From 1 September 2025, German companies may be liable to prosecution under UK law if they have not taken adequate precautions to prevent fraud. On 6 November 2024, the UK Home Office published comprehensive guidelines on what measures companies are expected to take in this regard, which should be observed by companies as good practice for effective compliance management even if they are not directly covered by the new criminal offence.

The new offence of "failure to prevent fraud"

A new corporate offence has been introduced in Section 199 of the UK Economic Crime and Corporate Transparency Act 2023 (ECCTA) to make it easier to hold companies accountable for committing serious criminal offences: For "Failure to prevent fraud", a company may be liable to prosecution in the UK from 1 September 2025 if certain economic offences were committed for its benefit and it had not taken reasonable precautions to prevent such offences.

The basic principle is also familiar from German law. Although Germany has no corporate criminal law, a substantial fine can be imposed on a company under Sections 30 and 130 of the German Administrative Offences Act (OWiG) if it failed to prevent criminal offences committed by its employees by taking appropriate supervisory measures. The enormous practical relevance of Sections 30 and 130 OWiG in the prosecution of white-collar crime in Germany is illustrated by the major cases of recent years, in which corporate fines in the tens and hundreds of millions of euros, and in one case up to one billion euros, were imposed.

Although comparable in its basic principle, the future UK legal position also has clear peculiarities and differences.

When companies are liable to prosecution under the new standard in the UK

Under Section 199 ECCTA, a company can only be liable to prosecution if it or its parent company qualifies as a "large organisation". A large organisation is any legal entity or partnership, including its subsidiaries, that meets at least two of the following criteria:

  • more than 250 employees,
  • more than £36 million turnover,
  • a balance sheet total of more than £18 million.

If only the parent company of the company in question qualifies as a large organisation, any fraud committed by the subsidiary's employees for the benefit of the subsidiary will in future be attributed to that subsidiary. If, on the other hand, the company itself qualifies as a large organisation, not only the acts of its own employees are attributed to it, but also those of all other "associated persons" (e.g. agencies, representatives, subsidiaries and service providers acting on behalf of or in the name of the company). Attribution applies if the offence was committed for the benefit of the company or for the benefit of its customers; in the latter case, however, only if the company in question was not itself the victim of the fraud. In none of these cases does it matter whether the company's management ordered the offence or knew about it.

Incidentally, the term "fraud offence" in this context is not limited to the German understanding of fraud within the meaning of Section 263 StGB, but is to be understood much more broadly. Schedule 13 of the ECCTA lists the offences covered, including various forms of fraud, embezzlement, misappropriation, false accounting and false statements by company directors, and it may be expanded in future to include offences of a "similar nature". Money laundering offences are also covered. In addition, aiding and abetting and incitement to the aforementioned offences fall under the concept of fraud. Overall, the term therefore covers a wide range of economic offences. The acting person can be prosecuted individually for the offence alongside the company. However, this is not a mandatory requirement for holding the company liable for not having prevented the offence.

However, the company's criminal liability is excluded if it can prove that, at the time the fraud offence was committed, it

(1) had reasonable precautions in place to prevent such offences (see below), or

(2) could not reasonably have been expected to take such precautions in all the circumstances.

For the companies concerned, this ultimately results in a quasi-obligation to take "reasonable precautions" to prevent fraud (see below). The absence of such precautions cannot be sanctioned directly. However, if a fraud offence is committed, the company will be penalised for not having taken reasonable precautions to prevent it.

German companies may also be liable to prosecution

The offence applies not only to companies based in the UK but also to foreign companies. The only requirement for criminal liability is that the underlying fraud offence, the non-prevention of which forms the basis for corporate criminal liability, has a UK connection. Such a connection exists if

  • an act that was part of the fraud offence took place in the UK,
  • the benefit from the fraud offence arose in the UK, or
  • the loss caused by the fraud offence occurred in the UK.

A company based in Germany, or elsewhere outside the UK, which itself or whose parent company meets the criteria of a large organisation may therefore be liable to prosecution under UK law in future if, for example,

  • an employee resident in the UK (or, where applicable, another associated person) commits a fraud offence, or
  • a fraud offence is committed from Germany, the victims of which are (also) in the UK, and the company concerned has not taken reasonable precautions to prevent such offences.

Companies whose business has a UK connection, even if only because their customers, suppliers or other business partners are based in the UK, should therefore take appropriate preventive measures (see below) to sufficiently reduce the risk of criminal liability.

Smaller companies that do not directly fall within the scope of the criminal offence could also be indirectly obliged to take comparable preventative measures. This is particularly the case if they themselves are considered an associated person of a large organisation, for example because they provide services on its behalf or in its name. In this respect, it is to be expected that, as part of their own fraud prevention, large organisations will also impose certain requirements on their associated persons, for example on a contractual basis, which they may then in turn have to impose on their own subcontractors.

What are "reasonable precautions" for fraud prevention?

If a relevant fraud offence is committed for which a company could be prosecuted under the new UK criminal standard because it did not prevent it, the first question is whether criminal proceedings will be initiated against the company at all. Proactively approaching the prosecuting authorities and cooperating comprehensively with them can lead to such proceedings not being initiated. If criminal proceedings are initiated, the decisive factor is whether the company can prove that it had appropriate precautions in place at the time of the offence to prevent such acts. The guidelines published by the UK Home Office are intended to give businesses guidance on what precautions they are expected to take. As it is ultimately up to the courts to judge in each individual case whether the specific preventive measures were appropriate, deviations from the guidelines do not automatically mean that appropriateness is denied. Conversely, the UK Home Office also expressly points out that following the guidelines does not necessarily provide a safe harbour, as there may be specific risks in the individual case that the guidelines do not take into account.

The guidelines reflect current good practice for an effective compliance management system (CMS) and illustrate it with numerous examples. They also show which questions companies should ask themselves in order to check whether the specific responsibility created by the new criminal standard and the related offences are adequately covered by their own CMS. Companies that already have a CMS in place that meets the requirements of established standards, such as IDW PS 980, are in a very good starting position, as the guidelines incorporate many of the elements familiar from these standards. However, it should be borne in mind that existing CMSs are often focused primarily on the company's own employees and sometimes only inadequately cover the fraud risks posed by third parties acting on behalf of the company. Particularly for large companies, which will in future have to accept responsibility under UK law for offences committed by such third parties, there may therefore be a need to adapt the existing CMS accordingly.

The guidelines describe six basic principles on which companies should base their "reasonable precautions" to prevent fraud:

Top level commitment

Company management, or the "tone at the top", plays a decisive role in the fight against white-collar crime, so it is not surprising that the guidelines give this aspect priority. The guidelines call for a commitment to combating fraud on the part of management and supervisory bodies, expressed through an actively promoted corporate culture in which fraudulent offences are not accepted and profits made as a result are rejected. This should be implemented in a practical and verifiable manner both in internal communication and in written regulations (training obligations, clear guidelines, reporting channels, defined responsibilities for fraud prevention with reporting to management, etc.), as well as through the initial and ongoing provision of the necessary resources.

Risk assessment

Companies should assess the risks of employees or other associated persons committing relevant fraud offences by type and scope, document this assessment and review it regularly and on an ad hoc basis. In practice, many companies will be able to draw on existing risk analyses and the methods and resources already used for them. Nevertheless, even in these cases, extensions and adjustments will generally still be needed in order to fully cover the offences and scenarios addressed by the criminal standard. This can pose particular challenges for companies that qualify as large organisations and are therefore also responsible for preventing fraud offences committed by other associated persons. Because of the broad definition of "associated persons", the first step of the fraud risk assessment will often be to create typologies. These should include all third parties that provide services for the company or on its behalf. Depending on the company and the specific transaction, this may include a large number of business partners, all of which must be included in the risk assessment. The parties to be considered can pose very different risks, which, since it is impossible to anticipate every conceivable scenario, must also be adequately mapped and classified using the typologies to be developed.

Various sources of information should be utilised for the purposes of risk analysis. In addition to findings from previous audits and sector-specific information from associations and authorities, the guidelines emphasise the area of data analytics in particular. Targeted analyses of databases can identify signs of criminal activity as well as process and control weaknesses. New technical possibilities and methods, particularly in the field of artificial intelligence and machine learning, can significantly increase the efficiency and effectiveness of the procedure.

Proportionate risk-based prevention procedures

The procedures and measures taken to manage the identified fraud risks should be proportionate to the risks themselves and to the nature, scale and complexity of the organisation's activities, and should take into account the degree of control and supervision that the organisation can exercise over the relevant associated persons. The procedures and measures should also be clear, practical, accessible, and effectively implemented and enforced. They should be based on a prevention plan derived from the risk analysis that has been independently reviewed for effectiveness, for example internally by a team not involved in its preparation or by external specialists.

To avoid duplication of effort, measures that the company may already have implemented for other reasons, for example to meet sector-specific requirements, should also be taken into account, provided they are suitable for counteracting certain fraud risks. However, it should be checked to what extent these existing measures are actually suitable and effective for fraud prevention. There is no automatism whereby "appropriate precautions for fraud prevention" are affirmed across the board simply because the company in question is heavily regulated in its sector. Rather, if a relevant fraud offence is committed, the competent court will examine whether the existing measures can be considered appropriate to prevent such offences. The specific precautions and measures to be taken are not prescribed to companies, not even by the guidelines, but must be determined individually with regard to the respective company and its specific risk situation.

Due diligence

Companies are expected to apply risk-based due diligence procedures in relation to relevant associated persons who pose a risk of fraud. This applies to the company's own employees and may involve, for example, minimising excessive stress and unrealistic targets as factors that encourage crime. Checks should also be carried out, particularly with regard to third parties such as (potential) business partners or in the context of M&A transactions; these can be technically supported and can ensure compliance with requirements through contractual agreements, among other things. Existing due diligence processes can also be utilised if they are suitable for reducing the specifically identified risks. The measures should be reviewed regularly and in documented form for their effectiveness and any need for adjustment.

Communication (including training)

To ensure that all relevant internal and, where applicable, external associated persons are sufficiently aware of the established prevention strategies and procedures, and that they understand and comply with them, regular and, where necessary, ad hoc fraud-specific training and awareness-raising measures are of central importance. These should be proportionate to the respective risk and address both the behaviour to be prevented and the procedures for combating it. The effectiveness and currency of training programmes should be reviewed regularly. This also includes ensuring that communication takes place at all levels: the best "tone at the top" is of little use if middle management actively ignores illegal behaviour by employees or even encourages them to circumvent the company's prevention measures.

To prevent fraud effectively, companies should have suitable regulations and structures in place for reporting misconduct, i.e. a functioning and independent whistleblower system, and ensure a corporate culture in which employees can voice their concerns. This also includes ensuring that concerns raised and reports of misconduct are not ignored but investigated appropriately and promptly, and that any violations identified are acted upon.

Monitoring and review

In addition to the initial introduction or adaptation of preventive measures, it is important to ensure that they are continuously monitored, reviewed and, where necessary, improved. With regard to monitoring, the guidelines explicitly name three elements: detecting (attempted) fraud, conducting investigations, and monitoring the effectiveness of existing preventive measures. With regard to the latter, it should be examined, among other things, whether existing measures are aimed primarily at preventing offences directed against the company itself or whether they also effectively cover offences committed for the supposed benefit of the company or its customers. The experience and knowledge gained over time should be used to identify weaknesses and the need for adjustments, and to make the necessary changes, for example to existing procedures, responsibilities, resources, reporting channels and documentation requirements. This should also take into account whether new options for technical support exist, such as the use of AI solutions to recognise potential cases of fraud. The existing procedures should also be reviewed regularly and, where necessary, on an ad hoc basis to determine whether they need to be adapted to changes in the company's risk situation.

Outlook

Companies should use the time until the new criminal offence comes into force to assess their exposure and to develop, or adapt, and implement appropriate fraud prevention procedures. The offence will make it easier for UK law enforcement authorities to hold companies, or those responsible within them, accountable for white-collar crime, provided the offences have some kind of UK connection. This applies whether the offence was committed by the company's employees or by third parties associated with it. German companies with customers or business partners in the UK should be aware of this risk and take appropriate countermeasures, especially if they meet the criteria for a large organisation. However, smaller companies could also be affected by the new UK legislation, either directly, because their parent company qualifies as a large organisation, or indirectly, because their business partners impose certain fraud prevention requirements on them.

KPMG's experts have extensive and long-standing experience in conducting fraud risk assessments in an international context and in the customised development and optimisation of fraud management systems, both in relation to the internal compliance organisation and in the area of third-party risk management. With our corporate intelligence and forensic due diligence solutions as well as our data analytics services, we also offer comprehensive support in the screening of (potential) business partners, in the context of M&A transactions and in the targeted analysis of a company's own databases. If there are any indications of criminal offences or other compliance violations, we can help you to establish the facts comprehensively and in a manner that will stand up in court, including the precise derivation of effective follow-up measures to prevent recurrences as far as possible.

Please feel free to contact us.