT?

Although the offence primarily applies in the UK, it has extra-jurisdictional reach in certain circumstances. For instance, prosecution may occur if there is a UK connection (nexus), such as fraud resulting in financial gain or loss within the UK. For example:

  • A subsidiary or franchise meeting the “large organization” threshold may be deemed a “relevant organization” and held liable for its own actions. However, parent companies are not liable for unrelated fraudulent acts by subsidiaries, particularly when the fraud does not benefit the parent organization;
  • A UK-based employee committing fraud could result in the employing organization being prosecuted, regardless of where the organization is based;
  • Overseas organizations may face prosecution if fraud is committed in the UK or targets UK victims.

On the other hand, fraud committed abroad by overseas employees or subsidiaries with no UK nexus does not fall under this offence.

Therefore, EU-based companies operating in the UK, or engaging with UK clients or employees, could be prosecuted by UK authorities unless they demonstrate that reasonable fraud prevention procedures were in place.

HOW TO PREVENT “FAILURE TO PREVENT FRAUD”. THE UK GOVERNMENT GUIDANCE

The newly published guidance, issued under Section 204 of the ECCT, provides recommendations on fraud prevention procedures. It emphasizes that organizations can defend themselves in essence by demonstrating the existence of reasonable fraud prevention measures.

In any case, organizations should align their fraud prevention frameworks with six principles:

  1. Top-level commitment – Leadership must prioritize anti-fraud measures.
  2. Risk assessment – Identify and evaluate fraud risks within the organization.
  3. Proportionate, risk-based procedures – Develop tailored prevention measures.
  4. Due diligence – Vet individuals and entities involved in business operations.
  5. Communication – Foster awareness including through training and whistleblowing channels.
  6. Monitoring and review – Continuously assess and improve fraud prevention measures. Also, conduct investigations if fraud is detected or suspected, investigations which should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice), and legally compliant. 

These principles are flexible and outcome-focused, enabling organizations to adapt the procedures to their circumstances.

The UK’s introduction of the “failure to prevent fraud” offence underlines the importance of robust fraud prevention measures for organizations operating in or engaging with the UK. The extraterritorial implications mean that EU companies could be prosecuted under this law if a UK connection is established. As the offence takes effect in September 2025, businesses should act now to assess and strengthen their fraud prevention frameworks.

By Andrei Croitoru, Partner, Act Legal