As we near the end of 2025, we can reflect on some significant changes, both in law and regulation and in regulatory stance. Financial crime prevention is an area that sees constant change, as regulators and enforcement agencies strive to keep up with changes in business practices, technology and consumer behaviour, as well as the constant struggle to stay one step ahead of the criminals.
In this article, written for Compliance Monitor, Emma Radmore and Stephen Wilson of Womble Bond Dickinson look at the main themes of the year.
APP reimbursement – one year on
The big change in 2024 was the introduction of the mandatory APP reimbursement requirement, which finally took effect on 7 October 2024. As a reminder, the rules, which replaced the voluntary CRM Code, cover individuals, micro-enterprises and charities, and apply to all transactions made via Faster Payments or CHAPS when money is transferred from one UK account to another. All payment service providers within scope must reimburse victims of APP fraud within 5 days, and the responsibility is not all on the sending PSP – the cost of the loss must be shared between the sending and the receiving PSP. If the victim and the transaction are in scope, only in very limited circumstances will the reimbursement not apply – essentially where the consumer has not met the "Standard of Caution", which will happen only in cases of gross negligence.
The scheme allows for a maximum payment of £85,000, set to match the Financial Services Compensation Scheme maximum and which was expected to cover over 99% of claims – but firms could of course choose to pay more. Additionally, firms are allowed to apply an excess of up to £100.
Firms within scope had to register with Pay.UK and submit regular data to it.
So, how has it been working? The Payment Systems Regulator looked at the impact of the scheme after its first 9 months, and was pleased with the results. £112m had been reimbursed to victims. 84% of claims were resolved within the required 5 days, and an additional 13% within the 35 day hard stop limit, which firms are allowed to take when they need to get more information to resolve the claim. The statistics showed that 88% of money claimed was returned to victims, which was a pleasingly large increase from the corresponding period the previous year, before the requirement took effect. Pay.UK reported that nearly all firms were submitting accurate data on time.
It wasn't all good news, because the PSR research showed that most fraud victims did not know about the scheme, despite the communications firms had put out, and that nearly half of fraud victims didn't try to get reimbursed. It also seems there is still work to be done on ensuring that receiving banks bear half of the reimbursement cost. The data suggests that only two-thirds of receiving firms were remitting the reimbursement contribution to sending firms within the 5 day limit, so the PSR is looking into the reasons for this.
So far, though, the £85,000 limit does not appear to have been a problem – and customers whose claims are over that limit and whose payment providers don't reimburse in full do still have the option to complain to the Financial Ombudsman Service, which has the power to require firms to make awards up to £430,000.
For the time being then, we're not likely to see any changes to the regime, but the regulators will continue to focus on firms that are not responding as quickly as they might, whether to consumers or to other providers.
Failure to prevent (FTP) fraud – the new offence takes effect
On 1 September 2025, the failure to prevent fraud offence in the Economic Crime and Corporate Transparency Act 2023 (ECCTA) took effect.
Again, as a reminder, this offence applies only to defined "large organisations" (with at least two of (a) 250 or more employees, (b) £36m turnover, (c) £18m assets). It is an offence for such an organisation to fail to have in place reasonable procedures to prevent fraud that an employee or "associated person" of the organisation commits in order to benefit the organisation.
While based on the now familiar Bribery Act model, the FTP fraud offence has several distinct features. Firms can and should, to a significant extent, take a holistic view of risk assessment and policies to comply with all the FTP offences, but they also need to be aware of the nuances in scope, and that different departments and third parties will present greater risks in relation to different offences.
New prosecutor guidance for FTP offences
Of course, it's way too early to know how the authorities will approach potential breaches of the FTP fraud offence, but the Home Office has suggested it will be looking to take action sooner rather than later. And with this in mind, the prosecutors have some new guidance on dealing with corporate prosecutions for FTP offences generally, which includes:
- How to establish who a "senior manager" is for the purposes of establishing corporate liability;
- How to evidence "failure to prevent" offences, including that what is an "associated person" may vary across the three offences (FTP bribery, facilitation of tax evasion and fraud respectively);
- That, for the FTP fraud offence, depending on how the underlying fraud was committed, the organisation may face liability for that as well as the FTP offence; and
- How there may often be a close factual nexus between bribery and fraud offences, so prosecutors may need to consider whether they might be able to proceed under ECCTA if they can't under the Bribery Act.
Beefing up corporate verifications
Another key part of ECCTA involves compulsory identity verification of directors and persons with significant control (PSCs). From 18 November, all new directors must verify their identity before being appointed to an existing company or incorporating a new one. Existing directors must verify their identity before the company makes its first confirmation statement after 18 November 2025 – so some might have had a day while others will have nearly a year. A person who is a director of more than one company must provide the personal code they will be given and a verification statement for every relevant company.
PSCs meanwhile will have 14 days after being registered to confirm their identity, while those who were already PSCs at 18 November had a transition period which broadly means completing the process and inputting the code within 14 days of the start of their birth month.
Those who are both directors and PSCs need to provide their codes for each role.
Slow burn on AML changes – but a new supervisor for some
2025 maybe hasn't brought the changes we expected to the AML regime. HM Treasury had consulted back in 2024 on changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) to make the regime more proportionate and effective.
In July, the Government confirmed that it would be making some changes, in particular to:
- Clarify when enhanced due diligence is required, and in particular to give more flexibility to firms dealing with customers or transactions linked to high risk third countries
- Require supervisors to update their guidance to clarify key terms as they apply to the specific sector, such as when a "business relationship" is established – in preference to updating the MLRs themselves
- Allow covered firms to offer pooled client accounts in a wider range of scenarios than currently
- Make it easier for some customers of insolvent banks to get new accounts quickly
- Align requirements for crypto-firms with the new FCA regulatory regime for these firms.
At the time, the Government said it hoped to put legislation before Parliament before the end of the year to achieve these changes. It duly published draft amending regulations on which it asked for comment by the end of September and at the time said it hoped to finalise the legislation early in 2026 with the changes to take effect 3 weeks later.
Meanwhile, it has confirmed that the FCA is to take over responsibility for AML supervision of all professional firms subject to the MLRs. This will include lawyers, accountants and trust and company service providers.
A consolidated sanctions list
2025 brought several changes and clarifications to the sanctions supervisory and enforcement regimes. Most importantly, a new single sanctions list is to take effect from 28 January 2026, and firms will need to have adapted their systems by then to ensure they use the data from the new UK Sanctions list rather than using identifiers based on the current OFSI Consolidated List.
Enforcement themes
Finally, enforcement themes seem stable, with a few high profile actions reported during the year.
From the FCA perspective, we saw fines on banks variously for:
- Failing to check the bank had enough information to understand the money laundering risk before opening an account – in this case the customer that sought to open a client money account did not have permission to hold client money
- Failing to manage the risks of providing banking services to a customer which was subsequently found to be a large money laundering operation
- Failing to implement and maintain proper risk assessments and processes after the bank's MLRO had left and the role was carried out by other senior managers on an interim basis – which led to the FCA imposing a requirement which the bank also breached.
We also saw the FCA take its eighth enforcement action for financial crime failings by trading firms in relation to cum-ex trading.
From the OFSI perspective, there was a report of a breach by a bank whose systems allowed a newly Designated Person to have full access to funds in their account for 8 days following the designation. OFSI had warned the bank, the day before designation, that one of its customers was to be designated, but various delays in the bank's processes meant the block was not applied quickly enough. OFSI did not consider the breach merited a penalty, instead just publishing a disclosure notice.
From the FTP perspective, we saw:
- An insurance broker being charged with failing to prevent overseas intermediaries from bribing foreign officials
- Reports of an accountancy firm becoming the first business charged under the failure to prevent facilitation of tax evasion offence.
Other changes
Among the other changes over the last year, we have seen:
- An increase in the threshold amounts under the Proceeds of Crime Act 2002, so that in specified cases firms can pay away up to £3,000 without needing a defence
- A new National Risk Assessment, significantly updated since its predecessor
- Several new reports from OFSI on sanctions typologies, and a consultation on changes to its enforcement process
- Updated FCA PEP guidance.
What will 2026 bring?
Looking forwards then, it doesn't look like there should be too many surprises in 2026. Mainly it will be a case of bedding in changes that are already in force but still in their infancy, or putting in place those we know are coming but which aren't yet in quite final form. As ever, financial crime plays a large part in the FCA's strategy, and its 5 year strategy to 2030 is no exception.
That apart, we will wait to see what effects the Leeds Reforms and the smarter regulation initiative may have on financial crime prevention. We will particularly await the final decision, and banks' reaction, to the FCA's proposal to remove the contactless payment limit, in favour of allowing choice in whether to set a limit at all and if so, what the limit should be.
And finally, AI will surely play an increasing role – both in greater use by firms to help detect financial crime and meet regulatory obligations, and by regulators in supervisory and deterrence-based activities. To date, many firms are successfully using it in their fraud prevention and compliance, and this is surely set to grow – but with increased use comes increased risks, which firms and regulators alike must be equipped to deal with.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.