‘Insurers or any of the organisations that fall into scope need to ensure that any suppliers or agents likely to act on their behalf have the relevant controls and processes in place to mitigate the risk,’ says head of fraud
The failure to prevent fraud offence (FTPF) that recently became law in the UK could expose the country’s insurance sector and its clients to vulnerabilities and prosecution if sufficient action is not proactively taken to comply with the statute and prepare for potential legal challenges.
New rules around failing to prevent fraud came into effect in the UK on 1 September 2025 via legislation introduced in The Economic Crime and Corporate Transparency Act 2023 (ECCTA).
The FTPF offence places a legal obligation on organisations – including insurers, brokers and their suppliers – to implement robust fraud prevention procedures, with these firms open to prosecution if an employee, agent or supplier commits fraud for their benefit.
Any UK company is included within ECCTA’s scope if it meets two of three criteria – these are having over 250 employees, more than £36m in annual turnover or exceeding £18m in total assets.
Counter fraud experts that attended the most recent Insurance Times Fraud Charter roundtable – held on 16 September 2025 and sponsored by law firm Carpenters Group – noted that while the FTPF provision has only recently come into force, the UK government’s Serious Fraud Office (SFO) has already been keen to utilise the new powers.
Indeed, during the launch of the SFO’s 2025-26 Business Plan in April this year, director Nick Ephgrave warned companies to prepare their counter fraud procedures ahead of the September effective date.
Ephgrave said: “Come September, if [companies] haven’t sorted themselves out, we’re coming after them. I’m very, very keen to prosecute someone for that offence. We can’t sit with the statute book gathering dust – someone needs to feel the bite.”
Speaking at September’s Fraud Charter roundtable, Matt Gilham, director at Whitelk Fraud Performance Consulting, noted that the SFO had pushed hard on publicising the FTPF rules and seemed to be preparing action.
He commented: “As [the insurance sector], it strikes me that there’s two aspects of this we need to be alert to.
“One is the impact on our clients. I’m super pleased that some insurers have already taken the lead in publicising this to help support their corporate clients – especially under directors’ and officers’ and corporate liability offences. But if the SFO does pick up the pace, there’s potential for more claims, particularly around what costs are covered and potentially around legal defence.
“Two, however, is that the rules cover the insurance sector itself. Any material insurers will be in scope according to the size criteria and what strikes me about the sector is that we’re one of the industries with the most complex ecosystems of associated persons, both in the acquisition of business and in service to customers and servicing claims.
“The sector has a double interest – both protecting our clients and understanding what this [legislation] might mean for future claims, but also potential risk and impact to ourselves.”
Agents and suppliers
Requirements around the FTPF offence mandate that companies covered by the legislation must implement “reasonable fraud prevention procedures” organised along six principles – leadership commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring and review.
Companies found guilty of an FTPF offence may face “unlimited fines”, with the SFO or other authorities acting as prosecutor. SMEs below the threshold of the size criteria are exempt from the act’s rules, but subsidiaries of larger organisations may still be covered.
As a result, it is vital that companies ensure they are compliant with ECCTA’s rulebook – while insurers hold an equally strong interest in ensuring their insureds are properly prepared.
Gilham added: “In many ways, the reasonable procedures [required] are no more than sound fraud risk management, so should not be new to any financial services company or legal firm.”
However, Mike Brown, head of fraud at Weightmans, added: “ECCTA is somewhat different to previous corporate offences.
“We need to take stock of the fact that, unlike the [Bribery Act 2010 and Failure to Prevent the Facilitation of Tax Evasion rules, included in the Criminal Finances Act 2017], in which the focus was on directors and officers, ECCTA applies to all employees, irrespective of position within that organisation.
“That is a significant risk for insurers, law firms and indeed corporates.”
Additionally, Brown explained that ECCTA’s rules also applied to agents and suppliers acting on a given company’s behalf, which further “heightened the potential risk”.
As a solution, he suggested that organisations add ECCTA-specific training scenarios into existing fraud training for staff.
“Insurers or any of the organisations that fall into scope need to ensure that any suppliers or agents likely to act on their behalf have the relevant controls and processes in place to mitigate the risk,” he said.
“If you don’t and the agent commits the offence, then you’re also culpable.”
One of the difficulties in addressing the partner and supplier ecosystem for insurers, however, lies in the fact that it is not yet clear which firms do and do not fall under this umbrella when considering ECCTA.
Sian Davies, group head of financial crime prevention at Admiral Group, said: “One of the biggest issues for us has been to identify who does fall into our associated persons populations. We’re trying to be very clear over what does fall into that camp because of the potential obligations further down the line in the event of a relevant offence.”
Gilham echoed this point, noting that he had encountered “unusual examples” of what some firms had identified as falling under this remit.
He said: “It is difficult to figure out how to strike this balance between very specific training and a framework for reasonable procedures to mitigate the failure to prevent fraud offence, versus being hyperspecific and missing something.
“Fraud risk management is by no means new and the benchmark should be sound for risk management. But it has to come down to case law and I’m certainly waiting to see what cases come through.
“It feels like the SFO is waiting for an opportunity and may even have something in the pipeline. The risk for us as an insurance sector is not that [the SFO] would target us specifically, but were there to be a complaint or regulatory issue crop up that raised the spectre of fraud within the extended ecosystem, that’s when we could become vulnerable.”