The expanding failure-to-prevent model

The failure-to-prevent model has become the default global framework for enforcing corporate accountability for economic crime.

Many organisations have not kept pace. What began as a single provision in the UK Bribery Act 2010 is now expanding rapidly across jurisdictions, reshaping corporate liability and the standard regulators expect of compliance and risk management.

Where it started

The story begins with the UK Bribery Act 2010. Section 7 created a corporate offence of failing to prevent bribery by an associated person. If bribery occurred, the organisation would be liable unless it could show that it had adequate procedures in place to prevent it.

That marked a significant shift. Historically, prosecuting a company for many economic crimes required proof that the offence had been committed by the organisation's directing mind and will — typically a very senior individual. The Bribery Act changed the focus: organisations had to evidence prevention, not just respond to incidents.

The statutory defence is underpinned by six principles: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring and review. Those principles have since become the blueprint for comparable regimes across jurisdictions.

The model expands

The Bribery Act was the starting point. Since then, variants of the model have been adopted across a widening range of offences.

In the UK, the Criminal Finances Act 2017 extended the failure-to-prevent approach to the facilitation of tax evasion. The Economic Crime and Corporate Transparency Act 2023 extended it further to include fraud, with the offence coming into force on 1 September 2025 and carrying an unlimited fine on conviction.

Australia introduced its own corporate offence of failing to prevent foreign bribery in 2024, closely modelled on the UK approach. Australia is also extending its AML/CTF regime, bringing lawyers, accountants, and real estate agents into the regulated population for the first time from 1 July 2026.

Singapore has lowered the evidentiary threshold for certain money laundering prosecutions. In some cases, prosecutors no longer need to prove a complete chain of evidence linking specific criminal conduct to the funds in question.

Across the EU, the Anti-Money Laundering Authority began operations on 1 July 2025, centralising aspects of AML supervision and reinforcing the shift towards measuring effectiveness rather than mere technical compliance.

The pattern is consistent. Regulators are widening the scope, raising the bar for what good looks like, and increasingly holding individuals and organisations to account.

The long arm of the law

A defining feature of this new generation of offences is their reach. Many regimes have an extraterritorial effect. Where victims are located, where funds flow, and where associated persons operate may all be sufficient to bring an organisation within scope, regardless of where it is incorporated.

FATF, whose standards underpin AML legislation in over 200 jurisdictions, concluded its February 2026 Plenary with a clear message: regulators are no longer satisfied that a policy exists. They want evidence that it operates effectively in practice.

Enforcement data reflects that direction. Regulatory penalties for AML, KYC, sanctions and customer due diligence failures totalled US$1.23 billion in the first half of 2025, a 417% increase on the first half of 2024. Full-year figures show US$3.8 billion in 2025, down from US$4.6 billion in 2024, but the regional picture is stark. North American fines fell 58%. EMEA penalties rose 767%. APAC rose 44%. Enforcement is not easing. It is shifting.

Personal accountability is also increasing. Regulators in multiple jurisdictions are more willing to name and sanction individuals for compliance failures, not only the institutions they work for. For senior executives and compliance leaders, that materially changes the risk profile.

Some organisations struggle to see the value of compliance programmes. They can feel like cost centres, generating work without an obvious commercial return. That reaction is understandable. It is also incomplete.

AML, KYC, and enhanced due diligence exist not only to satisfy regulators, but to protect the people an organisation serves. Fraud costs victims real money. Money laundering enables serious crime. When an organisation builds robust controls, it is preventing harm, not just managing regulatory risk.

Compliance programmes also create a practical opportunity that many organisations miss. Designing controls for KYC, enhanced due diligence, or transaction monitoring often forces a hard look at core processes. In many firms, those processes have evolved over the years into something manual, inconsistent, and hard to audit. A programme that uses regulation as a catalyst to redesign those processes properly will come out the other side with something genuinely better — not just compliant, but more efficient and more defensible.

Building compliance that lasts

The legislative pattern of the last fifteen years tells us that the failure-to-prevent model is not going away. The question is not whether organisations will need to comply with the next iteration. It is whether they will be ready when it arrives.

Organisations that handle this well build on principles rather than rules. Rules change. Principles endure. The underlying expectations are broadly consistent across the board: top-level commitment, risk assessment, proportionate controls, due diligence, communication, and monitoring. Organisations that genuinely embed those elements do not start from scratch each time a new obligation arrives; they adapt what already works.

That means designing KYC and enhanced due diligence processes with regulatory change in mind from the outset. Automating where it reduces errors and improves consistency. Building monitoring and review into day-to-day operations rather than annual exercises. And ensuring the framework is owned by senior leadership and understood across the business.

Controls embedded in systems and workflows from the outset are more consistent, more auditable, and cheaper to maintain. That is not just good compliance. It is good business.