In a year of evolving corporate standards, a new piece of legislation is poised to challenge large UK firms. The “failure to prevent fraud” offence, a key provision of the Economic Crime and Corporate Transparency Act, is scheduled to come into force on September 1, 2025.
This measure applies to large organisations, defined as meeting at least two of the following criteria: more than 250 employees, a turnover exceeding £36 million, or total assets over £18 million. It is designed to hold them accountable for profiting from fraudulent activity.
The stakes are significant, especially since the Home Office notes that fraud accounts for roughly 40% of all crime in England and Wales.
The urgency for firms to act was recently underscored by SFO Director Nick Ephgrave, who emphasised the agency’s intent to prosecute the new offence. “Come September, if they haven’t sorted themselves out, we’re coming after them. That’s the message I’ll be delivering,” Ephgrave stated. “I’m very, very keen to prosecute someone for that offence. We can’t sit with the statute books gathering dust, someone needs to feel the bite.”
With just under two weeks (at the time of publishing) until the enforcement deadline, the readiness of firms to meet this new legal standard is a growing concern.
At the beginning of August 2025, Elephants Don’t Forget hosted a joint webinar with specialist regulatory consultancy firm, Ocorian, exploring what organisations need to consider in their preparations.
A series of webinar polls of 545 senior financial services professionals revealed a widespread and concerning lack of preparation.
A notable 37% of firms said they have yet to complete a risk assessment to identify their fraud exposure, a foundational element of the Home Office’s recommended prevention framework. A further 16% admitted their assessments were outdated, being over a year old. Only 47% of firms said they have completed this essential step within the last six months.
Confidence in the effectiveness of existing fraud controls is also highly varied. While a small number of firms (17%) feel very confident, having recently tested their controls, a considerable majority appear to be on an uncertain footing.
An overwhelming 64% of respondents said they have policies in place but have not tested them against the new legal standard of “reasonable procedures.” Additionally, 19% of firms admitted their controls were incomplete or poorly documented.
A particularly weak area appears to be employee training. Despite official guidance stressing the importance of proportionate, regular and effectively monitored training, 64% of firms said they either offer no formal fraud training, provide it as a one-off event, or rely solely on annual mandatory sessions.
Only 36% of firms said they are tailoring their training to specific roles and reinforcing it regularly, a key practice for building a strong, proactive fraud defence.
Adrian Harvey, Chairman and co-founder of Elephants Don’t Forget, said:
“The findings of our polls are a stark wake-up call for large organisations. With the SFO making its intentions clear, the sentiment captured reveals a dangerous gap in preparedness for many.
Our research indicates that over half of firms either haven’t conducted a fraud risk assessment or are relying on outdated ones, leaving them blind to their risk exposure. This is also compounded by a false sense of security, with an overwhelming number of firms admitting they haven’t tested their controls against the new legal standard of ‘reasonable procedures’.
Crucially, the reliance on generic, one-off training, as seen in 64% of firms, demonstrates a critical failure to embed a proactive fraud prevention culture. A documented, tailored, and continuously reinforced approach to both risk assessment and employee training and fraud competence is an essential defence to avoid becoming a test case for the new legislation.”