How UK law reforms and enforcement trends affect corporate crime risk in 2025

The Financial Conduct Authority (FCA) is focusing on reducing open investigations and enhancing data analytics for market monitoring. Financial crime, operational resilience, and customer treatment are priorities. The FCA emphasizes redress for harmed customers, often opting for restitution schemes.

Government guidance on the new corporate offence of failure to prevent fraud, effective September 2025, is driving many businesses to review and implement new procedures to prevent fraud that benefits the business or clients. A robust risk assessment is key.

Internal investigations are under scrutiny, and sectors such as banking, crypto, and internet platforms are targeted for enforcement. Cross-border cooperation remains a priority.

NGOs are using existing laws in novel ways to challenge supply chains that involve alleged human rights or environmental harms.

Investigations by UK authorities - trends and developments

SFO

There is a renewed focus at the UK Serious Fraud Office on:

• Progressing investigations more quickly: including using new technology and encouraging more whistleblowers. The director, Nick Ephgrave, is calling for whistleblowers to be rewarded, arguing that it will enable the SFO to focus in more quickly on key evidence. The average duration of an SFO investigation is 4.4 years¹, and it currently has 130 live cases. In 2024 the SFO’s new investigations related to an aircraft parts supplier, car leasing, care home investment and property development.
• Dawn raids: In the first three months of Nick Epghrave’s tenure at the SFO, it conducted more raids than in the previous two years. Businesses should check their dawn raid procedures are up to date and fit for purpose, and to check that policies and procedures reflect an up-to-date view of where and how the business holds its records, in particular its electronic evidence.

The SFO has not yet publicly taken advantage of the new rules on corporate attribution, which were introduced under the Economic Crime and Transparency Act 2003 (ECCTA) and came into force in December 2023, making it easier to bring corporate prosecutions. However, they have already taken advantage of new pre-investigation compulsory powers, granted in 2023, also under ECCTA. These new powers allow the SFO to compel interviews and documents in more types of investigation. Previously it could only do so in matters concerning alleged international bribery and corruption, but now the powers can be used for alleged fraud and domestic bribery and corruption.

On the horizon the SFO has promised refreshed guidance on corporate cooperation and self-reporting. And we are awaiting the outcome of a review into criminal disclosure rules, following the collapse of high-profile prosecutions due to disclosure failings by the prosecution.

Statements made this year suggest that delivering value to the British taxpayer is a priority. Whilst not explicit, and the SFO has been at pains to point out its continued cooperation with overseas prosecution agencies, this does suggest perhaps more focus on domestic cases where there has been loss caused in the UK, e.g. by fraud. The new pilot Domestic Corruption Unit may bolster the SFO’s efforts on corruption matters.

As part of efforts to enhance the NCA’s ability to co-ordinate the UK effort to fight serious and organised crime, the National Crime Agency (Directed Tasking) Order 2024 (SI 2024/629) came into effect in 2024. and enables the NCA to direct the Director of the SFO to conduct investigations into serious fraud. The NCA itself has been active in the corruption enforcement space. A report by two listed company executives, who had been asked to pay bribes to win work, led to the conviction of a Madagascan public official and a French co-defendant in 2024

The SFO regularly works with its overseas counterparts to achieve coordinated settlements with large multinationals.

The SFO’s Strategy for 2024-2029 highlights the depth and ambition of its international alliances, specifically referring to its strong relationship with the US Department of Justice, and its intention to use Criminal Overseas Production Orders (under the UK/US data access agreement) to obtain data directly from overseas service providers.

FCA

The UK’s FCA has powers to prosecute firms and individuals and indeed it is of note that the UK Government’s guidance on the failure to prevent fraud states that regulators, such as the FCA, may choose to prosecute the new failure to prevent fraud offence.

The change in leadership within the FCA’s Enforcement and Market Oversight Division in 2023 appears to have resulted in a change of strategy. In addition to consulting on controversial proposals to announce details of investigations into firms prior to an outcome having been reached, the FCA is focusing on reducing the number of open investigations and the time taken to investigate issues prior to opening-up settlement discussions. It has said it:

• wants to reduce the number of cases referred to its enforcement division;
• has raised the bar for opening an investigation; and
• has strengthened its pre-investigation process. 

The FCA has invested in its data teams to enable the FCA to better analyse data already available, e.g., data reported to it, or data collected through web-scraping, and for its data analytics capabilities for market monitoring and countering market abuse. The FCA’s ambition to be a data-led regulator has resulted in an increase in the number of targeted, proactive, data-led, information requirements being received by firms, often at short notice. These enable the FCA to conduct a deeper dive into areas where it perceives an increased risk of harm. There is an enforcement risk associated with responding to these requests and a firm’s response can lead to the FCA using its early intervention powers either because it is concerned about the data provided by a firm or because a firm has difficulty providing the data requested on a timely basis, or at all. It is also important to note that the offence of misleading the FCA or PRA by a ‘senior manager’² under s398 FSMA 2000 is listed as one of the offences under ECCTA that attracts corporate liability where a senior manager is acting within the scope of their authority.

Financial crime remains a priority area for investigations, as does operational and technological resilience. The FCA has also started to announce more prosecutions and enforcement outcomes relating to market conduct issues, including personal dealing, disclosure of market sensitive information and market abuse systems and controls.

AML law as a proxy claim for other abuses

Some UK authorities have come under pressure to use their powers to deter human rights abuses, with challenges often being grounded in UK money laundering laws. For example:

• in a judicial review, an NGO challenged the UK authorities’ decisions not to investigate (i) whether the import of cotton into the UK from particular regions where modern slavery was alleged to be a risk breached the Foreign Prison-Made Goods Act 1897 (FPMGA); and (ii) whether cotton goods with their origin in those regions could be criminal property under the UK Proceeds of Crime Act 2002 (POCA), and thus trading in them amounting to criminal conduct. A landmark ruling in May 2024 found that the decision by the UK National Crime Agency to refuse to investigate was based on an mistaken interpretation of key elements of the UK’s money laundering regime. The decision upended widely held views on how a key defence to money laundering ‘adequate consideration’ works, especially in the supply chain context.
• Similar arguments have been used to try and persuade the FCA not to allow the IPO in London of a fast fashion online retailer, again alleging forced labour in the supply chain. 

It is difficult to say at this stage to what extent challenges like this will gain traction with authorities. But even if it does not lead to a change in prosecutorial approach by these authorities, the claims are succeeding in achieving a lot of publicity for the claimants’ causes and are likely to have led to increased reports to the NCA. Scrutiny of increased climate related and sustainability disclosures, e.g., under the EU Corporate Sustainability Reporting Directive, by activists and claimant law firms will further fuel the potential for claims.

Shareholder claims piggybacking on enforcement action

Claims by institutional investors (or ‘securities claims’ as they are more commonly known in the U.S.) are piggy backing on financial crime enforcement. There are several civil claims against large companies that have already been the subject of criminal enforcement action. The claims allege, in summary, that the company misrepresented how it was doing business and as a result the investors suffered loss when the value of their shares reduced following financial crime enforcement. Some of these claims settled in 2023 so we have not yet seen one go to a full trial. There have been some interlocutory skirmishes concerning issues of reliance and privilege. The risk of follow-on litigation is one of the reasons why a company should take care about how it structures an internal investigation and manages document hygiene and privilege.

Significant law reforms impacting corporate criminal liability

Planning for the new corporate criminal offence of failure to prevent fraud, passed in October 2023, was a key theme in 2024:

• Delayed by the UK General Election, UK Government Guidance was finally issued in November on the new offence, meaning the clock has now started ticking towards the ‘in force’ date of 1 September 2025.  The new offence applies where a large business fails to prevent fraud by an associated party (which includes employees, subsidiaries, agents etc), where that fraud was committed with an intent to benefit the company or its clients/customers. It is a strict liability offence, with only one defence available – that of having reasonable procedures in place to prevent fraud.
• The new offence has very wide territorial reach. It applies to UK and non-UK companies, wherever they are located, even if all conduct is overseas, provided there are victims in the UK. The SFO, FCA, Pensions Regulator and private prosecutors can prosecute this new offence.
• Businesses have started getting ready for the new offence coming into force. Senior buy in and a good risk assessment are critical, part of which will be understanding how the many different types of fraud offences covered by the new ‘failure to prevent fraud’ offence could be committed in an organisation. Properly understanding the fraud offences, and how they apply extraterritorially, will be key to a robust risk assessment and reviewing/designing proportionate fraud prevention policies and procedures. 

The UK Government has stated it will introduce an Audit Reform and Corporate Governance Bill, part of which is likely to increase personal liability for a director for incorrect financial reporting. A new authority (ARGA – the Audit, Reporting and Governance Authority) will replace the Financial Reporting Council, with expanded powers to investigate and sanction directors for serious failures in relation to financial reporting and audit responsibilities. Similar plans were shelved under the previous Conservative Government.

Plans to extend the new senior manager test of attribution for corporate crime from just economic crimes to all crimes did not survive the General Election. The Labour Government may resurrect this.

The UK’s upcoming inspection by the Financial Action Taskforce (FAFT) may lead to some changes being made to the UK’s AML/CTF regime if any gaps are found to exist. The UK’s regime is based on the EU model, but there have been enhancements made, e.g., to enable easier information sharing between banks and reduce the need for suspicious activity reports in certain defined situations involving mixed clean/tainted funds in accounts and closing accounts.

Internal investigations

Regulators and law enforcement agencies in the UK have always been interested in how an internal investigation has been conducted, and how an organisation responds to findings. Interest has intensified in the wake of recent scandals, e.g., Post Office/Horizon where there had been repeated failings during internal investigations, including by in-house and external counsel, and senior officers. In 2024 the UK Solicitors’ Regulation Authority published guidance which highlights the importance of effective internal investigations, but also the risks that they present for in-house counsel, including breaching professional duties to act independently, to treat colleagues fairly and with respect, and to act in a way that upholds public trust and confidence in the profession. 

In the virtual and digital workplace, a notable trend is the increasing incidence of employees using their personal devices to surreptitiously record whistleblowing conversations, disciplinary meetings, and investigations. Often, managers, including those in senior positions, are less cautious about their remarks when unaware they are being recorded. What might be intended as a casual conversation can become highly detrimental when replayed during a grievance, at an employment tribunal, or on social media. Despite most company policies explicitly prohibiting covert recordings, this practice continues unabated.

Under UK employment law, covert recordings made by employees can be admissible in employment tribunals, especially if the recordings are relevant to the case and the employee had a legitimate reason for making them. However, the admissibility of such recordings is determined on a case-by-case basis, and tribunals may consider factors such as the context in which the recording was made and the employee's motive.

In-house lawyers must ensure that managers and senior executives are made aware of this growing trend and would be advised to "assume that all conversations are recorded". As well as ensuring that relevant policies are fit for purpose, training should include a section to ensure that employees are aware of the rules and the potential consequences of breaching them.

Sectors targeted in 2024

• Banking: Financial services continue to be a target of enforcement action, and this is likely to continue. One of the NCA’s strategic priorities is to combat money laundering, ‘corrupt elites’ and Serious Organised Crime Groups.³ This means that those who serve such individuals or entities or those associated with them run the risk of AML or sanctions enforcement. It is notable that one of the few financial crime related enforcements this year related to weaknesses in a challenger bank’s sanctions screening. In the Final Notice against the firm, the FCA highlights “the risk that criminals may be attracted to the faster onboarding process offered by challenger banks when compared to traditional high street banks.” The December 2020 National Risk Assessment of money laundering and terrorist financing also identified that where challenger banks promote the ability to open accounts very quickly to attract customers, there is a risk that their due diligence is insufficient to identify high risk customers. The 2020 assessment is the latest risk assessment reported - HMT and the Home Office are currently in the process of updating the national risk assessment. The UK financial sanctions enforcer, OFSI, signed a memorandum of understanding with its U.S. counterpart, OFAC, in January 2025 to encourage increased information sharing and coordination.
• Crypto: The misuse of crypto assets to move illicit finance is a focus area for UK authorities, who are working on a new strategy to address this challenge. The SFO was recently given new powers to seize, freeze and forfeit crypto assets.
• Internet platforms: The NCA also has online crime in its sights, acknowledging that it is a ‘critical enabler.’ Likewise, referring to the UK’s new Online Safety Act, a senior enforcement official at the UK’s communications regulator has said they are ready to drag uncooperative companies “kicking and screaming into compliance”. The Act contains a range of measures intended to improve online safety in the UK, including duties on platforms about having systems and processes in place to manage harmful content on their sites, including illegal content. The Act also introduces new criminal offences and creates Ofcom as the regulator for online safety, granting it new powers to impose fines and prosecute senior individuals for failures under the Act. In July 2024, Ofcom fined a social media platform for failing to provide accurate information about its parental controls following a formal request for information from the regulator. The fine was issued under the existing penalty regime, but soon Ofcom will have the power to bring criminal charges against companies and their senior managers for not complying with these types of requests.
• Auditors: High profile collapses of companies have led to investigations of auditors, and the highest total of financial penalties, due principally to the fine of an auditor relating to the Carillion collapse. The criticisms made of auditors during enforcement, e.g., relating to obtaining insufficient audit evidence and documentation, insufficient regard to ‘red flags’ of fraud, and other misconduct will no doubt be felt by companies being audited going forwards.

Predictions for 2025

• Many companies will be getting ready for the new failure to prevent fraud offence coming into force on 1 September, 2025 by conducting risk assessments and implementing updated or new fraud prevention policies and procedures. We have already been helping some clients on this, particularly on aiding understanding of how the different fraud offences could map onto their business.
• Climate change funding, e.g., carbon offsetting programs or low-carbon development or renewable energy, often involves dealing with governments, and therefore in some high-risk jurisdictions can present a higher corruption risk. It also has the potential to lead to concerns around potential misrepresentations in marketing/investment materials. We expect to see more companies adding ESG to financial crime risk screens  as fraud, bribery and corruption risks in carbon offset and other net zero related schemes are monitored. Many are already doing so.
• Corruption, sanctions evasion and illicit money flows go hand in hand. We expect to see increased enforcement relating to failure to have in place systems and control to counteract money laundering and sanctions evasion. The new UK trade sanctions enforcer “OTSI” (Office for Trade Sanctions Implementation) will be wanting to make an early impact.
• More companies are likely to have to conduct internal investigations focusing on ESG (environmental, social and governance) issues, e.g., into treatment of workers in their supply chains. Careful thought will need to be given to how these investigations are structured, bearing in mind the possibility  of follow-on civil claims or regulatory action. Claimant law firms and activists will continue to look for opportunities to challenge large businesses’ supply chains, by using existing laws in novel ways.
• A review of the rules on private prosecutions will report on  who and how a private prosecution should be brought. This follows criticism of the current process which contributed to the post office scandal. Businesses are sometimes the targets of private prosecutions, and we anticipate an increase in the number of private prosecutions once the failure to prevent fraud offence under ECCTA is in force.

Looking further ahead than 2025, we predict that greenwashing and ‘AI-washing’ may form the basis of prosecutions where there has been harm to the UK public, as investors or otherwise. If AI powered technology is involved with harm, we may see the criminal law develop to allocate responsibility for such harm, perhaps on a strict liability, ‘failure to prevent’ or other basis – this will be an area to keep an eye on.

Directory quotes

• “It has impressive people and does really impressive work.” — (Corporate Crime & Investigations, Chambers UK 2025)
• “The team is best in class; they provide pragmatic and high-quality legal advice and act as a true partner to our firm.” — (Financial Services Contentious, Legal 500 UK 2025)
• “A wrap around professional and personal service to all clients however big or small. The team is completely accessible and dispenses the most practical and pragmatic advice.” — (Fraud: White-Collar Crime, Legal 500 UK 2025)
• “A brilliant team of talented individuals with all round excellence. They are far sighted and practical.” — (Regulatory Investigations and Corporate Crime, Legal 500 UK 2025)
• “They are leaders in this field.” — (Regulatory Investigations and Corporate Crime, Legal 500 UK 2025)

Footnotes 

1. SFO Annual Report and Accounts 2023-2024

2. This is a reference to a ‘senior manager’ under the new test of corporate attribution in s196  ECCTA. This is different to the meaning of the term in the Senior Managers and Certification Regime

3. NCA Annual Report and Accounts 2023-2024

This article is part of the A&O Shearman Cross-Border White-Collar Crime and Investigations Review. Please click here for our overviews and insights in other jurisdictions.