
Preventing Corporate Fraud: A Playbook for the New “Failure to Prevent Fraud” Law

From 1 September 2025, the UK’s new corporate offence of failure to prevent fraud (FTPF) is in force. Large organisations will be criminally liable if an associated person (employee, agent, subsidiary, or similar) commits a specified fraud intending to benefit the organisation or its clients, unless the company can show it had reasonable fraud-prevention procedures in place. The offence applies to organisations meeting at least two of the following: more than 250 employees, turnover above £36m, or assets above £18m. Penalties include unlimited fines and prosecution by the SFO or CPS.

Fraud is the UK’s most common crime. The latest ONS survey shows a 31% year-on-year increase (to around 4.2m incidents, year ending March 2025), which is another reason boards cannot treat this as box-ticking. 

 

What the new law expects (in plain English) 

Government guidance sets out a principles-based defence. If you can evidence reasonable procedures, you have a defence. The guidance highlights six pillars: top-level commitment, risk assessment, proportionate and risk-based controls, due diligence, communication and training, and monitoring and review. Audits and regulatory status are not enough on their own. Document your risk assessment and keep it current. 

Scope and reach: The law applies to large organisations based in the UK and to bodies formed overseas with a UK nexus. Subsidiaries and franchise arrangements can also bring liability, depending on who benefits and who is “associated.” 

 

Common UK corporate fraud risks 

  • False accounting, fraudulent trading, and false statements by directors (Fraud Act and Companies Act offences). Classic risks include revenue inflation, premature revenue recognition, capitalising expenses, or hiding losses. 
  • Fraud by false representation, failure to disclose, and abuse of position (Fraud Act 2006). Examples include misleading investors or customers, falsifying KPIs to win contracts, or abusing access such as payroll or expenses. 
  • Cheating the public revenue. This includes dishonest VAT schemes or grant fraud. 
  • Market abuse and dishonest practices in financial markets. This can include benchmark manipulation, “printing or flying” quotes, or misleading statements to the market. 

 

Real UK cases and what they cost 

  • Tesco (2017): Paid around £235m in penalties and compensation after false accounting. 
  • Barclays (2012): Fined nearly £60m in the UK for LIBOR manipulation. 
  • Serco (2019): Agreed to pay over £19m for fraud linked to electronic monitoring contracts. 
  • G4S (2020): Paid over £38m plus costs, on top of £121m already repaid to the Ministry of Justice. 
  • Carillion (2023): Would have faced a £37.9m fine for misleading market statements had it not collapsed. 

These cases underline that fraud not only leads to heavy financial penalties but also lasting reputational damage. 


A 90-day action plan 

Days 0–30: Rapid risk mapping and accountability

  • Appoint an executive sponsor such as the CFO or General Counsel and name functional risk-owners. 
  • Run a documented fraud risk assessment covering group entities, products, sales practices, financial reporting, procurement, third parties, grants and tax, and market-facing communications. Record any decisions not to mitigate risks and who approved them. 
  • Gap-check controls against the six FTPF principles. Do not rely solely on audits or regulated status. 

Days 31–60: Control build-out 

  • Strengthen financial reporting controls such as journal reviews, cut-off checks, manual adjustments, and related-party checks.
  • Put in place sales and marketing guardrails for claims, testimonials, ESG statements, and pricing, including pre-clearance for high-risk pitches.
  • Improve third-party and subsidiary oversight, including risk-based due diligence, contract clauses on fraud, audit rights, data access, and flow-down obligations to agents and distributors.
  • Enhance market abuse surveillance where relevant, aligned with FCA expectations.

Days 61–90: Embed and evidence

  • Provide training and communications targeted at finance, sales, procurement, and investor relations teams. Use scenario-based sessions and annual refreshers.
  • Strengthen whistleblowing and speak-up channels with confidentiality and anti-retaliation protocols and extend these to third parties.
  • Set up monitoring and review processes such as analytics on high-risk entries, exception dashboards, quarterly attestations, and biennial risk assessment reviews.
  • Build an incident response plan that defines fraud incident thresholds, legal hold steps, regulator notification decisioning, and DPA considerations.

Practical control checklist 

  • Financial reporting: pre-posting review of manual journals, segregation of duties for revenue recognition, reconciliation of non-GAAP metrics to audited figures. 
  • Sales and customer: approval workflow for claims, substantiation records, pricing or discount overrides reviewed. 
  • Procurement and expenses: vendor onboarding with bank detail verification, duplicate invoice detection, data-matched expenses and purchase cards. 
  • Third parties: risk scoring, adverse media and sanctions screening, audit rights used, certification of compliance with your fraud policy. 
  • Market conduct: surveillance for spoofing, printing or flying, and unusual quote activity. Suspicious transaction reports tested and tuned where relevant. 
  • Culture and incentives: align variable pay with quality of earnings and conduct metrics, require management sub-certifications on fair presentation and completeness. 
  • Evidence pack: keep a single source of truth that includes risk assessment, policy suite, training logs, control testing, exceptions, and investigations. This will be vital to demonstrate “reasonable procedures” if challenged. 
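Two of the checklist controls (duplicate invoice detection and pre-posting review of manual journals) expressed as simple exception rules, written here as an added illustration rather than anything from the article or any vendor product. It assumes accounts-payable and general-ledger records have already been exported as the dicts shown; the records, thresholds and field names are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real records) shaped like an AP and a GL export.
INVOICES = [
    {"id": "INV-1001", "vendor": "Acme Ltd", "amount": 12500.0, "date": date(2025, 3, 14)},
    {"id": "INV-1001", "vendor": "Acme Ltd", "amount": 12500.0, "date": date(2025, 3, 28)},
    {"id": "INV-1002", "vendor": "Acme Ltd", "amount": 12500.0, "date": date(2025, 3, 29)},
    {"id": "INV-2001", "vendor": "Beta plc", "amount": 800.0, "date": date(2025, 3, 30)},
    {"id": "INV-2002", "vendor": "Beta plc", "amount": 950.0, "date": date(2025, 3, 31)},
]
PERIOD_END = date(2025, 3, 31)  # constructed quarter end used by the journal rule
JOURNALS = [
    {"id": "J-1", "preparer": "alice", "reviewer": "bob", "amount": 5000, "posted": date(2025, 3, 20), "account": "Revenue"},
    {"id": "J-2", "preparer": "carol", "reviewer": None, "amount": 250000, "posted": date(2025, 3, 31), "account": "Revenue"},
    {"id": "J-3", "preparer": "dave", "reviewer": "dave", "amount": 40000, "posted": date(2025, 3, 30), "account": "Accruals"},
]

def invoice_exceptions(invoices, window_days=7):
    """Return (invoice id, reason) pairs for a repeated invoice number, or the same
    vendor and amount billed again within a short window (classic duplicate-payment patterns)."""
    by_vendor_amount = defaultdict(list)
    exceptions = []
    for inv in sorted(invoices, key=lambda i: i["date"]):  # process in date order
        key = (inv["vendor"], round(inv["amount"], 2))
        for prior in by_vendor_amount[key]:
            if prior["id"] == inv["id"]:
                exceptions.append((inv["id"], f"invoice number already processed on {prior['date']}"))
            elif (inv["date"] - prior["date"]).days <= window_days:
                exceptions.append((inv["id"], f"same vendor and amount as {prior['id']} within {window_days} days"))
        by_vendor_amount[key].append(inv)
    return exceptions

def journal_exceptions(journals, period_end, large=100000):
    """Return (journal id, reasons) for manual journals that should be held for review before posting."""
    exceptions = []
    for j in journals:
        reasons = []
        if j["reviewer"] is None:
            reasons.append("posted without independent review")
        elif j["reviewer"] == j["preparer"]:
            reasons.append("self-reviewed")  # segregation of duties failure
        if (period_end - j["posted"]).days <= 1:
            reasons.append("posted within 1 day of period end")  # cut-off risk
        if j["amount"] >= large and j["account"] == "Revenue":
            reasons.append("large revenue adjustment")
        if reasons:
            exceptions.append((j["id"], reasons))
    return exceptions
```

The two lists are the kind of output an exception dashboard or quarterly attestation pack would be built from; the thresholds are deliberately simple and would be tuned to the organisation's own risk assessment.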

 

Note: This article is general guidance, not legal advice. For legal interpretation or case-specific questions, please consult your legal counsel. 

 
