Are you ‘Fit For Fraud’ and the new ‘Failure to Prevent’ Rules?

‘Failure to Prevent Fraud’ was introduced under the Economic Crime and Corporate Transparency Act 2023, and covers fraud committed by someone acting on behalf of the company. The law applies from September 2025 to larger firms across all sectors – that’s organisations that meet two or more of the following criteria: more than £36 million in turnover, £18 million in total assets or more than 250 employees. As banking and financial services are at high risk of this type of fraud, firms will be under intense scrutiny to adhere to new guidance. 

The new rules hold organisations criminally liable if an ‘associated person’, such as an employee, agent or intermediary, commits fraud that benefits the business, and – crucially – where there were inadequate measures in place to prevent such fraud.  

You might be surprised at how lax many internal fraud prevention measures are today – if they exist at all. One report from the Association of Certified Fraud Examiners in 2022 reported that 29% of employee fraud occurred due to a lack of internal fraud prevention controls. 

From September, if probed, firms must prove they had ‘reasonable procedures’ in place to prevent fraud. It won’t be enough if senior management can prove they didn’t know that fraud was taking place – they’ll still be held criminally liable, and the organisation can receive an unlimited fine. 

Internal fraud isn’t new, but technology is making it more sophisticated, harder to detect, and more damaging. Fraudsters inside organisations understand internal controls and know how to bypass them, making prevention even more difficult. 

Internal fraud is no longer limited to just false claims, mis-selling, misreporting, tax evasion etc. From our experience at BeyondFS, emerging internal fraud risks include: 

• Insider-assisted account takeover, where employees collude with external fraudsters to exploit privileged access and bypass security controls. 

• ‘Data poisoning’, manipulating data fed into fraud detection systems to create blind spots or allow fraudulent activity to slip through. 

• Overpayment scams, where employees collaborate with customers to inflate refunds or overpayments, then siphon off the excess. 

• Credential sharing, where employees deliberately share system logins to obscure individual accountability in fraud schemes. 

• ‘Session hijacking’, exploiting unattended or insecure employee devices to perform unauthorised activities. 

• Collusive loan write-offs, approving loans for accomplices and writing them off as uncollectible without due process. 

As many firms are focused on the fight against external fraud, internal fraud prevention measures might have dropped down the priority list. But with the ‘Failure to Prevent’ rules approaching, firms could be facing huge fines if their procedures and strategy are not up to date. 

With new rules on the horizon, now is a perfect time to step back and review your organisation’s wider fraud strategy.  

While ‘Failure to Prevent’ focuses on preventing internal fraud, firms are still having to fight the growing threat of external fraud, with new technology such as AI deepfakes and synthetic identity fraud increasingly aiding criminals. In turn, regulators are dialling up their monitoring activities, checking that appropriate fraud prevention measures are in place. 

After all, climbing fraud levels, both internal and external, are often signs of wider issues in an organisation.  

One example, a BeyondFS client, is a major European banking group. The team approached us after a surge in payment fraud where they had seen more than 30,000 cases in one year, resulting in gross losses of over £11 million. As we got to know them, we realised how difficult a problem their fraud prevention strategy was to solve.  

Multiple areas in the bank needed to be involved, from Financial Crime to IT and Operations, as well as commercial functions. Each silo had their own approach, and there were several technology vendors working separately across the organisation solving similar issues.  

In most firms, each function saw the balance between friction, cost, and risk management differently, creating headaches for those trying to coordinate an overall approach. Firms that offer many products and work across different jurisdictions face an even tougher time. 

In the case of our European banking group client, our consultants’ experience meant we were well placed to come in and coordinate across teams. We helped the group develop a new three-year fraud strategy, including a phased rollout of advanced fraud detection tools. 

If you’re trying to tackle an outdated fraud prevention approach, particularly where there are multiple teams involved, you need to align your organisation behind a robust fraud strategy. At BeyondFS we’ve worked on many of these projects – here’s how we’d recommend you get started. 

1. Start with the big picture: Begin by running a thorough risk assessment, understanding the wider strategic context and constraints. Make sure to link fraud prevention projects to other organisational goals, such as customer experience, revenue and efficiency.
2. Identify key strategic goals: Your fraud strategy must balance three competing priorities: friction, cost, and risk. Agree on your organisation’s priorities going forward.
3. Assess the current state: Gather data to understand how fraud is being dealt with today. If there are gaps in the data available, make sure those are filled.
4. Prepare for action: Engage with a range of stakeholders and define key initiatives over the coming period (we find a three year horizon works well). Align strategy implementation with budget and approval cycles.
5. Keep the strategy adaptive: Fraud threats evolve rapidly, so flexibility must be a core principle. 

Want to learn more? Download our PDF guide to Fraud Strategy: Building a Successful Framework for Your Organisation.