Failure to prevent fraud in the public sector

The Crime and Policing Bill, still in the early stages of Parliamentary process, includes provisions - particularly Clause 130 - that may impact corporate liability. It proposes that organisations could be held liable when a senior manager commits a criminal offence (of any type) within the scope of their actual or apparent authority. While not directly linked to the failure to prevent fraud, this reflects a broader move to increase corporate criminal responsibility.

Though difficult to quantify, public bodies should not assume immunity. The Serious Fraud Office (SFO) has indicated it intends to actively use the new offence, in contrast to its use of established bribery legislation to date, emphasising enforcement through deferred prosecution agreements (DPAs) and promoting early self-reporting. The SFO has also made it clear that public interest considerations will not exempt public sector bodies from prosecution.

Authorities should start by conducting a robust fraud risk assessment. This should guide the development of proportionate and risk-based fraud prevention frameworks. Guidance from the Public Sector Fraud Authority (PSFA) and practical resources, such as the counter-fraud strategy practice note, can help build strong procedures.

Organisations should review existing and future contracts to identify “associated persons” and ensure fraud prevention clauses are included. Contracts can require third parties to maintain reasonable fraud controls and allow for independent audits. KPIs and termination clauses, amongst other provisions, should be used to monitor and enforce compliance, reducing exposure to fraud risks.

The offence takes effect from 1 September 2025. It is not retrospective and will apply only to fraud committed on or after that date. However, organisations (particularly those close to the thresholds that determine a “large organisation”) must be vigilant about how financial year definitions interact with the offence to ensure clarity on when obligations begin.

The government’s intention is to avoid placing unnecessary burdens on small and medium enterprises (SMEs), aligning with goals to support economic growth. However, this scope could evolve over time, much like other regulatory frameworks such as the economic crime levy.

Emergency scenarios refer to situations like cyber-attacks or pandemics (e.g., COVID-19) that may disrupt controls or heighten fraud risk. The guidance advises organisations to consider such scenarios in their risk assessments and plan mitigating controls accordingly - the existence of an emergency scenario will not in and of itself provide a defence to the offence.

No, this is a corporate offence. While individuals may be operationally responsible for implementing controls, liability for this offence sits at the organisational level. This does not prevent any individual committing a separate fraud offence, under different legal provisions.

Yes, it is likely. Larger organisations may require suppliers and partners regardless of size to comply with fraud prevention standards in bids, tenders, and contracts. While not mandatory for smaller organisations, adopting these practices is considered best practice and may become a commercial expectation.