“We Didn’t Know” Is No Longer Enough: What Does Failure to Prevent Fraud Introduce?

Why Was the Failure to Prevent Fraud (FTPF) Offence Introduced, and What Does It Require from Companies?

In many organisations, the reflex when “fraud” is discussed is usually the same: “A few rogue employees did it; the company had no knowledge of it.”

For many years in the UK, in order to hold a company criminally liable for fraud at the corporate level, prosecutors generally had to prove that senior management was involved in, or aware of, the misconduct. In the absence of evidence showing senior management involvement, it was often difficult to penalise the company, even where the fraud had taken place within the organisation or for its benefit. This meant that companies were not being held sufficiently accountable for areas such as systemic weaknesses, misaligned incentives, and weak oversight.

It is precisely because of this enforcement gap that the UK introduced the Failure to Prevent Fraud (FTPF) offence under the Economic Crime and Corporate Transparency Act 2023. The official guidance expressly states the need to make companies more effectively accountable for serious economic crime.

1 September 2025: The “We Didn’t Know” Defence Has Weakened

 The FTPF offence came into force on 1 September 2025.

The critical threshold under this regime is as follows: if an employee, agent, subsidiary, or another associated person or entity commits fraud with the intention of benefiting the company, the company may be held criminally liable if it did not have reasonable fraud prevention procedures in place.

What Does It Introduce, and What Does It Aim to Achieve?

At its core, FTPF shifts fraud out of the realm of an “isolated bad actor” problem and into the sphere of organisational responsibility. The aim is not merely to punish fraud after it occurs, but to compel organisations to establish preventive systems. In the guidance, this approach is framed as seeking “a significant shift in corporate culture by encouraging the introduction of fraud prevention procedures.”

In other words, FTPF is not interested in hearing “we have a policy.” It wants an answer to a more fundamental question:

Is the organisation actually preventing fraud in practice, or merely claiming that it is?

Who Does It Apply To? (The Large Organisation Threshold)

FTPF applies only to “large organisations.” According to the guidance, an organisation is considered “large” if, in the previous financial year, it met at least two of the following criteria:

• More than 250 employees
• Turnover exceeding £36 million
• Total assets exceeding £18 million

These criteria may be assessed on a group basis so as to include subsidiaries and may also capture entities outside the UK.

Does It Affect UK-Owned Companies in Türkiye or Turkish Companies with UK Links?

Under the FTPF offence, a UK-owned company operating in Türkiye, or a Turkish company with links to the UK, does not automatically fall within scope. However, if certain conditions are met, a risk of corporate criminal liability may arise in the UK.

From a Türkiye perspective, the most critical issue is the question of UK nexus. According to the guidance, for the offence to apply, the underlying fraud must have a connection recognised by UK law; for example, where part of the conduct took place in the UK, there is a victim or loss in the UK, or an unlawful gain arises in the UK.

Accordingly, a UK-owned company operating in Türkiye may be exposed to risk if the relevant misconduct scenario has a legal or factual connection to the UK. Similarly, a Turkish company operating with links to a UK subsidiary, customer, investor, bank, regulator, public fund, or market may also fall within the scope of this regime for the same reason. By contrast, a purely local fraud incident occurring in Türkiye, with no UK connection whatsoever, would not automatically trigger FTPF liability merely because the company has an English shareholder.

What Should Companies Do? How Can a “Genuine Anti-Fraud Culture” Be Demonstrated?

Under FTPF, the central defence is the existence of reasonable fraud prevention procedures. The UK guidance clearly sets out the main pillars expected in the design of such procedures: top-level commitment, risk assessment, proportionate risk-based procedures, due diligence, communication and training, and monitoring and review.

If this is translated into a practical roadmap for companies with Türkiye-UK links, the priorities would be as follows:

1) Ownership: The Board Must Own the Anti-Fraud Agenda

The spirit of FTPF is not that fraud risk should be delegated to a single department, but that it should be owned at board level. This means regular fraud risk reporting, robust challenge, follow-up on actions, and ongoing oversight.

2) Risk Assessment: Answering “Where and How Could This Happen?” with Data

The guidance specifically warns that where risk assessments are not kept up to date, a court may conclude that reasonable procedures were not in place. The goal here is to develop concrete fraud scenarios in areas exposed to risk, such as sales, procurement, finance, marketing, investor relations, and third-party management.

3) Third Parties: “They Are Not Our Employees” Is No Longer Reassuring

Through the concept of the “associated person/entity,” FTPF extends the risk perimeter beyond employees to external actors such as agents, intermediaries, and, in certain circumstances, subsidiaries. For that reason, risk-based due diligence, contractual protections, monitoring, and, where necessary, termination decisions become critical.

4) Incentives: Do KPI and Bonus Structures Encourage Fraud?

This is often the most difficult area. Fraud does not arise only from bad intent; it can also emerge from a combination of distorted incentives and weak controls. If targets are measured without regard to how they are achieved, the risk may increase.

5) Speak-Up and Internal Investigations: A Reporting Channel on Paper Is Not Enough

The independent review of reports and the escalation of findings to the board are evidence of a genuine anti-fraud culture. The guidance emphasises that investigations should be conducted independently, competently, and by the right people.

Conclusion

FTPF no longer asks companies only, “Did fraud occur?” It now asks, “What did you actually do to prevent it?” For large organisations, especially those with UK links, the issue is no longer whether policies exist on paper, but whether the company can demonstrate the existence of a functioning fraud prevention system that covers employees, third parties, and incentive structures in practice. In the post-1 September 2025 environment, the strength of the defence will depend less on saying “we did not know” and more on showing that “we took reasonable steps to prevent it.”