The 02:47 Slack message that costs you the defence
Picture a head of sales in a London commercial property firm. At 02:47 on a Saturday she sends a Slack DM to a junior: "just sign this off, we will reconcile next week". The deal closes Monday. Six months later the SFO opens an investigation into client account churn at the firm. The first request the investigator makes is for the Slack export of that channel between January and March. The export is incomplete: the firm activated the 90-day retention default and the message is gone. With the message gone, so is the firm's ability to show that the senior leader corrected the junior, that training was refreshed, that the policy was enforced. The "reasonable procedures" defence under Section 199(4) of the Economic Crime and Corporate Transparency Act 2023 collapses around a single missing log line.
This is the new shape of corporate criminal risk in the United Kingdom in 2026. The offence is strict liability against the organisation. The only escape is contemporaneous, retrievable, dated evidence that the firm did what the Home Office guidance says it should have done.
Who counts as a "large organisation" and an "associated person"
Section 201 of the ECCTA fixes the threshold on a group-wide basis. A company qualifies if, in the year prior to the fraud, it met two of the following three criteria across the whole group: turnover above GBP 36 million, balance sheet total above GBP 18 million, or more than 250 employees. Once the threshold is crossed, every UK and overseas entity in the corporate group inherits the obligation, even those operating in jurisdictions that have no equivalent law.
"Associated person" reaches further than employees. Section 199(7) captures any person performing services for or on behalf of the organisation, including agents, subsidiaries, secondees and certain contractors. A franchise marketing partner that mis-sells a product to benefit the franchise group falls within scope. So does an offshore introducer who falsifies KYC information so that the parent can onboard a high-net-worth client.
The six Home Office principles, translated into documents you must keep
The Home Office guidance of 6 November 2024 sets out six fraud prevention principles. Each one maps to a retention obligation that most UK DMS estates do not yet meet by default.
- Top-level commitment: signed board minutes naming the senior officer accountable for the fraud prevention framework, refreshed at least annually.
- Risk assessment: a written, dated risk register that lists fraud typologies relevant to the business, with version history showing how the register evolved after each new product launch or acquisition.
- Proportionate procedures: the policies themselves, with proof of distribution to every associated person and proof of acknowledgement.
- Due diligence: KYC packs, supplier integrity checks and counterparty screenings retained for the full duration of the relationship and at least six years after.
- Communication and training: course rosters, completion certificates, sample test results and refresher dates per associate.
- Monitoring and review: internal audit reports, whistleblowing logs, near miss registers and management responses, including the dates on which the board was briefed.
What the SFO will ask for in the first request letter
SFO request letters under the failure to prevent regime follow a predictable pattern. Expect the first letter to demand: a copy of the latest fraud risk assessment with its full revision history, the board minute approving the current procedures, the training matrix for the relevant business unit with attendance records for the prior 36 months, all whistleblowing reports referencing the conduct or its category, the internal audit programme for the prior three years with the reports themselves, and counterparty diligence files for the named clients. Anything that exists only in a personal mailbox, a deleted Teams chat or a laptop drive that was never backed up is treated as if it never existed.
Sector heatmap: who is first in the firing line
The SFO's public messaging through Q1 2026 points at three sectors where exposure is highest. Estate agents and property service firms are exposed because mis-described properties, undisclosed conflicts and rent-roll inflation can benefit the firm. Recruitment and labour supply companies are exposed because false candidate credentials placed into client roles can win the firm a fee. Software resellers and SaaS marketplaces are exposed because overstated usage figures, padded contracts and side-letter discounts that move revenue forward can benefit the platform. In each case the typical evidence gap is the same: managers communicating on personal phones, ad-hoc spreadsheets that never made it into the DMS, and approval flows that ran in email threads later auto-deleted.
A 90 day documentation hardening plan for finance, sales and procurement
Days 1 to 15: extend retention on all corporate communication platforms (Slack, Teams, Google Chat, Outlook) to seven years for finance, sales, procurement and legal users. Document the policy change in writing and circulate the update.
Days 16 to 30: re-version the fraud risk register, dating each entry. Add a board sign-off page. Store the file in a write-once area of the DMS so the version history cannot be edited.
Days 31 to 60: re-run training for every associated person above the threshold. Capture attendance, test results and acknowledgement of the policy in machine-readable form. Push the records into the same write-once area.
Days 61 to 90: open the counterparty file for every client, supplier and introducer onboarded in the last 24 months. Confirm KYC, sanctions and PEP checks are filed against the contract. Where a file is incomplete, request the missing item and log the request. The log itself is part of the evidence chain.
The Failure to Prevent Fraud offence rewards organisations that can produce a tidy, dated, hash-linked evidence stack on demand. It punishes organisations whose records sit on laptops, in personal mailboxes and in messaging tools with aggressive retention defaults. 2026 is the year that the SFO discovers which UK companies actually built the archive.
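The write-once register from the 90-day plan and the hash-linked evidence stack described above, as an added illustration that is not part of the original article and not any DMS product's code: a minimal hash-chained evidence register in Python, with a verification routine that reports the first entry at which the chain no longer holds. The sample entries, timestamps and source labels are constructed to mirror the 02:47 scenario and are not real data.

```python
import hashlib
import json

GENESIS = "0" * 64  # the chain starts from a fixed, public sentinel hash


def _digest(prev_hash: str, record: dict) -> str:
    # canonical JSON so an identical record always hashes identically
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


def append(chain: list, recorded_at: str, category: str, source: str, content: str) -> dict:
    """Append one dated evidence record, linked to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "recorded_at": recorded_at,
              "category": category, "source": source, "content": content}
    entry = {"record": record, "prev_hash": prev_hash, "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify(chain: list):
    """Return (True, None) if every link holds, else (False, index of the first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        rec = entry["record"]
        if rec["seq"] != i or entry["prev_hash"] != prev_hash \
                or _digest(prev_hash, rec) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None


def head(chain: list) -> str:
    """Latest hash; record it in the board minute so that later truncation of the tail is provable."""
    return chain[-1]["hash"] if chain else GENESIS


def build_sample_register() -> list:
    # constructed sample entries mirroring the scenario in the article; not real data
    chain = []
    append(chain, "2025-01-18T02:47:00Z", "communication", "slack:export",
           "DM: just sign this off, we will reconcile next week")
    append(chain, "2025-01-20T09:05:00Z", "communication", "slack:export",
           "DM from head of sales: disregard Saturday message; follow sign-off policy")
    append(chain, "2025-01-21T11:30:00Z", "training", "lms:completion",
           "Junior completed approvals refresher, score 92%")
    append(chain, "2025-01-31T17:00:00Z", "board_minute", "dms:minutes",
           "Board noted near miss and refreshed policy; register head hash recorded")
    return chain
```

Removing an entry from the middle of the register, or editing one in place, makes verify() return the index of the first broken link; chopping entries off the end does not, which is why the head hash itself belongs in a separate write-once record such as the board minute.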
