Failure to Prevent Fraud Is Not a Fraud Offence. It Is a Governance Offence.
The market read of the failure to prevent fraud offence is that it criminalises fraud. It does not. Fraud was already criminal under the Fraud Act 2006, the Theft Act 1968, the Companies Act 2006, and the common law. What section 199 of the Economic Crime and Corporate Transparency Act 2023 criminalises is the organisation's failure to have reasonable procedures in place to prevent an associated person committing one of those offences for the organisation's benefit. The base fraud is the trigger. The offence is the governance gap.
That distinction is the whole point for a corridor group. The organisation does not need to have committed the fraud, known about the fraud, or benefited from the fraud in fact. It needs only to have an associated person who committed a base fraud offence intending to benefit it, and to lack reasonable prevention procedures. Liability is strict: once the base offence and the intention to benefit are established, the organisation is guilty unless it can prove, on the balance of probabilities, that it had reasonable procedures in place, or that it was reasonable in the circumstances to have none. The penalty is an unlimited fine, and the reputational consequence of a corporate fraud conviction is frequently worse than the fine.
The offence came into force on 1 September 2025. The Home Office statutory guidance that defines what reasonable procedures look like was published on 6 November 2024, giving organisations the run-up to commencement to build the defence. For a UK-UAE-Ireland corridor group the timetable has already passed: the procedures had to be in place by 1 September 2025, and the question now is not whether to build them but whether the procedures already in place would survive scrutiny. The Serious Fraud Office has signalled its intention to prosecute, and its revised guidance on evaluating corporate compliance programmes includes an ECCTA scenario.
This article walks through the statutory frame in section 199 ECCTA, the large-organisation threshold, the associated-person and base-offence definitions in Schedule 13, the UK nexus that gives the offence extraterritorial reach across the corridor, the six-principle reasonable procedures defence, the senior-manager attribution change that sits alongside it, the five recurring corridor traps, and the sequencing with the SAO regime, the corporate criminal offences for tax evasion, and the wider corridor governance architecture.
The Statutory Frame: Section 199 ECCTA and the Home Office Guidance
The offence sits across the Act, the commencement, and the statutory guidance.
The Act. The Economic Crime and Corporate Transparency Act 2023 received Royal Assent on 26 October 2023. Section 199 creates the failure to prevent fraud offence. A relevant body is guilty of the offence where a person associated with it commits a fraud offence (a base offence listed in Schedule 13) intending to benefit the relevant body, or any person to whom, or to whose subsidiary undertaking, the associated person provides services on behalf of the relevant body. The organisation's own knowledge or intention is not an element of the offence; the associated person's conduct and intention are.
The defence. Section 199 provides that it is a defence for the relevant body to prove that, at the time the fraud offence was committed, it had in place such prevention procedures as it was reasonable in all the circumstances to expect it to have, or that it was reasonable in all the circumstances not to have any prevention procedures in place. The burden is on the organisation, to the civil standard. The defence is the only route to acquittal once the base offence and the intention to benefit are made out.
Commencement. The offence came into force on 1 September 2025. The lead time between the publication of the guidance (6 November 2024) and commencement was the window in which organisations were expected to design and implement reasonable procedures.
The guidance. The Home Office published statutory guidance under section 204 ECCTA on 6 November 2024, "Guidance to organisations on the offence of failure to prevent fraud". The guidance is advisory rather than legally binding, but it is the reference against which the reasonableness of an organisation's procedures will be assessed, and it sets out the six principles developed below. It is the third iteration of the "six principles" model used for the Bribery Act 2010 adequate-procedures defence and the Criminal Finances Act 2017 reasonable-procedures defence, and it is more prescriptive than either.
The penalty on conviction is an unlimited fine. There is no custodial element for the organisation (the offence is committed by the body, not by an individual), but the base fraud remains separately prosecutable against the individual associated person, and the senior-manager attribution change addressed below expands the organisation's exposure to the conduct of its senior managers.
The Large-Organisation Threshold
The offence applies only to large organisations, and to entities connected to them. Section 201 ECCTA sets the threshold by reference to the Companies Act 2006 large-company tests.
An organisation is large if, in the financial year preceding the year of the fraud offence, it met at least two of the following three conditions:
- more than 250 employees;
- more than £36 million turnover;
- more than £18 million total assets.
The test is applied at the level of the organisation and, where the organisation is a parent undertaking, on a group basis (aggregating the group to determine whether the group meets the large thresholds). Two structural consequences follow for a corridor group.
The group is tested as a whole. A UK-UAE-Ireland corridor group whose aggregate position meets two of the three thresholds is a large organisation for the purpose of the offence, even where individual entities within it are small. The threshold is not a per-entity carve-out for the smaller members.
Small entities are caught through association. A smaller organisation that is a subsidiary of a large organisation, or that is itself an associated person of a large organisation, is within the practical scope of the offence: the large parent is liable for a fraud committed by an associated person (which can include a subsidiary or its employees) intending to benefit the parent. A corridor structure that places operating activity in a small UAE or Irish subsidiary of a large UK-headed group does not remove the group from the offence; it locates the associated person whose conduct triggers the parent's liability.
The threshold is a moving test applied year by year. A corridor group that crosses two of the three conditions through growth or acquisition becomes a large organisation for the following financial year and must have reasonable procedures in place from that point. The Head of Tax, General Counsel, or Finance Director of a group at or near the threshold needs a current assessment of large-organisation status, not a one-off determination.
Associated Persons and the Schedule 13 Base Offences
Two definitions determine when the offence bites: who is an associated person, and what is a base fraud offence.
Associated persons. A person is associated with a relevant body if they are an employee, agent, or subsidiary of the body, or otherwise perform services for or on behalf of the body. The definition tracks the Bribery Act 2010 associated-person concept and is deliberately wide. For a corridor group it captures UK employees, UAE and Irish subsidiary employees, agents and introducers, and outsourced service providers performing services for or on behalf of the group. The breadth of the definition is the reason the offence reaches conduct across the corridor: an associated person need not be a UK person.
The base offences (Schedule 13). The offence is triggered only by one of the fraud offences listed in Schedule 13 ECCTA. The principal base offences are:
- fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position (sections 1 to 4 Fraud Act 2006);
- obtaining services dishonestly (section 11 Fraud Act 2006);
- participation in a fraudulent business carried on by a sole trader (section 9 Fraud Act 2006);
- false accounting (section 17 Theft Act 1968);
- false statements by company directors (section 19 Theft Act 1968);
- fraudulent trading (section 993 Companies Act 2006);
- cheating the public revenue (common law);
- and aiding, abetting, counselling, or procuring the commission of any of those offences.
The list matters because it defines the perimeter of the offence. Two categories within it are particularly live for a corridor group. False accounting (section 17 Theft Act 1968) captures the overstatement of results, the misstatement of asset values, and the manipulation of management or statutory accounts. Cheating the public revenue (common law) captures conduct intended to deprive a revenue authority of tax. Both are offences that a corridor group's own finance or tax function could commit, intending to benefit the group, in the ordinary course of aggressive reporting.
Outward, not inward, fraud. The offence targets fraud committed for the organisation's benefit (outward fraud), not fraud committed against the organisation (inward fraud). This is the conceptual shift that catches groups whose existing controls were built to protect the organisation from being defrauded. A compliance framework designed to detect a rogue employee stealing from the company addresses inward fraud; it does not, without more, address an employee overstating profits or understating tax to make the company look better, which is the outward fraud the offence targets. The guidance is explicit that procedures may need to be extended from inward to outward fraud.
The UK Nexus: Why the Offence Reaches Conduct Across the Corridor
The failure to prevent fraud offence has extraterritorial reach, and the reach is the reason it matters for a UK-UAE-Ireland corridor group rather than only for a domestic UK business.
The offence applies where there is a UK nexus to the base fraud. A UK nexus exists where one of the acts that was part of the base fraud offence took place in the UK, or where the gain or loss resulting from the fraud occurred in the UK. The organisation and the associated person need not be UK-resident or UK-incorporated. A non-UK organisation that meets the large-organisation threshold can commit the offence where its associated person's fraud has the requisite UK nexus.
For a corridor group the practical consequences are precise.
UK gain or loss brings non-UK conduct into scope. Where an associated person in the UAE or Ireland commits a base fraud offence, and the gain or loss occurs in the UK (for example, a UK creditor, a UK investor, or HMRC as the deprived revenue authority), the UK nexus is satisfied and the offence is engaged. The conduct is abroad; the gain or loss anchors it to the UK.
UK conduct brings non-UK organisations into scope. Where any act that was part of the base fraud took place in the UK (a document signed in London, a representation made to a UK counterparty, a UK bank account used in the scheme), the UK nexus is satisfied even where the organisation and most of the conduct sit in the UAE or Ireland.
Cheating the public revenue is jurisdiction-sensitive. The common-law offence of cheating the public revenue protects the UK revenue. A corridor group whose tax-reporting conduct deprives HMRC has a UK nexus by virtue of the UK revenue being the victim. The corridor's tax architecture, designed to allocate profit and tax across three jurisdictions, is precisely the area where an aggressive position taken by an associated person to benefit the group could constitute a base offence with a UK nexus.
The corridor reading is that the offence cannot be escaped by locating the associated person, the conduct, or the organisation outside the UK. So long as the group is large, an associated person commits a base offence intending to benefit it, and the conduct or the gain or loss touches the UK, the offence is engaged and the only answer is the reasonable procedures defence. The defence, not the geography, is the protection.
The Reasonable Procedures Defence: The Six Principles
The Home Office guidance structures the reasonable procedures defence around six principles. They are the same six principles used for the Bribery Act and the Criminal Finances Act, applied to fraud. The guidance is outcome-focused and proportionate: the procedures must be reasonable in the circumstances of the organisation's fraud risk, not identical across organisations.
Principle 1: top level commitment. The board and senior management must be committed to preventing fraud committed for the organisation's benefit, and must foster a culture in which fraud is not tolerated even where it would benefit the organisation. The guidance looks for visible, documented leadership engagement, not a delegated policy. For a corridor group this means board-level ownership across the jurisdictions, not a UK-only compliance statement.
Principle 2: risk assessment. The organisation must assess the nature and extent of its exposure to the risk of associated persons committing fraud for its benefit. The guidance introduces the Fraud Triangle as the analytical model: opportunity (weak controls and inadequate oversight), motivation (financial stress and target pressure), and rationalisation (a culture in which manipulation is normalised). The guidance gives the worked example of an accounting department overstating profits to attract investment: the base offence is false accounting, the associated person is the relevant employee, and the organisation is exposed unless it can prove reasonable procedures, even if the investment was never secured. A decision not to address a specific identified risk must be documented with the name and position of the person who authorised it.
Principle 3: proportionate risk-based prevention procedures. The procedures must be proportionate to the risk identified and to the nature, scale, and complexity of the organisation's activities. The guidance is explicit that being regulated does not automatically make existing compliance processes reasonable procedures; a regulated corridor group cannot rely on its regulatory compliance as a substitute for fraud-specific procedures.
Principle 4: due diligence. The organisation must apply due diligence procedures to its associated persons, proportionate to the fraud risk they present. For a corridor group with agents, introducers, and outsourced service providers across three jurisdictions, the due diligence extends to the associated persons most able to commit a base offence for the group's benefit.
Principle 5: communication and training. The prevention procedures must be communicated, and training provided, so that associated persons understand them. The guidance contemplates whistleblowing procedures, clear reporting channels, and training calibrated to the outward-fraud risk. Communication that addresses only inward fraud (protecting the organisation from being defrauded) does not discharge the principle.
Principle 6: monitoring and review. The organisation must monitor and review its prevention procedures and improve them where necessary. The guidance extends existing fraud-investigation procedures (typically built for inward fraud) to cover outward fraud, and asks that investigations be independent, appropriately resourced, empowered, scoped, and legally compliant, with documented decisions on who authorises an investigation and whether it is internal or external.
The guidance's recurring theme is that procedures must be living and evidenced, not paper policies. It asks who authorised each decision, by name and position, and looks for procedures that persist when key personnel are on leave or leave the organisation. The reasonable procedures defence is, in substance, an evidence file: a documented, current, board-owned, risk-calibrated programme that an organisation can produce to demonstrate it took the fraud risk seriously before the base offence occurred.
The Senior Manager Attribution Change
Sitting alongside the failure to prevent fraud offence is a second ECCTA change to corporate criminal liability that compounds the corridor group's exposure.
Historically, a corporation could be criminally liable for an offence requiring proof of a mental state only where the offence was committed by a person who was the "directing mind and will" of the company, a narrow test that in practice protected large organisations because no single individual at the apex could be shown to have the requisite state of mind. ECCTA changed this. From 26 December 2024, a body corporate or partnership can be criminally liable where a senior manager, acting within the actual or apparent scope of their authority, commits a relevant economic crime offence. The senior-manager test is materially wider than the directing-mind-and-will test.
The two changes operate together. The senior-manager attribution change makes it easier to attribute a base economic crime offence (including fraud, false accounting, money laundering, and others) to the organisation directly, on the conduct of a senior manager. The failure to prevent fraud offence makes the organisation liable for an associated person's fraud regardless of attribution, subject to the reasonable procedures defence. A corridor group therefore faces two routes to corporate criminal liability for the same underlying conduct: direct attribution through a senior manager, and the failure to prevent offence through any associated person. The reasonable procedures defence answers the second route but not the first; the answer to the first is the governance culture and control environment that the procedures evidence.
For a corridor group the senior-manager change is particularly material because senior managers are frequently distributed across the jurisdictions. A senior manager of a UAE or Irish subsidiary, acting within the scope of their authority, can expose the group to direct corporate criminal liability for an economic crime offence, on a test that the old directing-mind-and-will analysis would not have reached.
Five Recurring Corridor Fraud-Prevention Traps
Five patterns recur in corridor groups as the failure to prevent fraud offence beds in after the 1 September 2025 commencement.
Trap 1: treating the offence as inward-fraud risk. The most common error is to assume that an existing anti-fraud framework, built to protect the organisation from being defrauded, addresses the new offence. It does not. The offence targets outward fraud committed for the organisation's benefit. A control environment designed to catch a rogue employee stealing from the company does not address an employee overstating profits or understating tax to benefit the company. The architectural answer is to re-scope the fraud risk assessment to the outward-fraud perimeter, using the Fraud Triangle to identify where an associated person might commit a base offence to benefit the group.
Trap 2: assuming regulation equals reasonable procedures. A regulated corridor group frequently assumes that its existing regulatory compliance framework discharges the reasonable procedures requirement. The guidance forecloses this directly: being regulated does not automatically make existing compliance processes reasonable procedures under ECCTA. The architectural answer is a fraud-specific reasonable procedures programme built against the six principles, cross-referenced to (but not substituted by) the regulatory compliance framework.
Trap 3: scoping the offence to UK entities only. A corridor group with operations in the UAE and Ireland sometimes assumes the offence is a UK-entity problem. The UK nexus reaches conduct abroad where an act of the base fraud, or the gain or loss, touches the UK, and the large-organisation test is applied to the group. A UAE or Irish associated person committing a base offence with a UK nexus exposes the group. The architectural answer is a corridor-wide programme covering associated persons in all three jurisdictions, not a UK-only programme.
Trap 4: leaving risk-acceptance decisions undocumented. The guidance permits an organisation to decide, in limited circumstances, not to implement procedures against a specific risk, but requires that decision to be documented with the name and position of the person who authorised it. A corridor group that makes implicit risk-acceptance decisions (declining to extend due diligence to a particular category of agent, for example) without documenting them, and without naming the authoriser, has no evidence of a reasoned decision and forfeits the benefit of the guidance's flexibility. The architectural answer is a documented risk-acceptance register with named authorisers.
Trap 5: building the procedures as policy, not as evidence. The recurring failure across all of the failure-to-prevent offences is the polished policy with no evidence of execution. The guidance asks for living procedures: board engagement that is minuted, training that is delivered and recorded, due diligence that is performed and documented, monitoring that produces findings and actions, and investigations that are authorised and scoped on the record. A corridor group with a fraud-prevention policy document but no evidence that the procedures operated through the year cannot discharge the reasonable procedures defence, because the defence is an evidence file, not a policy library.
The common feature of the five traps is that the offence is treated as a documentation exercise rather than as a governance programme that must be designed for outward fraud, scoped across the corridor, owned at board level, and evidenced through the year. Treated as documentation, the policy sits on the shelf. Treated as governance, the procedures are the defence.
Sequencing With the SAO Regime, the CCO, and the Corridor Governance Architecture
The failure to prevent fraud offence does not stand alone. It is one layer of a UK governance architecture that a corridor group must operate as an integrated whole.
The corporate criminal offences for tax evasion (CCO). Sections 45 and 46 of the Criminal Finances Act 2017 created the corporate offences of failure to prevent the facilitation of UK and foreign tax evasion. They use the same architecture as the failure to prevent fraud offence: an associated person, a base offence, strict liability, and a reasonable procedures defence built on the same six principles. A corridor group has operated CCO reasonable procedures since 2017. The failure to prevent fraud offence extends that architecture to fraud, and the two evidence files should share substrate: the same risk assessment methodology, the same due-diligence procedures, the same training and monitoring infrastructure, cross-referenced to the two regimes. A group that built a CCO programme has the foundation for the fraud programme, with the principal extension being the outward-fraud perimeter.
The Senior Accounting Officer regime. For a UK group at the SAO threshold, the UK SAO regime under Schedule 46 FA 2009 requires the senior accounting officer to take reasonable steps to maintain appropriate tax accounting arrangements. The SAO evidence file and the fraud-prevention evidence file overlap substantially: governance, process documentation, control monitoring, and risk identification populate both. False accounting and cheating the public revenue are base offences under Schedule 13 ECCTA and are precisely the conduct that defective tax accounting arrangements could produce. A corridor group should build the SAO evidence pack, the CCO programme, and the fraud-prevention procedures from a single governance substrate rather than as three separate compliance silos.
The CARF and transparency architecture. For the family-office side of a corridor structure, the UK CARF crypto-reporting framework and the wider automatic-exchange regimes create the transparency layer against which fraud and tax-evasion conduct becomes visible. A false self-certification under CARF or CRS, or an understatement that the reported data contradicts, is the kind of conduct that can constitute a base offence under Schedule 13 or a CCO base offence. The transparency architecture and the failure-to-prevent architecture are two sides of the same governance problem: the data that the transparency regimes report is the data against which the failure-to-prevent offences are tested.
The integrated governance position. For a corridor group the failure to prevent fraud offence is the third instance of the same governance demand that runs through the SAO regime and the CCO: a documented, board-owned, risk-calibrated, evidenced programme that survives the prosecutor's or the tax authority's scrutiny. The group that maintains a single governance substrate (risk assessment, controls, due diligence, training, monitoring, and documented decisions) and cross-references it into the SAO, CCO, and failure-to-prevent-fraud regimes has built the defence to all three. The group that treats each regime as a separate policy exercise has built three policy libraries and the evidence for none.
Frequently Asked Questions
When did the failure to prevent fraud offence come into force?
The failure to prevent fraud offence under section 199 of the Economic Crime and Corporate Transparency Act 2023 came into force on 1 September 2025. ECCTA received Royal Assent on 26 October 2023, and the Home Office published the statutory guidance defining reasonable procedures on 6 November 2024, giving organisations the lead time to commencement to build their procedures. The offence applies to base fraud offences committed on or after 1 September 2025.
Which organisations does the offence apply to?
The offence applies to large organisations. Under section 201 ECCTA, a large organisation is one that meets two or more of three conditions in the preceding financial year: more than 250 employees, more than £36 million turnover, and more than £18 million total assets. The test is applied on a group basis where the organisation is a parent undertaking. A smaller organisation is caught where it is a subsidiary of, or an associated person of, a large organisation, so small corridor entities within a large group are within scope.
What is the offence, and what is the defence?
A large organisation is guilty where a person associated with it commits a base fraud offence intending to benefit the organisation, or a person to whom the organisation provides services. The organisation's own knowledge is not an element; liability is strict once the base offence and the intention to benefit are established. The only defence is that the organisation had reasonable fraud prevention procedures in place at the time, or that it was reasonable not to have any. The burden is on the organisation to the civil standard, and the penalty on conviction is an unlimited fine.
What are the base fraud offences under Schedule 13?
Schedule 13 ECCTA lists the base offences: fraud by false representation, failing to disclose information, and abuse of position (sections 1 to 4 Fraud Act 2006); obtaining services dishonestly (section 11 Fraud Act 2006); participation in a fraudulent business (section 9 Fraud Act 2006); false accounting and false statements by company directors (sections 17 and 19 Theft Act 1968); fraudulent trading (section 993 Companies Act 2006); cheating the public revenue (common law); and aiding, abetting, counselling, or procuring those offences. The offence targets fraud committed for the organisation's benefit (outward fraud), not fraud committed against the organisation.
Does the offence apply to a corridor group with operations outside the UK?
Yes, where there is a UK nexus. The offence applies where one of the acts that was part of the base fraud took place in the UK, or where the gain or loss occurred in the UK. The organisation and the associated person need not be UK-resident or UK-incorporated. A corridor group with associated persons in the UAE or Ireland is within scope where the conduct or the gain or loss touches the UK, including where the UK revenue is the victim of the base offence (cheating the public revenue). The offence cannot be escaped by locating the associated person or the organisation outside the UK.
What are reasonable fraud prevention procedures?
The Home Office statutory guidance structures reasonable procedures around six principles: top level commitment, risk assessment, proportionate risk-based prevention procedures, due diligence, communication and training, and monitoring and review. The procedures must be proportionate to the organisation's fraud risk, documented, board-owned, and evidenced through the year. The guidance is explicit that being regulated does not automatically make existing compliance processes reasonable procedures, and that a decision not to address a specific risk must be documented with the name and position of the person who authorised it. The risk assessment should use the Fraud Triangle (opportunity, motivation, rationalisation) to identify where an associated person might commit a base offence to benefit the organisation.
How does the offence interact with the senior manager attribution change?
ECCTA made two changes to corporate criminal liability. From 26 December 2024, a body corporate or partnership can be criminally liable where a senior manager, acting within the actual or apparent scope of their authority, commits a relevant economic crime offence, replacing the narrower directing-mind-and-will test. From 1 September 2025, the failure to prevent fraud offence makes the organisation liable for an associated person's fraud, subject to the reasonable procedures defence. A corridor group faces two routes to liability for the same conduct: direct attribution through a senior manager, and the failure to prevent offence through any associated person. The reasonable procedures defence answers the failure-to-prevent route; the senior-manager route is answered by the governance culture and controls that the procedures evidence.
How does failure to prevent fraud interact with the SAO regime and the CCO?
All three use the same architecture: an associated person or responsible officer, a base obligation, and a reasonable-steps or reasonable-procedures standard built on the same governance principles. The corporate criminal offences for tax evasion (sections 45 and 46 Criminal Finances Act 2017) have used the six-principle reasonable procedures defence since 2017; the failure to prevent fraud offence extends it to fraud. The Senior Accounting Officer regime under Schedule 46 FA 2009 requires reasonable steps to maintain appropriate tax accounting arrangements, and false accounting and cheating the public revenue are Schedule 13 base offences. A corridor group should build the SAO evidence pack, the CCO programme, and the fraud-prevention procedures from a single governance substrate, cross-referenced into each regime, rather than as separate compliance silos.
Fraud was already a crime. What changed on 1 September 2025 is that the organisation's failure to prevent it became one too. For a corridor group the defence is not geography, and it is not the absence of knowledge; it is a documented, board-owned, evidenced programme that was in place before the base offence occurred.