UK corporate law shifted in September 2025 in a way that should be keeping compliance teams awake at night. A new offence rewrites the rules on corporate fraud liability: companies can now be criminally prosecuted not for committing fraud, but for failing to prevent it.
The Serious Fraud Office (SFO) is already warning businesses to get their house in order. Insurance Times reported in January 2026 that the first prosecutions under the new regime are being pursued.
We have been tracking this law for over a year at VerifyPDF. It matters to us because the “reasonable procedures” the statute demands are exactly the controls we build into client workflows every day: automated document verification with a full audit trail. If your business meets the size threshold (and a lot of mid-market firms do without realising it), you do not have a choice anymore. Here is what the law actually requires and how to bake it into how you operate.
What is the failure to prevent fraud offence?
The offence sits in Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), and it took effect on 1 September 2025.
The core idea is simple. If an employee, agent or subsidiary commits fraud for the benefit of a large organization, that organization is guilty of a criminal offence unless it can prove it had “reasonable procedures” in place to prevent fraud.
The key word is “unless.” This is a strict liability offence with a single statutory defence. Either you had reasonable procedures, or you did not. No middle ground, no points for trying.
Who does it apply to? Any body corporate or partnership that meets at least two of these three criteria in the financial year preceding the fraud:
- More than 250 employees
- More than £36 million in annual turnover
- More than £18 million in total assets
That covers a lot of ground. We are not just talking about FTSE 100 firms here. Mid-market companies, fast-growing fintechs, professional services firms, insurers and property management groups often hit the threshold without realising it. If you have ever told yourself “this is for big companies, not us”, you should probably check the latest set of accounts.
Why this law changes everything for UK businesses
Before ECCTA, prosecuting companies for fraud committed by their employees was very difficult. Prosecutors had to prove that a senior officer (the “directing mind”) was personally involved in or aware of the fraud.
In practice, that let large companies insulate themselves. A junior employee could forge documents to hit targets, and the company would shrug and say it had no idea. The structure rewarded ignorance.
That defence is gone. Under the new offence, it does not matter whether the CEO knew. If a sales rep inflates revenue with fake invoices, if an underwriter accepts forged bank statements to close a deal, if a mortgage broker fabricates payslips to push through an application, the company is liable. The only question prosecutors will ask is: did you have reasonable procedures to prevent this?
The SFO has made clear that it intends to use this power. Its 2025 guidance on evaluating corporate compliance programmes reinforces the Home Office’s six statutory principles, which mirror the existing Bribery Act framework:
- Top-level commitment from senior management
- Risk assessment identifying where fraud can occur
- Proportionate procedures based on the risks identified
- Due diligence on employees, agents and third parties
- Communication and training across the organization
- Monitoring and review of procedures on an ongoing basis
Notice something? Principles 3, 4 and 6 all point at the same problem. You need systems that actually catch fraud, not policies that say you are against it. A poster in the breakroom is not a procedure.
To make this concrete, picture a mid-size mortgage brokerage. An employee realises they can earn higher commissions by pushing through borderline applications. They start altering payslip PDFs to inflate salaries by 15-20%. Nothing dramatic, just enough to clear affordability thresholds.
Under the old rules, when regulators uncovered the scheme, the company could argue it had no knowledge. Under ECCTA, the question is different: did the company have reasonable procedures to catch document manipulation? If the honest answer is “we trusted our staff to eyeball the payslips,” that is not going to fly.
How ECCTA fits alongside existing fraud obligations
The failure to prevent fraud offence does not exist in isolation. UK businesses already deal with overlapping fraud rules: the Bribery Act 2010, Money Laundering Regulations, FCA Consumer Duty, GDPR and sector-specific rules. ECCTA adds a criminal offence that sits on top of all of them.
Some good news: a lot of the plumbing you have already built is reusable. If you already run strong anti-money laundering (AML) document checks, you are part of the way there.
But AML procedures typically focus on identity verification, not document integrity. Confirming a bank statement belongs to the right person is not the same as confirming the statement itself has not been tampered with. Many compliance teams miss this distinction. We see it almost every week.
Kennedys Law noted in May 2025 that businesses should run a gap analysis against the six ECCTA principles rather than assume existing frameworks are sufficient. In our experience, the document verification gap is consistently the largest hole.
The document verification gap most companies have
Here is where it gets uncomfortable. Most companies we talk to have anti-fraud policies. They have compliance teams. They have training modules employees click through once a year, mostly while doing something else.
But when we ask a simple question, “What happens when someone submits a forged bank statement or a manipulated payslip?”, the answer is usually silence. Or worse: “Our team reviews them manually.”
Manual review does not meet the bar for “reasonable procedures.” Not in 2026. As we covered in our analysis of why 90% of fake documents are invisible to the human eye, modern forgeries are built with tools that produce pixel-perfect output. A compliance officer staring at a PDF on screen cannot see metadata tampering, hidden editing layers or font substitutions. And criminals know this. They are counting on it.
The gap sits between what companies think their process catches and what it actually catches. If document review means a human opens a PDF, gives it a visual once-over and ticks a box, you have a gap the SFO could drive a prosecution through.
What “reasonable procedures” actually look like in practice
The government’s guidance avoids prescribing specific technologies (it always does). But the six principles map to concrete operational requirements. Here is how we break it down for the companies we work with.
Risk assessment that includes document fraud. Most fraud risk assessments focus on financial controls, IT security and employee background checks. Few include a specific assessment of document-based fraud risk: forged bank statements in lending, manipulated payslips in HR onboarding, fake invoices in procurement. If your risk register does not list these, it is incomplete.
Automated verification at intake points. Every place your business accepts a document from an external party is a fraud entry point. Loan applications, insurance claims, tenant screening, supplier onboarding, employee hiring. VerifyPDF checks a document in under 5 seconds, flagging metadata anomalies, editing traces, font inconsistencies and other red flags no human reviewer can spot. That is a proportionate procedure.
Audit trail for every document decision. If the SFO comes knocking, you need to show not just that you had a system, but that the system was actually used. Every document entering your business should have a verification record: when it was checked, what was flagged, what action was taken. Automated systems generate this trail by default. Manual processes almost never do.
Ongoing monitoring, not just onboarding checks. The law does not stop at the moment a customer or employee joins. Fraud can happen at any stage of a relationship. As we explored in our post on ongoing document monitoring, a one-time check at onboarding is not enough. Reasonable procedures mean continuous vigilance.
Which industries face the most exposure?
Not every company faces the same level of risk. Based on the fraud patterns we see across the documents processed by VerifyPDF, some sectors are particularly exposed under the new offence:
Financial services and lending. Banks, mortgage brokers, buy-now-pay-later firms and asset finance companies process thousands of financial documents monthly. Fake bank statements and forged payslips are the bread and butter of application fraud. Many European fintechs are already switching to automated document checks to stay ahead of exactly this risk.
Insurance. Fraudulent claims backed by manipulated documents cost UK insurers billions every year. Under the new law, an insurer that relies on manual claims review and misses a pattern of internal or agent-driven fraud could face prosecution. The irony is hard to miss: the industry that prices risk for a living now faces criminal risk from its own processes.
Property and lettings. Tenant screening is one of the most fraud-heavy document workflows in the UK. Applicants routinely submit doctored payslips and bank statements. Letting agents and property management companies that meet the size threshold need automated verification to demonstrate reasonable procedures.
Professional services. Law firms, accountants and consultancies that perform client due diligence on behalf of others carry a double exposure. A forged document that slips through a due diligence review can mean liability for both the client and the firm itself. The JPMorgan-Frank acquisition fraud is a painful reminder of what happens when due diligence relies on surface-level checks.
Building a compliance framework: a practical checklist
If you are thinking “we need to do something about this,” here is a practical starting point. This is not legal advice (talk to your solicitor for that), but it reflects what we see working across the companies we support.
- Map your document intake points. List every process where your business receives a document from an outside party. Applications, claims, onboarding, procurement, due diligence. You cannot protect what you have not mapped.
- Assess fraud risk at each point. For each intake point, ask: what happens if someone submits a forged document here? What is the financial exposure? What is the reputational damage? This feeds your risk register.
- Deploy automated document verification. Replace or augment manual review with automated checks. Look for solutions that analyse document metadata, detect editing traces, cross-reference formatting patterns and produce a risk score. VerifyPDF processes documents in under 5 seconds and flags anomalies across bank statements from over 90 countries.
- Create an audit trail. Every document decision should be logged. When was it received? What verification ran? What was the result? What action was taken? If you cannot answer these questions for a document submitted six months ago, your procedures have a gap.
- Train your teams. The law requires communication and training. Make sure staff know what document fraud looks like, what the company’s procedures are and what to do when they spot something suspicious. Annual training is the minimum.
- Review and update regularly. Fraudsters adapt. Your procedures need to adapt with them. Schedule quarterly reviews of your fraud prevention framework, including the performance of your automated tools.
The cost of getting this wrong
The penalties under the new offence are severe. A conviction can result in an unlimited fine. But the financial penalty is almost secondary compared to the reputational damage. Being the first company prosecuted for failure to prevent fraud would be catastrophic for client trust, share price and employee morale. Nobody wants to be the case study every law firm cites for the next decade.
There is also a personal dimension. The offence targets the organization, but the individuals who committed the underlying fraud still face prosecution. Senior management who failed to put reasonable procedures in place may find themselves under scrutiny in regulatory proceedings, even if they are not criminally charged.
In our experience, the companies that act first end up with a real edge. They can tell clients and partners they have automated, auditable fraud prevention in place and actually mean it. That matters, especially in regulated industries where procurement teams ask hard questions.
Do not wait for the first prosecution
The SFO has signalled clearly that enforcement is coming. The law is live. The guidance is published. The threshold for “reasonable procedures” will be set by the first wave of cases, and you really do not want to be in that wave.
Here is the part that surprises people: building compliant document verification is easier than it sounds. Automated tools like VerifyPDF plug into existing workflows through an API, check documents in seconds and generate the audit trail the law demands. Most of our clients are up and running within a week.
If your business meets two of the three size criteria, the time to act is now. Not next quarter. Not after the first prosecution makes headlines. Now. Proving you had reasonable procedures means having them in place before the fraud happens, not scrambling to build them after.