
Turning compliance into confidence: what the failure to prevent fraud offence means for charities

The failure to prevent fraud offence, introduced under the Economic Crime and Corporate Transparency Act 2023, brings new regulatory expectations around fraud. It also offers charities an opportunity to strengthen governance, build confidence at board level, and protect the organisation’s mission.

At the same time, developments in the Crime and Policing Act reinforce the direction of travel by strengthening the attribution of corporate criminal liability through senior managers, increasing the importance of clear accountability for fraud prevention at leadership level.

The challenge when it comes to compliance with this legislation is not understanding that fraud risk exists; most finance leaders and trustees already recognise this. The challenge is translating broad legal expectations into something practical and actionable. What do “reasonable procedures” actually look like in a charity context?

Moving beyond compliance as a tick-box exercise

For many organisations, compliance is still seen as reactive and is usually triggered by incidents, auditor recommendations or regulatory pressure. That approach often leads to fragmented controls and inconsistent oversight.

The failure to prevent fraud framework encourages a different mindset. It asks organisations to take a proactive, organisation-wide view of fraud risk, focusing on prevention rather than response. This includes actively identifying fraud risk indicators and using continuous or regular data analysis to detect emerging issues at an early stage, rather than waiting for concerns to crystallise.

Crucially, this is not about asking organisations to reinvent the wheel. Instead, it is about building on and strengthening existing control frameworks, ensuring that fraud risk is explicitly considered and embedded within them.

Done well, this is not about creating more policies. It is about expanding existing controls and procedures and embedding clarity and accountability. For example:

• Do we understand where fraud risk genuinely sits in our organisation?

• Are controls designed around those risks, or inherited over time?

• Is there clear ownership of fraud prevention at senior management and trustee level?

When these questions are addressed, compliance stops being a burden and becomes a source of assurance for management, trustees and stakeholders.

What “reasonable procedures” look like in practice

There is no one-size-fits-all answer. What is “reasonable” depends on the size, complexity and risk profile of the charity. The guidance released by the Home Office in November 2024 states that procedures should be “risk-based and proportionate”. For an effective approach to implementing a robust fraud prevention framework, organisations should consider the following characteristics of their plan:

1. Risk-led, not policy-led

The starting point is to ensure there is a focused fraud risk assessment. The Home Office guidance states that “it will rarely be considered reasonable not to have even conducted a risk assessment”. This assessment should go beyond generic risks (e.g. procurement fraud or payroll fraud) and consider how fraud could realistically occur within your specific operations, such as within fundraising, grant distribution, partnerships or overseas activity.

2. Proportionate controls that work in reality

Controls should reflect how the organisation actually operates. For example, segregation of duties may not be feasible in a smaller charity, but alternative controls such as independent review or trustee oversight can still mitigate risk.

3. Clear accountability and oversight

Fraud prevention should sit clearly within governance structures. This might include regular reporting to the audit committee, defined roles for senior management, and visible trustee engagement with fraud risk.

4. Culture and awareness

Most fraud risks are not purely technical; they involve behaviour, judgement and opportunity. Staff and volunteers need to understand both expectations and escalation routes. This is as important as any formal control.

5. Monitoring and evolution

“Reasonable procedures” are not static. They should be reviewed and adapted as the organisation evolves, particularly where there are changes in funding models, partnerships or delivery structures.

Anonymised case study: strengthening confidence through structure

A medium-sized organisation operating across multiple locations had experienced several low-value but recurring control issues. These included expense irregularities, inconsistent procurement approvals, circumvention of procurement procedures and limited oversight of local operations.

No single significant fraud incident had occurred, but the cumulative effect raised concerns at board level. When the new failure to prevent fraud offence went live, the organisation began to ask itself: “would our existing framework meet expectations under the new offence?”

A targeted review identified that the issue was not a lack of controls, but a lack of consistency and clarity. Controls differed between teams, risk ownership was unclear, and escalation and reporting were limited.

In response, the organisation:

• carried out a focused fraud risk assessment aligned to its operating model;

• standardised key financial controls across teams;

• updated existing policies to ensure consistency across the organisation;

• communicated updates to processes and policies to all employees;

• introduced clearer reporting on fraud risk to the audit committee; and

• delivered practical training to operational staff.

The result was not a dramatic overhaul, but a more consistent, coherent and transparent framework. Board members reported increased confidence in their oversight, and management had greater clarity on fraud risk exposure.

Turning change into opportunity

The failure to prevent fraud offence may feel like an additional regulatory pressure. But it provides a useful lens through which to reassess existing arrangements.

For charity finance leaders and trustees, the key question is not “are we compliant?”, but “do we genuinely understand and manage our fraud risks?”.

Organisations that take the opportunity to answer that question will not only strengthen their compliance position but will also build resilience, improve decision-making, and protect the resources entrusted to them.
