Fraud and Financial Misconduct: How GCs are modernising control frameworks
21 April 2026
The fraud threat facing UK businesses has never been more acute. The National Crime Agency’s 2025 National Strategic Assessment reported a 19% increase in fraud incidents, to 3.9 million in the year ending September 2024. At the same time, AI‑enabled deepfakes and voice cloning are now being deployed in increasingly sophisticated CEO‑fraud scenarios targeting large corporates.
Cifas, the UK’s leading fraud prevention service, recorded a record 421,000 fraud cases filed to the National Fraud Database in 2024 alone — a 13% year‑on‑year rise — while insider threat filings increased by 21%.
For General Counsel and in‑house legal teams, these trends are not simply operational risks. They translate directly into heightened board exposure, regulatory scrutiny and personal accountability for the adequacy of controls, oversight and investigative response.
Against this backdrop, the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) has introduced the failure to prevent fraud (FTPF) offence under section 199, in force since 1 September 2025. It materially reshapes corporate criminal liability and significantly raises the stakes for those responsible for governance and compliance.
A new liability landscape
The ECCTA 2023 failure to prevent fraud offence applies to large organisations, broadly those meeting two or more of the Companies Act thresholds of more than 250 employees, more than £36 million turnover and more than £18 million in total assets. It creates criminal liability where an employee, agent, subsidiary or other associated person commits a specified fraud offence intending to benefit the organisation (or, in some cases, a person to whom the organisation provides services), unless the organisation can show that it had reasonable fraud prevention procedures in place.
Critically, there is no need to prove that directors or senior managers ordered, or even knew about, the fraud. For GCs advising boards, this represents a clear shift away from fault‑based liability towards an assessment of systems, controls and culture.
The only statutory defence is to demonstrate that the organisation either had reasonable procedures in place to prevent the fraud, or that it was not reasonable to expect any such procedures at all.
The Home Office’s November 2024 statutory guidance sets out six principles that should inform those procedures:
- Top-level commitment
- Risk assessment
- Proportionate risk-based prevention procedures
- Due diligence
- Communication (including training)
- Monitoring and review
In parallel, the Serious Fraud Office’s (SFO) November 2025 guidance on evaluating corporate compliance programmes confirms that the effectiveness of an organisation’s compliance arrangements will be scrutinised at every stage — from prosecution decisions and deferred prosecution agreements through to sentencing.
The SFO has been explicit that it will “dig behind generalities and challenge high level assertions”. From an in‑house perspective, a paper‑based or generic compliance programme will offer little protection.
Closing the gap between Legal, Audit and Risk
One of the most significant shifts prompted by ECCTA 2023 is the expectation of closer integration between legal, internal audit, finance and risk functions.
The Home Office guidance places clear emphasis on designated accountability for horizon scanning, for developing and testing fraud detection and prevention measures, and for the quality of management information reaching the board.
For many organisations, the legal team is best positioned to bridge the silos that historically allowed procurement manipulation, expenses abuse or financial misreporting to sit below the radar.
In practice, this has increasingly placed the GC at the centre of fraud governance, coordinating inputs across functions and ensuring that risk assessments are current, coherent and defensible.
It is also GCs who are increasingly leading the effort to embed fraud risk within the enterprise risk management framework, so that these typologies are assessed and monitored alongside the organisation's other principal risks rather than left to individual functions.
This cross‑functional collaboration is essential to producing the dynamic, evidence‑based risk assessment that regulators now expect.
Practical steps towards defensible governance
Building a defensible programme means going well beyond drafting updated policy documents.
Organisations should map fraud risk typologies across associated persons, from employees in sensitive finance or procurement roles to contractors, intermediaries and agents within the supply chain, and ensure that prevention measures are proportionate to the risk identified.
Financial controls such as segregation of duties, reconciliation processes and suitable sign-off arrangements should be stress-tested, not simply documented for audit purposes.
Whistleblowing arrangements must be clearly communicated and demonstrably effective. Training should be role-specific, regularly refreshed and monitored for completion and comprehension.
Importantly, from a legal risk perspective, decisions not to implement particular controls should be formally recorded, together with the rationale and the senior individual authorising that approach. This audit trail may prove critical if the adequacy of procedures is later challenged.
Investigative readiness
When misconduct surfaces, speed and structure matter. The Home Office guidance makes clear that investigations should be appropriately scoped, adequately resourced and legally compliant. For in‑house teams, this means having clear protocols in place before an issue arises.
GCs should establish, in advance, decision‑making frameworks covering what triggers an investigation, who authorises it, when external counsel or investigators are engaged, how legal privilege is managed and how findings are escalated to the board.
The SFO’s cooperation policy and the joint CPS-SFO corporate prosecution guidance make clear that self-reporting, full disclosure and the quality of an internal investigation are weighty factors in prosecutorial decision-making.
An organisation that can demonstrate a genuinely proactive response — including making witnesses available and disclosing investigation details — is far better positioned when regulators come calling.
A continuing GC priority
The convergence of rising digital fraud, expanded corporate criminal liability and increasingly exacting enforcement standards means that fraud governance can no longer be treated as a periodic compliance exercise.
For General Counsel, it is now a continuously evolving operational priority, one that sits squarely at the intersection of legal risk, board assurance and organisational trust.
Those who act decisively now will be best placed to protect their organisations, not only in the boardroom, but, if necessary, before prosecutors and the courts.