By Owen McDonald, Editor, Bottomline
The UK is currently a hotbed of payments crime, reflecting the worldwide spike since 2020. A new Labour government is drawing a line in the cyber sand on fraud: if the fraudsters can’t be caught and the funds recovered, in many cases banks and businesses must repay victims.
For context, trade group UK Finance said in its Half-Year Fraud Report that “over £570 million [had been] stolen by fraudsters in the first half of 2024”, or roughly USD 622 million. And though there’s been a fractional year-on-year decrease in UK cybercrime, 2024 isn't over yet.
Making enforcement intentions clear, the UK’s Economic Crime and Corporate Transparency Act (ECCTA) became law in October 2023. An addendum to the ECCTA is the Failure to Prevent Fraud offence. Long-awaited guidance on the rule was published November 6, 2024, and Failure to Prevent is expected to be in force on September 1, 2025.
Despite whispers of regulatory overreach, many market watchers call it a square deal.
“It's about making sure that companies have the right controls and anti-fraud measures to prevent fraud in the first place,” said Ruud Grotens, Head of Cyber Fraud and Risk Management Solution Consulting at Bottomline.
“The goal is to push companies to be proactive instead of reactive about fraud. It's about showing that you take fraud seriously.”
According to the ECCTA Policy Paper updated in March 2024, “…an organisation will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place.” No need to prove those in charge know anything, much less that they’re involved. The fact that fraud happened on their watch is enough.
And there’s no “get-out-of-jail-free card” if an organisation is oblivious to a fraud scheme from which the company didn’t benefit. Call it modernisation by fiat, but with fraud being the most common crime in England at half a billion GBP annually, action was needed.
The timing is good. Grotens said now is an ideal time to start implementing stronger B2B anti-fraud controls because when the UK starts levying fines, they will be consequential. And those fines also extend to non-British companies doing business in the UK.
In such a climate, Grotens said conducting fraud risk assessments is another smart move. Central to this is identifying the most sensitive systems and the high-risk staff members who have access to those systems and, if not already in place, starting to consider behavioural monitoring or employee monitoring to detect malicious activity.
Giving added heft to ECCTA and Failure to Prevent Fraud is the British government’s proposal of new laws extending “the time that payments can be delayed by 72 hours where there are reasonable grounds to suspect a payment is fraudulent and more time is needed for the bank to investigate,” according to GOV.UK.
High-risk businesses will be scrutinised the most. Failure to Prevent Fraud “applies to the entire industry, but it follows a risk-based approach,” Grotens said. “Some organisations won't bother at all about Failure to Prevent Fraud, but higher risk organisations like financial institutions, casinos, crypto exchanges – this law is most applicable to them.”
Specifically, the rule stipulates that only larger organisations are in scope, using the standard Companies Act 2006 definition. This means “organisations meeting two out of three of the following criteria” are considered in scope: more than 250 employees, more than £36 million turnover, and more than £18 million in total assets.
According to the UK government’s Cyber Security Breaches Survey 2024, 50% of businesses and 32% of charities have had “some form of cyber security breach or attack in the last 12 months. The results are much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).”
Fraud figures like that make a high-value target for a new government to hang its hat on.
“For the UK, it's a way to show how serious they are about cleaning up financial crime, protecting consumers and the broader economy,” Grotens said. For those doing business in the UK from outside, it’s more of a wake-up call than a fire alarm.
“The guidance is advisory rather than binding, offering principles and examples to assist organisations in implementing procedures that prevent fraud. Courts will consider adherence to these principles in assessing whether an organisation had ‘reasonable procedures’ in place as a defence,” he added.
Demonstrating commitment to this law could enhance the reputation and trust of financial institutions and companies within the UK, which is beneficial if you’re based there or doing business there.
“It's about establishing training programs,” Grotens said. “It's having reporting channels in place, documented procedures, incident response, and monitoring of high-risk staff to detect suspicious activity” before Failure to Prevent Fraud becomes law in 2025.