Failure to prevent fraud offence to impact on construction sector

The new offence, which is part of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) (376 pages / 3.7 MB), comes into force on 1 September 2025 and will make organisations criminally liable when their associated persons engage in fraudulent conduct with the intention of benefitting the organisation or its customers. It covers a wide variety of common law and statutory fraud offences.

The failure to prevent fraud offence only applies to “large” organisations with two or more of the following: a net turnover for the financial year of over £36 million, a balance sheet of over £18 million and/or more than 250 employees. It will make these kinds of organisations criminally liable for the acts of “associated persons” (persons performing services for or on behalf of the organisation) where those associated persons commit an offence with the intention of benefitting the organisation or its customers/clients. The intention to benefit the organisation does not have to be the only or even the main motivation for the offence to committed. Organisations will not be liable where they are the victim of the offence.

Those operating in the construction sector may be perceived as facing a higher risk in relation to fraud than many other sectors. As such it is important that they consider where their business might be at risk of falling foul of this offence. There are a variety of circumstances where those operating in the construction sector could potentially receive a benefit arising from some form of fraudulent conduct. For instance, passing on fraudulently inflated subcontractor costs or false timesheets to a client, falsifying test or performance results, making fraudulent misrepresentations in tender processes, failing to pass on rebates received from suppliers to customers where the contract requires this, or making false statements in financial or environmental, social and governance (ESG) reporting.

It will be a defence to the failure to prevent fraud offence if the organisation in question can prove that it had reasonable prevention procedures in place, or that it was not reasonable in all the circumstances to expect it to have had any procedures in place. Statutory guidance was published on 6 November. The guidance anticipates that parent companies will take steps to prevent fraud by subsidiaries, including by implementing group level policies and training. 

The reasonable procedures guidance follows a six principles of compliance model:

• top level commitment – senior leaders within an organisation taking ownership of managing fraud risk;
• risk assessment – assessment of the risk of associated persons carrying out fraud for the benefit of the organisation (including its group) or its customers/clients;
• proportionate risk-based fraud prevention procedures – putting in place procedures that are tailored to and appropriately address the risks identified through the organisation’s risk assessment. At the heart of this should be a fraud prevention plan;
• due diligence – high risk counterparties should be identified through the risk assessment, and these parties need to be subject to due diligence tailored to those risks;
• communication – communication within the organisation alongside training of personnel to identify how these offences could materialise in practice. The communication principle also extends to ensuring whistleblowing processes are working well;
• monitoring and review – monitoring and reviewing the programme put in place to assess its effectiveness and to make sure that the risk assessment remains up to date and appropriate. The guidance makes clear that organisations are expected to have effective fraud detection and investigation procedures in place.

All businesses that come within the scope of the legislation need to carry out a risk assessment that considers their “exposure to the risk of employees, agents and other associated persons committing fraud in the scope of the offence”. The risk assessment will inform the business as to what measures it is proportionate for it to put in place to address the risks identified.

Construction businesses will already have in place compliance programmes relevant to fraud prevention and will have undertaken risk assessments in respect of other crimes - such as bribery, failure to prevent facilitation of tax evasion and modern slavery – and there is no need to re-invent the wheel. The most appropriate first step may be to revisit those programmes and risk assessments with a view to identifying gaps in these existing controls where the failure to prevent fraud offence would apply.

Where the risk assessment identifies areas that need to be strengthened in an organisation’s compliance programme, it may be a case of extending existing procedures or putting in place new procedures. These procedures could include, for example, a documented risk assessment which is monitored and updated, a fraud prevention plan, a code of conduct, compliance procedures, whistleblowing procedures, and communications and training. It should also include more holistic consideration as to how to reduce the opportunity for people to commit fraud in practice, for example considering how employee or customer incentivisation programmes and bonus schemes are structured.

Useful starting points for construction companies

Using the statutory guidance as a framework:

• factor in sectoral risks to risk assessment exercises (supply chains, contracting models, pressures on margins, public works projects, etc);
• ·organise board-level ECCTA briefings and designate responsibilities;
• involve stakeholders across legal, risk, compliance, finance, audit and HR in the fraud prevention plan;
• carry out enhanced fraud awareness training for senior managers and those in control functions;
• plan audits of fraud controls and detection tools

Previous changes to corporate criminal liability

As well as the forthcoming failure to prevent fraud offence, ECCTA has already introduced other changes to how criminal liability can be attributed to corporates for a wide range of economic crimes, including fraud.

Since 26 December 2023, if a senior manager commits a relevant offence under the Act, a corporate can be criminally liable for the senior manager’s conduct. A senior manager is not restricted to board-level individuals – it can include anyone who plays a significant role in managing or organising activities in a substantial part of a business. Divisional leadership teams and those responsible for service lines, functions, branches, regions or other geographies may fall within scope.

Compliance steps focused on senior managers are therefore essential to mitigate this further aspect of corporate criminal risk.

Neil McInnes of Pinsent Masons also contributed to this article.