Policy Pros
Written by Joanne Hughes, Policy & Compliance Specialist

Failure to Prevent Fraud and the UK Fraud Strategy 2026

The Economic Crime and Corporate Transparency Act 2023 introduced a new corporate criminal offence: failure to prevent fraud. The offence came into force on 1 September 2025 and the only defence is to show that the organisation had reasonable procedures in place at the time of the underlying fraud.

The May 2026 Fraud Strategy Framework, published by the Home Office on 6 May 2026, signals a sharp uplift in enforcement. Insolvency Service powers expand to target phoenixism, and a Fraud Victims Charter is scheduled for launch by mid-2027.

For boards, finance directors and compliance leads, this sits alongside the existing failure to prevent bribery offence under the Bribery Act 2010 and the failure to prevent the facilitation of tax evasion offence under the Criminal Finances Act 2017. The same defence pattern, reasonable or adequate procedures, now extends to fraud committed by associated persons for the benefit of the organisation.

Sources: the Home Office guidance on the offence of failure to prevent fraud, the underlying Economic Crime and Corporate Transparency Act 2023, and analysis of the wider 2026-2029 strategy in The National Law Review.

What Is the Failure to Prevent Fraud Offence?

The offence makes a relevant organisation criminally liable where an associated person (an employee, agent, subsidiary or service provider acting on its behalf) commits a base fraud offence intending to benefit the organisation or its clients. There is no need to prove that directors or senior managers knew about it.

The base offences include cheating the public revenue, false representation under the Fraud Act 2006, false accounting under the Theft Act 1968, fraudulent trading, and false statements by company directors. Aiding, abetting, counselling or procuring any of these is also caught.

The single statutory defence is to show that the organisation had in place reasonable procedures designed to prevent the fraud, or that it was reasonable in the circumstances not to have any prevention procedures.

Who Is in Scope: the Large Organisation Test

The offence applies only to large organisations that meet two of three thresholds in the financial year before the offence:

  • More than 250 employees
  • More than £36 million in turnover
  • More than £18 million in total assets

The test applies at parent-group level, not at individual entity level. A small subsidiary of a large group is in scope.

A standalone SME falling below all three thresholds is not directly liable, but will still feel the effect through procurement and supply chain expectations from larger customers. The test is applied based on the previous financial year, so organisations growing through the thresholds need to apply the offence prospectively from the start of the financial year in which they cross.

What the May 2026 Fraud Strategy Framework Changes

The Fraud Strategy Framework 2026-2029 sets the enforcement direction for the next three years. Three operational shifts matter for employers.

First, the Insolvency Service is to intensify action against phoenixism (the pattern of repeatedly liquidating a company and re-emerging through a new entity to escape liabilities). Powers to disqualify directors, claw back assets, and bring compensation orders are scheduled to be used more aggressively from 2026 onward.

Second, the Fraud Victims Charter, due by mid-2027, will set service expectations for how organisations respond to fraud affecting their customers or employees. This will feed into regulator expectations and procurement scoring.

Third, the framework signals a shift from reactive policing to systemic prevention, with public sector procurement using fraud prevention controls as an explicit eligibility criterion in larger contracts.

The Reasonable Procedures Defence

The Home Office guidance sets out six principles that organisations should follow when designing reasonable procedures:

  1. Top-level commitment from the board and senior leadership.
  2. Risk assessment that is documented, organisation-specific and refreshed.
  3. Proportionate, risk-based prevention procedures matched to the risks identified.
  4. Due diligence on associated persons including employees, agents, third parties and subsidiaries.
  5. Communication and training across the organisation and supply chain.
  6. Monitoring and review with documented response to issues.

Each principle is procedural, not technical. The defence stands or falls on whether the organisation can evidence what it did, not just what its policy said.

The pattern is deliberately aligned with the Bribery Act 2010 section 7 adequate procedures defence and the section 45 and 46 Criminal Finances Act 2017 reasonable procedures defence on facilitation of tax evasion. Organisations that already have a working anti-bribery framework can extend it to fraud rather than building a new framework from scratch.

How This Sits Alongside AML and Anti-Bribery

For organisations already running an anti-money laundering programme under the Money Laundering Regulations 2017 (as amended), the failure to prevent fraud offence does not replace AML obligations. It adds a separate procedural framework that overlaps in places (risk assessment, due diligence, training, monitoring) but reaches different conduct.

AML controls focus on the proceeds of crime moving through the organisation. The failure to prevent fraud offence focuses on fraud committed by associated persons intending to benefit the organisation. The same compliance function can run both, but the framework documents need to address each offence on its own terms.

The same logic applies to the anti-bribery and corruption framework under the Bribery Act 2010. The principles mirror each other. The risk register, training, due diligence and monitoring procedures can in many organisations be integrated into a single financial crime framework that covers bribery, tax evasion facilitation, sanctions and fraud.

Organisations regulated by the Financial Conduct Authority should align this with SYSC requirements on financial crime systems and controls, and the FCA financial crime guide for firms.

Phoenixism and Insolvency Service Enforcement

The Fraud Strategy Framework directs the Insolvency Service to focus on phoenixism. Practical signals that an organisation may attract scrutiny include:

  • Repeated company insolvencies among directors of related entities
  • Pre-pack administrations followed by re-emergence under similar trading names
  • Transfers of assets at undervalue ahead of liquidation
  • Customer and employee debts left in the dissolved entity while the trade continues

Directors should expect more disqualification proceedings, compensation orders under section 15A of the Company Directors Disqualification Act 1986, and clawback applications. Family-owned and SME group structures are particularly exposed where the same directors stand behind successive entities.

The Fraud Victims Charter (Mid-2027)

The charter, due by mid-2027, will set minimum service standards for how fraud victims are treated, including by the organisations whose systems or processes were used. Charter compliance is likely to feed into:

  • Public sector procurement scoring criteria
  • FCA Consumer Duty outcomes for regulated firms
  • ICO assessments where personal data is involved
  • Reputational risk where breach response is publicised

Even though the charter is not yet published in final form, the direction of travel is clear. Organisations setting their 2026 and 2027 fraud frameworks should design with charter expectations in mind.

What Employers Must Do Before 2026 Year End

The defence to a failure to prevent fraud charge is documented evidence of reasonable procedures. The practical steps for organisations in scope are:

  1. Confirm scope. Test against the two-out-of-three large organisation thresholds on a group basis and identify any subsidiaries in scope.
  2. Conduct a documented fraud risk assessment. Identify the fraud risks specific to the business model, the supply chain, the workforce mix and the geography.
  3. Map associated persons. Employees, agents, intermediaries, distributors, joint venture partners and outsourced service providers all qualify. Each layer needs a documented due diligence approach.
  4. Update prevention procedures. Refresh anti-fraud policies, expense controls, vendor onboarding, sales incentive design, whistleblowing routes and approval thresholds.
  5. Train across the organisation. Tone from the top, role-specific training for finance, sales, procurement and frontline staff, and refresher cycles.
  6. Set monitoring and audit cycles. Internal audit coverage of fraud risks, periodic effectiveness reviews, and a documented response when issues arise.
  7. Document board-level oversight. Minute discussions of fraud risk, sign off on the risk assessment, and ensure the response to any reported concern is recorded.

Each step should be evidenced in a way that survives a future regulator or prosecutor file review.

Documentation That Evidences Reasonable Procedures

A defensible failure to prevent fraud file typically includes:

  • Board-approved fraud prevention policy and tone-from-the-top statement
  • Documented fraud risk assessment refreshed at least annually
  • Due diligence records for associated persons (employees, agents, third parties)
  • Training records by role, with completion rates and refresher dates
  • Whistleblowing arrangements with independent reporting routes and case logs
  • Monitoring and audit reports covering fraud risks
  • Incident logs and documented responses, including matters that were investigated and closed
  • Board minutes evidencing oversight and challenge

The point throughout is that procedures only count if they were operational at the time of the alleged offence. Updating policies after the event does not retrospectively rebuild the defence.

Common Gaps to Avoid

  • Treating the offence as a single policy update. It is a procedural framework, not a document. A fraud prevention policy without supporting risk assessment, due diligence, training and monitoring is not a defence.
  • Skipping the risk assessment. The Home Office guidance is clear that organisation-specific risk assessment is the foundation. Generic templates do not survive scrutiny.
  • Ignoring associated persons in the supply chain. Third parties, agents, distributors and outsourced providers are all in scope. Vendor due diligence and contract clauses need to reflect this.
  • No training records. A training programme without role-based design, completion records and refresher cycles cannot evidence the communication and training principle.
  • Whistleblowing routes that are not used. A reporting line nobody trusts will not produce the documented evidence of issues being raised and addressed.
  • No board oversight evidence. Board minutes that do not record fraud risk discussion, sign-off and response to issues leave a documentation gap.

Impact on SMEs Below the Threshold

Standalone SMEs falling below the large-organisation thresholds are not directly liable. The offence still reaches them indirectly through three routes.

Procurement clauses from larger customers increasingly require evidence of fraud prevention controls, often referencing the failure to prevent fraud offence directly. Supply chain due diligence from larger group customers extends down to sub-tiers. Public sector tendering scores include explicit fraud control criteria in larger contracts.

In practical terms, SMEs in larger supply chains need a proportionate framework even where they are not technically in scope. The same risk-based principles apply, scaled to the business.

Where the Failure to Prevent Fraud Offence Bites Hardest

The base fraud offences are broad, but the highest-risk scenarios for in-scope organisations cluster around a few recurring patterns:

  • Sales teams mis-stating product features, pricing or eligibility to win business
  • Procurement and finance teams approving inflated or duplicate supplier invoices
  • Senior management mis-stating accounts, forecasts or KPIs to investors or lenders
  • Agents or distributors making false statements to clients in markets where oversight is limited
  • Outsourced customer service or sales operations using mis-selling scripts

Each pattern requires a specific procedural response (incentive design, segregation of duties, sign-off thresholds, channel monitoring, agent contracts) and each needs to be evidenced in the documentation file.

Wider Compliance Context for 2026

The failure to prevent fraud framework is one of several enforcement uplifts converging on UK organisations in 2026. The UK Cyber Resilience Pledge sets parallel expectations on cyber preventive controls. The Fair Work Agency consolidates employment enforcement. The Employment Rights Act changes of 6 April 2026 expand worker protections.

Boards looking at 2026 compliance budgets should treat these together rather than as parallel one-off projects. The same monitoring, training and documentation infrastructure can serve multiple frameworks.

How Policy Pros Can Help

Policy Pros writes and reviews fraud prevention frameworks, anti-money laundering documentation, anti-bribery and corruption policies, and the integrated financial crime suite that sits behind them.

We help organisations evidence the six Home Office principles in a way that holds up under regulator and procurement scrutiny.

For the wider compliance context, see our compliance policies and procedures, anti-money laundering policies, anti-bribery and corruption policies and sanctions compliance policies. For reporting and protection frameworks, our whistleblowing policies page covers the related obligations.

If your existing financial crime documentation needs review, our policy review service can identify the gaps against the failure to prevent fraud framework and deliver updated documents on a fixed-price basis.
