ARTICLE
20 February 2026

When Insider Risk Becomes Corporate Risk: How Corporations May Be Held Liable For The Fraud Of Others

KL
Herbert Smith Freehills Kramer LLP

Contributor

Herbert Smith Freehills Kramer LLP logo
Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.
Explore Firm Details
It has never been more important for organisations to invest in technology to combat against cyber-crime and fraud.
Australia Corporate/Commercial Law
Tania Gray,Merryn Quayle,Azaara Perakath
+2 Authors
 Your Author LinkedIn Connections
Tania Gray’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • within Corporate/Commercial Law topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in United States
  • with readers working within the Business & Consumer Services, Insurance and Media & Information industries

It has never been more important for organisations to invest in technology to combat against cyber-crime and fraud. However, are organisations expected to do more to protect their customers against corporate fraud? The UK government has made it clear that its answer to this question is yes. Relevantly, on 1 September 2025, the "failure to prevent fraud" offence came into force in the UK, placing additional obligations on large organisations to prevent fraud in the UK. Failure to comply could result in significant fines. We can expect Australian governments to closely monitor enforcement outcomes and the extent to which organisations improve their fraud prevention procedures in the UK, to determine if an equivalent offence should be introduced in Australia.

Current state of the law

Under the current state of the law in Australia, an organisation can be held liable for fraud in the following circumstances:

  1. Vicarious liability: Its employee commits fraud "in the course of their employment". Given that intentional wrongful acts such as fraud would not ordinarily be committed in the course of employment, the High Court in Prince Alfred College Inc v ADC (2016) 258 CLR 134 have said that vicarious liability might be established for criminal wrongs if the employee's role gave "occasion" for the wrongful act (not merely the opportunity). This will turn on the specific facts of the case, including any special role assigned to the employee.
  2. Attribution of criminal liability: Its employee commits criminal fraud whilst "acting within the actual or apparent scope of his or her employment", save for where the offence provision precludes the application of section 12 of the Criminal Code as a means of attributing liability to an organisation. Like vicarious liability, the fact that fraud is an intentional wrongful act does not remove it from the scope of an employee's actual or apparent authority. The fault element of intention, knowledge or recklessness will be attributed to the company if it can be shown that the company permitted the commission of the offence (whether expressly, tacitly or impliedly).
  3. Accessorial liability: The organisation knowingly receives a benefit or participates in a breach. Accessorial liability can arise where the offence is committed by an employee, customer or third party. It is a necessary precondition to liability that the person who committed the fraud be found liable for the fraud.

Failure to prevent fraud offence in the UK

On 1 September 2025, a new offence of "failure to prevent fraud" was introduced in the UK, under section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA). It is a strict liability offence which applies if an "associate" of an "in scope" organisation commits one of the specified fraud offences for the direct or indirect benefit of the organisation.

A body corporate or limited partnership is "in-scope" if it is a "large organisation". That is, if the organisation meets two of the following criteria: (i) more than 250 employees; (ii) more than £36 million annual turnover; or (iii) more than £18 million in total assets. An "associate" is defined broadly to include employees, agents, subsidiaries or persons who perform services for, or on behalf of the organisation. The list of relevant fraud offences is extensive and includes:

  • offences under the Fraud Act 2006 (UK), including fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly and participation in a fraudulent business;
  • false statements by company directors under section 19 of the Theft Act 1968 (UK);
  • fraudulent trading under section 993 of the Companies Act 2006 (UK); and
  • aiding, abetting, counselling or procuring any of the above.

If the key components of the underlying offence are made out, the onus falls upon the defendant organisation to prove that it had reasonable fraud prevention procedures in place, or that it was unreasonable to expect it to have such procedures. Statutory Guidance provides for examples of good practice, including a commitment by the Board/senior management to preventing fraud, conducting risk assessments, implementing proportionate risk-based prevention measures and undertaking due diligence on associated persons to mitigate fraud risks, communication of fraud prevention policies (including training), and regular monitoring and review.

The maximum penalty for an organisation's failure to prevent fraud is an unlimited fine.

There is no equivalent offence to the failure to prevent fraud offence in Australia at present. However, there are close similarities between the new offence and the offence of "failure to prevent foreign bribery" under section 70.5A of the Criminal Code Act 1995 (Cth), which was based on the UK equivalent. We expect Australian governments and regulators to monitor the outcomes from the "failure to prevent fraud" offence closely and to consider if an equivalent offence should be introduced here. Notably, ASIC's enduring priorities include scam disruption, systemic compliance failures by large financial institutions which result in widespread consumer harm.

Potential risks

The new "failure to prevent fraud" offence expands the scope of liability for organisations with a nexus to the UK. The wrongdoing of an employee, agent or contractor will automatically be attributed to an organisation where it was undertaken for the benefit or gain of the organisation (irrespective of whether any such gain or benefit materialised). It will not matter whether the conduct was sufficiently connected to the scope of employment or authority. The strict liability nature of this offence places the burden on organisations to implement (and be able to demonstrate) "reasonable" fraud prevention procedures or explain why such procedures were unreasonable.

Further, the introduction of the failure to prevent fraud offence might encourage plaintiffs to seek to hold organisations liable for the fraud of its employees through vicarious liability claims, or for the fraud of others via accessorial liability claims. Cases arising out of the UK which establish the steps that an organisation ought to take for fraud prevention might also influence the development of the law and policy in Australia. One such case is Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363 which established the "Quincecare duty", requiring banks to refrain from executing payment instructions if they have reasonable grounds to suspect fraud by an agent of the customer. Importing such concepts to Australia might result in greater obligations on organisations to have systems in place to detect and act upon suspicious transactions or instructions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.



[View Source]
Authors
Photo of Tania Gray
Tania Gray
Photo of Merryn Quayle
Merryn Quayle
Person photo placeholder
Lauren Perkins
Photo of Azaara Perakath
Azaara Perakath
Photo of Vanessa Luong
Vanessa Luong
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More