Starting on 1 September 2025, Swiss companies may face criminal liability under UK law if they fail to implement adequate anti-fraud procedures.

      The UK Home Office published guidelines on 6 November 2024, offering directions on how to comply. Even businesses not directly subject to the law should view them as best-practice guidelines for effective compliance and risk management.

      This development underscores the growing importance of compliance, particularly with regard to ethical standards, public accountability and regulatory adherence. Publicly listed companies should evaluate whether their internal policies, internal control systems (ICS) and corporate governance frameworks align with applicable legal standards.

      Bob Dillen

      Partner, Head of Forensic

      KPMG Switzerland


      The new offense: failure to prevent fraud

      The Economic Crime and Corporate Transparency Act of 2023 (ECCTA) introduces, under Section 199, a new corporate offense of failure to prevent fraud. A company may now be held criminally liable where an economic crime is committed for its benefit and it did not have adequate anti-fraud procedures in place.

      Swiss law provides a similar mechanism: under Article 102 of the Swiss Criminal Code, a company can be prosecuted if a criminal offense cannot be attributed to an individual due to poor organization. In certain cases – such as money laundering, bribery or corruption – companies can be held liable even where the perpetrator is known, provided that internal safeguards were lacking.

      While the Swiss model emphasizes organizational fault, the UK regime marks a paradigm shift by requiring evidence of proactive and effective prevention measures.

      When a company is held liable under UK law

      The new offense applies only to organizations that qualify as “large organizations”, either directly or through their parent company. This classification is met when at least two of the following thresholds apply:

      • More than 250 employees
      • More than GBP 36 million in turnover
      • More than GBP 18 million in total assets

      Definition of fraud under the ECCTA


      The ECCTA adopts a broad definition of fraud, going beyond the scope of Article 146 of the Swiss Criminal Code. Schedule 13 of the ECCTA includes offenses such as:

      • Fraud, embezzlement and misappropriation
      • False accounting and false statements by company officers
      • Aiding and abetting
      • Money laundering

      The company can be held liable even if the individual perpetrator is not prosecuted – emphasizing systemic responsibility.

      Attribution of liability


      1. If only the parent company qualifies as large, the subsidiary is liable for fraud committed by its own staff.

      2. If the company itself qualifies as large, it is also liable for fraud committed by associated individuals (e.g. agents, representatives or contractors).

      Importantly, management knowledge or involvement is not necessary to establish liability. Compliance failures, such as a breach of the Code of Conduct or lack of control, are sufficient.

      Defenses: how companies avoid liability

      A company will not be held liable if it can either:

      1. demonstrate that it had adequate procedures in place to prevent the offense, or

      2. show that it was unreasonable to expect such procedures under the circumstances.

      These criteria effectively create an obligation to implement a robust Compliance Management System (CMS) as part of sound corporate governance.

      Why Swiss companies should pay attention

      The offense also applies to foreign companies with a UK nexus. This includes situations where:

      • part of the offense took place in the UK
      • the benefit of the offense arose in the UK
      • the harm occurred within the UK

      For example, a company in Switzerland may be held liable if:

        • an employee commits fraud while in the UK
        • a fraud committed from Switzerland affects a victim in the UK

        Smaller companies may also be exposed when acting as associated entities for large organizations, such as within supply chains. These compliance obligations can be imposed through contracts and passed down the value chain.

          What constitutes “adequate procedures”?

          Whether a case goes to court depends on its specific circumstances. Acting early and cooperating fully with the authorities can help avoid prosecution.

          If an investigation is launched, a company can defend itself by proving that it had effective preventive measures in place at the time of the offense. While the UK Home Office guidelines serve as guidance, they do not offer guaranteed legal protection. Ultimately, the courts will decide based on the facts of each case.

          For companies, this means: prevention is the best protection. The guidelines follow internationally recognized standards for Compliance Management Systems (CMS) and are similar to the Swiss auditing standard 980. A well-established CMS generally puts companies in a strong position.

          But it’s not enough to focus solely on internal risks. The system must also address external threats, including those from third parties or affiliated companies.

          The UK Home Office guidelines outline six key principles that organizations should follow to ensure their procedures are considered adequate.

          1. Top-level commitment


          The leadership sets the tone. Senior management must take a clear stance against fraud, corruption and money laundering – and embed it into the company culture.

          This commitment should be reflected in policies, training, reporting channels, clearly defined compliance roles and regular reporting.

          Adequate resources must be allocated to support these efforts.

          2. Risk assessment


          Any and all fraud risks must be identified, documented and reviewed regularly. Existing risk assessments can be adapted and reused as needed.

          Large organizations should also assess risks related to third parties — such as partners, suppliers and service providers. Fraud typologies help structure and prioritize risks. Internal audits, industry warnings and technologies such as AI and machine learning can improve the quality of the analysis.

          3. Risk-based procedures


          Anti-fraud procedures should match the company’s size, risk profile and operational complexity. They should be clear, practical and effective as well as based on a robust, independently reviewed prevention plan.

          Measures under laws such as the Anti-Money Laundering Act (AMLA) can be included, provided they meet compliance standards. But whether they are legally “adequate” is for courts to decide – there is no automatic approval.

          4. Due diligence


          Risk-based due diligence is required for all associated individuals who may pose a fraud risk – both internal and external. This also includes avoiding factors that could facilitate crime, such as excessive performance pressure or unrealistic targets.

          Thorough due diligence is especially vital in M&A transactions and complex supply chains. Existing systems may be incorporated if they demonstrably reduce risk.
           

          5. Communication and whistleblowing


          Compliance strategies only work when people understand and practice them. Regular training and clear communication across all levels are key.

          Even strong leadership messages will fall flat if middle management tolerates or encourages misconduct. An effective whistleblowing system that complies with the EU Whistleblower Directive is mandatory.

          All reports must be taken seriously and investigated quickly. Any violations must be consistently sanctioned in line with public expectations and legal obligations.

          6. Monitoring and forensic investigation


          All preventive measures must be regularly reviewed and improved. This includes:

          1. Detecting actual or attempted fraud

          2. Conducting internal investigations

          3. Evaluating the effectiveness of existing measures

          Modern AI tools can help identify gaps and refine processes, responsibilities, resources, reporting lines and documentation.
           

          Impact on Swiss companies: opportunities and risks

          The law does not apply solely to companies based in the United Kingdom. Foreign companies may also be affected. The decisive factor is whether the fraudulent offense has a connection to the UK.

          Such a connection exists if:

          • An act that was part of the offense took place in the UK
          • The benefit from the offense arose in the UK
          • The loss caused by the offense occurred in the UK

          Swiss companies must ensure that their corporate governance policies align with the new requirements. A strong internal control system (ICS) is essential to minimize criminal liability risks and ensure compliance.


          Outlook

          The new UK law strengthens the enforceability of corporate criminal liability, including on a cross-border basis. This has implications for many Swiss companies, both directly and indirectly, particularly in the context of global supply chains, M&A transactions and client relationships.

          Preventing fraud and money laundering is not only a legal obligation – it’s critical to protecting reputation and public trust.

          How KPMG can support

          We help companies:

          • conduct fraud risk assessments
          • develop tailored fraud management systems
          • assess and screen business partners (e.g., in M&A transactions)
          • use data analytics to detect risks
