Join HEPI and Huron for a webinar 1pm-2pm Tuesday 10 February examining how mergers, acquisitions and shared services can support financial sustainability in higher education. Bringing together a panel of speakers, the session will explore different merger models, lessons from the US and schools sectors, and the leadership and planning required to make collaboration work in practice. Discover our speakers and sign up now.
This blog was kindly authored by Dr Rasha Kassem, Senior lecturer and Fraud Research Group (FRG) leader and Stuart Wills, Head of Risk and Assurance and FRG member. Both of Aston University.
UK higher education has rarely been viewed through the lens of corporate fraud risk. Universities are widely perceived as public-spirited institutions, driven by educational and societal missions rather than commercial gain. Yet the introduction of the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act (ECCTA) challenges this assumption. For the first time, large higher education institutions may face criminal liability not because senior leaders authorised wrongdoing, but because organisational systems failed to prevent it.
This change raises important questions for the sector. How exposed are universities to the new offence? Do prevailing governance arrangements and control environments reflect the reality of modern higher education operating models? And what might ‘reasonable prevention’ look like in institutions characterised by academic autonomy, devolved authority and increasing commercial activity?
This blog explores how the offence applies to higher education institutions, why universities may face particular exposure, the types of fraud risk that warrant attention, and what ‘reasonable procedures’ might look like in a university context.
Does the offence apply to higher education institutions?
The failure to prevent fraud offence applies to large organisations in any sector that meet at least two of the following thresholds: more than 250 employees, turnover exceeding £36 million, or assets above £18 million. Many UK universities meet these criteria comfortably.
The legislation does not exempt charities, statutory bodies or non-commercial entities. Legal form is therefore less relevant than organisational scale and structure. Liability arises where fraud is committed by an associated person – including employees, agents, contractors, subsidiaries or others performing services for the organisation – and where the fraud was intended to benefit the organisation or its clients.
For universities, this definition captures a wide range of relationships, from recruitment agents and research collaborators to spin-out companies and overseas partners.
Why universities should not assume low fraud risk
Universities have often been regarded – and have often regarded themselves – as operating in environments where trust, professional norms and shared values reduce the likelihood of fraud. While these characteristics are central to the sector’s identity, they may also contribute to an underestimation of fraud risk.
The failure to prevent fraud offence does not assess organisational culture or intent. Instead, it focuses on whether fraud risks were foreseeable and whether proportionate systems were in place to address them. Reliance on institutional ethos alone, without demonstrable prevention frameworks, is unlikely to provide a sustainable defence.
Changing operating models and increased exposure
Over recent decades, the operating model of UK higher education has evolved significantly. While income from home undergraduate students has historically been centralised and relatively low risk, universities have increasingly diversified into international recruitment, franchised delivery, overseas campuses, commercial subsidiaries and asset-based income generation. These activities often involve third parties, delegated authority and cross-border operations, raising questions about how fraud risk is managed and oversight exercised.
As universities expand into these areas, the number of associated persons capable of triggering liability under ECCTA increases, as does the challenge of evidencing effective control.
Structural features that heighten risk
Universities typically operate with devolved governance structures, significant academic autonomy and dispersed decision-making. Authority may be shared across faculties, research centres, professional services and overseas operations, creating challenges for consistent oversight.
At the same time, financial pressures have intensified. A prolonged period of stagnant tuition fees, rising costs and increased competition has led many institutions to pursue diversification and cost-containment strategies at pace. These conditions may increase the motivation, rationalisation, and opportunity for fraud, particularly where control environments have not evolved alongside institutional complexity.
Under the failure to prevent fraud offence, the absence of senior leadership knowledge does not, in itself, determine liability. Instead, attention is likely to focus on whether governance arrangements and systems were adequate given the organisation’s structure and activities.
Fraud risks that warrant attention
No organisation is immune from fraud risk, and higher education is no exception. While vice-chancellors are formally accountable for institutional oversight, and heads of department and school play a key role in reporting risks upward, visibility in practice depends on how effectively information is identified, aggregated and escalated through the organisation. In universities and other non-profit settings, strong cultures of trust, devolved decision-making and uneven awareness of financial fraud risk can lead to underestimation of exposure at multiple levels, resulting in fragmented oversight and allowing misconduct or misrepresentation to go undetected. Areas that may warrant particular attention include:
- Research funding and grants, including misrepresentation in applications, misuse of restricted funds or inaccurate reporting of costs and outputs.
- Student recruitment and admissions, particularly in international markets and where commission-based agents are involved.
- Academic integrity, performance and outcomes data
Fraud risk may arise where known weaknesses in academic integrity or assessment assurance are not addressed and grades or outcomes are relied upon in marketing, league table submissions or regulatory reporting. Continued presentation of such data as robust despite known limitations may amount to fraud by false representation. - Research integrity and external representations
Fraud risk may arise where unreliable or falsified research data is relied upon in grant applications, funder reporting or external communications for institutional benefit, raising questions about whether reasonable preventive steps were in place. - Third-party relationships, such as franchise partners, contractors and collaborators performing services on behalf of the university.
- Subsidiaries, spinouts and joint ventures, where oversight arrangements may be less mature than in core institutional activities.
- Procurement and payroll, where weak controls or excessive delegated authority may expose wider governance issues.
Control maturity and historic assumptions
Many universities have invested heavily in controls designed to prevent academic misconduct, reflecting the core risks of a traditionally education-focused operating model. By contrast, financial and commercial control environments – particularly in areas such as procurement, partner management and subsidiary oversight – have often developed more slowly.
As universities pursue growth through commercialisation and internationalisation, control frameworks that were adequate in more stable environments may be difficult to defend. Under ECCTA, historic assumptions about low fraud risk will carry limited weight if systems have not evolved in line with institutional activity.
What ‘reasonable procedures’ might look like for universities
The Act provides a defence where an organisation can demonstrate that it had reasonable procedures in place to prevent fraud. This is not a checklist exercise. For universities, reasonable procedures are likely to be context-specific and proportionate to institutional complexity and risk profile.
Key considerations may include clear ownership of fraud risk at governing body and senior management level; targeted fraud risk assessments that go beyond generic risk registers; gap analysis to identify where existing controls may no longer align with current activities; systematic identification of associated persons whose actions could expose the institution; and proportionate anti-fraud training to raise awareness among staff and students of fraud risk, reporting routes and expectations. Particular attention may be warranted in higher-risk areas such as international recruitment, research funding, third-party partnerships and subsidiary operations.
For governing bodies and senior leaders, the offence reframes fraud risk as a matter of institutional accountability and public trust, rather than solely an operational or legal concern. Courts and prosecutors are unlikely to be persuaded by policy statements alone; what will matter is whether procedures were implemented, monitored and reviewed in practice, and whether effective challenge and escalation were evident. A more detailed analysis of the failure to prevent fraud offence, including its legislative background and broader application beyond higher education, is discussed in a separate article published in the Fraud Magazine.
Conclusion
The failure to prevent fraud offence represents a significant development for UK higher education. It shifts attention away from individual intent at senior levels and towards the adequacy of systems, governance and oversight across increasingly complex institutions.
Universities may not see themselves as typical targets for fraud legislation, yet their scale, diversity of activity and reliance on third parties place many firmly within scope. Whether the offence leads to substantive change across the sector, or simply prompts a reassessment of institutional risk tolerance, will depend on how universities understand and respond to their responsibilities under this new framework. Nevertheless, the significance of the offence lies not in legal compliance alone, but in what it reveals about institutional resilience. Unaddressed fraud risk threatens reputation, public trust and the individuals – staff, students and partners – who depend on universities to act with integrity. Seen in this light, the offence is less a legal imposition than a prompt to reflect on how well institutions protect the systems, values and people that underpin their mission.