Call it a case of ‘proactive prevention’ over ‘reactive detection.’
The financial services terrain is shifting underfoot as new regulatory frameworks demand a complete reimagining of fraud prevention. Detecting fraud after it occurs is now plainly characterized as a ‘failure.’ Nothing makes that point more sharply than the U.K.’s Failure to Prevent Fraud Offence, in force since September 1, 2025.
Unlike previous rules focusing primarily on detection and response after the fact, failure to prevent flips the script: an organization is liable when someone acting on its behalf commits fraud intended to benefit it, and its only defence is to show it had reasonable fraud prevention procedures in place at the time (or that it was not reasonable to expect any). It’s a strategy built on preemption. Accountability is squarely on corporate shoulders now, whether the company is based in the U.K. or merely does business there, since the offence reaches any fraud with a U.K. nexus.
Failure to Prevent Fraud falls under the U.K.’s Economic Crime and Corporate Transparency Act 2023. It applies to both financial institutions and corporates, but only those meeting the definition of a “large organization”: a body (or group) that met at least two of the following three criteria in the financial year before the fraud: turnover of more than £36 million, total assets of more than £18 million, and more than 250 employees.
The implications of Failure to Prevent Fraud extend far beyond mere compliance. It portends a paradigm shift in how banks, financial institutions, and corporates must structure their operations, technology, and oversight mechanisms.
Curiously, many organizations in the crosshairs of the new rule don’t seem ultra-concerned. But that sense of calm may begin to fade as the offense starts to sting.
“There’s been a lot of hype about it, but when we speak, mainly to financial institutions, nobody seems that concerned,” said Ruud Grotens, Head of Risk Solutions Consulting and Cyber Fraud and Risk Management at Bottomline. “I think they are waiting for the first fine.”
Any such lack of urgency around the punitive new rule is a mistake, he cautions, given the critical nature of this change. A regulation focusing on prevention rather than detection is a big departure from reactive strategies that have dominated payments for decades.
Understanding the Nuanced Definition of "Benefit"
One of the most complex aspects of the new regulation lies in its interpretation of what constitutes a “benefit” under the law. Grotens said this definition goes beyond traditional financial gain to encompass a broader range of advantages an organization might derive from fraud committed on its behalf, and the organization need not have directed or even known about the fraud for liability to attach.
For example, the U.K. Failure to Prevent Fraud Offence recognizes that benefits can be non-financial, a new wrinkle in how fraud is defined, not just how it is penalized. This expanded definition creates both opportunities and challenges for financial institutions as they navigate compliance requirements.
Grotens noted that an offense might include "operational efficiencies and compliance with internal KPIs," highlighting how seemingly routine business improvements can now draw regulatory scrutiny. Actions previously considered standard business practice may now require far greater compliance evaluation.
The complexity becomes even more apparent in real-world scenarios.
A recent case involving a large U.K.-based global bank at the center of a high-profile internal fraud incident illustrates how the legal view of benefit can differ greatly from the traditional one. The lesson: organizations must develop better frameworks for evaluating the fraud risk their own activities create, and then methodically reduce that exposure.
The ‘Shadow AI’ Threat and Insider Risk
Modern organizations face an increasingly complex threat landscape that goes beyond traditional external attacks to include insider threats and unauthorized technology usage.
The emergence of so-called “shadow AI,” where employees use tools like ChatGPT for business tasks without proper oversight, is creating an entirely new fraud attack surface and a new category of risk for which many organizations are unprepared.
Grotens cited recent findings from IBM’s ‘Cost of a Data Breach Report 2025: The AI Oversight Gap.’ It quantifies the financial impact and prevalence of insider threats, underscoring the need for more robust monitoring and governance frameworks. These threats are especially challenging because they involve legitimate users with authorized access who are acting outside established protocols or guidelines, so authentication and access controls alone will not catch them.
IBM found that 97% of organizations that reported an AI-related breach “lacked proper AI access controls,” and that “For the second year in a row, malicious insider attacks resulted in the highest average breach costs…” at $4.9 million per incident.
"Companies should adopt robust AI governance to mitigate these emerging risks," Grotens said, emphasizing the critical importance of comprehensive oversight mechanisms. “The challenge lies not just in detecting unauthorized AI usage,” he added, “but in creating frameworks that allow organizations to harness the benefits of these technologies while maintaining appropriate controls and visibility.”
He also noted that advanced threat types “…require organizations to move beyond traditional log file analysis toward more comprehensive behavioral monitoring approaches that can identify unusual patterns and activities across their systems.”
Compliance-Centered Digital Infrastructure
Regulatory changes are driving major transformations in how organizations approach digital infrastructure and modernization. Companies must now prioritize system visibility and control mechanisms to meet evolving compliance standards, fundamentally altering technology investment priorities.
The shift also encompasses authentication, with growing emphasis on phishing-resistant methods (such as FIDO2/passkey-based authentication) and tighter access segmentation in cloud environments. Organizations are discovering that compliance with the new regulations requires not just policy changes but substantial technology upgrades to support the level of monitoring and control now expected. Many financial institutions and corporates are turning to payment service providers (PSPs) for help staying compliant in this fast-changing climate.
Grotens said companies need help focusing on "behavioral monitoring to identify and address unusual activities within systems," highlighting the need for better analytical capabilities. Gathering evidence to support security and compliance decisions is key.
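The contrast Grotens draws, between matching fixed patterns in log files and scoring each action against what is normal for that user, is easier to see in working code. The following is an added illustration written for this article; it is not Bottomline’s code or product, and every event, user name, beneficiary and threshold in it (a hypothetical £100,000 payment ceiling, a five-failed-login burst, six median absolute deviations) is a constructed assumption. An authenticated insider approving a large payment to a new payee at 23:40 passes the static rules but trips the behavioural baseline on three independent signals.

```python
"""Static log-pattern rules versus per-user behavioural baselines.
Added illustration; all events, users, payees and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class PaymentEvent:
    ts: datetime
    user: str
    action: str        # "approve_payment" or "login_failed"
    amount: float = 0.0
    beneficiary: str = ""


def build_history():
    """Constructed 28-day history of routine approvals by two operators."""
    events = []
    for day in range(1, 29):
        for hour in (9, 11, 14, 16):
            events.append(PaymentEvent(datetime(2025, 8, day, hour, 5), "alice",
                                       "approve_payment", 1200.0 + 50 * (day % 5), "acme-ltd"))
        for hour in (10, 15):
            events.append(PaymentEvent(datetime(2025, 8, day, hour, 30), "bob",
                                       "approve_payment", 800.0 + 20 * (day % 3), "globex-plc"))
    return events


# Constructed batch to score: one routine approval, one insider-style approval by a
# fully authenticated user, and a failed-login burst against a third account.
NEW_EVENTS = [
    PaymentEvent(datetime(2025, 9, 1, 10, 10), "alice", "approve_payment", 1250.0, "acme-ltd"),
    PaymentEvent(datetime(2025, 9, 1, 23, 40), "alice", "approve_payment", 48000.0, "new-vendor-0911"),
] + [PaymentEvent(datetime(2025, 9, 1, 3, i), "carol", "login_failed") for i in range(5)]

HARD_LIMIT = 100_000.0      # assumed static rule: single-payment ceiling
FAILED_LOGIN_BURST = 5      # assumed static rule: failed logins per user in a batch


def static_rule_alerts(events):
    """Traditional log-pattern matching: fixed thresholds, no per-user context."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        if e.action == "approve_payment" and e.amount >= HARD_LIMIT:
            alerts.append((e.user, "amount over hard limit"))
        elif e.action == "login_failed":
            failures[e.user] += 1
            if failures[e.user] == FAILED_LOGIN_BURST:
                alerts.append((e.user, "failed-login burst"))
    return alerts


def build_profiles(history):
    """Per-user baseline: robust amount statistics, working-hour window, known payees."""
    by_user = defaultdict(list)
    for e in history:
        if e.action == "approve_payment":
            by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        amounts = [e.amount for e in evs]
        med = median(amounts)
        # Median absolute deviation; fall back to 10% of the median if all amounts are identical.
        mad = median(abs(a - med) for a in amounts) or 0.1 * med
        hours = [e.ts.hour for e in evs]
        profiles[user] = {"median": med, "mad": mad,
                          "hour_min": min(hours), "hour_max": max(hours),
                          "beneficiaries": {e.beneficiary for e in evs}}
    return profiles


def behavioural_alerts(events, profiles, k=6.0, min_signals=2):
    """Score each approval against its own user's baseline. Three weak signals (odd
    hour, unseen payee, outlying amount) must combine before alerting, so a single
    late approval to a known payee at a normal amount does not page anyone."""
    alerts = []
    for e in events:
        if e.action != "approve_payment":
            continue
        p = profiles.get(e.user)
        if p is None:
            alerts.append((e.user, "no baseline for user"))
            continue
        reasons = []
        if not p["hour_min"] <= e.ts.hour <= p["hour_max"]:
            reasons.append("outside usual hours")
        if e.beneficiary not in p["beneficiaries"]:
            reasons.append("unseen beneficiary")
        if e.amount > p["median"] + k * p["mad"]:
            reasons.append("amount outlier")
        if len(reasons) >= min_signals:
            alerts.append((e.user, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(build_history())
    print("static rules:", static_rule_alerts(NEW_EVENTS))
    print("behavioural :", behavioural_alerts(NEW_EVENTS, profiles))
```

Run stand-alone, the static rules raise only the failed-login burst against carol; the £48,000 approval is below the hard ceiling and comes from a valid session, so it is invisible to them. The behavioural scorer flags it because the hour, the payee and the amount are all foreign to alice’s own history, while her routine morning approval scores zero. Requiring two or more signals is the design choice that keeps the baseline from becoming another noisy threshold; in production the profile would be refreshed on a rolling window and the evidence (which signals fired, against which baseline values) retained, since that record is what demonstrates “reasonable procedures” after the fact.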
The long-term implication of this wave of payments regulation is a gradual but fundamental change in corporate priorities: the ‘new normal’ will be preventing fraud rather than reacting to incidents after they occur. According to Grotens, this will likely drive collaboration between regulatory bodies and private sector organizations as they work through emerging digital challenges.
The future of fraud management lies in this proactive approach, Grotens said, where organizations must demonstrate not just an ability to detect successful breaches and hacks, but also a commitment to preventing them from occurring in the first place.