Table of Contents >> Show >> Hide
- What Is the UK FTPFO (Failure to Prevent Fraud Offense), Exactly?
- Are You “Large” Under FTPFO? The Threshold Test That Matters
- What Fraud Is Covered? “Base Fraud Offenses” in Real-World Terms
- The “Reasonable Prevention Procedures” Defense: Your Best Friend (If You Treat It Well)
- 1) Top-level commitment (a.k.a. the board can’t outsource integrity)
- 2) Risk assessment (your fraud map should match your business, not your wishful thinking)
- 3) Proportionate, risk-based prevention procedures (controls that fit, not controls that cosplay)
- 4) Due diligence (because “trust me, bro” is not a control)
- 5) Communication and training (policies don’t work if nobody reads them)
- 6) Monitoring and review (set it, forget it, regret it)
- How to Build an FTPFO-Ready Program Without Burning Down Your Calendar
- What Happens If You Get This Wrong?
- A Quick FTPFO Readiness Checklist
- Conclusion
- Experience Section: 10 Real-World Lessons From FTPFO Prep (The Stuff That Actually Moves the Needle)
- 1) The fastest wins come from fixing incentives, not rewriting policies
- 2) Middle managers are the make-or-break layer
- 3) Third-party risk is where companies discover their own blind spots
- 4) “We already have SOX controls” helps, but it’s not a free pass
- 5) The best risk assessments don’t live in spreadsheetsthey live in workshops
- 6) Data analytics can be lightweight and still powerful
- 7) Speak-up channels work only if retaliation is handled like an emergency
- 8) Contract clauses matter, but enforcement matters more
- 9) Post-acquisition integration is a fraud risk sprint, not a marathon
- 10) The most persuasive evidence is boring evidence
If you work in compliance, risk, legal, finance, sales ops, procurement, or any other department that regularly hears
“we’re moving fast” right before something goes sidewayswelcome. The UK’s new corporate offense known as the
Failure to Prevent Fraud (often shortened to FTPF or FTPFO) is here, it’s real,
and it’s not impressed by your “but that was a rogue employee” speech.
Think of FTPFO as the UK’s way of saying: “Congrats on being a large organization. Here’s your new responsibility:
stop fraud committed for your benefit by people connected to your businessor be prepared to explain to prosecutors
why your controls were basically a motivational poster.”
This article breaks down the official UK guidance in plain American English, adds practical steps you can actually execute,
and points out the traps that make otherwise competent companies look like they were managed by three raccoons in a trench coat.
What Is the UK FTPFO (Failure to Prevent Fraud Offense), Exactly?
The core idea: corporate liability without the “directing mind” gymnastics
Under the UK’s Economic Crime and Corporate Transparency Act 2023 (ECCTA), a large organization
can be criminally liable if an associated person commits a specified fraud offense intending to benefit
the organization (or, in some cases, the organization’s clients) and the organization did not have
reasonable fraud prevention procedures in place.
Translation: prosecutors don’t need to prove the board personally typed the fake invoice. They look at whether your business
had a sensible prevention framework for your risk profileand whether you can show it actually existed before things went bad.
“Associated person” is broader than you want it to be
Employees are the obvious category, but FTPFO risk doesn’t stop at your payroll. Depending on how you operate, “associated persons”
can include agents, contractors, intermediaries, and other parties performing services for or on behalf of the business.
In modern organizations, that can cover a lot of people, across a lot of time zones, using a lot of “urgent” WhatsApp messages.
Why US companies should care (even if you don’t have a Union Jack in the lobby)
FTPFO is built for a global economy. If there’s a UK nexusmeaning part of the underlying fraud happens in the UK,
or the gain/loss occurs in the UKan overseas company can still be in scope. So if you sell into the UK, have UK customers,
use UK-based employees, route transactions through the UK, or run UK-facing operations, FTPFO should be on your radar.
Are You “Large” Under FTPFO? The Threshold Test That Matters
The offense applies to large organizations only. “Large” is defined (generally) as meeting two out of three
thresholds: more than 250 employees, more than £36 million turnover, and more than
£18 million in total assets. The measurement is tied to the financial year preceding the year of the underlying fraud.
For groups, pay attention to how turnover is calculated and how subsidiaries are treated. A subsidiary can be prosecuted in its own right,
and group structures can change how your “large” status is assessed. If your org chart looks like a plate of spaghetti, build extra time into
your scoping analysis.
What Fraud Is Covered? “Base Fraud Offenses” in Real-World Terms
FTPFO doesn’t cover every bad thing humans can do with a spreadsheet. It’s tied to a set of specified
base fraud offenses (listed in legislation) and also captures aiding/abetting-style participation in those offenses.
The UK guidance calls these “base fraud offenses” and includes, for example:
- Fraud by false representation (lying to obtain a gain or cause loss)
- Fraud by failing to disclose information (withholding what must be disclosed)
- Fraud by abuse of position (using a role of trust dishonestly)
- Participation in a fraudulent business
- Obtaining services dishonestly
- False accounting and related financial statement manipulation behaviors
- Cheating the public revenue (a serious tax-related common law offense)
If those labels sound abstract, here’s what they can look like in corporate life:
a salesperson misrepresents product capabilities to close deals; a finance manager inflates revenue recognition to “smooth the quarter”;
a procurement intermediary creates kickback arrangements; a contractor fabricates performance data to qualify for a program; an agent lies to win work.
In each case, if the intent is to benefit the organization (even indirectly), you’re in FTPFO territory.
The “Reasonable Prevention Procedures” Defense: Your Best Friend (If You Treat It Well)
The UK guidance makes the defense practical: you can avoid liability if you can show you had
reasonable fraud prevention procedures in place, or that it was unreasonable to expect any procedures in the circumstances.
The point isn’t to build a museum exhibit called “Compliance.” The point is to reduce the risk of fraud and be able to prove what you did.
The official framework is organized around six principles. They’re flexible, risk-based, andimportantlyauditable.
If you can explain them clearly and show evidence, you’re doing it right.
1) Top-level commitment (a.k.a. the board can’t outsource integrity)
Leadership needs to set a tone that rejects profit built on fraud. That means visible support, real resourcing, and governance that
doesn’t treat fraud controls like a speed bump. In practice, top-level commitment looks like:
- Clear anti-fraud statements that apply even when targets are “ambitious”
- Defined ownership for fraud risk (not “everyone” and not “no one”)
- Budget, staffing, and authority for compliance and financial crime teams
- Proof of oversight: minutes, reporting, decisions, remediation tracking
2) Risk assessment (your fraud map should match your business, not your wishful thinking)
A solid FTPFO risk assessment identifies where fraud could realistically happen, who could do it, and why it might slip through.
The UK guidance leans on the classic fraud triangle: opportunity, motivation, and rationalization.
Those factors show up everywhereespecially in high-pressure environments with weak controls.
Practical risk assessment steps:
- List your fraud exposure by business line, product, geography, customer type, and transaction flow
- Identify “associated person” typologies: sales agents, distributors, contractors, outsourced finance, labs, call centers
- Map incentives: sales targets, procurement savings, bonus structures, “growth at all costs” OKRs
- Document and refresh regularlyespecially after major changes (acquisitions, new markets, new systems)
3) Proportionate, risk-based prevention procedures (controls that fit, not controls that cosplay)
“Reasonable” doesn’t mean identical everywhere. It means the level of prevention matches the level of risk.
High-risk areas deserve stronger controls; low-risk areas still need baseline guardrails.
Examples of proportionate controls:
- Sales: deal approval thresholds, discount controls, truth-in-marketing checks, contract deviation reviews
- Finance: segregation of duties, journal entry controls, reconciliation discipline, analytics for anomalies
- Procurement: vendor onboarding rules, conflict-of-interest declarations, competitive bid requirements
- Grants/program eligibility: verification of test data, independent review of certifications, audit trails
4) Due diligence (because “trust me, bro” is not a control)
Due diligence should focus on the people and entities who can create fraud risk for your organizationespecially third parties who sell,
source, test, certify, or otherwise act on your behalf. The guidance emphasizes risk-based diligence and recognizes that
“one-size-fits-all” questionnaires don’t magically prevent fraud.
Practical due diligence building blocks:
- Risk-tier your third parties (high/medium/low) with clear criteria
- Use screening and verification appropriate to the risk (including adverse media where appropriate)
- Contract clauses: audit rights, compliance obligations, termination triggers, training requirements
- M&A diligence: assess the target’s fraud controls and plan post-close integration fast
5) Communication and training (policies don’t work if nobody reads them)
FTPFO readiness requires that policies are communicated, embedded, and understoodnot just posted on an intranet page no one visits.
Training should be tailored to risk: the people who touch high-risk decisions need more specific, scenario-based training.
Training that actually helps:
- Role-based modules (sales, finance, procurement, customer success, operations)
- Short scenario drills: “What do you do if a client asks you to ‘just tweak’ the numbers?”
- Clear reporting channels and whistleblowing reminders
- Reinforcement through leadership messaging and middle-manager accountability
6) Monitoring and review (set it, forget it, regret it)
Risks evolve. Controls degrade. People find creative ways around rules. Monitoring and review are how your program stays alive.
This includes tracking training completion, testing controls, monitoring third-party compliance, and updating procedures when the business changes.
Monitoring ideas that don’t require a moon base budget:
- Quarterly control testing on the highest-risk processes
- Data analytics on payments, refunds, discounts, write-offs, and manual journal entries
- Third-party reviews (contract compliance, commissions, performance certifications)
- Post-incident reviews that lead to real changes (not just “remind everyone again”)
How to Build an FTPFO-Ready Program Without Burning Down Your Calendar
Step 1: Scope your exposure with ruthless honesty
Start with three questions:
(1) Do we meet the “large organization” thresholds?
(2) Where do we have a UK nexus (operations, customers, employees, transactions, impacts)?
(3) Which associated persons could plausibly commit base fraud offenses for our benefit?
Step 2: Map FTPFO to what you already have
Many companies already run anti-fraud controls, SOX controls, anti-corruption programs, and third-party risk management.
Don’t duplicate everything. Instead, map existing controls to FTPFO risks and identify gaps:
- Does your risk assessment cover the specific base fraud behaviors and incentive structures?
- Do third-party controls extend to agents who can commit fraud for your benefit?
- Do you have evidence (not vibes) that controls operate effectively?
Step 3: Focus on the “fraud-for-benefit” scenarios
FTPFO cares about fraud that benefits the organization (or clients in some scenarios). So prioritize:
revenue-generating processes, cost-saving pressure points, eligibility/certification workflows, and financial reporting touchpoints.
Example: a sales rep drafts a misleading customer letter to help secure financing for your company’s benefit.
Example: an overseas lab falsifies performance data so your product qualifies for a UK-linked incentive program.
Example: a contractor misrepresents staffing eligibility so your UK operations stay fully staffed.
These aren’t exotic edge casesthey’re “Tuesday” in many industries.
Step 4: Document like you expect to be questioned (because you might be)
“We had a program” is not a defense if you can’t show it. Keep:
risk assessments, training records, due diligence files, policy approvals, audit trails, monitoring results, and remediation logs.
If a control exists only in someone’s head, it doesn’t exist.
Step 5: Pressure-test the program
Run tabletop exercises:
a fake invoice scheme; a mis-selling scenario; a third-party certification fraud; a “creative accounting” push at quarter-end.
Ask: Would our controls detect or prevent this? Would someone speak up? Would leadership back them?
What Happens If You Get This Wrong?
FTPFO is a criminal offense with serious consequences. Enforcement risk includes prosecution, major financial penalties,
reputational damage, and multi-year remediation commitments. The UK guidance also notes that
deferred prosecution agreements (DPAs) are available for this offense in England and Wales (not in Scotland or Northern Ireland),
which makes prevention programs even more important: DPAs tend to reward companies that can show credible controls, cooperation, and remediation.
One more reality check: an audit is not a fraud-prevention shield. Financial statement audits can help surface risks, but they are not designed to
catch everything and are not a substitute for prevention procedures tailored to FTPFO exposure.
A Quick FTPFO Readiness Checklist
- Threshold: Confirm whether you qualify as “large” (and how group entities are treated)
- UK nexus: Identify where UK-linked acts, gains, or losses could occur
- Associated persons: Map employees, agents, contractors, and service providers who can create risk
- Risk assessment: Document fraud-for-benefit scenarios and update regularly
- Controls: Implement proportionate procedures in high-risk processes
- Due diligence: Risk-tier and verify third parties; strengthen contracts
- Training: Provide role-based, scenario-driven training and reinforce speak-up culture
- Monitoring: Test controls, use analytics, track remediation, and keep evidence
Conclusion
The UK’s FTPFO guidance is a blueprint for a modern anti-fraud program: leadership-owned, risk-based, practical, and provable.
If you’re a large organization with any meaningful UK touchpoints, preparation isn’t optionalit’s the difference between a manageable compliance project
and a very expensive lesson in corporate accountability.
The good news: you don’t have to invent a brand-new universe. Start with your highest-risk fraud-for-benefit scenarios,
strengthen third-party and sales/process controls, train the people who need it most, and document everything.
FTPFO doesn’t demand perfection. It demands reasonablenessand evidence that you took fraud prevention seriously before anyone forced you to.
Experience Section: 10 Real-World Lessons From FTPFO Prep (The Stuff That Actually Moves the Needle)
Below are practical “experience-based” patterns that show up when companies get serious about FTPFO. Not theorypatterns.
If you’ve ever watched a compliance rollout collide with the real world, you’ll recognize these immediately.
1) The fastest wins come from fixing incentives, not rewriting policies
Teams often sprint to update policies because it feels productive and measurable. But the biggest fraud drivers are usually incentive structures:
aggressive sales targets, procurement savings mandates, or quarter-end finance pressure. The most effective programs don’t just say “don’t commit fraud”;
they adjust the environment that makes fraud feel “necessary.” One company reduced high-risk discounting behavior more in 60 days by tightening deal
approval rules and removing a toxic KPI than it did in the previous year of policy refreshes.
2) Middle managers are the make-or-break layer
Senior leadership statements matter, but middle management behavior is where the culture becomes real.
When managers quietly reward “results at any cost,” fraud controls turn into a game of “how not to get caught.”
Effective FTPFO prep includes manager toolkits: how to respond to red flags, how to handle target pressure, and what to do when a top performer
is also a top-risk. If you only train front-line staff and executives, you’re skipping the layer that shapes daily behavior.
3) Third-party risk is where companies discover their own blind spots
Many organizations have third-party due diligence, but it’s often designed for bribery risk, sanctions, or onboarding hygienenot fraud-for-benefit.
FTPFO prep forces a sharper lens: who can falsify data, misrepresent services, manipulate eligibility criteria, or generate fake documentation that
benefits the company? The “aha” moment for many teams is realizing that fraud can be committed by vendors you’ve trusted for yearsespecially those
whose outputs you don’t independently validate (certifications, testing results, sales lead sources, or outsourced documentation).
4) “We already have SOX controls” helps, but it’s not a free pass
SOX-style financial controls are valuable, especially around approvals, reconciliations, and segregation of duties.
But FTPFO risk shows up outside traditional financial reporting: sales representations, product claims, client communications, eligibility statements,
and third-party certifications. Teams that succeed treat SOX as a foundation and then build targeted fraud controls where fraud-for-benefit actually happens.
That might be a marketing substantiation workflow, a review of customer letters drafted by sales, or a validation check on performance data used in bids.
5) The best risk assessments don’t live in spreadsheetsthey live in workshops
The most useful fraud risk assessments come from structured sessions with the people who run the processes:
sales ops, finance controllers, procurement, customer success, and regional leaders. When you ask “How could someone cheat to help us hit our numbers?”
you get real scenarios. When you send a spreadsheet, you get generic answers and a lot of “N/A.” The workshop approach also creates ownershippeople are
more likely to support controls they helped design.
6) Data analytics can be lightweight and still powerful
You don’t need a Hollywood “fraud AI” to spot patterns. Simple analyticsduplicate vendors, round-dollar invoices, unusual refund spikes, discount outliers,
rapid vendor bank-account changes, or manual journal entry clusterscan surface issues quickly. Teams that succeed pick a handful of high-risk indicators,
run them consistently, and route findings to a defined triage process. The value is consistency and follow-through, not complexity.
7) Speak-up channels work only if retaliation is handled like an emergency
Companies love to announce hotlines. Employees love to notice when nothing happens.
Mature programs protect reporters, communicate outcomes (without oversharing), and discipline retaliation decisively.
Under FTPFO, a speak-up culture is part of the practical defense story: did you create realistic pathways for people to flag suspicious activity early?
One organization improved reporting by simply publishing “what happens after you report” and showing anonymized examples of actions taken.
8) Contract clauses matter, but enforcement matters more
Adding audit rights and compliance clauses to third-party contracts is important. But the real question is:
do you ever use them? Companies that treat clauses as living toolstriggering audits for red flags, enforcing termination rights for serious breaches,
and requiring remediationbuild credibility fast. Companies that never enforce contract controls end up with paper defenses and practical exposure.
9) Post-acquisition integration is a fraud risk sprint, not a marathon
M&A introduces new systems, new incentives, and new peopleoften with uneven control maturity.
Strong FTPFO prep includes an integration plan that prioritizes fraud risk in the first 90–180 days: onboarding to policies, targeted training,
third-party diligence refresh, and control alignment for high-risk processes. Waiting a year to harmonize controls is how “legacy practices” become
“current liabilities.”
10) The most persuasive evidence is boring evidence
If you ever need to demonstrate “reasonable procedures,” flashy slide decks won’t carry the day alone.
The most persuasive evidence is boring: dated risk assessments, documented control testing, training completion logs, diligence files,
approval records, monitoring reports, and remediation tracking. Boring is beautiful because boring is provable.
Bottom line: FTPFO readiness is less about reinventing compliance and more about aligning incentives, strengthening high-risk controls,
managing third parties like grown-ups, and documenting the reality of what you do. If you treat the guidance as a practical operating system
(not a legal memo), you’ll reduce fraud risk and improve governanceeven beyond the UK.
