Smaller firms largely unaware of the perils of association with fraud

The new Failure to Prevent Fraud (FTPF) Act came into effect on 1 September 2025 with the aim of making it easier to hold businesses to account for fraud committed by employees or other associated persons, which might benefit the organisation.

It applies to large organisations, defined as meeting two of the following three criteria – having more than 250 employees; turning over more than £36 million; and holding more than £18 million in total assets.

These criteria might lead the owners of smaller concerns to breathe a sigh of relief, assuming that they cannot be caught up in an investigation because of their size. However, they would be wrong.

It is important to note that a relevant fraud could be committed by a ‘person associated with the relevant body’.

This includes individuals or entities who perform services for or on behalf of the organisation while acting in that capacity, such as employees, agents, contractors, subsidiaries and partners in a partnership.

Smaller firms that could fall into any of those categories should therefore be aware of the FTPF rules.

There is likely to be an increase in the number of investigations by the Serious Fraud Office (SFO), so being aware of the policies and procedures needed to stay on the right side of the law is key.

Roger Isaacs, National Technical Director of NIFA, said, “What tends to catch smaller firms out is not deliberate wrongdoing, but a lack of visibility over how fraud can arise through everyday commercial relationships. We regularly see cases where a business becomes exposed because an employee, contractor or agent has acted dishonestly in a way that indirectly benefits the organisation, even if senior management seemingly had no knowledge of it.

“Informal arrangements, undocumented controls or assumptions based on trust offer very little protection once matters are examined in detail. Investigators will often focus on what the business did to identify and manage that risk. If there is little evidence of training, oversight or basic checks, that absence can become a problem in itself. Smaller firms do not need complex systems, but they do need to show and document that fraud risks have been considered and addressed proportionately.”

Sources: Gov.UK