A new era of accountability has arrived. The UK’s “failure to prevent fraud” offence shifts responsibility from investigation to prevention, demanding proof that organisations took active steps to stop internal fraud before it occurred. At Futurum Risk, we explore how this legislation redefines corporate responsibility and why background checks, employee vetting, and HR-led culture controls are now the evidence of compliance, rather than just the paperwork behind it.
When Fake Employees Commit Real Crimes: How the UK’s New Fraud Law Redefines Corporate Responsibility
The global shift to remote work has rewritten the rules of recruitment, and in doing so, opened a new front in the war against corporate fraud. Across industries, fraudulent remote IT workers are infiltrating companies with forged identities, stolen credentials, and AI-polished CVs that pass traditional screening. Some are proxy hires, where another person performs the work. Others are complete fabrications, ghost employees who exist only on payroll, siphoning salaries or inserting malicious code into company systems.
These schemes are not isolated. They are part of a growing pattern of employment-based fraud that quietly damages balance sheets, compromises data, and undermines trust. The unsettling reality is that the scam often appears to benefit the organisation, at least at first, by meeting targets, filling critical tech roles, or keeping projects on schedule.
That illusion of benefit is exactly what the UK’s new “failure to prevent fraud” offence aims to address. Effective 1 September 2025, under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), large organisations can be criminally liable if an employee, contractor, or any “associated person” commits fraud that benefits the business, even if leadership did not know of it.
The only defence is proof that the company had “reasonable fraud prevention procedures” in place. This is where employee background checks become more than a formality; they become a legal safeguard. Robust identity verification, credential validation, and lifecycle monitoring are no longer just HR best practices; they are the foundation of compliance under the new law.
While this legislation is being implemented in the United Kingdom, it carries significant implications for South African companies. The South African regulatory environment has often mirrored the UK’s approach to anti-corruption and corporate governance. Experts believe South Africa is likely to follow suit with a similar “failure to prevent fraud” offence, making now the time to align with the UK’s “reasonable procedures” framework.
The hidden threat: fraudulent remote workers
Behind a well-polished CV and a confident video interview, it’s become increasingly easy for fraudsters to slip through digital hiring processes. Fake identities. Forged qualifications. Stolen reference templates. Even AI-generated interview responses.
Some cases involve individuals posing as software engineers, data analysts, or IT administrators, roles that grant them access to sensitive systems and code repositories. Others involve “ghost employees”: profiles that exist only on payroll spreadsheets, quietly billing hours through falsified credentials.
They appear real. They deliver just enough to stay unnoticed. And in many cases, their activity, at least on paper, benefits the organisation. That benefit is exactly what activates the new law.
Under ECCTA, if that “employee” or “associated person” manipulates data, commits invoice fraud, or facilitates unauthorised payments that make your company appear more profitable, your business could be held accountable for failing to prevent fraud. It’s not about intent anymore. It’s about systems, and the absence of them.
The purpose of the law: shifting responsibility to prevention
The failure to prevent fraud offence is designed to close a long-standing loophole. Historically, proving that senior management knew about or intended fraud was difficult.
Under this reform, prosecutors no longer need to show intent at the top. They only need to show that an associated person committed a relevant fraud offence that benefited the company, and that the company didn’t have adequate procedures to prevent it.
The UK Home Office guidance sets out six core principles for “reasonable procedures”: proportionality, risk assessment, due diligence, communication and training, top-level commitment, and monitoring and review. But in practice, these principles translate into something much more tangible: employee lifecycle integrity.
Every point of entry into your organisation, every job application, interview, or contractor agreement, becomes a potential weak spot. The vetting decisions made by HR or procurement aren’t just operational choices anymore; they’re now part of a company’s liability framework.
Employee background checks: the first and strongest line of defence
Employee background checks are often seen as administrative. Under ECCTA, they are evidence of reasonable fraud prevention.
A comprehensive background screening process builds the first barrier between an organisation and a potential liability event. Done right, it doesn’t just protect against fake hires; it protects against regulatory prosecution.
1. Identity verification that can stand up in court
Modern fraudsters are skilled at impersonation. Digital tools make it easy to forge passports, edit PDFs, and spoof reference calls. “Reasonable procedures” demand more. Organisations must verify that the person they hire is who they claim to be. This means implementing multi-layered ID verification: document authentication, video liveness checks, biometric validation, and verification against government or corporate databases.
2. Reference and credential validation
The classic “trusted reference” model doesn’t work when remote applicants can set up false reference emails in minutes. Fraud prevention procedures should include direct, synchronous verification with references, via official company channels or recorded video calls, and independent validation of qualifications with issuing institutions.
3. Role-based risk profiling
Not every role carries the same fraud risk. A junior marketing assistant and a remote DevOps engineer don’t have the same access or influence. “Reasonable” means proportionate. Firms should categorise roles by their fraud exposure and scale vetting accordingly. High-risk positions, especially those with system, data, or financial access, warrant advanced checks, multi-stage verification, and probationary audits.
4. Continuous monitoring and lifecycle oversight
Fraud prevention doesn’t stop at hiring. Once an employee or contractor is inside the network, ongoing validation is key. Behavioural anomalies, such as sudden data downloads, invoice irregularities, or system access from unexpected locations, should trigger review workflows. Periodic re-verification of identity and activity confirms the continued legitimacy of remote staff.
5. Embedding HR into the fraud prevention framework
This new offence not only affects legal and compliance teams, but it also fundamentally reshapes the expectations placed on HR and recruitment functions. Under the UK’s guidance, organisations must be able to show that fraud prevention is part of everyday operations, not a once-a-year compliance exercise. That means clear communication of a zero-tolerance stance on fraud, mandatory fraud awareness training for all employees, and structured reporting mechanisms for concerns.
Most critically, recruitment processes should include enhanced pre-employment screening and background checks, particularly for roles with access to financial systems, data, or procurement authority. Ongoing vetting for high-risk positions and regular policy updates will help build the evidence trail that regulators now expect. In practice, this moves HR to the centre of the organisation’s fraud defence strategy, the first line in demonstrating that prevention procedures are both reasonable and real.
Real-world scenario: the ghost in the code
Picture this: a UK-based software firm hires a remote backend developer who claims years of experience at reputable tech companies. The screening process is light: a CV, a virtual interview, and a short coding test. The developer’s work looks solid, deadlines are met, and invoices are paid.
Six months later, the company discovers malicious code embedded in its system, a backdoor used to reroute customer payments. The “developer” has vanished. Their references were fake. Their LinkedIn profile was AI-generated.
Because the fraudulent activity inflated the firm’s performance metrics and revenue, even temporarily, the fraud benefited the organisation.
Under ECCTA, prosecutors could pursue the company for failing to prevent fraud unless it can prove it had reasonable background-check procedures and post-hire controls.
This is not theoretical. It’s the type of exposure modern compliance teams must anticipate.
How to operationalise “reasonable procedures” across the employee lifecycle
Below is a practical blueprint for organisations preparing ahead of the last quarter of 2025:
Pre-employment
- Conduct tiered background screening proportional to the fraud risk of the role.
- Apply digital identity verification with liveness checks and document authentication.
- Validate all education, professional, and reference claims directly with institutions and employers.
- Flag inconsistencies and require written explanations before onboarding.
Onboarding
- Capture employee acceptance of the organisation’s fraud prevention policy and code of conduct.
- Link verified identity to a single device, email domain, and system access credential.
- Assign fraud-awareness training as a mandatory onboarding step.
In-role monitoring
- Implement access controls based on least privilege and escalate permissions gradually.
- Audit system use, payment activity, and vendor relationships for anomalies.
- Conduct random verification checks on remote roles with privileged access.
- Encourage employees to report suspicious behaviour through protected whistleblower channels.
Exit and offboarding
- Re-verify identity before final payments or references.
- Revoke access immediately on termination.
- Retain a record of all background checks and control evidence for a defined retention period to support any later investigation.
These steps are simple, measurable, and most importantly, defensible. When prosecutors ask what “reasonable procedures” you had in place, this evidence can become the difference between liability and exoneration.
Why South African organisations should take note
While this legislation is being implemented in the United Kingdom, it carries clear implications for South African companies. South Africa’s regulatory environment has historically followed the UK’s lead on anti-bribery, corruption, and corporate governance frameworks. Experts anticipate that a similar “failure to prevent fraud” offence could be considered locally in the future, especially as corporate fraud and cyber-enabled deception continue to rise. Forward-thinking organisations in South Africa would be wise to begin aligning their internal controls and background-screening procedures with the UK’s “reasonable procedures” framework now. Those that do will already meet international best-practice standards if (or when) similar requirements are adopted here.
The deeper lesson: prevention is the new compliance
The new offence doesn’t just create another legal hurdle. It sets a new standard for what it means to manage corporate risk in an age of remote and digital workforces.
Fraud no longer lives in shadowy financial schemes alone; it lives in job applications, digital onboarding systems, and the cloud-based workflows that define modern business. The very technologies that make hiring faster and more flexible also create the perfect cover for deception.
Employee background checks are not simply a hiring tool anymore. They are a fraud-prevention mechanism. They are an organisation’s first layer of defence under a law designed to punish complacency.
The call to action
With the failure to prevent fraud offence taking effect on 1 September 2025, organisations have less than a year to close their exposure gaps.
Start by asking:
- Can we prove that our employee vetting processes meet the threshold of “reasonable procedures”?
- Have we documented our risk assessments and applied proportional screening by role?
- Do HR, Legal, and Compliance teams understand how hiring and fraud liability now intersect?
- Are we equipped to detect and respond to fraudulent behaviour by remote staff and contractors?
The time to prepare is now. Fraud is not only an external threat; it’s an internal one.
And in the eyes of the law, failing to prevent it is no longer a mistake. It’s an offence.
Prevention is the proof
The purpose of this legislation is to make fraud prevention mandatory. It represents a shift in how accountability is measured, moving the focus from reacting to fraud to proving that every reasonable step was taken to stop it. Fraud rarely begins with falsified invoices or shell companies; it begins with fake people, false credentials, and unchecked access.
Background checks, digital identity verification, and continuous employee oversight are no longer optional compliance steps. They are now central to demonstrating due diligence under the law. Every organisation will need to show that its hiring, onboarding, and monitoring processes actively work to detect and prevent internal fraud, not just that policies exist on paper. In 2025, “reasonable” will be measured in evidence. Make sure your organisation can produce it.