The Fraud Offences
The Fraud Act 2006 is the principal anti-fraud legislation in England, Wales and Northern Ireland (Scotland retains its common law crime of fraud). It replaced a fragmented set of deception offences with a single offence of fraud (section 1), which can be committed in any of three ways, plus two further stand-alone offences:
- Section 2 - Fraud by false representation - dishonestly making a representation that is untrue or misleading, knowing that it is or might be, intending to make a gain or cause a loss
- Section 3 - Fraud by failing to disclose information - dishonestly failing to disclose information which there is a legal duty to disclose, intending to make a gain or cause a loss
- Section 4 - Fraud by abuse of position - occupying a position in which one is expected to safeguard another person's financial interests and dishonestly abusing it, intending to make a gain or cause a loss
- Section 9 - Participating in fraudulent business - knowingly being a party to a business (one not carried on by a company, which is covered instead by section 993 of the Companies Act 2006) carried on with intent to defraud creditors or for any other fraudulent purpose
- Section 11 - Obtaining services dishonestly - obtaining services for which payment is required, by a dishonest act, without paying or intending to pay in full
The offences apply to any person, in any organisation, in any sector. Fraud (section 1) and participating in fraudulent business (section 9) carry up to 10 years' imprisonment on indictment; obtaining services dishonestly (section 11) carries up to 5 years. No gain or loss need actually result for sections 2 to 4: the dishonest conduct and the intent are enough. The dishonesty test follows Ivey v Genting Casinos [2017] UKSC 67: the fact-finder first establishes the defendant's actual knowledge or belief as to the facts, then asks whether, given that knowledge or belief, the conduct was dishonest by the standards of ordinary decent people. The defendant does not also have to appreciate that the conduct was dishonest by those standards.
Sitting alongside the Fraud Act 2006 are older offences in the Theft Act 1968 that still apply - notably Section 17 (false accounting) and Section 19 (false statements by company directors). These are particularly relevant to corporate fraud, where dishonest entries in accounts or false written statements by directors or other officers can themselves be substantive offences, without having to prove the wider fraud they were intended to support.
Failure to Prevent Fraud - The Corporate Offence
Section 199 of the Economic Crime and Corporate Transparency Act 2023 created a new corporate offence of failure to prevent fraud, in force from 1 September 2025. The structure mirrors the failure to prevent bribery offence in the Bribery Act 2010:
- A large organisation is guilty of an offence if a person associated with it commits a specified fraud offence intending to benefit the organisation or its clients
- The only defence is for the organisation to prove that, at the time of the fraud, it had in place such prevention procedures as it was reasonable in all the circumstances to expect, or that it was not reasonable in the circumstances to expect it to have any prevention procedures at all (the second limb is narrow and should not be relied on by an organisation at the size threshold)
- The penalty is an unlimited fine
The offence applies to large organisations, defined as those meeting at least two of the following three thresholds in the financial year preceding the offence: more than 250 employees, more than £36 million turnover, more than £18 million in total assets. Group thresholds apply where the parent and subsidiaries together meet the criteria.
The offences caught by Section 199 are listed in Schedule 13 to the Act. They include the Fraud Act 2006 offences of fraud (section 1, committed by the conduct described in sections 2 to 4), participating in fraudulent business (section 9) and obtaining services dishonestly (section 11); false accounting under Section 17 of the Theft Act 1968; false statements by company directors under Section 19 of the Theft Act 1968; fraudulent trading under Section 993 of the Companies Act 2006; and the common law offence of cheating the public revenue. Aiding, abetting, counselling or procuring any of these is also caught. The Schedule can be amended by regulations, so the list should be checked against the current text rather than assumed to be fixed.
The failure to prevent fraud offence is a meaningful change for organisations meeting the threshold. The Section 199 defence works in the same way as the equivalent in the Bribery Act 2010 (section 7 of which uses the wording "adequate procedures" rather than "reasonable procedures", though the structure is the same): if the organisation can demonstrate reasonable fraud prevention procedures, liability does not attach. So the audit question becomes: what does reasonable look like? The Home Office guidance published on 6 November 2024 sets out six principles, mirroring the bribery framework: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring and review. For organisations already operating to that framework for anti-bribery, the extension to cover fraud is incremental rather than transformational.
Below the threshold, the Section 199 offence does not apply, but the substantive Fraud Act 2006 offences still do. Directors and senior managers can be personally liable, and corporate fines under the substantive offences are unlimited. A proportionate fraud and malpractice framework is still a sensible control regardless of size.
Most fraud in normal businesses is internal. It is the bookkeeper who creates fictitious invoices over a few years, the warehouse manager who under-reports stock that disappears out the back door, the procurement officer with the cousin who happens to win every tender. None of these are headline financial scandals - they are just routine breaches of trust by people in positions to take advantage of weak controls. The single biggest fraud control in most organisations is segregation of duties: the person who approves the invoice is not the person who pays it, the person who orders the stock is not the person who books it in. Where one person can do both, the door is open.
Many organisations are asked by clients or insurers for a fraud and malpractice policy without quite knowing what it should contain. The core elements are consistent: a statement that fraud and malpractice are not tolerated, a definition that covers external fraud, internal fraud, bribery, corruption and dishonest conduct generally, the responsibilities on staff to report concerns through whistleblowing or directly to a named person, the steps the organisation takes to prevent fraud (segregation of duties, expense controls, supplier due diligence, approvals), and the consequences of breach including disciplinary action and reporting to authorities. The policy sits alongside the anti-bribery and anti-money laundering policies as part of an integrated financial crime framework.
The Six Principles of Reasonable Procedures
Home Office guidance to Section 199 sets out six principles for reasonable fraud prevention procedures, deliberately mirroring the framework used in the Ministry of Justice guidance to the Bribery Act 2010:
- Top-level commitment - leadership establishes a culture in which fraud is not tolerated and is visibly committed to fraud prevention
- Risk assessment - the organisation periodically assesses where its fraud exposure lies, by activity, function, third party, sector and other relevant factors
- Proportionate procedures - the response matches the fraud risk the organisation faces and the size and nature of its business
- Due diligence - proportionate checks on associated persons, particularly those in roles or relationships where fraud risk is heightened
- Communication and training - the policy is communicated to all those who need to know about it, with training proportionate to the role and risk
- Monitoring and review - procedures are monitored, reviewed and improved over time, including in response to incidents and changes in risk
Organisations meeting the threshold will typically extend their existing anti-bribery framework to cover fraud rather than building a separate one - the same six principles, the same risk assessment cycle, the same training, the same monitoring. The fraud-specific additions are mainly in the risk assessment (different fraud typologies and risk indicators) and in the financial controls (segregation of duties, approvals, expense oversight, accounts reconciliation).
Internal vs External Fraud
Fraud risk splits into two main categories:
- Internal fraud - perpetrated by employees, directors or contractors against the organisation. Examples include false expense claims, fictitious invoices, payroll fraud, procurement fraud (steering contracts to connected parties), inventory theft and false accounting. Typical controls: segregation of duties, approval thresholds, supplier verification, periodic audit, exit checks, whistleblowing.
- External fraud - perpetrated by third parties against the organisation. Examples include invoice redirection scams (where a fraudster impersonates a supplier and asks for bank details to be changed), CEO fraud (where a fraudster impersonates a senior executive and asks for an urgent payment), business email compromise, identity theft and procurement fraud by suppliers. Typical controls: verification of bank detail changes by calling back a number already on file (never one supplied in the change request), dual approval for payments above a threshold, awareness training, and technical email controls such as enforced SPF, DKIM and DMARC, external-sender banners and multi-factor authentication on mailboxes.
The failure to prevent fraud offence focuses on internal fraud committed for the organisation's benefit - frauds where someone associated with the organisation defrauds a customer, a competitor, the tax authority or another third party in a way that benefits the organisation or those it provides services to. External fraud against the organisation is not caught by Section 199, and the Act expressly excludes cases where the organisation was itself the victim or intended victim of the fraud, though both remain relevant to the wider fraud and malpractice framework.
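The controls named above (segregation of duties from the discussion of internal fraud, and bank detail change verification and dual approval from the external fraud list) are the kind of thing that can be checked mechanically over purchase ledger data rather than left to a policy statement. The following Python is an added example, not code from the original page or from any alphaZ document: the invoice records, user ids, supplier names, the field layout and the £10,000 dual-approval threshold are all constructed for illustration, and a real implementation would read the same fields from the finance system's audit trail.

```python
"""Fraud control checks over a constructed purchase-ledger extract.

Added example (not from the original page). Three controls are checked:
  1. segregation of duties  - no user may hold more than one of the
                              create / approve / pay roles on one invoice
  2. dual approval          - invoices at or above a threshold need two
                              distinct approvers
  3. bank detail verification - supplier bank detail changes must have been
                              confirmed by callback, and payments to a
                              supplier with an unverified change are flagged
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy threshold (constructed for this example).
DUAL_APPROVAL_THRESHOLD = 10_000


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier: str
    amount: float
    created_by: str              # user who entered the invoice on the ledger
    approvers: Tuple[str, ...]   # users who approved it, in order
    paid_by: str                 # user who released the payment


@dataclass(frozen=True)
class BankDetailChange:
    supplier: str
    requested_via: str           # channel the request arrived on, e.g. "email"
    verified_by_callback: bool   # confirmed by phoning a number already on file?


Finding = Tuple[str, str, str]   # (rule, record id, detail)


def segregation_of_duties(invoices: List[Invoice]) -> List[Finding]:
    """Flag any invoice where one user holds more than one role."""
    findings: List[Finding] = []
    for inv in invoices:
        roles = {
            "created": {inv.created_by},
            "approved": set(inv.approvers),
            "paid": {inv.paid_by},
        }
        for user in {inv.created_by, *inv.approvers, inv.paid_by}:
            held = [role for role, members in roles.items() if user in members]
            if len(held) > 1:
                findings.append(("segregation_of_duties", inv.invoice_id,
                                 f"{user} both {' and '.join(held)}"))
    return findings


def dual_approval(invoices: List[Invoice],
                  threshold: float = DUAL_APPROVAL_THRESHOLD) -> List[Finding]:
    """Flag invoices at or above the threshold with fewer than two distinct approvers."""
    findings: List[Finding] = []
    for inv in invoices:
        distinct = len(set(inv.approvers))
        if inv.amount >= threshold and distinct < 2:
            findings.append(("dual_approval", inv.invoice_id,
                             f"{inv.amount:,.2f} approved by {distinct} distinct user(s)"))
    return findings


def bank_detail_verification(changes: List[BankDetailChange],
                             invoices: List[Invoice]) -> List[Finding]:
    """Flag unverified bank detail changes and any payment made to those suppliers."""
    findings: List[Finding] = []
    unverified = set()
    for change in changes:
        if not change.verified_by_callback:
            unverified.add(change.supplier)
            findings.append(("bank_detail_change", change.supplier,
                             f"details changed on a request received by "
                             f"{change.requested_via} without callback verification"))
    for inv in invoices:
        if inv.supplier in unverified:
            findings.append(("payment_to_unverified_account", inv.invoice_id,
                             f"payment to {inv.supplier} after unverified bank detail change"))
    return findings


def run_controls(invoices: List[Invoice],
                 changes: List[BankDetailChange]) -> List[Finding]:
    """Run all three controls and return the combined findings."""
    return (segregation_of_duties(invoices)
            + dual_approval(invoices)
            + bank_detail_verification(changes, invoices))


# Constructed sample ledger extract. INV-1001 is clean; the others each
# breach at least one control.
INVOICES = [
    Invoice("INV-1001", "Acme Stationery Ltd", 850.00, "jsmith", ("pjones",), "afinance"),
    Invoice("INV-1002", "Northgate Consulting", 4_200.00, "jsmith", ("jsmith",), "afinance"),
    Invoice("INV-1003", "Northgate Consulting", 24_500.00, "mkhan", ("pjones",), "pjones"),
    Invoice("INV-1004", "Harbour Logistics", 18_000.00, "mkhan", ("pjones", "rlee"), "afinance"),
]
CHANGES = [
    BankDetailChange("Harbour Logistics", "email", verified_by_callback=False),
    BankDetailChange("Acme Stationery Ltd", "portal", verified_by_callback=True),
]

if __name__ == "__main__":
    for rule, record, detail in run_controls(INVOICES, CHANGES):
        print(f"{rule:32} {record:22} {detail}")
```

The point of running these as queries rather than relying on the approval workflow alone is that they catch the override cases: the finance user with rights to both approve and pay, the emailed bank change that was keyed straight in, the large invoice where the second approver was never sought. A monitoring-and-review step under the six principles is essentially this, run on a schedule and with the findings actually followed up.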
Reporting and Investigation
When fraud is suspected, the response needs to be proportionate and methodical. Common steps:
- Preserve evidence - secure documents, computer access logs, accounting records and communications before the suspect is alerted
- Take advice early - legal advice on the threshold for police involvement, HR advice on disciplinary procedure, and insurance advice on cover for losses and investigation costs
- Decide on internal or external investigation - small matters can be handled internally; larger or more complex matters benefit from forensic accountants or specialist solicitors
- Report to authorities where required - the National Crime Agency for money laundering implications, Action Fraud for general fraud reporting, the police where criminal prosecution is appropriate, the FCA or HMRC for regulated-sector or tax matters, and insurers for fidelity cover claims
- Consider Section 173 of the Economic Crime and Corporate Transparency Act 2023 - which gives Companies House the power to require information from directors and others where economic crime is suspected
Where suspected fraud may amount to money laundering, an organisation in the regulated sector must submit a Suspicious Activity Report to the National Crime Agency under the Proceeds of Crime Act 2002. Any organisation, regulated or not, that needs to continue handling funds which may be the proceeds of the fraud (for example, paying out on a contract already suspected to be tainted) may need a Defence Against Money Laundering request to the NCA, since going ahead without it can itself be a principal money laundering offence.
International Context
Other jurisdictions take varied approaches to corporate fraud liability. The US relies on the broad federal mail and wire fraud statutes plus the Sarbanes-Oxley framework for public companies. France, under the Loi Sapin II 2016, requires anti-corruption compliance programmes that overlap substantially with anti-fraud requirements. Germany prosecutes corporate fraud through the substantive offences but does not have a strict-liability "failure to prevent" mechanism equivalent to the UK position - the German Corporate Sanctions Act has been under discussion for several years without enactment.
For organisations operating across these regimes, the practical answer is to design fraud prevention to the UK and US standards as a baseline, with local additions for jurisdiction-specific requirements. The UK Section 199 standard and the US Sarbanes-Oxley/FCPA standards together produce a control framework that satisfies most other regimes.
Practical Advice
For organisations meeting the Section 199 threshold, fraud prevention is now a strict-liability area requiring the same level of structured response as anti-bribery. The same six-principles framework applies, and most organisations extend their existing anti-bribery management system to cover fraud rather than building a separate one.
For organisations below the threshold, a proportionate fraud and malpractice policy supported by basic financial controls and a clear reporting route is the practical answer. The substantive Fraud Act 2006 offences still apply regardless of size.
| alphaZ document | How to use it |
|---|---|
| ISO 37001 Anti-Bribery Toolkit | The financial crime management system toolkit. Built around ISO 37001, the leadership, risk assessment, due diligence, training and monitoring elements transfer directly to fraud prevention. The structural basis for an integrated bribery, AML, fraud and modern slavery framework. |
| P-10 Anti-Bribery and Corruption Policy | The companion anti-bribery policy. Most organisations adopt the bribery, AML and fraud policy stack together, with the same control framework underpinning all three. Where a standalone fraud and malpractice policy is needed, it follows the same structure. |
| P-107 Anti-Money Laundering Policy | The anti-money laundering policy. Suspected fraud frequently has money laundering implications - the AML policy provides the framework for SAR reporting and DAML requests where fraud proceeds may be involved. |
| ER9 Legal Register | The legal register entry for the Fraud Act 2006, the failure to prevent fraud offence in the Economic Crime and Corporate Transparency Act 2023, and related fraud and theft legislation. |
Note: subscribers to alphaZ documents can download all of the documents above as part of the subscription.
Frequently Asked Questions
Which organisations does the failure to prevent fraud offence apply to?
Section 199 of the Economic Crime and Corporate Transparency Act 2023 applies to large organisations - those meeting at least two of three thresholds in the financial year preceding the offence: more than 250 employees, more than £36 million turnover, more than £18 million in total assets. Group thresholds apply where parent and subsidiaries together meet the criteria. Below the threshold, the substantive Fraud Act 2006 offences still apply but the strict-liability corporate offence does not. The offence has been in force since 1 September 2025.
What is the difference between fraud and malpractice?
Malpractice is a broader concept than fraud. It covers fraud, but also dishonest conduct that does not necessarily meet the criminal threshold - undisclosed conflicts of interest, abuse of position, breaches of professional standards, misuse of organisational resources for personal gain, manipulation of records short of false accounting, and similar. Most organisations use a fraud and malpractice policy to cover both. The disciplinary response is typically the same regardless of whether the conduct is criminal - the question is whether it breaches the organisation's standards.
What are the most common types of fraud in an ordinary business?
For ordinary businesses, the most common internal fraud types are false expense claims, fictitious invoices created by staff in finance roles, payroll fraud (ghost employees or inflated hours), procurement fraud where contracts are steered to connected parties, and inventory theft. The most common external fraud types are invoice redirection scams (where a fraudster posing as a supplier asks for bank details to be changed), CEO fraud (where a fraudster impersonates a senior executive and asks for an urgent payment), and business email compromise. Segregation of duties and bank detail change verification are the highest-impact controls for most organisations.
Who should suspected fraud be reported to?
Reporting decisions depend on the nature and value of the suspected fraud. For most reportable fraud cases, Action Fraud (the UK's national fraud reporting centre, run by the City of London Police) is the standard route - reports go through to the National Fraud Intelligence Bureau, which assesses whether police investigation is appropriate. For larger or more complex cases, particularly those involving directors or substantial sums, direct contact with the police, the Serious Fraud Office (in cases meeting their criteria) or specialist solicitors is usually advisable. Cases with money laundering implications also require a Suspicious Activity Report to the National Crime Agency. Insurers should also be notified promptly where fidelity cover may apply.
How do anti-bribery, anti-fraud and anti-money laundering fit together?
The three sit on the same control framework. Anti-bribery, anti-fraud and anti-money laundering all rely on the same elements - tone from the top, risk assessment, due diligence, financial controls, training, whistleblowing and monitoring. The two corporate "failure to prevent" offences (Section 7 Bribery Act 2010, with its "adequate procedures" defence, and Section 199 Economic Crime and Corporate Transparency Act 2023, with its "reasonable procedures" defence) use the same structure, and the Money Laundering Regulations 2017 require the regulated sector to maintain risk-based policies, controls and procedures built from the same elements. A well-designed financial crime management system addresses all three from a single set of policies, controls and audit activities.
UK Legislation
- Fraud Act 2006
- Economic Crime and Corporate Transparency Act 2023
- Theft Act 1968
- Forgery and Counterfeiting Act 1981
- Companies Act 2006
- Proceeds of Crime Act 2002
- Bribery Act 2010
