As part of the Economic Crime and Corporate Transparency Act 2023, a new ‘failure to prevent fraud’ offence comes into force on 1 September 2025.
Under the new legislation, all incorporated not-for-profit organisations that meet at least two of these criteria – more than 250 employees, £36m of income or £18m in total assets – will be criminally liable where:
- A specified fraud offence is committed by an employee, agent or other ‘associated person’, for the organisation’s benefit; or
- The organisation did not have ‘reasonable’ fraud prevention procedures in place.
The Charity Commission have published a regulatory alert to charities that may be impacted by the new offence.
Stay alert to fraud
Even if your charity does not fall within the scope of the new offence, it is increasingly important to be vigilant to the threat of fraud and cyber crime, and to ensure you have appropriate prevention measures in place.
According to statistics published by The Charity Commission in November 2024, there were ‘603 cases relating to fraud and a further 99 cases relating to cyber crime issues in the last year.’
Cyber crime key area of concern
Cyber crime continues to be a significant issue for organisations processing money and personal data, with the most prevalent type of fraud being phishing attempts – whereby the victim is tricked into visiting a malicious website by clicking a link in an email or text message.
Having a recognisable online presence is now customary for most charities. A website is an effective way to raise awareness of a charity’s work and fundraising campaigns. However, an established online identity can present an element of risk, as fraudsters have been known to assume the image and reputation of a charity to create unlawful fundraising sites.
Safeguarding assets through training and education
Sometimes a charity simply does not have the resources to put rigorous fraud security policies in place. Educating trustees, employees and volunteers on the common threats can be a very effective frontline defence.
There are numerous resources available to help raise awareness of fraud within your organisation. The National Cyber Security Centre (NCSC) has produced the Small Charity Guide, including key information and tools to protect your charity. You can also check your cyber security status with the NCSC’s free online service, which helps to identify any vulnerabilities in emails, websites or your web browser.
The NCSC runs free online cyber security training for beginners. The training is easy to use and takes less than 30 minutes to complete.
Medium and large charities, with more complex IT systems and perhaps a specific trustee or team to manage their cyber security, may want to take a look at the NCSC’s 10 Steps to Cyber Security or join the Cyber Essentials Scheme to certify that their charity is cyber secure. There is also an NCSC cyber security toolkit for boards to help trustees understand and discuss the risks of cyber crime, and a list of certified training courses.
Internal financial controls
New guidance has been added to The Charity Commission’s internal financial controls on how to protect your charity from fraud.
Internal financial controls are essential checks and procedures to help protect funds and assets from fraud; make informed decisions about your financial position; and ensure the quality of financial reporting. It is advisable to keep up to date with the latest guidance on internal financial controls, which can be found here.