The UK’s new Fraud Strategy is not just a tougher stance on criminals, but a blueprint for pushing fraud prevention onto the infrastructure providers that may enable frauds to scale. For banks, the message is clear: reimbursement is no longer the end-game; prevention is becoming a core market obligation.
Fraud has become too significant for the UK’s law enforcement to handle alone. The Government’s Fraud Strategy 2026-2029 (the “Strategy”) categorises fraud as the UK’s biggest crime type, with an economic cost of at least £14.4bn in 2023-24. The Strategy commits over £250m from 2026-2029 and involves three pillars: Disrupt, Safeguard and Respond. For banks, the most important takeaway from this structure is that fraud prevention is moving upstream.
This marks another compliance shift for a sector already expected to carry out diligence on customers, monitor and detect suspicious transactions, and provide reimbursements. The Strategy suggests something even broader; the escalating expectation that banks have fraud controls embedded into product design, onboarding journeys, payment flows, authentication, account security, customer communications, and mule detection. Reacting well after a fraud event will not be sufficient.
From reimbursement to prevention
In the financial services sector, the Strategy acknowledges the progress banks have made. It recognises the Retail Banking Fraud Charter of 2021, Confirmation of Payee, the Banking Protocol, and the mandatory reimbursement regime for eligible authorised push payment frauds (“APP Fraud”), which returned £173m to victims in its first year. Despite this, the section emphasises that the current approach has not resolved the issue. At least £629.3m was stolen in the first half of 2025 alone, including £371.8m of unauthorised fraud.
The Government is now questioning why, despite these efforts, fraud continues to occur. A Home Office Call for Evidence on APP Fraud is due in 2026. The Financial Conduct Authority (“FCA”) is expected to consider good and poor practice in preventing APP Fraud and money mules. HM Treasury intends to repeal the existing Strong Customer Authentication technical standards, permitting the FCA to incorporate new standards geared towards a more agile, outcomes-focused approach.
The rise of the “enabler” lens
A crucial theme in the Strategy is the pressure on businesses as potential fraud enablers, not just victims. Banks are situated in the centre of this picture; not merely victims of fraud losses or processors of disputed transactions. They are the infrastructure criminals need to monetise frauds – and are also described in the Strategy as the last line of defence. This doesn’t mean banks are responsible for every fraud, but they will face growing pressure to prove that their systems are not easy to exploit.
The new corporate offence of failure to prevent fraud exemplifies this wider trend. For bank boards, the takeaway is simple. They will increasingly be judged on designing agile and adaptable anti-fraud controls for an ever-changing fraud landscape. This is a higher bar than having a competent fraud response team.
What banks should do next
While it’s tempting to see the Strategy as a list of future consultations and regulatory developments to be considered at a later stage, banks should treat it as a signal of where regulatory and political expectations are heading, and consider what actions they need to take to meet these expectations.
The Strategy notes that defensive measures rarely deter criminals for long. New controls spark innovation, and criminals continue to look for ways to undermine future countermeasures. The sector will need stronger authentication, better Know Your Customer (KYC) and customer due diligence, more effective mule detection, more intelligent payment warnings, better use of behavioural signals and a clearer view of how fraud moves across channels. Importantly, these measures need to be adaptable and conform to yet-to-be-confirmed standards. This is no mean feat.
At this juncture, banks should consider the following practical steps:
- First, map the fraud journey from first contact to cash-out. This involves understanding where customers are defrauded before they enter the bank’s environment, where payment controls are weak, where warnings are ignored, where mule accounts enter the system, and where recovery fails. The point is not adding friction everywhere, it is to place friction where it has the best chance of stopping harm, and moving that friction when the threat evolves.
- Secondly, strengthen authentication and identity controls without stifling legitimate banking. The Strategy focuses on passkeys, digital verification services and outcomes-based authentication, and the proposal of new standards. Banks should consider moving away from current standards of static and physical biometrics (like one-time password or facial recognition – for the ‘something they have and are’ tests), and instead embrace dynamic and behavioural biometrics as a compliant authentication factor.
- Thirdly, ensure the controls are properly documented, tested and legally assured. As expectations become more outcomes-focused, banks will need to show how controls operate, are tested, and adapt to new technologies, plus how board-level oversight operates. Legal assurance becomes critical here: banks will need to demonstrate not only that fraud controls exist, but that they can be explained, challenged, evidenced and defended.
Ultimately, the direction of travel is clear: the UK Government’s Fraud Strategy 2026-2029 is seeking to move fraud prevention upstream, across an array of sectors. It is no longer just a law enforcement issue. For banks, there is a legitimate question as to whether this allocation of responsibility is fair, particularly given the already significant regulatory, operational and financial burden borne by banks in this space. Regardless of that debate, the practical burden is real: banks are being asked to move from reactive to proactive compliance across the full customer lifecycle. Meeting that expectation will require major investment. Banks that treat the Strategy as an early signal and act now, rather than waiting for formal regulatory development, will be better placed to meet the standards that are coming and to protect both their customers and their own position.
Josie Welland, Senior Managing Associate, Sidley
Source: Here
