Fraud Prevention in Digital Grantmaking
How UK funders can prevent, detect and respond to grant fraud using proportionate controls, automation and audit trails without penalising honest applicants.
Grant fraud is a persistent threat to the UK charitable sector, but the good news is that most of it is preventable with proportionate, well-designed controls. Funders who move from paper-based processes to digital grantmaking gain a significant advantage: the ability to build verification, monitoring and audit trails directly into their workflows, rather than bolting them on as afterthoughts.
The challenge is getting the balance right. Overly burdensome checks slow down grant rounds, deter legitimate applicants and disproportionately affect smaller organisations with fewer resources. Too few controls leave funders exposed to financial loss, reputational damage and regulatory scrutiny. The most effective fraud prevention sits in the middle: automated where possible, proportionate to the risk, and transparent to everyone involved.
According to the BDO Charity Fraud Survey 2025, 34% of UK charities reported experiencing fraud or attempted fraud in the previous twelve months, down from 42% in 2024 (BDO, 2025). Of those affected, 73% suffered a financial loss. Meanwhile, the Charity Commission opened 603 cases relating to fraud and a further 99 relating to cyber crime in 2024-25 (Charity Commission Annual Report 2024-25). These figures make clear that fraud prevention is not optional — it is a core governance responsibility for every funder.
What types of fraud affect grantmaking?
Grant fraud takes several distinct forms, and understanding each one helps funders design controls that target real risks rather than hypothetical ones.
Internal fraud remains the largest category. The BDO Charity Fraud Survey 2024 found that 50% of detected fraud was committed by people within the organisation — staff, volunteers or trustees — with misappropriation of cash or assets accounting for 40% of all cases (BDO, 2024). For funders, this means that fraud can occur not just at the applicant end but within their own teams.
Payment diversion fraud (also called mandate fraud or business email compromise) affected around a third of charities surveyed in 2024. Fraudsters impersonate a grantee and request that payment details be changed, diverting funds to a new account (Prevent Charity Fraud).
Application fraud includes fabricated identities, forged supporting documents, inflated project budgets, and duplicate applications submitted to multiple funders under different names. The Association of Charitable Foundations (ACF) notes that common warning signs include copy-and-paste narratives, templated documents, and multiple applications from the same IP address or postal address (ACF, Tackling Grant Fraud, 2020).
Grant misuse occurs after an award is made, when a grantee spends funds on purposes not covered by the grant agreement. This is harder to detect without effective monitoring and reporting processes.
| Fraud type | How it works | Key controls |
|---|---|---|
| Internal fraud | Staff or trustees divert funds or manipulate records | Segregation of duties, dual authorisation, audit trails |
| Payment diversion | Fraudster impersonates grantee to redirect payments | Verbal verification of bank details, dual approval for changes |
| Application fraud | Fabricated identity, forged documents, duplicate bids | Registry checks, document analysis, duplicate detection |
| Grant misuse | Funds spent on unapproved purposes | Monitoring reports, financial reconciliation, site visits |
| Cyber-enabled fraud | Phishing, invoice fraud, ransomware | Staff training, multi-factor authentication, access controls |
What does proportionate fraud prevention look like?
The ACF's guidance on tackling grant fraud emphasises that controls should be proportionate to the level of risk, not a one-size-fits-all checklist (ACF, 2020). A small community grant of a few hundred pounds does not warrant the same depth of due diligence as a multi-year award of several hundred thousand.
Proportionate fraud prevention means scaling controls based on three factors:
- Grant size: Higher-value awards justify more detailed verification, including financial analysis, site visits and multi-stage reporting.
- Risk profile: New applicants, organisations without a track record, or those operating in higher-risk geographies may warrant additional checks. Established grantees with a clean history may need lighter-touch verification.
- Grant type: Unrestricted grants carry different risk profiles from capital grants or payments tied to specific deliverables.
The Charity Commission's own approach reflects this principle. In its 2024-25 annual report, it noted that it focuses its regulatory action on the most serious cases and encourages charities to apply risk-based approaches to governance and financial management (Charity Commission, 2024-25).
Crucially, proportionate does not mean optional. Every grant, regardless of size, should have at minimum: confirmation of the applicant's legal identity, a check against the OFSI sanctions list, and a clear audit trail of the decision.
How should funders verify applicant identity and eligibility?
Identity and eligibility verification is the first line of defence against application fraud. In the UK, funders have access to several public registers that can be checked systematically.
Charity Commission register: Confirms registration status, charitable objects, trustee names, filing history and any regulatory action. Late filing of accounts can be an early warning sign of governance issues.
Companies House: Verifies company status, directors, registered office and filing compliance for CIOs, CICs and charitable companies.
OFSI Consolidated List: The Office of Financial Sanctions Implementation maintains a searchable list of designated persons and entities. Screening against this list is a legal requirement — it is a criminal offence to make funds available to a designated person, and this applies to charities and their staff regardless of whether they receive government funding (OFSI, 2020).
OSCR (Scotland): The Scottish Charity Regulator maintains a separate register for Scottish charities.
Manual checking across multiple registers is time-consuming and error-prone. Automated due diligence systems that pull data directly from these registers can complete checks in seconds rather than hours and create a timestamped record of every verification.
Tools like Plinth integrate Charity Commission, Companies House and OFSI checks into a single workflow. When an applicant submits their registration number, the system automatically verifies their status, retrieves trustee and director information, checks sanctions lists, and flags any discrepancies — all before a grants officer opens the application. The results are saved to the case record as a permanent audit trail.
How can funders detect duplicate and fraudulent applications?
Duplicate and fraudulent applications are a specific risk in digital grantmaking, where the ease of online submission can make it simpler for bad actors to submit multiple bids under different names or to recycle content across funders.
Common red flags include:
- Identical or near-identical text across multiple applications, suggesting copy-and-paste submission
- Matching contact details — the same email address, phone number or postal address appearing on different applications
- Suspiciously generic language — with the rise of generative AI, some funders have reported well-written but impersonal applications that lack specific detail about the applicant's community or track record
- Mismatched registration details — for example, a charity number that does not correspond to the named organisation, or a governing document that carries a different organisation's name
Effective duplicate detection requires cross-referencing new applications against existing records. This is difficult to do manually when processing hundreds of applications. Plinth uses AI-powered fuzzy matching across applicant names, email addresses, phone numbers, postcodes and registration numbers to surface probable duplicates automatically. The system highlights matching fields so grants officers can quickly assess whether a new application is genuinely from a different applicant or a resubmission.
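The matching described above, as an added example that is not Plinth's code: the contact fields the text names (email, phone, postcode, registration number) are normalised so trivial variations compare equal, organisation names are scored with a token-set Jaccard ratio, and each probable duplicate is returned with the list of fields that matched, so a reviewer sees why it was flagged. The threshold, stopword list and sample records are assumptions.

```python
"""Duplicate-application screening over constructed sample records.

Added example, not Plinth's code: contact fields are normalised for exact
comparison and organisation names are scored with a token-set Jaccard ratio
so that re-ordered or lightly edited names still match. Thresholds, stopwords
and field names are assumptions.
"""
import re
from dataclasses import dataclass

NAME_THRESHOLD = 0.6  # assumed: Jaccard score at or above which names count as matching
STOPWORDS = {"the", "of", "and", "cio", "ltd", "limited", "charity", "trust"}

@dataclass
class Application:
    app_id: str
    org_name: str
    email: str = ""
    phone: str = ""
    postcode: str = ""
    reg_number: str = ""

def norm_email(v: str) -> str:
    return v.strip().lower()

def norm_phone(v: str) -> str:
    digits = re.sub(r"\D", "", v)
    # Treat the +44 international form as equivalent to the domestic leading 0.
    return "0" + digits[2:] if digits.startswith("44") else digits

def norm_postcode(v: str) -> str:
    return re.sub(r"\s+", "", v).upper()

def norm_reg(v: str) -> str:
    # Companies House numbers are zero-padded, so "01234567" and "1234567" are the same number.
    return re.sub(r"[^A-Z0-9]", "", v.upper()).lstrip("0")

def name_similarity(a: str, b: str) -> float:
    """Jaccard ratio of informative word tokens; 1.0 means identical token sets."""
    ta = {t for t in re.findall(r"[a-z0-9]+", a.lower()) if t not in STOPWORDS}
    tb = {t for t in re.findall(r"[a-z0-9]+", b.lower()) if t not in STOPWORDS}
    return len(ta & tb) / len(ta | tb) if ta and tb else 0.0

def matching_fields(new: Application, existing: Application) -> list[str]:
    """Names of the fields on which the two applications coincide after normalisation."""
    checks = [("email", norm_email), ("phone", norm_phone),
              ("postcode", norm_postcode), ("reg_number", norm_reg)]
    hits = [f for f, norm in checks
            if getattr(new, f) and norm(getattr(new, f)) == norm(getattr(existing, f))]
    if name_similarity(new.org_name, existing.org_name) >= NAME_THRESHOLD:
        hits.append("org_name")
    return hits

def find_probable_duplicates(new: Application, records: list[Application]) -> list[tuple[str, list[str]]]:
    """Existing records sharing at least one field with the new application, strongest match first."""
    found = [(r.app_id, matching_fields(new, r)) for r in records if r.app_id != new.app_id]
    return sorted([f for f in found if f[1]], key=lambda item: len(item[1]), reverse=True)

# Constructed sample records; names, contacts and numbers are invented.
EXISTING = [
    Application("A-001", "The Riverside Youth Trust", "info@riverside-youth.example",
                "020 7946 0123", "SW1A 1AA", "1234567"),
    Application("A-002", "Hilltop Food Bank CIO", "hello@hilltop.example",
                "0161 496 0000", "M1 1AE", "1199001"),
]
NEW = Application("A-003", "Riverside Youth Trust Ltd", "INFO@riverside-youth.example",
                  "+44 20 7946 0123", "sw1a1aa", "01234567")
```

Running `find_probable_duplicates(NEW, EXISTING)` flags A-001 on all five fields despite the different name suffix, email case, phone format, postcode spacing and zero-padded registration number.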
Document analysis adds another layer of protection. AI can read uploaded governance documents, safeguarding policies, accounts and bank statements to identify red flags such as template documents with the wrong organisation name, outdated policies, financial irregularities, or statements that appear fabricated. This does not replace human judgement — it surfaces issues that a reviewer might otherwise miss when processing high volumes.
What internal controls should funders have in place?
Even the best applicant-facing checks will not prevent fraud if a funder's own internal processes are weak. The BDO Charity Fraud Survey consistently finds that a significant proportion of charity fraud is internal, making robust internal controls essential.
Segregation of duties: No single person should be able to approve an application, authorise a payment and reconcile the accounts. Separating these functions creates natural checkpoints that make fraud harder to commit and easier to detect.
Dual authorisation for payments: All grant payments — and particularly any changes to payee bank details — should require approval from at least two people. Payment diversion fraud exploits situations where a single person can update bank details and approve a payment without independent verification.
Role-based access controls: Staff should have access only to the systems and data they need for their role. A programme officer does not need access to payment processing, and a finance officer does not need the ability to change application scores.
Clear policies and training: Staff and trustees should understand their responsibilities for fraud prevention. The ACF recommends that trustees take ultimate responsibility for anti-fraud measures, while staff implement the day-to-day controls (ACF, 2020). Regular training helps staff recognise phishing attempts, social engineering and other common tactics.
Whistleblowing procedures: A confidential, well-publicised channel for reporting concerns is essential. Staff, volunteers and grantees should all know how to raise concerns without fear of retaliation.
Why are audit trails essential for fraud prevention?
An audit trail is a chronological record of every action taken within a grant management process — who did what, when, and what data changed. In fraud prevention, audit trails serve three critical functions.
First, they deter fraud by making it clear that all actions are recorded and reviewable. Staff and applicants who know that every change is logged are less likely to attempt manipulation.
Second, they support detection. When irregularities surface, a complete audit trail allows investigators to trace the sequence of events, identify who accessed or modified records, and establish a timeline. Without this evidence, investigations stall.
Third, they satisfy regulatory requirements. The Charity Commission expects charities to be able to demonstrate how decisions were made and how funds were managed. In the event of a serious incident report — which charities must file for any significant financial loss or suspected fraud — a clear audit trail provides the evidence needed to show that the funder responded appropriately (Charity Commission, Serious Incident Reporting).
Effective audit trails in grant software should capture: application edits and who made them, assessment scores and reviewer comments, approval decisions, payment authorisations, changes to payee details, and monitoring report submissions. All entries should be timestamped and immutable — meaning they cannot be retrospectively altered or deleted.
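An added example, not Plinth's implementation, of the two properties this section and the dual-authorisation control above call for: a hash-chained, append-only log in which each entry commits to the previous entry's SHA-256, so a retrospective edit or deletion is detected by `verify()`, plus a check over the log that a payee change was approved by someone other than the person who requested it. Event names, actor ids, timestamps and the bank details are constructed placeholders.

```python
"""Tamper-evident audit trail for a grant case, with a dual-authorisation check.

Added example, not Plinth's implementation: entries are hash-chained so any
later edit, deletion or reordering is detected by verify(). Event names,
actor ids and the sample bank details are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry

def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so identical content always hashes the same.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class AuditTrail:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, case_id: str, change: dict,
               at: Optional[str] = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "at": at or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "case_id": case_id,
            "change": change,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, Optional[int]]:
        """Recompute every hash and link; return (ok, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

def payee_change_dual_authorised(trail: AuditTrail, case_id: str) -> bool:
    """Segregation of duties: whoever approved a payee change must not be the person who requested it."""
    events = [e for e in trail.entries if e["case_id"] == case_id]
    requesters = {e["actor"] for e in events if e["action"] == "payee.change.requested"}
    approvers = {e["actor"] for e in events if e["action"] == "payee.change.approved"}
    return bool(approvers) and approvers.isdisjoint(requesters)

def build_sample_trail() -> AuditTrail:
    """Constructed lifecycle for one case: submission, registry check, then a bank-detail change."""
    t = AuditTrail()
    t.append("officer.a", "application.submitted", "G-0001", {"status": "received"}, "2026-01-10T09:00:00+00:00")
    t.append("system", "registry.check", "G-0001",
             {"charity_commission": "registered", "ofsi": "no match"}, "2026-01-10T09:00:05+00:00")
    t.append("officer.b", "payee.change.requested", "G-0001",
             {"sort_code": "00-00-00", "account": "12345678"}, "2026-02-01T14:20:00+00:00")
    t.append("finance.c", "payee.change.approved", "G-0001",
             {"verified_by_phone": True}, "2026-02-01T15:05:00+00:00")
    return t

def tamper_demo() -> tuple[bool, Optional[int]]:
    """Edit the account number in entry 2 after the fact; the chain breaks at that entry."""
    t = build_sample_trail()
    t.entries[2]["change"]["account"] = "87654321"
    return t.verify()
```

In a deployed system the chain head (latest hash) would be written somewhere the application cannot overwrite, such as a separate write-once store, so that rewriting the whole chain is also detectable.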
Plinth records a complete audit trail across the grant lifecycle, from initial application through due diligence checks, assessment, approval, payment and reporting. Every AI-generated analysis, registry check and document review is saved to the case record, so reviewers can see exactly what was checked and what was found.
What are the legal and regulatory requirements?
UK funders operate within a tightening regulatory framework for fraud prevention. Understanding the key requirements helps ensure that controls are not just good practice but legally compliant.
Charity Commission reporting: Charities with annual income above GBP 25,000 must declare whether any serious incidents occurred during the year as part of their annual return. Fraud, theft and cyber crime all qualify as serious incidents that must be reported. In 2024-25, the Commission received 264 serious incident reports relating to fraud (Charity Commission, 2024-25).
OFSI sanctions compliance: As noted above, it is a criminal offence to make funds available to a designated person under UK financial sanctions regulations. This applies to all charities regardless of size. OFSI has published specific guidance for charities and NGOs, emphasising the need for routine screening against the UK Sanctions List (OFSI Guidance for Charities).
Economic Crime and Corporate Transparency Act 2023: This Act introduced a new corporate offence of "failure to prevent fraud", which came into effect on 1 September 2025. Large organisations — including large charities meeting two of three thresholds (more than 250 employees, more than GBP 36 million turnover, more than GBP 18 million in total assets) — can face unlimited fines if an employee or associated person commits fraud for the organisation's benefit and the organisation did not have reasonable fraud prevention procedures in place (GOV.UK, ECCTA Factsheet). Even smaller funders should take note: the Act signals a direction of travel toward greater accountability.
UK GDPR: Fraud prevention involves processing personal data, including sensitive data such as financial records. Funders must ensure that data collection is lawful, proportionate and secure, and that data is retained only for as long as necessary. Privacy notices should explain how applicant data is used for verification and fraud prevention purposes. For more detail, see the guide on GDPR and grantmaking.
How should funders respond when fraud is detected?
Having a fraud response plan before you need one is far more effective than improvising under pressure. The ACF recommends that every funder has a documented procedure covering the steps from initial suspicion through to resolution (ACF, 2020).
Immediate steps:
- Secure evidence — preserve relevant records, emails and system logs before anything is altered or deleted.
- Suspend payments to the affected grantee while the investigation is underway.
- Report to relevant authorities — Action Fraud (0300 123 2040), the Charity Commission via a serious incident report, and your bank if payment diversion is involved.
Investigation:
- Assign a lead investigator who is independent of the affected grant.
- Record all investigation activity, evidence reviewed and conclusions reached.
- Maintain confidentiality to protect both the reporter and the subject of the investigation.
Resolution:
- Where fraud is confirmed, pursue recovery of funds where possible.
- Consider whether criminal prosecution is appropriate — the Charity Commission expects charities to consider this.
- Review and strengthen controls to prevent recurrence.
- Report the outcome to trustees and, where required, to the Charity Commission.
Learning and sharing: Where lawful and appropriate, share patterns and lessons with sector partners. The ACF and Prevent Charity Fraud both facilitate information-sharing among funders to help identify serial fraud risks.
How can technology strengthen fraud prevention?
Digital grantmaking platforms offer fraud prevention capabilities that are simply not possible with manual, paper-based processes. The key advantage is consistency: automated checks run every time, for every application, without the variability that comes with human-only review.
| Capability | Manual process | Digital platform |
|---|---|---|
| Registry verification | Staff manually searches multiple websites | Automated lookup against Charity Commission, Companies House, OFSI |
| Duplicate detection | Relies on staff memory or spreadsheet searches | AI-powered fuzzy matching across all fields |
| Document analysis | Reviewer reads each document in full | AI flags anomalies, template re-use, missing clauses |
| Audit trail | Notes in email threads or meeting minutes | Automatic, timestamped, immutable log of every action |
| Sanctions screening | One-off check at application | Continuous screening with alerts for new designations |
| Payment controls | Manual approval via email | Workflow-based dual authorisation with recorded approvals |
Technology does not replace human judgement. It handles the routine, repeatable verification so that grants officers can focus their expertise on the cases that need it — the unusual patterns, the borderline decisions, the contextual knowledge that no algorithm can replicate. This is sometimes described as a human-in-the-loop approach.
Plinth brings these capabilities together in one platform. Registry checks, document analysis, duplicate detection and reputation screening run automatically when applications are submitted. Results are presented as a structured report with risk flags, severity ratings and evidence links — not a black-box score. Grants officers review the findings, add their own professional judgement, and record their decision. Every step is saved to the audit trail, creating a complete, reviewable record. Plinth offers a free tier, making these tools accessible to smaller funders who may previously have relied on manual checks alone.
Building a fraud-resilient grantmaking culture
Technology and controls are necessary but not sufficient. Lasting fraud prevention requires a culture where transparency is expected, concerns are taken seriously, and learning from incidents is treated as an opportunity rather than a source of shame.
The BDO Charity Fraud Survey 2025 found that over half of charities surveyed (52%) expect the threat of fraud to increase in 2026 (BDO, 2025). This expectation reflects growing sophistication in fraud methods — including the use of AI to generate convincing but fabricated applications — and the increasing volume of digital transactions.
Funders can build resilience by:
- Reviewing fraud risk annually as part of the board risk register, updating controls to reflect emerging threats
- Training all staff who handle applications or payments, not just senior managers
- Sharing intelligence with other funders through networks such as ACF and Prevent Charity Fraud
- Conducting post-incident reviews when fraud is detected, to identify what controls failed and what can be improved
- Communicating openly with applicants about what checks are carried out and why, which builds trust and deters opportunistic fraud
The Charity Commission has been clear that reporting fraud is not a sign of failure. Charities that identify and address fraud demonstrate stronger governance than those that simply fail to detect it. The same principle applies to funders: a well-designed fraud prevention framework is a sign of responsible stewardship, not a lack of trust in grantees.
FAQs
Will stronger fraud checks slow down our grantmaking?
Not if they are well automated. Automated registry checks, sanctions screening and duplicate detection typically complete in seconds. The time savings from eliminating manual searches usually outweigh any additional processing, and grants officers can focus their time on substantive assessment rather than routine verification.
Do we need to screen against the OFSI sanctions list?
Yes. It is a legal requirement under UK financial sanctions regulations. Making funds available to a designated person or entity is a criminal offence, regardless of whether the funder receives government money. OFSI publishes specific guidance for charities and NGOs (OFSI, 2020).
How do we avoid penalising small community groups with excessive checks?
Apply a risk-based approach. A small award to a well-established local group with a clean track record warrants lighter-touch verification than a large, multi-year grant to a newly formed organisation. The key is to document your risk appetite and apply your framework consistently.
What should we do if we suspect a grantee has misused funds?
Secure the evidence immediately, suspend further payments pending investigation, and report the matter as a serious incident to the Charity Commission. Assign an independent investigator, maintain confidentiality, and pursue recovery of funds where appropriate.
Does the "failure to prevent fraud" offence apply to our foundation?
The offence under the Economic Crime and Corporate Transparency Act 2023 applies to large organisations meeting two of three thresholds: more than 250 employees, turnover above GBP 36 million, or total assets above GBP 18 million. Most foundations fall below these thresholds, but the principles of reasonable fraud prevention procedures are good practice for all funders.
How do we verify bank details before making a payment?
Always verify bank details using a known, trusted contact method — not the details provided in an email requesting a change. Call the grantee on the phone number you already have on file. For first payments, consider sending a small test payment and confirming receipt before releasing the full amount.
Should we share fraud intelligence with other funders?
Where lawful and proportionate, yes. ACF and Prevent Charity Fraud both facilitate sector-wide information-sharing. Sharing patterns — such as serial applicants using fabricated identities — strengthens protection across the sector. Ensure you comply with UK GDPR requirements when sharing personal data.
Do we need a whistleblowing policy?
Yes. A confidential, clearly publicised channel for reporting concerns is essential. It should be available to staff, trustees, volunteers and grantees. The Charity Governance Code recommends that all charities have a whistleblowing procedure, and the BDO survey data consistently shows that organisations with such policies detect fraud earlier.
Recommended next pages
- How to Automate Due Diligence in Grantmaking — Streamline registry checks, sanctions screening and document analysis into a single workflow.
- Audit Trails in Grant Software — Why digital records matter for accountability and assurance across the grant lifecycle.
- GDPR and Grantmaking — Data protection requirements for collecting and processing applicant information.
- Risk Management in Grantmaking — How to assess, monitor and mitigate risk across your grant portfolio.
- Grant Compliance Guide — Essential UK compliance requirements and practical controls for funders.
Last updated: February 2026