
Although fraud has long been criminalised in the UK, most notably under the Fraud Act 2006, that Act focuses on the conduct of individuals and requires proof of dishonest intent in making representations, omission of information, or abuse of position. Historically, corporate liability depended on attributing senior directors’ conduct directly to the company (Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud).
The offence of failure to prevent fraud shifts the landscape by introducing strict liability for organisations: even where senior management did not know of or approve the fraud, the organisation can be prosecuted if it did not have reasonable fraud prevention procedures in place at the time. Importantly, there is a defence available if the organisation can demonstrate it had such procedures, or that it was not reasonable in all the circumstances to expect them to have such procedures (Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud).
The goal of this blogpost is to explore how to do so.
The offence applies to large organisations (including incorporated bodies, subsidiaries and large not-for-profit entities). While the legislation itself does not define “large”, prosecutorial guidance and commentary (e.g., from the Crown Prosecution Service and Serious Fraud Office) reference similar thresholds used elsewhere (such as 250+ employees or turnover and balance sheet size used in other failure to prevent contexts) (Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud).
On 6 November 2024, the UK Government published official guidance on what constitutes reasonable procedures companies should adopt to protect themselves from liability under the new offence. This guidance was developed with input from the Crown Prosecution Service (CPS), the Serious Fraud Office (SFO), HM Treasury and other enforcement bodies (New failure to prevent fraud guidance published).
The Director of the SFO emphasised that “time is running short for corporations to get their house in order or face criminal investigation”, a clear call to action for organisations to strengthen internal fraud prevention frameworks ahead of the offence’s commencement (TLT - Government issues failure to prevent fraud guidance).
In August 2025, the CPS and SFO jointly reminded large organisations of the imminent enforcement date and encouraged preparation, including putting in place systems, training and controls to prevent fraud (Crown Prosecution Service - Press Release, Fraud and economic crime, CPS).
The guidance outlines that reasonable procedures should be proportionate to the size and nature of the business and informed by a documented fraud risk assessment. Core elements include:
The guidance itself explicitly states that failure to conduct any risk assessment, or failure to review risk assessments periodically, can undermine a company’s ability to prove that reasonable procedures were in place at the time of the fraud (Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud).
A fraud risk assessment is no longer just good practice; it is the cornerstone of a legal defence to a criminal offence that carries potentially unlimited fines and reputational risk in the UK. Without documented assessments and an evidence-backed fraud prevention framework, organisations risk being unable to demonstrate to courts or prosecutors that they took appropriate steps to mitigate risks.
This is a sharper legal obligation than traditional internal audit or risk management exercises, as it requires organisations to:
Although the SFO and CPS have not yet prosecuted under the new failure to prevent fraud offence, statements from senior enforcement officials underscore that this will be a priority area. As noted in official government communications, corporate fraud remains one of the most common crime types (40% of crimes), and the new offence is intended to drive a culture shift towards proactive prevention rather than reactive enforcement (New failure to prevent fraud guidance published).
The SFO has also signalled its broader enforcement strategy on fraud, emphasising the value of self-reporting and early engagement in investigations. Companies that detect potential fraud and engage with authorities (including preserving evidence) may be eligible for tools such as Deferred Prosecution Agreements (DPAs), which can mitigate enforcement consequences (Reuters - UK fraud office encourages firms to self-report wrongdoing).

Turning Legal Obligation Into Practical Action: Running your Fraud Risk Assessment with Ethical by Upryt
Implementing a structured, transparent and auditable fraud risk assessment is the foundation of reasonable prevention procedures, and that’s where Ethical by Upryt adds real value for compliance teams.
Ethical by Upryt is a Governance & Reporting Platform that enables organisations to:
Launch group-wide fraud risk assessments in weeks, not months
Ensure no material fraud risk is overlooked
Assign clear ownership and maintain oversight
Enable local risk assessment with central visibility
Link fraud risks directly to policies, controls and training
Generate reports on demand
This approach helps organisations align not only with the guidance on reasonable procedures but also with broader governance expectations such as those in the UK Corporate Governance Code, which requires Boards to report on material compliance controls and their effectiveness.

Beyond Risk Assessments: Organising and Evidencing Your Fraud Prevention Programme with Ethical by Upryt
However, regulators will not assess fraud risk assessments in isolation. They will examine whether fraud prevention is embedded and managed as a programme, particularly in complex groups with multiple business units and international operations.
Beyond risk assessments, Ethical by Upryt supports the organisation and ongoing management of your entire fraud prevention programme.
Through Ethical by Upryt, organisations can:
This capability is particularly critical where fraud controls are decentralised or embedded within operational functions. Ethical by Upryt allows organisations to demonstrate that fraud prevention procedures are coherent, consistently applied, and actively monitored, not merely documented.
The introduction of the failure to prevent fraud offence on 1 September 2025 marks a fundamental shift in UK corporate liability. For large organisations, it is no longer sufficient to hope that fraud won’t occur; they must be able to demonstrate that they actively identified, analysed, mitigated and tested fraud risks.
A structured, documented fraud risk assessment, supported by evidence of control effectiveness, is essential not only to reduce the likelihood of fraud but also to provide a legal defence if challenged.
Tools like Ethical by Upryt help organisations operationalise this process in a way that is defensible, auditable and scalable. We'd love to show you what we do.
