The United Kingdom’s Failure to Prevent Fraud (FTP) offense, which came into force in September under the Economic Crime and Corporate Transparency Act (ECCTA), marks a pivotal expansion of corporate criminal liability. The provision applies to any “large organization” meeting two of three criteria: over 250 employees, annual turnover exceeding £36 million, or total assets above £18 million — regardless of where the company is incorporated.
This wide scope means that U.S. parent firms and their non-U.K. subsidiaries could face prosecution if “associated persons” — a category spanning employees, agents, subsidiaries, or contractors — commit fraud linked in any way to the U.K.
The jurisdictional hook is equally broad. Companies can be charged if any part of the fraud occurred in the U.K., or if the gain or loss was realized there, even when the misconduct took place abroad. Legal experts say this reflects a clear intent by British lawmakers to dismantle jurisdictional loopholes long exploited by global corporations.
Redefining Compliance and Risk Across Borders
The only available defense under the new regime is for companies to prove they had “reasonable procedures” in place to prevent fraud. The U.K. government’s 44-page guidance details these expectations, outlining six foundational principles: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and ongoing monitoring.
Lawyers Simon Airey and Andrew Butel of McDermott, Will & Schulte note that global compliance programs cannot simply “rebrand existing controls.” Instead, they must rebuild frameworks from the ground up to align with the FTP fraud offense’s expanded definition of fraud — including deceptive reporting, market manipulation, greenwashing, and accounting misstatements that affect third parties.
Unlike the U.S. Sarbanes-Oxley framework, which focuses inward on protecting shareholders, the FTP law targets outward-facing misconduct that harms external stakeholders such as investors, customers, and regulators. “The U.K. model is shifting from detection to prevention — and it expects governance structures to evolve accordingly,” said one compliance expert.
Boardrooms Under New Pressure
The ECCTA’s design squarely places responsibility on corporate leadership. The board and senior executives are expected not only to endorse anti-fraud policies but to actively demonstrate engagement through oversight, communication, and resource allocation.
The guidance emphasizes that boards must enable direct reporting lines between compliance officers and the board, avoiding bureaucratic bottlenecks that could obscure misconduct. Organizations are urged to invest in training, whistleblower systems, and regular risk reviews that explicitly account for U.K. nexus scenarios.
In practice, this means that multinational corporations must embed U.K.-specific fraud considerations into global compliance playbooks — an endeavor likely to reshape internal audit and governance functions. “Passive compliance won’t be enough,” Airey and Butel write. “The government expects tangible evidence of anti-fraud culture at the top.”
Building Defenses in a Post-FTP World
For many companies, the biggest challenge lies not in identifying risk but in proving reasonableness after the fact. Regulators will judge the adequacy of compliance programs based on documentation, board minutes, and the speed and scope of internal investigations.
To that end, experts advise firms to adopt fraud-specific risk assessments that are dynamic, regularly updated, and designed to withstand prosecutorial scrutiny. Training those who triage whistleblowing reports to recognize “FTP red flags” is also critical, as is ensuring investigations are well-resourced and legally protected.
In essence, the FTP fraud offense pushes corporations toward a new model of accountability — one where ethical governance is as much a defense strategy as a moral imperative. For global companies operating in or with the U.K., compliance can no longer be a box-ticking exercise. It must become a living, documented proof of vigilance.
