New fraud offence: what Scottish law firms need to know now
The introduction of the corporate “failure to prevent fraud” offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) has prompted renewed attention on fraud across the legal sector.
For many Scottish law firms, particularly smaller practices, the initial reaction may be that the legislation does not apply directly to them.
Strictly speaking, that may be correct. The offence applies where an employee or agent of a large organisation (as defined in section 201, ECCTA 2023) commits a fraud where the organisation directly or indirectly benefits. Large organisations are defined in ECCTA 2023 as those who meet two out of three of the following criteria:
· Turnover of more than £36 million.
· Balance sheet total of more than £18 million.
· More than 250 employees.
However, a strict reading of the legislation risks missing the more immediate and practical implications. The offence extends into supply chain expectations, meaning firms may be engaged not as regulated entities in scope themselves, but as professional advisers to organisations that are. Section 199(1) of the Act attaches an offence to an organisation where the fraud is committed by a person “who is associated” with the body. Section 199(7) includes agents and persons who otherwise perform services for or on behalf of the body.
If a small firm has these types of relationship with a large organisation, it would be subject to the statutory fraud prevention controls operated by that large organisation. These controls are expanded upon later.
The position is therefore less about avoiding prosecution and more about preparedness. Firms will be expected to demonstrate that fraud risk is understood, that proportionate controls are in place, and that those controls operate effectively in practice. In this context, the issue becomes one of defensibility, posture, and confidence, rather than criminal exposure alone.
Against that backdrop the question is not whether the offence applies, but whether firms are able to explain clearly and credibly how fraud risk is managed within their business.
Evolving expectations
Fraud is not a new risk. It has consistently been one of the most prevalent forms of crime in the UK and has long been a material exposure for law firms. What has changed is the focus of scrutiny. ECCTA 2023 does not introduce the concept of fraud risk into the legal sector; it reframes expectations around how that risk should be identified, managed, and evidenced.
Law firms are, in many respects, lower risk environments. They operate within a highly regulated framework, with established rules around client money, professional conduct, and supervision. However, this should not obscure the underlying exposure. The legal sector can be vulnerable to both external and internal fraud, and there have been high-profile examples involving employees and, in some cases, senior individuals within firms.
Internal fraud is the renewed focus under ECCTA 2023. It often develops gradually, within trusted relationships and informal processes. It is therefore less likely to be detected early and can be more difficult to explain after the event.
From a risk perspective, the distinction between internal and external fraud is of limited importance. The key issue is whether the risk was foreseeable and whether it was managed in a way that is proportionate to the firm’s size and complexity.
The question for firms is therefore a practical one: given what is now widely understood about fraud risk, what would a reasonable firm have done in the same circumstances?
Client money
Client money remains the most significant area of exposure for Scottish law firms. Most serious claims arise where client funds are lost or misdirected, whether through external manipulation or internal misconduct. This can of course result in the need for a firm to claim against their Master Policy professional indemnity insurance. Subject to its terms and conditions, the Master Policy will typically respond to any situation involving loss of client money that was in the control of the law firm, regardless of whether that loss has been caused by a fraud.
It’s also worth noting that clients can apply to the client protection fund (CPF) in cases of dishonesty by solicitors or their staff. Claimants will be required to pursue other available sources of recovery before a CPF grant will be considered. This includes the Master Policy, where cover may be available except in situations where there are no innocent principals (not implicated in the fraud).
Client money is a significant area of exposure for structural reasons. Law firms routinely handle large volumes of funds, often under time pressure, and frequently rely on a combination of people, process, and trust to deliver transactions. Where any of those elements weaken, the opportunity for fraud increases.
Recurring issues are well understood. These include unclear segregation of duties, over-reliance on individual staff members, informal workarounds during busy periods, and insufficient challenge where a transaction appears unusual but not obviously incorrect.
There is, however, a distinction in how these risks manifest across different firms.
In larger firms, the challenge tends to arise from complexity. Multiple systems, layered processes, and dispersed teams can create gaps in oversight or inconsistencies in how controls are applied. Fraud risk can emerge where responsibility is fragmented or where staff rely on process without fully understanding the underlying risk.
In smaller firms, a small number of individuals may have broad system access and significant autonomy. Processes may be undocumented, and oversight may be informal. Trust becomes a control in itself. That is effective until it is not.
In both cases, the underlying issue is not the absence of controls, but the presence of gaps between how those controls are expected to operate and how they operate in practice.
Unknown risks and reasonable measures
A more complex challenge arises where fraud occurs in ways that are not immediately visible. Direct benefit is straightforward: did a fraud occur which benefited the organisation?
Indirect benefit is more nuanced, because the benefit to the organisation may be secondary or tertiary. For example, an employee may fabricate billing figures to meet performance targets and achieve bonuses; the firm is the secondary beneficiary where it has received income from the fraudulent billing.
This creates two potential risks. The first is under-identification, where firms fail to recognise the conditions in which fraud could develop. The second is over-identification, where controls are applied so broadly that they begin to affect commercial delivery or client service without a clear risk basis.
Government guidance on “reasonable procedures” is explicit on this point. Measures should be proportionate, risk-based and grounded in the nature of the organisation. There is no expectation that smaller firms replicate the control environment of large institutions.
The responsibility placed on firms is a fundamental one. Firms should be able to demonstrate that they have considered where fraud could occur, that they have implemented controls appropriate to those risks, and that those controls are subject to periodic review.
Some examples of proportionate fraud controls include:
· Only authorising specific employees or principals to hold banking passcodes for funds transfers.
· Ensuring that different individuals have responsibility for processing transactions and authorising transactions.
For further discussion of standards of control for fraud prevention, firms can contact Lockton’s Master Policy team at [email protected].
Implementing the right controls is not an exercise in documentation for its own sake. It is about demonstrating judgement.
Best practice: practical reflections
In practical terms, effective fraud risk management is rarely defined by complexity. It is more often defined by consistency and clarity.
Top-level commitment is the first control, and it requires careful interpretation. It is not established through policy statements alone. It is reflected in how decisions are made, how pressure is applied, and how behaviour is challenged.
A firm cannot reasonably assert a low tolerance for fraud risk while simultaneously operating an environment that incentivises short-term outcomes at the expense of process. If individuals feel that delivery is prioritised over control, they will respond accordingly.
There is also value in reflection (that is, risk assessments). When was the last time the firm considered how fraud might occur? Would that discussion produce the same conclusions today as it did two years ago? You must take time to document where fraud might occur, how severe the fraud risk might be, and the steps taken to manage it. Linking that assessment with monitoring of what is happening on the ground helps to maintain control.
Similarly, training and communication are only effective where they connect to day-to-day activity. Engaged staff need to recognise not just what fraud looks like in theory, but how it may present itself within their own roles.
Simple controls, applied consistently, are often more effective than complex frameworks. A foundation of strong due diligence on those who perform services, enhanced by ongoing measures such as clear authorisation processes, appropriate system access, and visible oversight of client account activity, remains fundamental.
The question is whether that framework is designed to mitigate your risks and to be followed in practice, particularly under pressure.
Finally, firms should consider how they would respond if an issue arose. Who would be informed? What would be reported? How quickly could the firm evidence its controls and decision-making?
These are not theoretical questions. They are the basis on which everyone will form a retrospective view: could and should the firm have prevented the fraud?
Looking ahead
The failure to prevent fraud offence is unlikely to represent a single, isolated development. The development of corporate criminal responsibility is increasing across the board, so making the “reasonable measures” approach muscle-memory is crucial.
For Scottish law firms, the implication is not that criminal liability is imminent, but that scrutiny is increasing. Firms will be expected to demonstrate not only that controls exist, but that they are understood, applied, and reviewed.
Firms that take the opportunity now to assess their position thoughtfully and proportionately will have a clear advantage.
Written by Michael Ross of Anderson Strathern.

This is an article provided by Lockton, the official insurance broker responsible for placing and administering the Master Policy of the Law Society of Scotland. Lockton is the direct point of contact for anything related to the Master Policy, including claims, practice changes and general enquiries.