Taking on Compliance Challenges with the “Failure to Prevent Fraud” Regime in the UK
September 15, 2025
On 1 September 2025 the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) added Failure to Prevent Fraud (“FtPF”) to the UK’s “Failure to Prevent” offences. Large incorporated bodies and partnerships across all sectors now face potential criminal liability where an “associated person” commits fraud with a UK nexus for the benefit of the organisation or, in some cases, its clients.1
Failure to prepare leaves firms exposed to:
- Criminal liability and unlimited fines,
- Severe reputational harm, and
- Heightened regulatory and stakeholder scrutiny.
The Serious Fraud Office (“SFO”) has already signalled its readiness to prosecute. In February 2024, Director Nick Ephgrave described FtPF as a “landmark moment” and warned: “Come September, if they haven’t sorted themselves out, we’re coming after them. … I’m very, very keen to prosecute someone for that offence.”2
The only defence is to show that “reasonable procedures” were in place to prevent such conduct. Home Office and UK Finance guidance offer some direction on what “reasonable procedures” may look like, but many firms struggle with the foundational step of conducting an Associated Persons Typology Assessment.3 In this piece, drawing on our work helping banks prepare, we summarise three recurring blockers and suggest practical strategies for overcoming them.
Single View: Centralising Fragmented Relationships
The Blocker: The ECCTA’s definition of “associated persons” is deliberately broad and nuanced, covering employees, agents, subsidiaries, contractors, and any party performing services for or on behalf of the organisation. Whether, for example, a broker is considered an “associated person” depends on the circumstances of their appointment. For financial institutions with diverse products and services offered across global networks, mapping these relationships is daunting. Even mature institutions often lack a consolidated view, leading to protracted debate on which parties should be in scope.
Our Approach: Establish a structured, centralised process and cross-functional working committee to identify, map, and risk-assess all associated persons. This should go beyond simple record-keeping and become a dynamic framework that supports decision-making, oversight, and regulatory defensibility. Key elements include:
- Central Registry: Develop a database with defined taxonomy to classify and assess employees, contractors, subsidiaries, and third parties.
- Cross-Functional Validation: Run workshops across business lines and geographies to ensure completeness and accuracy of assessment. Establish a governance forum to oversee updates and ensure that both existing and new relationships are assessed consistently.
- Data-Enabled Visibility: Use analytics to identify higher-risk clusters across products, services, and jurisdictions.
Firms gain a single, defensible view of who acts on their behalf and with what incentives. Fraud risk considerations are embedded into day-to-day business decisions, oversight becomes proactive rather than reactive, and boards are better positioned to demonstrate compliance with FtPF obligations.
From Theory to Reality: Translating Typologies into Business-Specific Cases
The Blocker: Generic fraud typologies provide little insight into how risks play out in practice, a gap which enforcement agencies are unlikely to overlook. To be meaningful, assessments must reflect how fraud could realistically occur across roles, jurisdictions, and transaction flows. Yet many institutions face practical barriers: siloed data, fragmented systems, and incomplete records, particularly between group entities. As a result, risk assessments often rest on assumptions rather than evidence. Without clarity on the opportunities, motivations and rationalisations of “associated persons”, leadership risks underestimating vulnerabilities, for example in incentive structures, local intermediaries and agents, or outsourced providers. This ultimately limits the ability of boards and senior management to judge whether current controls would hold up under real-world stress.
Our Approach: Translate broad fraud typologies into realistic, business-specific scenarios that test whether existing controls hold up in practice. Use internal and external data to shape plausible fraud scenarios and to assess their likelihood and impact. Data should be supplemented by the judgement and understanding of appointed representatives from across the business and support functions.
Beyond the Papering: Embedding Governance and Accountability in Daily Practice
The Blocker: FtPF compliance requires more than well-drafted policies and a documented risk assessment. It demands a demonstrable, organisation-wide cultural shift towards proactive governance and accountability. Leadership needs to set the tone, yet many firms still rely on static policies with limited oversight and senior engagement across UK and overseas operations, creating inconsistent practices.
Our Approach: Leadership should drive a governance framework that embeds accountability across the business. This could include:
- Enterprise-Wide Reporting: Implement a fraud-reporting hotline with clear escalation protocols, accessible to staff across all geographies.
- Visible Leadership: Deliver training and regular awareness-raising campaigns and communications led by senior management to set expectations consistently across jurisdictions and empower staff.
- Third-Party Accountability: Include anti-fraud obligations in contracts with third parties and enforce them through audits, ongoing monitoring, and periodic contract updates.
The Way Forward
Since 1 September 2025, “we didn’t know” is no longer a defence. In our experience, adequate preparation requires nothing short of a fundamental recalibration of how firms think about and understand fraud exposures across their operations and value chains.
Business and Compliance Leaders Should Already Be Asking:
- Do we have a clear, up-to-date view of all associated persons and their fraud risks?
- Are our risk assessments grounded in realistic, data-driven scenarios?
- Does our governance framework foster accountability, or are we still relying on outdated policies?
FTI Consulting is a trusted partner to leading financial institutions. Drawing on deep expertise in financial crime compliance, operations, governance, and regulatory risk management, we have supported clients in designing and implementing fraud risk assessments and strengthening fraud prevention frameworks aligned with the FtPF regime.
Our independent perspective, combined with hands-on delivery experience, means we help firms meet today’s regulatory expectations and build resilience for tomorrow’s challenges.
To learn more about how we can support your organisation, visit: https://www.fticonsulting.com/uk/industries/financial-services or contact us directly to arrange a consultation to discuss immediate needs.