Part 4: Professional risk – Failure to prevent fraud
- The Just Audit team

Our risk partners Karen Eckstein Ltd give a summary on failure to prevent fraud within a professional context - and why firms may be more exposed than they realise.

The Government’s ‘failure to prevent fraud’ offence came into force on 1 September 2025 under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). This marks a major shift in how corporate fraud is prosecuted, and there is a concern that many professional services firms may not yet appreciate the risks it may create for them.
While it is true that the offence applies directly only to ‘large organisations’, the legislation can also apply to anyone performing services for those organisations, because of the need for large organisations to ensure that their supply chain also complies with the rules. Karen Eckstein Ltd calls this the ‘trickle down’ obligation, meaning that many professional advisers, accountants, tax professionals, consultants, lawyers and other service firms, might be affected by the ‘trickle down’ requirements, even if they are not a ‘large organisation’ themselves.
The concern is that those firms have a commercial risk that they may not have recognised if their large organisation clients ask them to provide evidence that they have reasonable prevention procedures in place - and do not renew contracts if they cannot do so. It is that commercial risk that many firms may not be prepared for - the risk of losing lucrative contracts they worked so hard to obtain because they have failed to prepare for ECCTA.
What does the new Failure to Prevent Fraud offence cover?
Section 199 of the ECCTA makes a large organisation criminally liable if an ‘associated person’ commits a fraud offence intending to benefit either:
- the organisation itself, or
- a client to whom the organisation provides services.
It is a strict liability offence. Senior management does not need to have known about or condoned the behaviour, and a defence is only available if the organisation can show that it had reasonable fraud prevention procedures in place.
What counts as a ‘large organisation’?
An organisation is ‘large’ if it meets two out of three statutory thresholds in its last financial year:
- more than 250 employees,
- turnover above £36 million, or
- total assets above £18 million.
This definition captures many corporates, large professional services firms, financial institutions, and increasingly large charities and international groups. However, as mentioned above, smaller businesses may also face a commercial risk because of the definition of ‘associated person’ (see below).
Who is an ‘associated person’?
The ECCTA defines an ‘associated person’ as:
“An employee or agent of the relevant body, or a person who otherwise performs services for or on behalf of the relevant body.”
This can include:
- employees and partners
- consultants
- subcontractors
- outsourced service providers
- professional advisers when advising a client that meets the size criteria.
It is this final category that creates the real risk for professional services firms.
Therefore, firms who have ‘large’ clients should consider putting reasonable fraud prevention procedures in place, so that they are able to satisfy their large clients that they have done so (as well as it being good risk management in any event!).
What counts as ‘reasonable prevention procedures’?
There is a lot of guidance on the government’s website on how to implement reasonable fraud prevention procedures, and the procedures should be proportionate to the risk.
Aspects to consider include:
- a clear list of the policies and procedures the firm has in place to combat fraud
- an up-to-date fraud risk assessment
- a clear and trusted escalation process for red flags
- effective supervision and monitoring
- a culture that encourages compliance rather than one which (inadvertently) encourages the opposite.
Patterns of behaviour matter
Some areas where firms can inadvertently ‘cross the line’ include:
- ‘Time dumping’ as a result of commercial pressure and unrealistic targets (where the contract provides for charging on an hourly basis, charging a client for more time than was actually spent is technically fraudulent)
- Being ‘too helpful’ to clients and ‘turning a blind eye’ to errors in accounts, or invoicing the wrong entity to minimise a client’s VAT burden (thus falling foul of PCRT and the relatively new criminal offence of facilitating tax evasion)
- Being nervous of having difficult conversations with clients and not being prepared to challenge them, for example on errors in their accounts, which again could fall foul of PCRT and ECCTA (helping a client to benefit indirectly benefits the firm).
Reference:
Government website: Reasonable fraud prevention procedures