Organisations can now be held liable for employee fraud - here's how to avoid it

Note 3/9/25: This is an updated version of an article that originally appeared on this page on 14/3/25

A new corporate criminal offence became effective from 1 September 2025 as part of the planned implementation timetable of the Economic Crime and Corporate Transparency Act 2023 (ECCTA). By way of background, ECCTA received Royal Assent on 23 October 2023; however, its changes will come into force in stages. ECCTA overhauls the UK’s existing corporate legal framework with its 3 key aims which (broadly) are: firstly, to prevent organised crime from using corporate entities to abuse the UK’s open economy, secondly, to strengthen the powers of UK law enforcement and criminal detection whilst encouraging transparency of data sharing within the financial sector, and thirdly, to improve the reliability of Companies House data. The latest stage of ECCTA’s implementation – and one which is making the headlines – is the introduction on 1 September of a new corporate offence holding organisations to account if they profit from fraud committed by their employees. We report on what this new offence – and unlimited fines – means for organisations and what steps they need to take to be prepared.

What is the new offence?

The offence is intended to hold organisations to account if they profit from fraud committed by their employees. Employees of companies and other organisations can commit fraud in a wide variety of ways including by dishonest sales practices, hiding important information from consumers or investors, or dishonest practices in financial markets.

Under the new offence, an organisation will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place.

Further information and guidance on the new office and ECCTA can be found in the accompanying Government detailed guidance.

Which organisations will be in scope?

The offence applies to large, incorporated bodies and partnerships across all sectors of the economy. The offence applies to organisations incorporated or formed by any means. This includes, but is not limited to incorporation by:

• The Companies Act 2006

• Royal Charter

• Statute (for example NHS Trusts)

• The Limited Liability Partnerships Act 2000,or

• The Co-operative and Community Benefit Societies Act 2014.

What is a “large organisation”?

Under ECCTA, a “large organisation” is defined as one meeting at least two of the following three criteria:

• More than 250 employees

• More than £36 million turnover

• More than £18 million in total assets.

These conditions apply to the financial year of the organisation that precedes the year of the base fraud offence.

What about group companies?

If resources held across a parent company and its subsidiaries cumulatively meet the size threshold, that group of companies will be in scope of the failure to prevent fraud offence.

Liability can be attached to whichever individual entity within the group was directly responsible for failing to prevent the fraud. Liability can alternatively be attached to the parent company, if a fraud was committed by a subsidiary employee, for the benefit of the parent company, and the parent company did not take reasonable steps to prevent it.

What is the penalty if convicted?

An organisation can receive an unlimited fine. The courts will take account of all the circumstances in deciding the appropriate level for a particular case. Whilst senior management will not be held individually liable and prosecuted for failure to prevent fraud, it should be noted that individuals within companies can already be prosecuted for committing, encouraging, or assisting fraud. There may also be internal processes and consequences such as disciplinary.

What do organisations need to do?

The Government guidance confirms the expectations on business. Notably, the fraud prevention framework put in place by relevant organisations should be informed by the following six principles:

Top level commitment

Responsibility for the prevention and detection of fraud rests with those charged with the governance of the organisation. The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.

Risk assessment

The organisation should assess the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment needs to be dynamic, documented and kept under regular review.

Proportionate risk-based prevention procedures

An organisation’s procedures to prevent fraud by persons associated with it should be proportionate to the fraud risks it faces and to the nature, scale, and complexity of the organisation’s activities. The procedures also need to be clear, practical, accessible, effectively implemented, and enforced.

Due diligence

The organisation should apply due diligence procedures. These should take a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.

Communication (including training)

The organisation should ensure that its prevention policies and procedures are communicated, embedded, and understood throughout the organisation, through internal and external communication. Training and maintaining training are key.

Monitoring and review

The organisation should monitor and review its fraud detection and prevention procedures and make improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.

The key point is that organisations will be able to avoid prosecution if they have reasonable procedures in place to prevent fraud.