Failure to Prevent Fraud at Eight Months: How the April 2025 Threshold Uplift Quietly Narrowed the Net

The corporate offence of failure to prevent fraud, introduced by section 199 of the Economic Crime and Corporate Transparency Act 2023, has now been in force for eight months. Commencement on 1 September 2025 ended a near-two-year wait between Royal Assent and operative law, during which the Home Office published its long-form guidance on what counts as 'reasonable procedures' (November 2024) and large UK corporates worked through the predictable Bribery-Act-shaped readiness exercise. What has been less discussed — and is the subject of this piece — is that an unrelated change to the Companies Act 2006 size brackets, the small-and-medium uplift effective for accounting periods beginning on or after 6 April 2025, has materially shrunk the population of organisations the new offence actually catches.

The offence in plain terms

Under section 199, a 'relevant body' (a body corporate or partnership that is a 'large organisation') commits an offence if a person associated with it commits a specified fraud offence intending to benefit, directly or indirectly, the relevant body, or a person to whom the associated person provides services on the body's behalf. The associated person can be an employee, agent, subsidiary, or anyone else performing services for the body.

Two features make it formidable. First, it is a true corporate offence: the prosecutor does not need to establish the so-called 'directing mind and will' of the relevant body, the test that has historically defeated UK corporate fraud prosecutions. Second, it is strict liability subject to a statutory defence: the only escape route is to show that the body had in place reasonable fraud-prevention procedures, or that it was reasonable in all the circumstances not to have any procedures in place.

Penalty on conviction in the Crown Court: an unlimited fine.

Who is a 'large organisation'? The threshold that quietly moved

Section 201 confines the offence to large organisations. The drafting routes through the Companies Act 2006: a large organisation is one that does not qualify as 'small' or 'medium-sized' under sections 382, 383, 465 and 466, tested across the group on a consolidated basis where the body is a parent.

That means the FtP Fraud threshold moves whenever the Companies Act size brackets move. They moved, with effect for accounting periods beginning on or after 6 April 2025.

Two of the three thresholds must be exceeded for the bracket above to apply, with the usual two-consecutive-years rule for transitions.

In practice, an organisation that was 'large' under the old thresholds — say, £42 million turnover, £21 million balance sheet, 280 employees — and was therefore squarely in scope on 1 September 2025 commencement, will fall back into the medium-sized bracket once it transitions onto the new thresholds for its 6-April-2025-onwards period. Once in that bracket for two consecutive years, it sits outside section 199 entirely. The Department for Business and Trade's impact assessment for the Companies (Accounts and Reports) (Amendment) Regulations 2024 estimated that approximately 13,000 UK companies would shift from medium to small, and around 5,000 from large to medium, as a consequence of the uplift. The large-to-medium movers are the relevant cohort for FtP Fraud purposes.

The result is a regime narrower in 2026 than it was on commencement, even though the statute itself has not been amended. The Home Office's 2024 economic note projected that around 16,000 UK organisations would be in scope. The honest re-estimate, post-uplift, is closer to 11,000 — give or take, depending on group-test outcomes for subsidiary structures.

The Schedule 13 offences

The offence does not catch all dishonesty. It is keyed to a closed list of specified offences set out in Schedule 13:

1. Fraud by false representation — Fraud Act 2006, s2
2. Fraud by failing to disclose information — Fraud Act 2006, s3
3. Fraud by abuse of position — Fraud Act 2006, s4
4. Obtaining services dishonestly — Fraud Act 2006, s11
5. Participation in a fraudulent business carried on by a sole trader — Fraud Act 2006, s9
6. False statements by company directors — Theft Act 1968, s19
7. False accounting — Theft Act 1968, s17
8. Fraudulent trading — Companies Act 2006, s993
9. Cheating the public revenue — common law
10. Aiding, abetting, counselling or procuring any of the above

Money laundering is not included. Bribery is not included. Tax-evasion facilitation is dealt with separately by the Criminal Finances Act 2017, which is not threshold-restricted. Sanctions evasion is not included. The Schedule 13 list can be amended by statutory instrument — section 199(13) gives the Secretary of State a regulation-making power. Nothing has yet been added.

The defence: reasonable procedures, on the Bribery Act template

Subsection 199(4) creates the only available defence: that the body had in place such prevention procedures as it was reasonable in all the circumstances to expect, or that it was reasonable in all the circumstances not to have any procedures in place.

The Home Office's November 2024 Guidance to Organisations on the Offence of Failure to Prevent Fraud sets out six principles, deliberately patterned on the Ministry of Justice's Bribery Act guidance:

1. Top-level commitment — board-level fraud-prevention culture, audit committee or equivalent oversight, an articulated tone-from-the-top.
2. Risk assessment — documented, periodic, sensitive to sector and geography. Most large corporates are running this against a fraud taxonomy aligned to Schedule 13 plus the predictable add-ons: invoice fraud, expenses fraud, channel-stuffing, mis-selling.
3. Proportionate risk-based prevention procedures — controls calibrated to risk, not maximalist. The guidance is explicit that procedures should not be 'tick-box'.
4. Due diligence — counterparty screening for associated persons, including agents, intermediaries and (importantly for groups) subsidiaries.
5. Communication, including training — typically an annual mandatory module for all employees, with role-specific deepening for finance, sales and procurement.
6. Monitoring and review — assurance via internal audit, with refresh of the risk assessment at least annually.

Operative readers will recognise this as essentially the same architecture as Bribery Act adequate procedures. The drafting difference: the Home Office wrote its principles knowing that fifteen years of Adequate Procedures practice has matured. Where a Bribery Act risk register treats third-party agents as the principal exposure, an FtP Fraud risk register has to confront the sharper question of internal employee fraud committed for the benefit of the company — channel-stuffing, premature revenue recognition, supplier-side kickbacks, false accounting in regulated returns.

How it sits alongside the other 'failure to prevent' offences

The UK now has three live failure-to-prevent corporate offences. They are not symmetrical.

The large-organisation carve-out is the new offence's defining political compromise. Parliament accepted that a ground-up fraud regime risked imposing disproportionate compliance costs on SMEs, and used the existing Companies Act size brackets to draw the line. That reliance on Companies Act definitions is what produced the unintended interaction with the April 2025 uplift discussed above.

Eight months in: enforcement signals so far

There have been no charges. This is not surprising. The Bribery Act's first section 7 prosecution — R v Sweett Group plc — landed in February 2016, four and a half years after commencement. Failure to prevent the facilitation of tax evasion has produced no published convictions at all, eight years in, although HMRC's published pipeline shows a number of live investigations.

What has changed in eight months is corporate behaviour rather than enforcement output. The offence has reached audit-committee agendas across the FTSE 350 and AIM 100 with consistency, and 2026 internal audit plans typically show FtP Fraud assurance as a discrete line item — sequenced after a 'current state' benchmark in Q1 and a residual-risk close-out in Q4. Insurer behaviour is the other signal. D&O and commercial crime policy renewals into early 2026 are pricing in management-liability scenarios where reasonable-procedures evidence is thin, and several insurers are now requesting fraud-prevention attestations at underwriting. That is broadly how the Bribery Act got operationalised at corporate level: not through prosecutions, but through insurance and procurement clauses.

The Companies House dimension

Companies House does not enforce the offence. The Serious Fraud Office, the National Crime Agency, the Financial Conduct Authority and HMRC do, depending on the predicate. But the register is increasingly the starting point for 'associated person' mapping. The PSC register, the ECCTA-driven director identity verification regime, and the Register of Overseas Entities collectively make it materially easier than it was five years ago to establish whether a counterparty is, in substance, an associated person of a large organisation. A board running a credible due-diligence programme is, in 2026, querying Companies House data — including PSC and director-history records — at a depth that pre-ECCTA programmes did not.

For organisations that have moved out of scope thanks to the threshold uplift: section 199 does not apply, but the predicate fraud offences absolutely do, and corporate criminal liability for those still bites under the identification doctrine as reformed by ECCTA section 196 (which lowered the attribution test to acts of 'senior managers'). The reasonable-procedures architecture remains a sensible governance investment whether or not section 199 catches you.

In summary

Eight months in, failure to prevent fraud has done what its sponsors hoped: it has materially raised the cost of running a UK large organisation without a credible fraud-prevention programme. It has not yet produced a prosecution, and on the Bribery Act timetable it should not be expected to for another two to three years. The most consequential development of the past twelve months has been not the offence itself but the interaction between its threshold definition and the April 2025 Companies Act size uplift — a quiet narrowing of scope that no minister has had to announce, and that has knocked an estimated 5,000 corporates out of the population the regime was originally designed to reach. The statute is the same. The reach is not.