What Due Diligence Should Be Carried Out in Business Sales After the Failure to Prevent Fraud Offence?

Introduction

The introduction of the failure to prevent fraud offence under sections 199–209 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) has materially altered the risk landscape for acquisitions of corporate entities in England and Wales. This offence, which came into force on 1 September 2025, imposes criminal liability on “large organisations” where an associated person commits a fraud offence intending to benefit the organisation, and the organisation has failed to implement reasonable fraud prevention procedures. The offence draws explicit structural inspiration from the failure to prevent bribery model under section 7 of the Bribery Act 2010 but extends the corporate criminal liability net considerably further, given that fraud is far more pervasive in commercial life than bribery. The critical thesis of this essay is that the failure to prevent fraud offence demands a fundamental recalibration of due diligence practice in business sales — not merely an incremental expansion of existing anti-bribery checks — because the offence creates a form of successor liability risk that conventional transactional due diligence has historically been poorly equipped to identify or quantify. The nature of the statutory defence (proving that “reasonable procedures” were in place, or that it was not reasonable to have any procedures) requires acquirers to investigate not only whether fraud has occurred within a target company, but whether the target’s compliance architecture is structurally adequate to prevent future liability attaching to the acquiring entity post-completion. This essay examines the scope and mechanics of the offence, analyses the due diligence implications across share sales, asset sales and group reorganisations, evaluates the practical challenges of investigating compliance cultures, and considers the interplay between the offence and contractual risk allocation mechanisms in sale and purchase agreements.

The Offence: Scope, Structure and the Reasonable Procedures Defence

Section 199 of ECCTA 2023 provides that a “large organisation” commits an offence if a person associated with it commits a specified fraud offence with the intention of benefiting the organisation, or any person to whom services are provided on behalf of the organisation. The fraud offences triggering liability are listed in Schedule 13 and include offences under the Fraud Act 2006 (fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly), as well as common law conspiracy to defraud, false accounting under the Theft Act 1968, false statements by company directors under the Companies Act 2006, and fraudulent trading under both the Companies Act 2006 and the Insolvency Act 1986. This is a wide catalogue, capturing conduct ranging from sophisticated financial statement manipulation to relatively mundane misrepresentations made in the course of ordinary commercial dealings.

The jurisdictional reach is significant: the offence applies where the associated person’s fraud offence occurs in the United Kingdom, but also where it occurs abroad provided the organisation has a sufficient UK nexus, namely being incorporated or formed under UK law or carrying on business in the United Kingdom (section 199(1)–(3)). The definition of “associated person” under section 200 is broad, encompassing employees, agents and subsidiaries, as well as persons who perform services for or on behalf of the organisation. This mirrors, with certain modifications, the approach under section 8 of the Bribery Act 2010, though the government guidance issued under section 205 ECCTA 2023 elaborates on the relationship between subsidiary conduct and parent company liability.

The sole statutory defence is found in section 202: the organisation must prove, on the balance of probabilities, that it had “reasonable procedures” in place designed to prevent persons associated with it from committing the relevant fraud offence, or that it was not reasonable in all the circumstances to expect the organisation to have any such prevention procedures in place. This defence framework is critical to the due diligence enquiry because it means that a purchaser acquiring a target company inherits not only historic fraud exposure but also the target’s structural capacity — or incapacity — to invoke the defence going forward.

The offence applies only to “large organisations” as defined by section 201, requiring the body corporate to meet at least two of three threshold conditions in the financial year preceding the year in which the fraud offence is committed: turnover of more than £36 million, a balance sheet total of more than £18 million, or more than 250 employees. However, as the government guidance notes, these thresholds are assessed at group level for subsidiaries of large groups, meaning that an acquisition target which is itself small may nevertheless fall within scope once it becomes part of a larger acquiring group. This has direct implications for due diligence: a purchaser must assess not only whether the target currently meets the threshold but whether post-completion integration will bring the target within scope.

Why the Offence Demands a Recalibration of Transactional Due Diligence

Traditional due diligence in business sales has long encompassed anti-bribery compliance checks, particularly following the Bribery Act 2010. The Ministry of Justice guidance on adequate procedures under that Act established six principles — proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review — which became the template for compliance investigations in M&A transactions (Ministry of Justice, 2011). However, the failure to prevent fraud offence presents qualitatively different due diligence challenges for several reasons.

First, the range of predicate offences is far broader than bribery. Fraud by false representation under section 2 of the Fraud Act 2006 can be committed in contexts as varied as insurance claims, sales negotiations, regulatory filings, marketing representations, and financial reporting. The due diligence investigation must therefore cast a wider net across the target’s operations than an anti-bribery review, which typically concentrates on procurement, government-facing activities, intermediary relationships and hospitality. Second, the “associated person” concept, when applied to fraud, captures a larger class of potential perpetrators: any employee who makes a false representation in the course of business, intending to benefit the company or its clients, could trigger the offence. Third, unlike bribery — which is inherently covert and transactional — certain forms of fraud may be woven into the target’s standard business practices or revenue recognition policies, making them harder to detect through document review alone.

Critically, the question for a purchaser is not only whether historic fraud has occurred but whether the target’s internal controls, compliance framework, training, reporting mechanisms and governance structures are adequate to constitute “reasonable procedures.” If the answer is no, the acquirer faces a choice: remediate before completion, negotiate price adjustments, seek indemnity protections, or walk away. The practical challenge is that the adequacy of procedures is a qualitative and contextual judgment, not a binary checklist exercise, and this introduces significant uncertainty into the due diligence process.

The Government Guidance and Its Implications for Acquirers

Section 205 of ECCTA 2023 requires the Secretary of State to publish guidance about procedures that relevant bodies can put in place to prevent persons associated with them from committing fraud offences. The government published this guidance in November 2024, and it is modelled on the six-principle framework from the Bribery Act 2010 adequate procedures guidance, adapted to the fraud context. The six principles are: (i) top-level commitment; (ii) risk assessment; (iii) proportionate risk-based prevention procedures; (iv) due diligence; (v) communication and training; and (vi) monitoring and review (Home Office, 2024).

For acquirers, this guidance serves a dual function. On the one hand, it provides a benchmark against which the target’s existing fraud prevention framework can be assessed during due diligence. On the other hand, it establishes the standard that the acquirer’s own post-acquisition compliance integration must meet. The guidance explicitly acknowledges that risk-based procedures will vary according to the nature, scale and complexity of the organisation’s activities, and that what is “reasonable” depends on all the circumstances. This contextuality is both helpful — it avoids rigid prescriptivism — and challenging for transactional lawyers, because it means that two advisers may legitimately reach different conclusions about the adequacy of the same compliance programme.

Principle (ii) — risk assessment — is particularly important for due diligence. The guidance states that organisations should conduct periodic and event-driven assessments of the nature and extent of the fraud risks arising from their operations and associated persons. In the M&A context, the acquisition itself is arguably an “event” that should trigger a reassessment by the acquirer, both of its own fraud risk profile as expanded by the acquisition and of the target’s historical and prospective risks. Principle (iv) — due diligence on associated persons — has direct transactional relevance, as it implies that the acquirer’s own compliance obligations extend to understanding the fraud risks presented by the target’s employees, agents, intermediaries and counterparties.

Structuring the Due Diligence Investigation: Key Areas of Enquiry

Governance and Compliance Architecture

The starting point is an assessment of the target’s corporate governance framework as it relates to fraud prevention. This encompasses board-level oversight of fraud risk, the existence and mandate of audit and risk committees, the appointment of compliance officers with specific fraud prevention responsibilities, and the quality of internal audit functions. The government guidance emphasises “top-level commitment” as the first principle, requiring that senior management demonstrate and communicate a culture of fraud prevention. Due diligence should therefore seek evidence of board minutes, compliance committee reports, risk register entries, and policy approval records demonstrating active senior engagement with fraud prevention. Mere possession of a written anti-fraud policy, without evidence of implementation and enforcement, is unlikely to satisfy the reasonable procedures defence (Home Office, 2024).

The acquirer should also investigate whether the target has designated a senior individual as responsible for fraud prevention oversight. By analogy with the Senior Managers and Certification Regime (SMCR) applicable to financial services firms under the Financial Services and Markets Act 2000 (as amended by the Financial Services (Banking Reform) Act 2013), the allocation of individual accountability for compliance functions strengthens the argument that reasonable procedures were in place. Although SMCR does not apply outside regulated financial services, its underlying logic — that compliance culture requires identifiable human accountability — is reflected in the government guidance and is likely to influence judicial interpretation of what constitutes reasonable procedures.

Internal Controls and Financial Reporting

False accounting under section 17 of the Theft Act 1968 and fraudulent trading under section 993 of the Companies Act 2006 are both Schedule 13 predicate offences. Accordingly, due diligence must extend to the integrity of the target’s financial controls. This includes examination of the target’s revenue recognition practices, journal entry controls, segregation of duties, approval hierarchies for payments and commitments, management override controls, and the adequacy of external audit coverage. Where the target has received qualified audit opinions, management letter points identifying internal control weaknesses, or regulatory findings relating to financial reporting, these should be treated as material red flags.

The practical difficulty is that forensic financial due diligence of sufficient depth to identify embedded fraud risk is expensive and time-consuming, and sellers may resist intrusive investigations into accounting practices, particularly in competitive auction processes. Acquirers must therefore make risk-based judgments about the depth of financial controls testing, informed by the target’s sector, size, geographic footprint and historical compliance record. Industries with higher inherent fraud risk — such as financial services, insurance, construction, defence contracting and healthcare — will warrant deeper investigation.

Whistleblowing and Reporting Mechanisms

The government guidance identifies communication and training as a core principle and emphasises the importance of mechanisms through which associated persons can report suspected fraud without fear of retaliation. Due diligence should investigate whether the target operates a confidential whistleblowing hotline or reporting channel, how reports are triaged and investigated, whether the target has a written whistleblowing policy compliant with the Public Interest Disclosure Act 1998, and — critically — the historical record of whistleblowing reports and their outcomes. A target that has received no whistleblowing reports over several years may not be a clean company; it may be a company whose reporting culture is so deficient that wrongdoing goes unreported. This is a nuanced judgment that cannot be made from documents alone and may require management interviews and, where possible, confidential discussions with compliance personnel.

Training and Awareness

Principle (v) of the government guidance requires that the organisation communicate its fraud prevention policies and procedures to associated persons and provide appropriate training. Due diligence should examine training records, the content and frequency of anti-fraud training modules, completion rates, and whether training is tailored to roles with higher fraud exposure. Generic annual e-learning modules that are not specific to the fraud risks relevant to the target’s operations are unlikely, on their own, to constitute reasonable procedures. The acquirer should assess whether training has been updated to reflect the ECCTA 2023 offence itself, as failure to educate employees about the new offence and its implications may suggest inadequate compliance culture.

Third-Party and Supply Chain Risk

Because associated persons include agents and persons performing services on behalf of the organisation, the target’s third-party relationships require scrutiny. Due diligence should examine the target’s processes for onboarding and monitoring agents, distributors, consultants, intermediaries and outsourced service providers. The relevant questions include whether the target conducts background checks on third parties, whether contracts with intermediaries contain anti-fraud representations, warranties and audit rights, whether the target monitors third-party activities on an ongoing basis, and whether there are any unusual commission or fee structures that might indicate fraud risk. This is an area where lessons from anti-bribery due diligence directly transfer, though the range of relevant fraudulent conduct is wider (Raphael, 2010).

Historic Investigations, Litigation and Regulatory Action

Due diligence should include a comprehensive review of any past or pending internal investigations, regulatory enquiries, civil litigation or criminal proceedings involving fraud or dishonesty. This includes Serious Fraud Office investigations, Financial Conduct Authority enforcement action, HMRC investigations for tax fraud, and Trading Standards proceedings. The acquirer should also review any deferred prosecution agreements entered into by the target, as these may contain ongoing compliance obligations and monitoring requirements that will survive a change of control. The Crime and Courts Act 2013, Schedule 17, governs deferred prosecution agreements, and any such agreement should be reviewed for provisions addressing corporate transactions.

Litigation searches and disclosure schedules are standard in M&A due diligence, but the failure to prevent fraud offence requires a more searching enquiry than merely identifying pending proceedings. The acquirer should investigate the target’s record of internal investigation outcomes, disciplinary actions for fraud or dishonesty, and any decisions not to report suspected fraud to law enforcement. A pattern of internal resolution without external reporting may be relevant to whether the target’s procedures are “reasonable” in the statutory sense.

Share Sales versus Asset Sales: Differential Risk Profiles

The form of the transaction materially affects the acquirer’s exposure to the failure to prevent fraud offence. In a share sale, the acquirer purchases the entire corporate entity, and the target company’s historic liabilities — including potential criminal liability — transfer with it. If an associated person committed a fraud offence prior to completion for which the target could be prosecuted under section 199, that liability crystallises against the company now owned by the acquirer. The acquirer does not itself become the defendant (the target company does), but the economic consequence — reputational damage, fines, remediation costs, management distraction — falls on the acquirer as shareholder. Moreover, any deficiency in the target’s fraud prevention procedures that predates completion will be relevant to the statutory defence, meaning the acquirer inherits both the historic risk and the compliance gap.

In an asset sale, by contrast, the acquirer purchases specific assets and liabilities, and criminal liabilities of the selling entity do not ordinarily transfer (Courtney, 2020). However, the acquirer must be alive to the risk that employees transferred under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) become associated persons of the acquiring entity, potentially carrying with them practices, cultures or relationships that create fraud risk. Furthermore, if the acquirer assumes contracts with third parties — agents, consultants, distributors — who were complicit in or facilitative of fraud, those third parties may become associated persons of the acquirer. The due diligence required in asset sales is therefore different in focus: less concerned with historic corporate criminal liability and more concerned with the prospective fraud risk profile of the transferred workforce, contracts and operations.

Group reorganisations and intra-group transfers present further complications. Where a target company is brought into a large group post-acquisition, it may cross the section 201 threshold for the first time, meaning that conduct which previously fell outside the offence’s scope becomes potentially criminal. The acquirer must plan for this contingency by ensuring that adequate fraud prevention procedures are implemented within the target before or immediately upon completion of the integration.

Contractual Risk Allocation in Sale and Purchase Agreements

Due diligence findings must be translated into appropriate contractual protections. In the context of the failure to prevent fraud offence, several mechanisms are relevant.

First, the seller’s warranties in the sale and purchase agreement (SPA) should be expanded to cover compliance with ECCTA 2023. Standard warranty packages have long included representations concerning compliance with the Bribery Act 2010 and anti-money laundering legislation; these should now be supplemented with specific warranties that: no associated person of the target has committed a Schedule 13 fraud offence intending to benefit the target; the target has implemented reasonable fraud prevention procedures consistent with the government guidance; there are no pending or threatened investigations by the Serious Fraud Office, Crown Prosecution Service, or other prosecuting authorities concerning fraud by or on behalf of the target; and the target has not been the subject of a deferred prosecution agreement or other resolution in relation to fraud.

Second, specific indemnities should be sought for losses arising from pre-completion fraud by associated persons. A warranty provides a contractual claim for breach, but an indemnity provides a pound-for-pound recovery mechanism without the need to prove loss of bargain. Given that criminal fines themselves are not recoverable as damages for breach of warranty (since a court may regard such recovery as contrary to public policy following the principle in Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472), the indemnity should be carefully drafted to cover ancillary costs: legal fees, investigation costs, remediation expenses, regulatory costs, and reputational damage costs. Whether an indemnity for the fine itself would be enforceable remains uncertain, and legal advice on this point should be taken on a transaction-specific basis.

Third, conditions precedent to completion may be appropriate where due diligence reveals material compliance gaps. The acquirer might require the seller to implement specified remedial measures — such as appointing a compliance officer, conducting a fraud risk assessment, introducing whistleblowing procedures, or terminating relationships with high-risk intermediaries — before the transaction completes. This approach is more common in private equity transactions, where the acquirer has greater leverage over the deal timetable.

Fourth, the SPA should address the allocation of responsibility for cooperation with any post-completion investigation by prosecuting authorities into pre-completion conduct. The seller should covenant to cooperate with the target and the acquirer in responding to any investigation, to preserve and make available relevant documents, and to make former employees available for interview where reasonably required.

The Practical Limits of Due Diligence and the Problem of Compliance Culture

There is an inherent tension between the theoretical scope of due diligence required by the failure to prevent fraud offence and the practical constraints of transactional processes. Competitive auction processes may afford only limited access to management, abbreviated data room periods, and resistance from sellers to intrusive compliance enquiries. Even in bilateral negotiations with full access, fraud — by its nature — is concealed, and no due diligence exercise can guarantee detection of all historic wrongdoing.

More fundamentally, the reasonable procedures defence depends not merely on the existence of written policies and procedures but on the effectiveness of the organisation’s compliance culture. The government guidance makes this clear: top-level commitment means that senior management genuinely prioritise fraud prevention, not merely that they have signed off on a policy document (Home Office, 2024). Assessing compliance culture through transactional due diligence is exceptionally difficult. It requires an understanding of behavioural norms, management attitudes, the tone from the top, the degree to which employees feel empowered to challenge wrongdoing, and the extent to which compliance is integrated into business decision-making rather than treated as a separate and subordinate function.

Sullivan and Cromwell’s analysis of the analogous challenge in anti-bribery due diligence under the Bribery Act 2010 highlighted that document-based review is necessary but insufficient and that management interviews, site visits and, where possible, confidential discussions with compliance and internal audit personnel are essential to forming a meaningful view of compliance culture (Wells, 2014). The same reasoning applies with greater force to fraud prevention, given the broader range of relevant conduct and the fact that fraud risk may be embedded in operational practices rather than concentrated in discrete third-party relationships.

Practitioners have suggested that acquirers should consider engaging forensic accountants to conduct targeted testing of financial controls, data analytics experts to screen for anomalous transactions, and compliance specialists to benchmark the target’s procedures against the government guidance (Gentle and Keenan, 2024). The cost of such investigations must be weighed against the magnitude of the risk, and there is a legitimate debate about proportionality. Nevertheless, the potential consequences of failing to identify material fraud risk — criminal prosecution of the acquired entity, substantial fines, deferred prosecution agreements with ongoing monitoring obligations, reputational damage, and management distraction — provide a strong commercial justification for investment in thorough pre-acquisition due diligence.

Post-Completion Integration and Ongoing Compliance Obligations

Due diligence does not end at completion. The government guidance’s sixth principle — monitoring and review — requires that fraud prevention procedures be kept under periodic review and updated in response to changes in risk. An acquisition is precisely such a change: it alters the organisation’s risk profile, introduces new associated persons, and may bring previously out-of-scope entities within the section 201 threshold. Acquirers should therefore prepare a post-completion compliance integration plan as part of the transaction planning process.

Key elements of such a plan include: conducting a fresh fraud risk assessment for the combined entity; aligning the target’s fraud prevention policies with the acquirer’s group-wide compliance framework; extending whistleblowing and reporting mechanisms to the target’s employees; delivering ECCTA 2023-specific training to the target’s workforce; reviewing and, where necessary, renegotiating the target’s contracts with third-party intermediaries to include anti-fraud provisions; and establishing a monitoring programme to test the effectiveness of fraud prevention controls in the acquired business. The timeline for implementation should be realistic but prompt: a prolonged failure to integrate compliance frameworks post-completion could itself undermine the acquirer’s ability to rely on the reasonable procedures defence in respect of the acquired entity’s operations.

The Serious Fraud Office’s guidance on corporate cooperation, and its approach to self-reporting, also inform post-completion practice. Where the acquirer discovers, through post-completion integration work, evidence of historic fraud by the target’s associated persons, the acquirer faces a strategic decision about whether to self-report. The SFO’s published guidance indicates that self-reporting is a factor that weighs in favour of a deferred prosecution agreement rather than prosecution, though it does not guarantee any particular outcome (Serious Fraud Office, 2019). The decision to self-report must balance the potential benefits of cooperation credit against the risk of triggering an investigation that might otherwise not have occurred.

The Relationship Between the Failure to Prevent Fraud Offence and the Identification Doctrine

One contextual point that deserves attention is the relationship between the new offence and the pre-existing law of corporate criminal liability. Before ECCTA 2023, corporate criminal liability for fraud generally required proof under the identification doctrine that the fraud was committed or directed by the “directing mind and will” of the company — typically a senior officer or director (Tesco Supermarkets Ltd v Nattrass [1972] AC 153). This high threshold made it practically very difficult to prosecute large companies for fraud committed by middle-ranking or junior employees, even where the company benefited from and arguably facilitated the conduct.

ECCTA 2023 addresses this gap in two ways. First, section 196 reforms the identification doctrine for economic crimes by providing that, for the purposes of the specified offences, the conduct and mental state of a “senior manager” acting within the actual or apparent scope of their authority can be attributed to the organisation. This expands the identification doctrine beyond the board and the managing director. Second, sections 199–209 create the failure to prevent fraud offence, which bypasses the identification doctrine entirely: there is no need to attribute the associated person’s fraud to the organisation through the directing mind principle. Instead, liability attaches unless the organisation proves reasonable procedures.

For due diligence purposes, the dual reform means that acquirers must investigate both types of liability risk. The reformed identification doctrine creates liability for fraud committed by senior managers; the failure to prevent offence creates liability for fraud committed by any associated person. Due diligence must therefore examine conduct at all levels of the target’s organisation, not merely at board level, and must investigate both the substance of the target’s business dealings and the procedural architecture designed to prevent fraud.

Comparative Observations: Lessons from the Bribery Act 2010 Experience

The Bribery Act 2010 has now been in force for over a decade, and the transactional due diligence practices that developed in response to section 7 (failure to prevent bribery) provide a useful, if imperfect, template. Several lessons are transferable.

First, the experience under the Bribery Act demonstrates that the existence of government guidance on adequate procedures, while valuable, does not eliminate uncertainty. Despite the Ministry of Justice guidance (2011), there has been limited judicial consideration of what constitutes adequate procedures, and much of the practical interpretation has been driven by prosecutorial practice and deferred prosecution agreements rather than contested trials. The same pattern is likely under ECCTA 2023: acquirers will need to monitor SFO and CPS enforcement practice to understand the evolving expectations regarding reasonable procedures.

Second, the Bribery Act experience shows that the “failure to prevent” model encourages companies to invest in compliance infrastructure, but also creates a compliance industry in which form can diverge from substance. The risk — identified by academic commentators including Lord (2014) and Yeoh (2012) — is that companies develop elaborate paper-based compliance programmes that satisfy formal requirements but do not change actual behaviour. Due diligence must look beyond the paper trail to assess whether the target’s fraud prevention procedures are genuinely embedded in its operations.

Third, the limited number of prosecutions under section 7 of the Bribery Act might suggest that the due diligence burden is disproportionate to the enforcement risk. However, this reasoning is flawed for two reasons: the range of predicate offences under the failure to prevent fraud offence is considerably wider than bribery, increasing the probability of triggering conduct; and the political and institutional momentum behind ECCTA 2023, which was enacted specifically to address the perceived failure of the identification doctrine, suggests that prosecuting authorities will be more active in enforcing the new fraud offence.

Proportionality and the Risk-Based Approach

The government guidance rightly emphasises that fraud prevention procedures should be proportionate to the risks faced by the organisation. This principle has direct implications for due diligence: the depth and scope of the acquirer’s investigation should reflect the risk profile of the target. A due diligence exercise for the acquisition of a domestic professional services firm with a small number of employees and straightforward client relationships will differ substantially from the investigation required for a multinational manufacturing group with extensive supply chains, agent networks and government contracts.

Nevertheless, proportionality should not become an excuse for superficiality. The minimum due diligence for any acquisition of an entity that is or will be within scope of the offence should include: a review of the target’s written fraud prevention policies and procedures; an assessment of governance structures and compliance resourcing; a review of training records; enquiries into whistleblowing arrangements and historic reports; examination of internal and external audit findings; a review of any regulatory correspondence, investigations or enforcement actions relating to fraud; and assessment of third-party risk management processes. Where the target operates in high-risk sectors or jurisdictions, additional forensic and data analytics work should be considered.

Conclusion

The failure to prevent fraud offence under ECCTA 2023 represents the most significant expansion of corporate criminal liability in England and Wales in decades. For acquirers of corporate entities, it creates a form of inherited compliance risk that is qualitatively different from, and broader than, the anti-bribery due diligence that has become standard practice since 2010. The statutory defence of reasonable procedures places the adequacy of the target’s compliance architecture at the centre of the due diligence enquiry, requiring investigation not merely of whether fraud has historically occurred but of whether the target’s governance, internal controls, training, reporting mechanisms, and third-party management are sufficient to prevent the offence from being committed by associated persons in the future.

The due diligence required is extensive and must go beyond document review to encompass assessment of compliance culture, management attitudes, and the operational reality of fraud prevention controls. It must be tailored to the transaction structure — share sale, asset sale, or group reorganisation — and must address both pre-completion liability and post-completion integration planning. Contractual protections in SPAs should be updated to address the specific risks created by the offence, including expanded warranties, specific indemnities, and cooperation covenants.

The strongest conclusion is that the failure to prevent fraud offence does not merely add a new item to the due diligence checklist; it requires a structural shift in how acquirers conceptualise transactional risk. The offence transforms fraud prevention from a matter of internal governance into a transactional liability issue, and acquirers who treat it as a routine compliance box-ticking exercise — rather than a substantive investigation into the target’s capacity to defend a criminal prosecution — do so at considerable peril.

References

• Bribery Act 2010, c.23.
• Companies Act 2006, c.46.
• Crime and Courts Act 2013, c.22, Schedule 17.
• Economic Crime and Corporate Transparency Act 2023, c.56, ss.196, 199–209, Schedule 13.
• Financial Services (Banking Reform) Act 2013, c.33.
• Financial Services and Markets Act 2000, c.8.
• Fraud Act 2006, c.35.
• Insolvency Act 1986, c.45.
• Public Interest Disclosure Act 1998, c.23.
• Theft Act 1968, c.60.
• Transfer of Undertakings (Protection of Employment) Regulations 2006, SI 2006/246.
• Tesco Supermarkets Ltd v Nattrass [1972] AC 153 (HL).
• Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472.
• Home Office (2024) Failure to Prevent Fraud Offence: Guidance on Reasonable Fraud Prevention Procedures. London: Home Office.
• Ministry of Justice (2011) The Bribery Act 2010: Guidance about Procedures which Relevant Commercial Organisations Can Put into Place to Prevent Persons Associated with Them from Bribing. London: Ministry of Justice.
• Serious Fraud Office (2019) Corporate Co-operation Guidance. London: SFO.
• Courtney, W. (2020) The Law of Private Mergers and Acquisitions. Oxford: Oxford University Press.
• Lord, N. (2014) ‘Regulating Corporate Bribery in International Business: Anti-corruption in the UK and Germany.’ Crime, Law and Social Change, 62(4), pp.415–439.
• Raphael, M. (2010) Blackstone’s Guide to the Bribery Act 2010. Oxford: Oxford University Press.
• Wells, C. (2014) Corporations and Criminal Responsibility. 2nd edn. Oxford: Oxford University Press.
• Yeoh, P. (2012) ‘The UK Bribery Act 2010: Contents and Implications.’ Journal of Financial Crime, 19(1), pp.37–53.
• Gentle, S. and Keenan, B. (2024) ‘The Failure to Prevent Fraud Offence: Implications for M&A Transactions.’ Compliance Officer Bulletin, Issue 134.