Six Months of the Failure to Prevent Fraud Offence

The Failure to Prevent Fraud offence came into force on 1 September 2025. Six months on, Thistle Initiatives Senior Manager James Dodsworth looks at what action the regulators have taken and how firms have been responding.

What is the Offence?

The failure to prevent fraud offence, introduced by the Economic Crime and Corporate Transparency Act 2023, makes large organisations criminally liable if they fail to stop employees, agents, or other “associated persons” from committing fraud that benefits the organisation. The only defence is that the organisation has reasonable procedures in place to prevent fraud, or that it was not reasonable to expect such procedures. 

Even if your firm does not meet the thresholds, you may work with partners who do. We have seen an increase in enquiries from those partners for firms to demonstrate they have considered the offence and have a robust fraud management framework in place. 

What is the FCA's focus?

Although the offence has been live for six months, the FCA is taking a long-term view, not dissimilar to how the Failure to Prevent Bribery offence was implemented. However, it was over four years before the first successful prosecution under the Failure to Prevent Bribery offence, mainly due to the complexity of the cases and cross-border elements. The Failure to Prevent Fraud offence mainly deals with domestic high-volume fraud cases, and is designed to be easier to prosecute than existing fraud laws; for example, the prosecution is not required to prove that senior management had knowledge of the offence. It is therefore expected that prosecutions will arrive sooner than they did with the bribery offence.

The main focus for 2026 will be that firms demonstrate a robust, data-driven fraud prevention framework. 

These are some of the key elements firms will need to demonstrate: 

Proportionality – are fraud controls proportionate to the firm’s risk profile? Firms should consider their size and resources, the nature of their activities, their geographical footprint, and their risk profile. The higher the risks, the more robust the controls need to be. 

Data – using data-led monitoring to detect fraud patterns is becoming increasingly important, not least as the regulators themselves are moving to utilise these capabilities. Data can be used to monitor high-risk activities, identify unusual transactions and review third-party activities. It is a key element to demonstrate evidence of compliance with the reasonable procedures defence. 

AI fraud detection – The FCA itself is utilising AI-enabled fraud detection systems and will expect that firms will also integrate this into their detection capabilities based on their risk exposure. AI fraud detection can be beneficial for firms offering products such as digital wallets, online banking, payment gateways, e-commerce, and insurance. AI can be utilised to improve detection and monitoring, working in real-time to spot unusual patterns and anomalies and reduce false positives. Additionally, it can be used to create dynamic fraud risk assessments based on data points. 

Governance & accountability – The offence requires responsibility for fraud risks to be clearly evidenced. A senior manager or executive should be accountable for fraud prevention. The board should have oversight of fraud risk and receive regular fraud-related MI. This MI may include: time taken to investigate fraud alerts; patterns relating to suspicious transactions; number of suppliers assessed for fraud risks; and percentage of false positives. There should be clear escalation routes for suspected fraud, with well-documented decision-making. Evidence of independent challenge could include: a dedicated fraud risk committee; a standing agenda item at risk committees; internal audit reviews or independent assessments of the fraud framework.

How Have Firms Been Responding?

Thistle has worked with a number of clients to help assess their fraud risk management frameworks in relation to the offence, providing an independent view on alignment with the guidance and FCA expectations. Six months in, the expectation is that firms have moved past the planning stage into active embedding of their fraud prevention framework. This includes:

Risk Assessments – Fraud-specific risk assessments completed with mapped controls to risks and updated based on the assessment or any incidents the firm may have seen. 

Governance – Senior Manager or Executive in place overseeing fraud risk and controls. Board and/or committee reporting, and evidence of escalation and decision-making in relation to fraud risks. 

Training – Firms should have delivered fraud-specific training, including enhanced training to higher-risk roles. 

Monitoring and detection controls – Firms should have in place fraud monitoring tools, whether they be automated or manual, and utilise the MI and data to make sure alerts are working as expected. 

Third-party due diligence – A key area that often arises is the level of detail to which firms have assessed the risks related to associated parties. These need to be carefully considered and documented, with appropriate risk-related controls put in place.

Testing and assurance – Six months in, controls should begin to be embedded, which will allow for initial testing to identify any gaps and begin remediation where required. Looking further ahead, 12 months is a good point to consider an internal audit or an independent external review of the framework.

What Can We Expect for the Rest of 2026?

Whilst the FCA will continue to expect to see firms with well-structured and implemented fraud risk management frameworks, we may not see any enforcement action under the offence in the short term. Where it does occur, the FCA has set out that they will be more targeted and have faster resolutions.

Firms should expect to be able to actively demonstrate that their fraud management framework is operating effectively and not just based on policies.

Thistle can support firms with their fraud risk control frameworks in a number of ways, including:

  • Reviewing or conducting fraud risk assessments
  • Fraud framework design and enhancement
  • Policy and procedure development
  • Delivering training and awareness programs
  • Third-party risk management support
  • Review and assessment of fraud controls, alerts and MI
  • Independent assurance and testing of fraud risk control frameworks

Meet the expert

James Dodsworth, Senior Manager

James has worked in financial crime compliance across a range of sectors and firms for over 20 years.

As a certified fraud investigator, James has experience in all three lines of defence: conducting investigations, designing and delivering fraud controls and risk assessments, as well as creating and reviewing policies and procedures.