If you supply a large UK organisation, the Failure to Prevent Fraud offence is about to land on your desk - whether or not the law itself applies to your business. On 1 September 2025, the UK's new corporate offence came into force under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). It's the biggest shift in UK anti-fraud law in more than a decade, and while it formally targets only large organisations, the commercial fallout is already reaching their suppliers.

Read the headlines and you'd be forgiven for thinking it doesn't apply to you. The offence only catches "large organisations" - those that meet at least two of these three criteria in the preceding financial year:

  • More than 250 employees

  • More than £36 million in turnover

  • More than £18 million in balance sheet total

If you're sitting inside an SME of somewhere between 50 and 250 people, you are, on the face of it, out of scope.

But here's why your business size isn't a good reason to stop reading.

Why the Failure to Prevent Fraud offence affects suppliers, even smaller ones

The Home Office's statutory guidance is explicit on one point: large organisations are expected to push fraud prevention requirements down through their supply chains. They have to, because under the new offence they can be criminally liable for fraud committed by an "associated person" under ECCTA - a definition broad enough to include anyone providing services for or on behalf of them.

In the months since the offence took effect, three things have started happening at the larger end of UK business:

  1. Supplier contracts are being rewritten to include explicit fraud-prevention clauses, warranties, and audit rights.
  2. Vendor due diligence questionnaires are being refreshed at renewal, asking suppliers to describe their own anti-fraud controls.
  3. Onboarding processes for new suppliers now include a fraud-controls assessment alongside the familiar checks on insurance, GDPR, and modern slavery.

Smaller suppliers may be considered "associated persons" of their larger customers and can be subject to contractual requirements those customers impose to help prevent fraud. You may not be in scope of the offence itself. But you are very much in scope of your biggest customer's compliance response to it.

The reframe is straightforward: this isn't a legal problem, it's a commercial one. The question is no longer "could we get prosecuted?" It is "could we lose our largest contract because we can't answer six questions about how we control fraud risk?"

Are you exposed? A quick supplier diagnostic

Run through this short check before reading on. Score yourself yes / no / unsure for each:

  • Do you supply, or hope to supply, any UK organisation with more than 250 staff, £36m+ turnover, or £18m+ on the balance sheet?
  • Do any of your largest customers operate in professional services, construction, SaaS, or financial services - sectors where the supply-chain trickle-down is most pronounced?
  • Are any of your supplier contracts up for renewal in the next 12 months?
  • If a customer sent you a fraud-controls questionnaire tomorrow, could you produce evidence of how invoices are approved, who can approve what, and an audit trail showing it happened?
  • Do you have a single, named owner for fraud prevention in your business - and could a customer's procurement team find that person quickly?

If you've answered "no" or "unsure" to two or more of these, your existing controls are unlikely to satisfy a refreshed supplier questionnaire. It is worth doing the work now, before a renewal cycle forces you into a rushed response.

What a Failure to Prevent Fraud supplier questionnaire will actually ask

The Home Office guidance sets out six principles of "reasonable" fraud prevention procedures. Large organisations are translating these directly into supplier questions. Expect to see:

  1. Top-level commitment. Who in your senior team owns fraud prevention? Is there a named individual at director or board level?
  2. Risk assessment. Have you formally assessed where fraud could occur in your business - and when did you last review it?
  3. Proportionate procedures. What controls are in place to prevent fraud in your finance, procurement, and sales processes? Are approval limits documented?
  4. Due diligence. How do you vet your own employees, suppliers, and agents?
  5. Communication and training. How do staff know what's expected of them? Do you have a whistleblowing route?
  6. Monitoring and review. How do you check the controls are working - and how often?

Sitting underneath every one of these is the same expectation: you can produce evidence. Not policies in a folder - evidence that the controls operate in practice.

How to answer it: a five-step plan for SME suppliers

You don't need an in-house compliance team. You need a credible, proportionate response. Work through these five steps and you'll have one.

Step 1 - Appoint an owner. Pick a single person, ideally the FD or operations director, and put fraud prevention in writing as part of their remit. This satisfies "top-level commitment" with a single line in a job description.

Step 2 - Run a one-page fraud risk assessment. Map out where money moves in or out of the business: invoice payments, expense claims, payroll changes, supplier bank-detail amendments, refunds. For each, note who could commit fraud, how, and what currently stops them. Keep it to one side of A4. Date it. Diarise the next review.

Step 3 - Tighten your highest-risk control. For most businesses, this is invoice approval - the area procurement teams probe hardest. They want to know three things: who approves what, what the limits are, and whether you can prove an approval actually happened. Email chains and forwarded PDFs won't pass that test. A documented, enforced approval workflow with thresholds, segregation of duties, and a timestamped audit trail will.

This is the gap ApprovalMax is built to close. It enforces your approval matrix in software - every invoice routed to the right approvers based on value and category, segregation of duties hard-coded, and every action timestamped to produce the audit trail a procurement team will ask to see. The controls you describe on the questionnaire become the controls that actually operate, evidenced automatically. For SME finance teams used to running approvals on email, it's the single highest-leverage change you can make to be ready for a refreshed supplier questionnaire.
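One way to implement the step 3 control (value-based approval matrix, segregation of duties between submitter and approver, and an append-only timestamped audit trail), as an added Python example that is not code from this page or from ApprovalMax; the approval bands, roles and user names are constructed sample values:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample delegation-of-authority matrix and users, illustrative
# only: each band is (GBP upper limit, roles that must each approve).
APPROVAL_MATRIX = [
    (1_000, ("manager",)),
    (10_000, ("manager", "fd")),
    (float("inf"), ("manager", "fd", "director")),
]
USERS = {"alice": "manager", "bob": "fd", "carol": "director", "dan": "clerk"}

@dataclass
class Invoice:
    ref: str
    amount: float
    submitted_by: str
    approvals: dict = field(default_factory=dict)  # role -> approving user
    audit: list = field(default_factory=list)      # append-only event log

def required_roles(inv):
    # The first band whose limit covers the value decides who must sign off.
    for limit, roles in APPROVAL_MATRIX:
        if inv.amount <= limit:
            return roles

def record(inv, actor, event):
    # Every decision, allowed or refused, is timestamped in UTC and kept.
    inv.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "invoice": inv.ref, "actor": actor, "event": event})

def approve(inv, user):
    # Apply one approval, enforcing the matrix and segregation of duties.
    role = USERS.get(user)
    if user == inv.submitted_by:
        reason = "segregation of duties: submitter cannot approve own invoice"
    elif role not in required_roles(inv):
        reason = f"role {role!r} not authorised for {inv.amount:.2f}"
    elif role in inv.approvals or user in inv.approvals.values():
        reason = "duplicate approval"
    else:
        inv.approvals[role] = user
        record(inv, user, f"approved as {role}")
        return True
    record(inv, user, f"rejected: {reason}")
    raise PermissionError(reason)

def is_fully_approved(inv):
    # Paid only once every role the matrix requires has signed off.
    return all(r in inv.approvals for r in required_roles(inv))
```

The refused attempts are logged alongside the approvals, so the audit list for an invoice is the evidence a questionnaire asks for: who approved what, under which limit, and when.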

Step 4 - Write three short policies. A fraud prevention policy, a whistleblowing policy, and a supplier onboarding policy. Each can be a page or two. Circulate them and ask staff to acknowledge they've read them. Save the acknowledgements.

Step 5 - Schedule a review. Put a recurring quarterly calendar entry in to revisit the risk assessment and check the controls are still being followed. Customers want to see that the framework is alive, not installed and forgotten.

Why this matters now

The Failure to Prevent Fraud offence has only been live since September. Most large organisations are still working through their first wave of supplier renewals under the new regime. Accountants are only now starting to brief mid-market clients on the trickle-down effect. The supplier questionnaire that lands on your desk in the next 12 months will not be a tick-box exercise - it will be a procurement team trying to satisfy their own board that the supply chain is defensible.

Suppliers who can answer it cleanly will keep their contracts. Suppliers who can't will not.

The good news: the steps above are the same steps that protect your own business from fraud. The offence has simply turned a "should do" into a "have to demonstrate." Get ahead of the question now, and the answer becomes a competitive advantage rather than a scramble.

FAQ

This section addresses the most common and immediate questions from suppliers regarding the Failure to Prevent Fraud offence, covering who is in scope, what is meant by an "associated person" under ECCTA, and the practical steps needed to satisfy compliance requirements from larger customers.

Does the Failure to Prevent Fraud offence apply to small businesses?

No - the offence applies only to "large organisations" meeting at least two of the ECCTA criteria (250+ employees, £36m+ turnover, or £18m+ balance sheet total). However, smaller suppliers can be considered "associated persons" of their larger customers, and those customers are now passing fraud-prevention requirements down their supply chains through contracts and questionnaires.

What is an "associated person" under ECCTA?

An associated person is an employee, agent, subsidiary, or anyone else providing services for or on behalf of an organisation. The definition is deliberately broad, and is what creates the trickle-down effect onto suppliers of large organisations.

Do overseas suppliers need to comply?

The offence has extraterritorial reach. Non-UK companies can be prosecuted if there's a UK nexus - for example, if part of the fraud occurred in the UK, the loss was suffered in the UK, or a UK-based employee was involved. Practically, overseas suppliers selling into UK-linked large organisations are likely to face the same supplier questionnaires as their UK peers.

What evidence will customers want to see?

Procurement teams will look for documented and dated evidence: a fraud risk assessment, a delegation of authority matrix, a sample of approved invoices showing the audit trail, signed policies, training records, and the dates of recent control reviews. Policy documents alone aren't enough - they want proof the controls work in practice.

How long does this take to put in place?

A proportionate framework for an SME can be built in six to twelve weeks of focused work. The five steps above are sequential but most can be run in parallel by an FD and Ops Director working together.