The UK’s new Fraud Strategy is not just a tougher stance on criminals, it is a blueprint for pushing fraud prevention onto the infrastructure providers that may enable frauds to scale. For banks, the message is clear: reimbursement is no longer the end of the story, prevention is becoming a core market obligation.
Fraud has become too large for the UK’s law enforcement to handle alone. The Government’s Fraud Strategy 2026-2029 (the “Strategy”) describes fraud as the UK’s largest crime type, with an economic cost of at least £14.4bn in 2023-24. The Strategy commits over £250m from 2026-2029 and involves three pillars: Disrupt, Safeguard and Respond. For banks, the most important message sits beneath that structure: fraud prevention is moving upstream.

It is yet another compliance shift for a sector already expected to carry out diligence on customers, monitor and detect suspicious transactions, and provide reimbursements. The Strategy points to something even broader; the increasing expectation that banks have fraud controls embedded into product design, onboarding journeys, payment flows, authentication, account security, customer communications and mule detection. Reacting well after a fraud event will not be enough.

Go deeper with GlobalData

Data Insights

The gold standard of business intelligence.

Find out more

Access deeper industry intelligence

Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.

Find out more

From reimbursement to prevention

On the financial services sector, the Strategy is polite about the progress banks have made. It recognises the Retail Banking Fraud Charter of 2021, Confirmation of Payee, the Banking Protocol, and the mandatory reimbursement regime for eligible authorised push payment frauds (“APP Fraud”), which returned £173m to victims in its first year. But the same section makes clear that the current approach has not solved the problem. At least £629.3m was stolen in the first half of 2025 alone, including £371.8m of unauthorised fraud.

The Government is now asking why, despite these efforts, fraud continues to get through. A Home Office Call for Evidence on APP Fraud is due in 2026. The Financial Conduct Authority (“FCA”) is expected to consider good and poor practice in preventing APP Fraud and money mules. HM Treasury intends to repeal the existing Strong Customer Authentication technical standards, allowing the FCA to incorporate new standards geared towards a more agile, outcomes-focused approach.

This is the direction of travel for banking. The question will not only be whether a bank met a prescriptive, static, control, it will be whether its controls adapted as the fraud threat changed.

The rise of the “enabler” lens

One of the most commercially important themes in the Strategy is the pressure on businesses as potential fraud enablers, not just victims.

Banks sit in the middle of that picture; not merely victims of fraud losses or processors of disputed transactions. They are the infrastructure criminals need to monetise frauds – and conversely are also described in the Strategy as the last line of defence. That does not mean banks are responsible for every fraud. What it does mean is they will face growing pressure to prove that their systems are not easy to exploit.

The new corporate offence of failure to prevent fraud reinforces this wider direction.

For bank boards, the takeaway is simple. They will increasingly be judged on designing agile and adaptable anti-fraud controls for an ever-changing fraud landscape. That is a higher bar than having a competent fraud response team.

What banks should do next

The temptation is to read the Strategy as a list of future consultations and regulatory developments to be considered at a later stage. However, banks should really treat it as a signal of where regulatory and political expectations are heading and consider what actions may need to be taken to meet such expectations.

As the Strategy calls out, defensive measures rarely stop criminals for long. New controls sparks innovation, and criminals continue to look for ways to undermine future countermeasures. The sector will need stronger authentication, better KYC and customer due diligence, more effective mule detection, more intelligent payment warnings, better use of behavioural signals and a clearer view of how fraud moves across channels – all of which need to be adaptable, with standards still to be confirmed. This is no mean feat.

At this juncture, without further guidance or regulatory development, banks should consider, at least, the following practical steps:

  • First, map the fraud journey from first contact to cash-out. That means understanding where customers are being defrauded before they enter the bank’s environment, where payment controls are weak, where warnings are ignored, where mule accounts enter the system, and where recovery fails. The point is not adding friction everywhere, it is to place friction where it has the best chance of stopping harm, and moving that friction when the threat evolves.
  • Secondly, strengthen authentication and identity controls without stifling legitimate banking. The Strategy focuses on passkeys, digital verification services and outcomes-based authentication, and the proposal of new standards (TBC). Banks should consider moving away from current standards of static and physical biometrics (like one-time password or facial recognition – for the ‘something they have and are’ tests), and instead embrace dynamic and behavioural biometrics as a compliant authentication factor.
  • Thirdly, ensure the controls are properly documented, tested and legally assured. As expectations become more outcomes-focused, banks will need to show how controls operate, are tested, and adapt to new technologies, plus how board-level oversight operates. This is where legal assurance becomes critical: banks will need to show not only that fraud controls exist, but that they can be explained, challenged, evidenced and defended.

Ultimately, the direction of travel is clear the UK Government’s Fraud Strategy 2026-2029 is seeking to move fraud prevention upstream, across an array of sectors and it is no longer just a law enforcement issue. For banks, there is a legitimate question as to whether this allocation of responsibility is fair, particularly given the already significant regulatory, operational and financial burden borne by banks in this space. However, regardless of that debate, the practical burden, is real: banks are being asked to move from reactive to proactive compliance across the full customer lifecycle. Meeting that expectation will require major investment. Ultimately, banks that treat the Strategy as an early signal and act now, rather than waiting for formal regulatory development, will be better placed to meet the standards that are coming and to protect both their customers and their own position.

Josie Welland, Senior Managing Associate, Sidley