27 May 2025

Understanding the new “failure to prevent fraud” offence in the health and social care sector

The UK government’s new “failure to prevent fraud” offence introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) comes into force on 1 September 2025. The new law aims to hold large organisations (in both the public and private sectors) accountable if they stand to benefit from fraudulent activities conducted by their employees, agents, subsidiaries, or other associated persons.

Our fraud team has published an overview of the recent guidance on the new corporate criminal offence of "failure to prevent fraud" under the ECCTA, which you can read here.

In this article, we summarise the key points of the guidance and what this could mean for NHS organisations, private healthcare providers and care home operators.

What you need to know

To whom does this new offence apply?

  • The offence applies to “large organisations” which must meet at least two of the following criteria:
    • Turnover of more than £36 million.
    • Balance sheet total of more than £18 million.
    • More than 250 employees for the financial year preceding the year in which the fraud was committed.

  • The guidance clarifies the types of organisations to which the offence will apply, including:
    • Organisations incorporated under the Companies Act 2006.
    • Royal Charter organisations.
    • Organisations incorporated under statute, for instance, certain Government Agencies, NHS organisations (such as Integrated Care Boards or NHS Trusts).
    • Partnerships, including Limited Partnerships and Limited Liability Partnerships and unincorporated partnerships.
    • Societies under the Co-operative and Community Benefit Societies Act 2014.
    • Incorporated charities.

What’s the offence?

The new failure to prevent fraud offence will occur when an employee, agent, subsidiary or other “associated person” commits a fraud with an intention to benefit the organisation, and the organisation does not have adequate procedures in place to prevent the fraud.

It does not need to be shown that the organisation’s senior management or directors ordered or even knew about the fraud. An organisation will not commit the offence if it is the intended victim of the fraud.

This offence sits alongside existing law, so the individual may be prosecuted for fraud, and the organisation may be prosecuted for failing to prevent it. There is no individual criminal liability on employees for failing to prevent a fraud.

Penalties

Unlimited fines for organisations.

Is there a defence?

Yes, if organisations can show that they have reasonable procedures in place to prevent fraud.

Fraud prevention measures

Having reasonable fraud prevention measures in place will be a defence. The guidance outlines six principles to support organisations in developing these procedures.

  1. Proportionality: Measures should be proportionate to the size, nature, and complexity of the organisation, taking into account the nature of the frauds it faces and how prevention can be effectively implemented.

  2. Top-level commitment: Senior management must be committed to preventing fraud, fostering a culture where “fraud is never acceptable”.

  3. Risk assessment: Regular assessments should be undertaken to identify and mitigate fraud risks.

  4. Due diligence: Thorough checks should be made on employees, agents, and business partners, using appropriate technology, and tailoring due diligence to the different types of risk that an organisation faces.

  5. Communication and training: Clear communication and regular training on fraud prevention should be given (and in particular, specific training for those in higher risk positions).

  6. Monitoring and review: Ongoing monitoring and periodic review of fraud prevention measures should be conducted, which should include consideration of: the effectiveness of the measures in detecting attempted fraud; and how an investigation into suspected fraud would be carried out.

For organisations in the NHS, the NHS Counter-Fraud Authority provides information on the Public Sector Fraud Authority requirements that are to be applied across the NHS and wider health group. It includes more specific information on fraud risk assessment in the NHS.

What next?

With just over three months until the offence comes into force, NHS organisations and private sector healthcare providers and care operators should examine whether they might be at risk of criminal liability. Now is the time to ensure your fraud prevention measures are in good shape.

How can we help?

We have a team of experienced lawyers ready to help you understand the implications of the ECCTA guidance so you can ensure your organisation is compliant.

Contact us to discuss how we can assist you in developing and implementing effective fraud prevention strategies.

As tackling fraud becomes a priority in both the private and public sectors, Mills & Reeve has launched a new fraud forum, Deception Diaries. This forum will keep you informed about the evolving landscape and offer expert advice on trending fraud topics.
