The new UK “Failure to Prevent Fraud” offence

New focus for compliance work: preventing internal fraud (“inside-out”)

On 1 September 2025, the “Failure to Prevent Fraud” offence (FTPF Offence) under the Economic Crime and Corporate Transparency Act 2023 came into effect in the United Kingdom. It establishes a new, far-reaching regime of sanctions. Also, large organisations in Germany with a nexus to the United Kingdom might now be required to take appropriate preventive measures to ensure that “associated persons” do not intentionally commit fraud (also) for the benefit of the organisation. A failure to prevent such fraudulent actions can be sanctioned as a distinct corporate offence, punishable by significant fines (“unlimited fines”). Sanctions can also lead to the usual consequences of non-compliance, such as exclusion from tenders, reputational damage, civil law claims, and difficulties in securing finance.

For many compliance departments, this focus on fraudulent conduct emanating from within the company itself (“inside-out”) will be new. Traditionally, compliance efforts have centred on preventing corruption and competition law violations, as well as on anti-money laundering and data protection – fraud, by contrast, has typically been seen as an “outside-in” risk, that is, an external attack on the company, with only general demands for legal compliance by employees. Now, German companies – where the UK Act applies – should adopt measures with a clear focus on “inside-out” fraud prevention.

What does the law cover?

The law applies to fraud committed intentionally by an “associated person” for – at least partly – the benefit of the company. This includes fraud offences under the Fraud Act 2006 as well as certain other economic crimes (theft, false statements, fraudulent accounting, and specific tax offences).

The term “associated person” refers to any natural or legal person acting for or on behalf of the company, where the actual circumstances are decisive, not just the formal contractual arrangements. Thus, “associated persons” include the company’s own staff and subsidiaries, as well as – depending on how their activities and representative powers are structured – agents, commercial representatives, suppliers, service providers, consultants, intermediaries, and also freelancers and temporary workers.

The law requires that the associated person acts “dishonestly and knowingly”. This person (or their organs/bodies) must be aware of the deception and must (at least partly) intend to benefit their company. For example, this would apply if a salesperson issued false invoices, fully aware that the service was not provided, to secure an illegitimate payment for their company, or if an agent deliberately manipulated shipping documents submitted to UK authorities to reduce import duties. Pure negligence, or a lack of supervision or administration without intent to deceive or enrich, does not fall under this act.

The challenging assessment of the scope of application

Large organisations

The wording of the law seems (at first glance) straightforward: it applies to corporations and partnerships meeting at least two out of three criteria (more than £36 million turnover, more than £18 million in total assets, more than 250 employees). It is sufficient if a multinational group headquartered outside the United Kingdom exceeds these thresholds globally, provided there is a UK nexus.

However, key questions include which group company is intended to benefit from the fraudulent action, which company the perpetrator is “associated” with, and whether that company itself qualifies as a “large organisation”.

UK nexus

The situation is complicated further by the fact that the scope can be triggered even without a subsidiary in the UK – provided a UK nexus exists. This nexus could be affirmed where the fraudulent action relates to UK markets, business partners, customers, banks, or digital platforms. Companies should review the law’s applicability whenever products are sold to UK businesses or consumers – directly, via third parties, or via digital platforms – or when services or digital products are offered to UK users online.

Implications for compliance organisation

Extensive versus minimal CMS adaptation

A German group with UK business links is now faced with the question:

  • whether to conduct a detailed assessment of whether, and which, group entities fall within the scope of the FTPF Offence and focus their fraud prevention measures on these entities; or
  • whether to enhance the global compliance management system (CMS) with elements targeting fraud prevention.

The appropriate approach will depend on the specific circumstances, including the risk profile.

Compliance defence (“reasonable procedures”)

A company’s liability can be reduced or excluded if it can demonstrate that it has implemented and continuously developed a risk-based, effective compliance management system. The UK Home Office describes these “reasonable procedures” in detailed guidance. Many aspects will be familiar, for example, from IDW PS 980 (the German Institute of Auditors’ standard) – but this time, the focus is on “inside-out” fraud, so there are some specifics to note. The authorities stress that “paper compliance”, that is, mere documentation, is worthless: effectiveness, up-to-dateness, proper documentation, and practical implementation count.

Top-level commitment and governance

Effective fraud prevention – as with other governance and compliance matters – requires clear and consistent leadership from management and the board, visibly modeling compliance (“tone at the top”) and shaping the compliance culture. It is equally important for leadership at all organisational levels – especially middle management (“tone in the middle”) – to actively set an example and communicate the importance of integrity and compliance through their conduct.

Risk assessment as a foundation

Conducting a risk analysis is cited as another “reasonable procedure”. Companies should analyse all relevant business units, products, markets, and associated third parties (associated persons) for potential links to the United Kingdom. More importantly, they should consider the new focus on “inside-out” fraud when designing and conducting compliance risk analyses. This may mean including departments in the risk assessment traditionally seen as low risk, beyond classic, higher-risk areas like sales and procurement; e.g., the central ESG, accounting, or controlling functions may hold red flags for fraud committed by employees in other units.

Clear policies and adequate procedures

Preventing and combating “inside-out” fraud requires specific internal guidelines and processes. It may also be appropriate to anchor the issue in related policy documents (such as those for ESG, accounting, and controlling).

Control mechanisms

Companies may need to adapt their internal controls for fraud prevention, involving other governance functions (e.g., controlling, accounting). The use of advanced technologies (such as AI-based data analysis or compliance tools) can enhance monitoring and documentation.

Business partner approval process for “associated persons”

Systematic screening of “associated persons” is essential. Companies must first identify those individuals or businesses acting on their behalf and thereby qualifying as “associated persons”. A risk-based due diligence and monitoring process focused on fraud prevention should be implemented, possibly as part of existing business partner approval procedures. Companies should also ensure that contractual compliance and control obligations are included in all relevant business relationships and are regularly monitored.

Training, awareness, and communication

Companies should provide regular, tailored training to both key employees and external third parties considered “associated persons” and communicate effectively about the topic.

Whistleblowing and reporting systems

The UK Home Office emphasises the importance of reporting systems. Since implementation of the EU Whistleblowing Directive, most businesses already have such systems in place.

Monitoring, review and continuous improvement

Continuous improvement of the compliance management system is a recurring theme in UK Home Office expectations and is not new either.

Conclusion

The “UK Failure to Prevent Fraud” Offence requires international companies within its scope to implement a systematic, demonstrable, and effective approach to fraud prevention. The main challenge is not the substance of the new principles themselves, but the consistent design of practical, measurable, and documented systems covering all possible areas of UK nexus – even where direct contact with the United Kingdom appears negligible.

Author

Dr. Kerstin Wilhelm

Linklaters, Munich
Attorney-at-law, Partner
kerstin.wilhelm@linklaters.com
www.linklaters.com


Author

Dr. Johannes Dittrich

Linklaters, Munich
Attorney-at-law, Head of Risk Advisory Europe
johannes.dittrich@linklaters.com
www.linklaters.com