The Deep Brief · SmartHub · Apr 29, 2026 · 9 min read

How UK Gambling Operators Must Respond to the 'Failure to Prevent Fraud' Law

Under the UK's Economic Crime Act, gambling operators face corporate liability for failing to prevent fraud. Here's what the law requires and how to comply.

Shawn-Marc Melo
Founder & CEO at deepidv

The Economic Crime and Corporate Transparency Act 2023 introduced a provision that should have every gambling operator's compliance team on alert: the "failure to prevent fraud" offense. For the first time in UK law, large organizations can face criminal prosecution not for committing fraud, but for failing to prevent it.

This is not a regulatory fine. It is a criminal offense. A gambling operator that fails to implement adequate fraud prevention measures — and fraud occurs as a result — faces corporate criminal liability regardless of whether any individual within the organization intended the fraud or was aware of it. The only defense is proving that the organization had "reasonable procedures" in place to prevent fraud.

For an industry already under intense scrutiny from the UK Gambling Commission, this law adds a layer of liability that demands specific, documented, and demonstrable fraud prevention infrastructure.

What the Law Actually Says

The Offense

Section 199 of the Economic Crime and Corporate Transparency Act 2023 creates a new offense: failure to prevent fraud. The offense applies when a person associated with an organization commits a fraud offense, the fraud is intended to benefit the organization or any person to whom services are provided on behalf of the organization, and the organization did not have reasonable procedures in place to prevent the fraud.

"Associated persons" includes employees, agents, subsidiaries, and any person who performs services for or on behalf of the organization. This is deliberately broad — it covers not just direct employees but contractors, technology providers, and business partners acting in the organization's interest.

Who It Applies To

The offense applies to "large organizations" meeting at least two of three criteria: more than 250 employees, more than £36 million turnover, or more than £18 million total assets. Most licensed UK gambling operators of any significant scale meet these thresholds.

Organizations that do not meet the size threshold are not exempt from fraud liability — they simply are not subject to this specific offense. Smaller operators remain liable under existing fraud legislation and UKGC license conditions.

The "Reasonable Procedures" Defense

The only defense against a failure to prevent fraud charge is demonstrating that the organization had "reasonable procedures" in place to prevent the type of fraud that occurred. The government has published guidance on what constitutes reasonable procedures, organized around six principles.

Top-Level Commitment. The board and senior management must demonstrate genuine commitment to fraud prevention — not just policy documents, but active oversight, resource allocation, and accountability. Board minutes should reflect regular discussion of fraud risk. Senior management compensation should not incentivize behaviors that increase fraud exposure.

Risk Assessment. The organization must conduct and maintain a documented fraud risk assessment that identifies the specific fraud risks relevant to its operations. For gambling operators, this includes multi-accounting and bonus abuse, match-fixing and insider betting, money laundering through gambling accounts, identity fraud and synthetic identity creation, payment fraud and chargeback abuse, and employee fraud and collusion.

Proportionate Procedures. Prevention measures must be proportionate to the identified risks. This does not mean implementing every possible control — it means matching the investment in prevention to the severity and likelihood of each risk. A high-volume sports betting platform faces different risks than a small online casino, and the procedures should reflect that difference.

Due Diligence. The organization must conduct due diligence on persons associated with it — employees, agents, and business partners — to assess their fraud risk. For gambling operators, this extends to KYC providers, payment processors, affiliate marketers, and any third party involved in customer-facing operations.

Communication and Training. Fraud prevention policies must be communicated to all associated persons, and training must be provided that is appropriate to each person's role and risk exposure. Front-line customer service agents need different training than compliance officers, who need different training than marketing teams managing affiliate programs.

Monitoring and Review. Procedures must be monitored for effectiveness and reviewed regularly. Static policies that were written once and never updated do not constitute reasonable procedures. The organization must demonstrate continuous improvement — identifying gaps, implementing fixes, and verifying that fixes work.

How This Intersects with UKGC Requirements

The failure to prevent fraud offense does not replace existing UKGC compliance obligations — it adds a criminal liability layer on top of them. Operators must continue to comply with the Gambling Act 2005, UKGC Licence Conditions and Codes of Practice, AML regulations under the Money Laundering Regulations 2017, and the UKGC's own guidance on fraud prevention and customer verification.

The practical effect is that fraud prevention measures now serve double duty: they satisfy UKGC license conditions (failure to comply risks license revocation) and they constitute the "reasonable procedures" defense against criminal prosecution (failure to implement risks criminal liability).

This creates a compliance floor that is higher than either regime alone would establish. An operator might satisfy the UKGC's minimum requirements while still falling short of what a court would consider "reasonable procedures" for the criminal offense — or vice versa.

The Verification Connection

Identity verification is the foundation of fraud prevention in gambling. Multi-accounting requires creating multiple identities. Money laundering requires obscuring the identity of the funds' owner. Bonus abuse requires exploiting the same identity across multiple accounts. Match-fixing coordination often involves accounts registered under false or synthetic identities.

A verification system that catches synthetic identities at registration, prevents multi-accounting through biometric deduplication, detects deepfake-assisted identity fraud, and maintains continuous monitoring of verified identities addresses the most common fraud vectors — and provides documented evidence of "reasonable procedures."

The documentation component is critical. It is not enough to have verification in place — the operator must be able to demonstrate to a court that the verification system was appropriate for the identified risks, was properly implemented, was monitored for effectiveness, and was updated as threats evolved. Audit logs, detection rates, false positive analysis, and system improvement records all contribute to the reasonable procedures defense.

What Operators Must Do Now

Immediate Actions

Conduct a fraud risk assessment specific to your operations. Document the fraud types relevant to your platform, assess the likelihood and impact of each, and map your existing controls against each risk. Identify gaps.

Review your identity verification infrastructure. Does it catch synthetic identities? Does it prevent multi-accounting through biometric deduplication? Does it detect deepfake-assisted fraud? Does it maintain continuous monitoring after onboarding? If the answer to any of these is no, you have an identified gap.

Ensure board-level visibility. The "top-level commitment" principle requires that fraud prevention is a board agenda item — not delegated entirely to the compliance team. Board minutes should reflect discussion of fraud risk, prevention measures, and investment decisions.

Ongoing Requirements

Train all associated persons — employees, agents, affiliates, and third-party service providers — on fraud prevention policies and their role in maintaining them. Document the training and refresh it annually.

Monitor your prevention measures for effectiveness. Track detection rates, false positive volumes, fraud losses, and incident response times. Use these metrics to identify where procedures are working and where they need improvement.

Review and update your risk assessment at least annually — or more frequently when the threat landscape changes. The emergence of AI-powered fraud agents, voice cloning, and deepfake-assisted identity creation all represent changes that should trigger a risk assessment update.

UK Gambling Fraud Law FAQ

What is the "failure to prevent fraud" offense?
A criminal offense under the Economic Crime and Corporate Transparency Act 2023 where large organizations face prosecution for failing to implement reasonable procedures to prevent fraud committed by associated persons — even if the organization did not intend or know about the fraud.

Which gambling operators does this law apply to?
Organizations meeting at least two of three criteria: more than 250 employees, more than £36 million turnover, or more than £18 million total assets. Most licensed UK gambling operators of significant scale qualify.

What is the "reasonable procedures" defense?
The only defense against the offense is proving the organization had reasonable fraud prevention procedures in place, assessed against six principles: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring and review.

How does this interact with UKGC license conditions?
The offense adds criminal liability on top of existing UKGC regulatory obligations. Operators must satisfy both regimes, which together establish a compliance floor higher than either alone.

What verification measures support the reasonable procedures defense?
Biometric deduplication (preventing multi-accounting), deepfake detection (catching synthetic identity fraud), continuous monitoring (detecting behavioral anomalies post-onboarding), and comprehensive audit logging (documenting that procedures were implemented and maintained).