Blend
Compliance Training 9 April 2026

Failure to Prevent Fraud Training: What ECCTA Actually Requires

ECCTA s199 makes fraud prevention training a statutory defence. Here's what the Home Office expects, what won't hold up, and what good training looks like.

By Tom Payani

Since 1 September 2025, large UK organisations face a new criminal offence: failure to prevent fraud. Section 199 of the Economic Crime and Corporate Transparency Act 2023 means that if an employee, agent, or subsidiary commits fraud intending to benefit the organisation, the organisation itself is criminally liable — unless it can prove it had reasonable fraud prevention procedures in place.

Training is central to that defence. The Home Office statutory guidance identifies six principles that should inform an organisation's fraud prevention framework. Training appears explicitly in three of them.

This is not a future obligation. It is already law. And the gap between what most organisations currently do and what the legislation actually requires is significant.


What Section 199 Actually Says

The offence applies to "large organisations" — those meeting at least two of the following thresholds in the preceding financial year:

  • Turnover exceeding £36 million
  • Total assets exceeding £18 million
  • More than 250 employees

If a person "associated" with the organisation commits a specified fraud offence intending to benefit the organisation (or any person to whom the organisation provides services), the organisation is guilty of a criminal offence. The penalties are unlimited fines, plus potential deferred prosecution agreements and court-imposed compliance programmes.

The only defence is proving that the organisation had "reasonable fraud prevention procedures" in place at the time of the offence — or that it was not reasonable to expect such procedures.

The statutory guidance published by the Home Office in November 2024 sets out six principles that define what "reasonable" means.


The Six Principles — And Where Training Fits

Principle 1: Top-level commitment. Senior management must foster a culture where fraud is not tolerated. This includes communication — ensuring employees understand the organisation's position and their responsibilities. That communication requires training, not just a policy document sitting on an intranet.

Principle 2: Risk assessment. The organisation must assess the nature and extent of its exposure to fraud risk. While this is primarily an analytical exercise, the people conducting risk assessments need to understand fraud typologies. That understanding comes from training.

Principle 3: Proportionate prevention procedures. Procedures must be proportionate to the risks identified. The guidance explicitly states that procedures should include training and communication to ensure that fraud prevention policies are embedded across the organisation — not just documented.

Principle 4: Due diligence. Applies to associated persons, including agents, contractors, and subsidiaries. Training extends to anyone acting on the organisation's behalf who could commit fraud.

Principle 5: Communication and training. This is the most explicit principle. The guidance states that organisations should seek to ensure that their fraud prevention policies and procedures are communicated, embedded, and understood throughout the organisation through internal and external communication, including training.

Principle 6: Monitoring and review. Prevention procedures must be monitored, reviewed, and updated. This includes reviewing whether training remains effective and current.

Training is not a supplementary consideration. It is woven into the fabric of the defence.


What Won't Hold Up

If the SFO or CPS prosecutes under section 199, the organisation's fraud prevention procedures will be scrutinised. Based on the statutory guidance and precedent from the Bribery Act 2010 (which uses the same "adequate procedures" framework), certain approaches are unlikely to satisfy the "reasonable" standard.

A policy document alone. Having a fraud prevention policy that employees are expected to read and acknowledge does not constitute a procedure. The guidance distinguishes between having policies and embedding them through communication and training.

A generic annual e-learning module. A 15-minute module covering all compliance topics superficially — with a multiple-choice quiz at the end — does not demonstrate that employees understand fraud risks specific to their role or organisation. The guidance requires proportionality: training should be calibrated to the risks the organisation actually faces.

One-off training with no refresh. Fraud risks change. New suppliers are onboarded. Business processes evolve. Staff turnover means new employees arrive who were not part of the original training programme. A single training event, no matter how thorough, does not satisfy the ongoing monitoring and review requirements of Principle 6.

Training that cannot be evidenced. If you cannot demonstrate who completed what training, when they completed it, and what content they covered, you cannot prove the training happened. This is the same evidentiary standard that applies to Bribery Act adequate procedures and GDPR accountability requirements.

Training that doesn't change behaviour. The statutory guidance uses language like "embedded" and "understood" — not "distributed" or "completed." A slide deck that employees click through while doing something else may generate a completion record, but it does not embed understanding of fraud risks or test whether employees know how to respond to them.


What "Reasonable" Training Actually Looks Like

The guidance does not prescribe a specific training format. But reading the six principles together, a reasonable fraud prevention training programme would have several characteristics.

Role-specific content. Procurement staff face different fraud risks than finance teams, who face different risks than sales teams. A proportionate programme delivers content relevant to each group's actual exposure, not a one-size-fits-all overview.

Scenario-based decision-making. Employees who practise making decisions in realistic fraud situations — where they face the same pressures and ambiguities they encounter in their actual roles — develop applied understanding rather than theoretical knowledge. This is the difference between knowing what fraud is and recognising it when it happens.

Evidence of comprehension. Not just completion rates. Assessments that demonstrate employees understood the material and can apply it. Scenario-based evaluations generate stronger evidence than multiple-choice quizzes because they require applied reasoning, not recall.

Regular refresh. Annual training at minimum, with additional training triggered by changes in risk profile, business processes, or regulatory guidance. New employees should receive fraud prevention training during onboarding, not at the next scheduled annual cycle.

Documentation and audit trail. Every training event — who attended, what content was delivered, what assessment results were recorded — should be documented and retained. This is the evidence that supports the "reasonable procedures" defence.

Connection to the broader framework. Training should not exist in isolation. It should connect to the organisation's fraud risk assessment, whistleblowing procedures, reporting channels, and investigation processes. Employees who complete training should know not just what fraud looks like, but what to do when they encounter it.


What the Fraud Scenarios Actually Look Like

We built an ECCTA scenario-based training module that puts employees in the position of a procurement coordinator at a mid-size UK company. The fraud is not obvious — it starts with a routine instruction from a line manager that looks like a minor process shortcut.

The learner faces realistic decisions: process the questionable invoice as instructed, push back and ask for written confirmation, or escalate through the fraud reporting line. Each choice branches into different consequences — legal exposure, investigation outcomes, and regulatory analysis tied to the actual ECCTA framework.

This is not a hypothetical example. The scenario is based on the types of invoice fraud, procurement kickbacks, and supplier collusion that the SFO has prosecuted in recent years. The setting is designed to mirror the pressure dynamics that make fraud difficult to challenge in practice: a trusted manager, an upcoming performance review, a team culture of "just get it done."

The module generates documented evidence of how each employee responded — which supports the evidentiary requirements of the reasonable procedures defence.


The Bribery Act Precedent

Section 199 is not the first UK corporate offence built on a "reasonable procedures" defence. Section 7 of the Bribery Act 2010 created a nearly identical framework for bribery prevention — and the enforcement history of that provision is instructive.

In Bribery Act cases, prosecutors and courts have examined the quality of organisations' prevention procedures in detail. Organisations that had policies but no training were found wanting. Organisations that had generic training but no risk-specific content were found wanting. Organisations that could not produce training records were found wanting.

The standard that has emerged from a decade of Bribery Act enforcement is essentially the standard that section 199 will apply to fraud prevention. Organisations that have invested in proportionate, documented, role-specific training for bribery prevention are well positioned to extend that approach to fraud. Those that have not should recognise that the bar is already established — and it is higher than a slide deck.


Who Should Act Now

Any UK organisation meeting at least two of the size thresholds (£36M turnover, £18M assets, 250+ employees) is within scope today. But the guidance also notes that smaller organisations should consider adopting reasonable procedures as best practice, even if they are not legally required to do so.

The practical first steps are straightforward.

Conduct a fraud risk assessment. Identify the fraud typologies most relevant to your organisation's operations, sector, and supply chain. This assessment informs everything else — including what training content is needed.

Map your associated persons. The offence covers employees, agents, subsidiaries, and contractors. Identify who could commit fraud for the organisation's benefit and ensure training reaches all of them.

Evaluate your current training. Does it exist? Is it specific to fraud (not bundled into generic compliance training)? Is it proportionate to identified risks? Is it documented? Can you evidence comprehension, not just completion?

Build or procure a proportionate programme. If your current training does not meet the standard described above, develop one that does. Scenario-based approaches generate the strongest evidence of applied understanding.

Document everything. Training records, completion data, assessment results, refresh schedules. If you cannot prove it, it did not happen.

The offence is already in force. The SFO can investigate. The first prosecutions will establish precedent. Organisations that can demonstrate a documented, proportionate, role-specific training programme will be in a defensible position. Those relying on a PDF and a tick box will not.


Our failure to prevent fraud training module is built for this standard — scenario-based, decision-driven, and fully documented. If you are reviewing your organisation's fraud prevention training, it is worth five minutes to see what the alternative to a slide deck looks like.

For a structured assessment of your current compliance training posture, the compliance training diagnostic provides a starting point.
