New research has revealed that almost one in four financial services firms are in direct violation of ECCTA regulations, leaving them seriously vulnerable to the new ‘failure to prevent fraud’ offence, while nearly a third of firms are failing to do their due diligence with clients.
The findings are part of the ‘ECCTA Regulations Report‘ by compliance training provider Skillcast, which analysed over 37,000 data points from 2,000 private limited UK companies in ten sectors.
Transparency around Persons with Significant Control (PSC) was inconsistent across the financial services sector. Twenty-six per cent of firms named a company rather than a person as their PSC, while nearly four per cent reported no PSC at all. Two firms were also found to be registered to PO boxes, a practice discouraged under ECCTA as it can obscure corporate accountability.
The findings further revealed that 16 per cent of the financial firms analysed had overdue confirmation statements, while a further six per cent had failed to file accounts on time. This currently breaches core governance duties under the Economic Crime and Corporate Transparency Act (ECCTA), which carries serious penalty risks.
This concerning level of vulnerability and risk across financial firms comes ahead of the ECCTA’s enforcement of the new ‘failure to prevent fraud’ corporate offence on 1 September, which will hold entire organisations, operating in the UK, accountable for failing to implement rigorous anti-fraud measures.
Retaining risky practices
Many UK businesses still rely on gut instinct and goodwill over hard verification when choosing suppliers, partners and clients, according to separate research from digital verification platform Umazi.
In fact, according to the findings in its report, ‘Broken ID, Broken Growth: The UK’s Verification Chokehold‘, nearly 30 per cent of UK businesses admit they don’t request any documentation when engaging with a business that has a ‘recognised industry name’. Even more worryingly, 29 per cent of organisations say they knowingly accept the risk of working with entirely unverified businesses.
Despite growing concern over corporate identity theft, data breaches and fraud, over 20 per cent of businesses say they perform no due diligence at all – citing a lack of tools or knowledge to do so.
Umazi’s report also uncovers the persistence of outdated practices. Sixty-three per cent of businesses still feel comfortable emailing sensitive information to third parties, and 73 per cent say they trust the recipient to store that data securely.
In response, Umazi is calling on UK businesses to adopt a modern, digital-first approach to identity verification – one that protects against reputational risk, regulatory scrutiny, and financial harm.
Warning against fraud setbacks
Vivek Dodd, CEO at Skillcast, commented on the firm’s fraud findings: “The ECCTA places a clear legal obligation on large organisations to demonstrate they have reasonable procedures to prevent fraud, and that does not just mean having policies on paper.
“The findings from our ‘ECCTA Regulations Report’ should serve as a wake-up call for the financial services sector. With less than two months to go until the new ‘failure to prevent fraud’ corporate offence requirements are enforced, many companies are operating in high-risk conditions that leave organisations exposed to serious criminal liability.
“Without urgent action, these firms risk severe reputational damage and financial fallout, making strong governance, due diligence, and company-wide fraud prevention training business-critical.”
Cindy van Niekerk, CEO and Founder of Umazi, added: “Not every business mistake can be undone. When companies engage with unverified partners, the fallout isn’t just a bad deal or a temporary setback; it can lead to financial collapse, legal exposure, and in the worst cases, needless liquidation.
“We’ve seen it time and again: a fraudulent supplier, a fake corporate identity, a data breach that spirals out of control, and suddenly a business that was stable is gone. And yet, this is entirely preventable.”
“The tools exist. Digital verification is not a future concept – it’s here now. We don’t need more cautionary tales. We need a cultural shift where trust is earned through verification, not assumed through reputation. This isn’t something to fix later, it’s something to fix now.”
