Corporate Fraud Laws in London: What Business Owners Must Understand
Corporate fraud laws in London are changing fast. Here's what every business owner must know to stay compliant, avoid prosecution, and protect their company.

Corporate fraud laws in London have entered a new and demanding era. If you run a business in the UK capital — or operate a company with any connection to the UK market — the legal landscape has shifted significantly under your feet, and not knowing about it is not a defence.
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced some of the most sweeping changes to corporate criminal liability in over a decade. These changes affect how fraud is investigated, how companies are prosecuted, and — critically — what your responsibilities are as a business owner when it comes to preventing fraud from happening inside your organisation.
The Serious Fraud Office (SFO) and the Crown Prosecution Service (CPS) are not quietly sitting on these new powers. They have made it clear, publicly, that prosecutions are coming. From September 2025, large organisations have no safe harbour if an employee or agent commits fraud for the benefit of the business, unless that business can demonstrate it had reasonable prevention procedures in place.
This article walks you through the seven most important things you need to understand about corporate fraud law in London: what the laws say, who they apply to, what the penalties look like, and how you protect yourself, your team, and your company from ending up on the wrong side of a criminal investigation.
1. Corporate Fraud Laws in London Have a New Foundation: The ECCTA 2023
Before anything else, you need to understand the piece of legislation driving most of the change: the Economic Crime and Corporate Transparency Act 2023.
The ECCTA received Royal Assent on 26 October 2023 and introduced a new corporate criminal offence for failing to prevent fraud, making large companies liable for fraud committed by their associates.
This was a deliberate and long-overdue reform. For decades, prosecuting a large corporation for fraud in the UK was exceptionally difficult. Prosecutors had to prove that the so-called “directing mind and will” of the company — essentially a very senior figure, often a director — was personally involved in the fraudulent act. The new offence changes this: prosecutors no longer have to show that the directing mind and will of a company was involved in the fraud.
That is a massive shift. It means the days of a company hiding behind a rogue employee or a mid-level manager are largely over. If someone acting on behalf of your business commits fraud that benefits the business, you could be criminally liable.
The Two Key Mechanisms Under ECCTA
There are actually two distinct but related ways ECCTA creates corporate liability:
First, there is the Failure to Prevent Fraud (FTPF) offence under Section 199, which applies to large organisations and holds them responsible for not stopping fraud by associated persons.
Second, and less talked about, is Section 196, which expanded corporate criminal liability for a wider range of economic crimes. Under Section 196, companies of any size can be prosecuted if a senior manager commits any of a lengthy list of offences, including false accounting, forgery, and money laundering.
That second point is crucial. Even if your business is too small to fall under the FTPF provisions, Section 196 still applies. Many small and medium-sized business owners in London are unaware of this exposure.
2. Who the Failure to Prevent Fraud Offence Actually Applies To
One of the most common misconceptions about these corporate fraud regulations in the UK is that they only affect giant multinational corporations. That is partially true for the FTPF offence — but the threshold might be lower than you think, and the exemptions do not fully protect smaller businesses.
The “Large Organisation” Threshold
The offence can be committed by both UK and non-UK organisations that meet at least two of the following three criteria in the year prior to the fraud offence: more than £36 million turnover, more than £18 million balance sheet total, and more than 250 employees.
So if your London-based business clears two of those three bars, you are in scope. This is not just the FTSE 100. A mid-sized professional services firm, a growing fintech, a regional manufacturing group — all could fall within scope depending on their financials.
What About Smaller Businesses?
Although the current focus is on large businesses, the Act does permit the scope to be extended in the future to cover small and medium-sized businesses. In practice, smaller and medium-sized businesses will still be impacted where they are part of a wider corporate group that meets the above criteria, or where they are working as associated persons.
In other words, if you are a smaller contractor or supplier working on behalf of a larger entity, your employees’ conduct could expose the larger organisation — and that creates pressure on you through contracts and commercial relationships, even if you are not directly liable under the FTPF provisions.
The Home Office has also explicitly encouraged smaller organisations outside the formal scope of the offence to review the guidance as best practice. That is not just a suggestion — it is a signal that the threshold may be lowered in future.
3. What Counts as a “Base Fraud Offence” Under UK Law
To understand when corporate liability for fraud kicks in, you need to know what fraud offences are actually covered. These are referred to as “base fraud offences,” and the list under the ECCTA is deliberately broad.
The relevant offences include:
- Fraud by false representation under the Fraud Act 2006
- Fraud by failing to disclose information under the Fraud Act 2006
- Fraud by abuse of position under the Fraud Act 2006
- Obtaining services dishonestly under Section 11 of the Fraud Act 2006
- Participation in a fraudulent business under Section 9 of the Fraud Act 2006
- False accounting under the Theft Act 1968
- Fraudulent trading under the Companies Act 2006
- Common law fraud, including Scots law offences of uttering and embezzlement
The issue of who is intended to benefit from the underlying fraud is key to determining whether a business can be held criminally liable for the failure to prevent fraud offence. The intention to benefit the business does not have to be the sole or dominant motivation for the fraud.
Here is a concrete example worth thinking through: a salesperson on commission uses misleading claims to close deals. They are primarily doing it for their own bonus. But the company’s revenue goes up too. Even though this is not the fraudster’s primary motivation, the intention to benefit the company can be inferred because the benefit to the salesperson is contingent on the benefit to the organisation.
That kind of scenario plays out across sectors — in financial services, in property, in retail. It is not hypothetical. It is the kind of case that regulators are actively looking for.
4. Who Is an “Associated Person” Under These Corporate Fraud Laws
This is one of the most critical definitions in the entire legislation, and it is broader than most business owners expect.
An associated person is essentially anyone providing services for or on behalf of the organisation, regardless of whether they are under contract or not, including employees, agents, and subsidiaries — all of whom are automatically regarded as associated persons.
The word “automatically” matters here. You do not have to have a formal employment contract with someone for them to count as an associated person. A freelance sales agent working on your behalf, a joint venture partner promoting your products, an overseas distributor selling under your brand — all of these could potentially qualify.
Those providing services to an organisation, rather than for or on behalf of it, are generally not considered associated persons — this includes external lawyers, valuers, accountants, or engineers.
So your outside legal counsel or accounting firm is not going to create this type of liability for you. But the internal or quasi-internal people working within your operations absolutely can.
Parent Company Liability
The offence will apply to a parent company if the group headed by it — defined as the parent and its subsidiaries — meets in aggregate two or more of the criteria above.
If you run a holding company structure in London with several operating subsidiaries, the liability assessment is done at the group level. A fraud committed by an employee of a subsidiary, intended to benefit that subsidiary, could expose the parent company to prosecution.
5. The Penalties for Corporate Fraud in London Are Severe
People sometimes talk about corporate fraud penalties as though fines are just a cost of doing business. That view is both legally uninformed and commercially dangerous.
Criminal Penalties
Under the FTPF offence, if your organisation is found guilty, the primary penalty is an unlimited fine. There is no cap. For a large organisation, a conviction could result in penalties running into tens or even hundreds of millions of pounds, depending on the scale of the fraud and the financial benefit obtained.
Repercussions for organisations that do not have reasonable measures in place to prevent fraud include unlimited fines, reputational damage, and regulatory scrutiny.
Beyond the fine itself, there are serious downstream consequences:
- Debarment from public contracts — a criminal conviction can disqualify your business from tendering for government work, which for many London-based professional services and construction firms represents a significant part of revenues.
- Regulatory consequences — businesses in regulated sectors (financial services, legal, accountancy) face additional consequences with their regulators, including potential licence revocations.
- Director liability — the FTPF offence is a corporate offence only, so directors and senior managers are not personally liable for a failure to prevent fraud within the organisation. However, any associated person who commits the underlying fraud offence may still be individually prosecuted for that offence.
- Reputational damage — in London’s professional and financial markets, a corporate prosecution is front-page news. Clients, investors, and partners notice.
The Extraterritorial Reach of UK Fraud Law
One aspect that catches many international businesses off guard is the extraterritorial application of these laws. The offence has extraterritorial application, meaning the organisation does not need to be incorporated or conduct business in the UK for the offence to apply. It will be sufficient to establish jurisdiction if any act or omission that needs to be proved as part of the fraud occurs in the UK, or the intended loss or gain was due to take place in the UK.
If you are a foreign-headquartered company with a London office, or even just a business that regularly deals with UK clients, you may have exposure you have not yet accounted for.
6. The “Reasonable Procedures” Defence — Your Primary Protection
The good news — and there is genuine good news here — is that there is a defence available. The reasonable procedures defence is your primary protection against prosecution under the FTPF offence. The challenge is that you have to build it, document it, and be able to prove it to a court.
Organisations will have a defence if they can show that they have reasonable procedures in place to prevent fraud. Alternatively, if the organisation can demonstrate to the satisfaction of the court that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures, then this can also qualify as a defence.
What does “reasonable procedures” actually mean in practice? The government has published guidance, but it is deliberately principle-based rather than prescriptive. The core elements are:
1. Risk Assessment
Each organisation must put reasonable procedures in place to address the particular risks it faces arising from the unique facts of its own business. This requires careful, comprehensive, and regular risk assessment, which considers the potential for fraud to be committed by any person who may be considered the corporate’s associated person or agent.
A generic fraud risk assessment copied from a template is not going to cut it. You need to look at your specific business model, your supply chain, your commercial relationships, and your incentive structures, and honestly assess where the fraud risks actually sit.
2. Policies and Controls
Once you know your risks, you need documented policies and internal controls to address them. These should include:
- An anti-fraud policy with clear definitions and examples
- Whistleblowing mechanisms that employees and agents can use confidentially
- Due diligence processes for onboarding agents, intermediaries, and high-risk business partners
- Financial controls including segregation of duties for payment approvals and contract sign-offs
- Conflict of interest procedures for senior staff
3. Training
Disseminating the company’s fraud prevention policies is as important as implementing them. Management should arrange training for staff and other prospective agents to explain the scope of and risks associated with the failure to prevent fraud offence.
Training needs to be more than a compliance module that employees click through once a year. It should be role-specific, regularly updated, and documented with records of who attended, when, and what was covered.
4. Tone at the Top
No fraud prevention framework works without leadership commitment. If senior management treat these policies as a box-ticking exercise, employees will mirror that attitude. The guidance emphasises that the culture of the organisation — set by those at the top — is a key factor courts will consider.
5. Monitoring and Review
The risk assessment and the procedures that flow from it are not a one-time exercise. The risk assessment should be kept under review. If the risk assessment has not been reviewed recently enough, a court may determine that it was not fit for purpose.
7. How London’s Regulators Are Enforcing These Corporate Fraud Laws
Understanding the law is only useful if you understand how it is being enforced. In London, corporate fraud enforcement sits across several bodies, and they are increasingly co-ordinated.
The Serious Fraud Office (SFO)
The SFO is the primary agency for investigating and prosecuting serious or complex fraud in the UK. Nick Ephgrave, Director of the SFO, has said it is “very, very keen” to bring charges against companies under the new offence, noting that “come September, if they haven’t sorted themselves out, we’re coming after them.”
That is not the measured language of a regulator reluctant to act. The SFO has been building capacity and expertise for exactly this moment.
The Crown Prosecution Service (CPS)
The CPS and SFO published joint updated guidance for prosecutors around dealing with corporate prosecutions. The new failure to prevent fraud offence will make large organisations legally responsible for preventing fraud committed by their employees and other associated persons.
The CPS handles prosecutions across England and Wales more broadly. The joint guidance between the CPS and SFO is significant — it means both agencies are aligned on how to approach these cases, which creates a more predictable but also more determined prosecution environment.
The Financial Conduct Authority (FCA)
For businesses in regulated financial services — which covers a huge portion of London’s economy — the FCA operates in parallel. A fraud investigation or conviction can trigger separate FCA enforcement action, including fines, public censure, and the withdrawal of regulatory permissions. The FCA is also one of the bodies to which companies are encouraged to self-report when fraud is discovered internally.
Self-Reporting as a Strategic Consideration
The CPS and SFO encourage organisations to report fraud when they discover it. Organisations that self-report fraud demonstrate their commitment to responsible corporate governance.
This is not just about being cooperative — it is a legal strategy. Companies that self-report typically receive more favourable treatment in terms of any resulting prosecution, including the possibility of a Deferred Prosecution Agreement (DPA) rather than a full criminal conviction. DPAs have been used in a number of high-profile UK corporate cases and allow a company to acknowledge wrongdoing, pay a penalty, and implement reforms without receiving a criminal conviction.
For more detail on how the UK’s corporate prosecution framework operates in practice, the full CPS and SFO joint Corporate Prosecutions Guidance is publicly available and worth reading.
Practical Steps London Business Owners Should Take Right Now
Given everything above, what should you actually do? Here is a straightforward action plan:
- Map your fraud risks — Conduct a written risk assessment specific to your business, covering your people, your commercial relationships, your incentive structures, and your sector-specific vulnerabilities.
- Review your contracts with agents and intermediaries — If you use agents, distributors, or third parties who work on your behalf, your agreements should include fraud prevention obligations and audit rights.
- Implement or update your anti-fraud policy — Make sure it is current, clearly written, and actually distributed to staff and relevant third parties.
- Create a confidential reporting channel — Employees need a way to report concerns without fear of retaliation. An anonymous whistleblowing hotline or an independent reporting mechanism is part of reasonable procedures.
- Train your people — Not just a generic e-learning module, but role-specific training that shows employees what fraud looks like in the context of your actual business.
- Document everything — If you ever need to rely on the reasonable procedures defence, you will need evidence. Keep records of risk assessments, training completion, policy sign-offs, and any internal investigations.
- Take legal advice — Given the complexity and stakes involved, working with a solicitor who specialises in corporate crime and compliance in London is a sound investment. The Serious Fraud Office guidance portal is a good starting resource.
The Relationship Between Corporate Fraud Laws and Other Key UK Legislation
Corporate fraud law in London does not exist in isolation. It sits alongside, and sometimes overlaps with, several other important pieces of UK legislation that business owners need to be aware of.
The Fraud Act 2006
This is the foundational statute for fraud in England, Wales, and Northern Ireland. It defines fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position. Most of the base fraud offences under the ECCTA trace back to this Act.
The Bribery Act 2010
The Bribery Act introduced the first “failure to prevent” corporate offence in the UK — specifically for bribery. The failure to prevent fraud offence is similar in structure to the schemes under Section 7 of the Bribery Act 2010 and Sections 45 to 46 of the Criminal Finances Act 2017.
If your business already has a Bribery Act compliance framework in place, that is a solid foundation — but it needs to be extended to cover fraud risks, as the two overlap but are not identical.
The Proceeds of Crime Act 2002
This statute governs money laundering in the UK and is directly relevant to fraud cases, since the proceeds of fraud are typically also the subject of money laundering charges. Businesses in regulated sectors have specific anti-money laundering (AML) obligations under this Act.
The Companies Act 2006
Fraudulent trading under the Companies Act 2006 is one of the base offences under the ECCTA. Directors who knowingly carry on business for fraudulent purposes face personal criminal liability as well as corporate exposure.
Common Types of Corporate Fraud That Surface in London Businesses
Understanding the legal framework is important, but so is understanding what these frauds actually look like in practice. The most common forms of corporate fraud in London that trigger investigations include:
- Invoice fraud and mandate fraud — false or redirected payment requests, often targeting accounts payable teams
- Payroll fraud — ghost employees, inflated salaries, or unauthorised bonus payments
- Procurement fraud — kickbacks, bid-rigging, or conflicts of interest in supplier selection
- Financial statement fraud — misrepresenting revenues, assets, or liabilities in company accounts
- Mis-selling — selling financial products, property, or services on the basis of false or misleading information
- Expense fraud — systematic falsification of expense claims by employees
- Greenwashing fraud — making false or misleading environmental claims about products or services, which is explicitly mentioned in the ECCTA guidance as an area of exposure
Each of these categories has specific risk indicators and control requirements. A credible fraud risk assessment will work through each one in the context of your business.
Conclusion
Corporate fraud laws in London have never been more demanding, and business owners who treat compliance as someone else’s problem are taking on real, quantifiable criminal and financial risk. The Economic Crime and Corporate Transparency Act 2023 has fundamentally changed the rules: organisations can now face prosecution for fraud committed by employees and associates without prosecutors needing to prove board-level knowledge or involvement. The reasonable procedures defence offers genuine protection, but only to businesses that have built, documented, and maintained robust fraud prevention frameworks.
That means honest risk assessments, clear policies, meaningful training, proper reporting channels, and a leadership culture that takes this seriously. For London-based businesses — whether you are a mid-sized professional services firm, a financial institution, or a growing startup approaching the large-organisation threshold — the time to act is now, before a problem surfaces rather than after one does.











