The UK’s Economic Crime and Corporate Transparency Act (ECCTA) brings major change to the financial services ecosystem, namely, the highly punitive Failure to Prevent Fraud Offence. From September 1, 2025, companies will be criminally liable for employee fraud.
It’s a new era of accountability, and being non-compliant by deadline is asking for trouble.
During a recent webinar hosted by business news site FStech, experts from across the payments spectrum examined challenges posed by the UK’s ECCTA legislation, with a focus on the failure to prevent fraud offence that has financial institutions and corporates concerned.
A primary challenge is the sheer burden of the new rules. The only thing heavier, debatably, is the cost of non-compliance. But there’s no point in second-guessing the inevitability of the act, or the penalties it carries, as more regulations recalibrate around digital payments.
The UK’s Guidance to organisations on the failure to prevent fraud offence (2023) states: “…an organisation may be criminally liable where an employee, agent, subsidiary, or other ‘associated person’, commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place.” No need to prove senior executives were involved. No need to show the company benefitted at all.
It's a hefty new rule aimed at getting big companies in the payments, commerce, and trade spaces to modernise. According to GOV.UK, “the offence of failure to prevent fraud applies only to large organisations,” defined as meeting “two or three” of the following criteria:
- More than 250 employees
- More than £36 million turnover
- More than £18 million in total assets
By design, size offers no haven. Harry Holdstock, Partner, PwC UK, noted during the webinar that the volume and scope of offence under the new legislation present significant hurdles, especially for "large financial services groups with operations outside the UK." Failure to prevent fraud applies to foreign companies doing business in the UK as well.
To comply by September 1, 2025, financial institutions must now take "every possible measure to prevent their customers from being victims of fraud," Holdstock said.
Underscoring the value of preparation in a year where major technical deadlines are stacking up (ISO 20022 is just one example), FStech panel moderator Dalvinder Kular pointed to a survey conducted by Bottomline and FStech, finding that almost a quarter of financial institutions “lack sufficient data to determine the incidence of fraud."
That data gap highlights an urgent need for improved fraud detection and prevention systems. And there’s a ‘pay us now or pay us later’ finality to it all. Simply put, the failure to prevent fraud offence is designed to punish businesses that don’t protect customers well enough. With fraudsters increasingly using insiders for data access and Gen AI to exploit that data, a post-pandemic cybercrime wave is under way. The crackdown is just beginning.
Now is the time for a meaningful audit of abilities and a fraud-fighting partnership.
The Subtle Patterns of B2B Payments Theft
Many existing fraud prevention systems focus primarily on external threats, overlooking potential internal risks. "Internal fraud often starts with subtle behaviours like unauthorised access or data manipulation," noted Rob Harrison, Aviva Group Financial Crime Director.
This shines a light on the need for more comprehensive fraud detection systems that can provide "solid proof of fraud incidents." Legacy systems and outdated fraud prevention tools are notoriously bad at this. Even anti-fraud systems from the COVID era are already obsolete.
As Ruud Grotens, Head of Risk Solutions Consulting, Fraud, and Financial Crime at Bottomline, emphasized, "Fraud prevention should be more holistic, connecting dots between insider threats, external fraud networks, and emerging attack factors."
This approach requires a shift in thinking and, potentially, significant upgrades to existing systems. Bottomline has set itself apart by building an internal threat monitoring (ITM) capability that can dramatically reduce the damage done from within by bad actors.
Data collection and analysis present their own set of difficulties. PwC UK’s Holdstock pointed to the "cultural challenges of capturing and analysing data that may not be easily captured, or in a format that is easily analysed."
Financial institutions need to focus on "critical data sources and roles," he said, as well as a thorough risk assessment and discovery exercise “to identify proportionate controls."
Get Real About Compliance and Risk Mitigation
In building a comprehensive risk assessment, financial institutions and corporates should plan for the long haul. Harrison stressed the point, saying "Risk assessment is an ongoing process, not a one-off exercise."
This involves "integrating different approaches to understanding risk" and should include "workshops and involving front-line staff in risk assessments to identify potential threats and appropriate controls." Addressing human error is crucial.
Grotens urged that implementing "principles and clear guidelines for actions to differentiate between mistakes and fraud" will help mitigate risks. Additionally, "report and replay technology" is invaluable for "capturing interactions and providing forensic evidence." This underlines a truth: creating a supportive culture for reporting and whistleblowing is vital.
Emphasising that companies should strive for a "Speak Up environment where employees can report issues and collusion," Holdstock said this approach not only helps in fraud prevention, but also empowers employees to "comment on and improve processes."
Training and awareness programs play a pivotal role in this level of compliance. Harrison said there's a need for "training and awareness programs to ensure that employees understand the importance of their roles and the controls in place."
Special attention should be given to "roles at higher risk of errors," providing "additional training and support to these employees." And while the new legislation presents a significant workload, it’s an opportunity for financial institutions and corporates to strengthen fraud prevention measures.
By adopting a holistic approach, complying with the failure to prevent fraud offence, leveraging advanced technologies, and fostering a culture of vigilance and reporting, companies can better protect themselves and their customers from a fraud threat that never sleeps.
See more information on complying with the UK Failure to Prevent Fraud Offence here.