The UK’s new “failure to prevent fraud” law, effective September 2025, shifts liability onto large organizations unless they prove “reasonable prevention measures.” With extraterritorial reach, it compels stricter due diligence across the mobile ecosystem. MEF Director of Programmes Nicholas Rossman analyses its profound implications for global anti-fraud standards.
The landscape of corporate responsibility in the United Kingdom has undergone a fundamental transformation with the introduction of a new criminal offense: “failure to prevent fraud”. As of September 1, 2025, a new era of proactive corporate accountability has begun, ushered in by the Economic Crime and Corporate Transparency (ECCT) Act 2023.

This landmark legislation significantly alters the burden of responsibility, placing it squarely on large organizations to prevent fraudulent acts committed by their employees or “associated persons” for the organization’s benefit.
This new law moves away from the traditional model, which required prosecutors to prove that senior management had direct knowledge or involvement in a fraudulent act. Instead, it operates on a principle of strict liability. An organization can be held criminally liable if a fraud is committed on its behalf, unless it can demonstrate that it had “reasonable fraud prevention measures” in place at the time of the offense. This legal paradigm is intended to compel companies to embed an anti-fraud culture into their very structure, rather than simply reacting to criminal acts after they have occurred.
The government’s motivation for this shift is clear, following a 31% increase in fraud as reported by the Office for National Statistics (ONS). The new law, along with other measures like the push for a ban on SIM farms, signifies a coordinated and comprehensive government approach to targeting the entire fraud ecosystem.
The implications of this legislation are profound and direct, particularly for members of the Mobile Ecosystem Forum (MEF). The law’s broad definition of “associated persons” creates a ripple effect throughout the entire supply chain, compelling large organizations like Mobile Network Operators (MNOs) and Communications Platform as a Service (CPaaS) providers to scrutinize their third-party partners. As a result, this UK-specific legal requirement is effectively becoming a de facto global commercial standard for anti-fraud compliance within the mobile ecosystem.
The Legal Framework and its Widespread Impact on the Mobile Ecosystem
The “failure to prevent fraud” offense applies to any “large organization” that meets at least two of the following criteria in the financial year prior to the offense: more than 250 employees, an annual turnover greater than £36 million, or total assets exceeding £18 million. A critical and far-reaching aspect of this law is its extraterritorial scope; it applies to any fraud committed under UK law or targeting UK victims, regardless of whether the organization or the associated person is based overseas. This means that any global MEF member with a presence or business with UK citizens is subject to this new law.
The only available defence is for the organization to prove to the court that it had “reasonable fraud prevention measures” in place when the fraud occurred. The Home Office guidance outlines six key principles for this defence:
- Top-Level Commitment: Senior management must demonstrate a clear and visible commitment to preventing fraud.
- Risk Assessment: Organizations must conduct dynamic risk assessments to understand their specific fraud vulnerabilities.
- Proportionate Risk-Based Prevention Procedures: Procedures must be proportionate to the assessed risks and the complexity of the organization.
- Due Diligence: Organizations must review and strengthen their due diligence procedures for associated persons, including employees and third-party partners.
- Communication and Training: Anti-fraud policies must be clearly documented, communicated, and reinforced at all levels.
- Monitoring and Review: Procedures must be regularly monitored and reviewed for effectiveness, typically every one to two years.
The new law’s impact is not uniform across the mobile ecosystem. It affects various MEF member categories in distinct ways:
- Mobile Network Operators (MNOs) are at heightened risk as fraudulent messaging and voice traffic could be interpreted as benefiting the MNO through fraudulent revenue. They must enhance due diligence on partners and use robust systems to block fraudulent traffic.
- CPaaS & Aggregator Providers are uniquely exposed as “associated persons” to large organizations. Their platforms must demonstrate “reasonable procedures” to prevent fraud to remain commercially viable.
- Brands, Financial Institutions & Agencies face direct liability for fraud committed by employees or third-party agencies. They must conduct thorough audits of internal policies and partner practices.
- Anti-Fraud Technology Providers have a significant market opportunity. Their services are now a critical component of a client’s legal defence, and they must align their products with the six principles of “reasonable procedures”.
MEF’s Strategic Response and a Clear Path Forward for Members
MEF is uniquely positioned to assist its members in navigating this new landscape. The Forum has a collaborative relationship with the UK Home Office, having co-hosted a session on the UK Telecom Fraud Charter. This alignment with government objectives allows MEF to act as an authoritative guide for its members.
Furthermore, MEF’s existing anti-fraud initiatives are already aligned with the new law’s “reasonable procedures” defence. Participation in these programs is therefore not just a matter of best practice, but a critical component of a legally defensible compliance framework.
- The UK’s SMS Sender ID Protection Registry, operated by MEF, provides a measurable and auditable mechanism that directly aligns with the law’s “Proportionate Procedures” and “Monitoring and Review” principles.
- The Business SMS Code of Conduct establishes a self-regulatory framework that directly supports the “Top-Level Commitment” and “Due Diligence” principles by setting clear standards for ethical responsibility.
If its members want, MEF can take several proactive steps:
- Offer best practices and guidance: MEF could create new reports and educational materials that give members a clear roadmap for compliance.
- Establish a dedicated working group: A new Corporate Fraud Prevention working group could be created to allow members to share knowledge and collaborate on solutions.
- Provide tailored education: MEF could organize webinars and workshops to educate legal and compliance teams on the details of the new law and offer practical advice.
- Serve as a central resource: MEF could become the main source for updates on the Home Office’s expanded fraud strategy and other policy developments.
- Continue advocating: MEF could maintain an open dialogue with government bodies to advocate for the industry’s interests and help ensure the new law is implemented fairly and effectively.
The “failure to prevent fraud” offense represents a fundamental philosophical shift in the UK’s approach to combating economic crime. For large organizations, compliance is now a legal and commercial necessity, and its implications compel even smaller partners to elevate their anti-fraud measures.
MEF is an indispensable partner in navigating this new landscape. By actively engaging with MEF and adopting its existing initiatives, members can most effectively develop a comprehensive and legally sound defense. Recommended actions for members include conducting a fresh risk assessment, reviewing third-party contracts, and prioritizing training and communication.
If you’re a MEF member, join our ID & Data and Antifraud insight groups. These groups offer a platform for discussions, initiatives, and continuous updates on these crucial topics.