The Economic Crime and Corporate Transparency Act (‘ECCTA’) was enacted in October 2023, but discrete sections continue to come into force including the introduction of new statutory offences.
From 1 September 2025 it will be an offence under the Act for an organisation to fail to prevent fraud.
There has already been significant commentary as to the scope and extent of this new offence, but what measures can businesses take now to ensure that they are compliant in time for the looming commencement date?
The offence
Section 199 of the ECCTA imposes criminal liability on qualifying organisations in circumstances where an employee, agent, subsidiary, or other ‘associated person’ commits a fraud intending to benefit the organisation and where the organisation did not have reasonable fraud prevention procedures in place.
In addition, the offence also applies where a fraud is committed with the intention of benefitting a client of the organisation. There is no requirement for directors or senior managers to know about the fraud for liability to attach.
This new offence sits alongside existing legislation criminalising individual involvement in fraudulent activity.
Although the offence strictly only applies to ‘large’ organisations – being those that satisfy at least two of the following three conditions – it would be prudent for all companies to ensure that they are achieving best practice in their activities. The qualifying criteria are:
- Annual turnover of more than £36 million;
- Balance sheet total of more than £18 million; and/or
- More than 250 employees.
What can businesses do to prepare?
It is anticipated (and hoped) that those companies which fall into the above definition will already have addressed their mind to the measures which can be taken within their own operations to achieve compliance.
To help with this exercise the government has published guidance as to what companies may want to consider when implementing reasonable fraud prevention procedures. It is suggested that organisations should be guided by the following six principles:
- top level commitment;
- risk assessment;
- proportionate risk-based prevention procedures;
- due diligence;
- communication (including training); and
- monitoring and review.
Best practice
The format and implementation of each of the above suggestions will vary between organisations, and it is probably impossible to be prescriptive as to the measures which should be taken given that these will be influenced by operational sector, extent of operations and exposure to potentially fraudulent activity.
This is reflected within the ECCTA itself, which provides a ‘reasonable procedures’ defence in terms that large organisations will not be guilty of the offence if they can demonstrate that they had reasonable procedures in place at the time the fraud was committed.
The guidance available explains that, when considering risk-reduction measures, businesses should be outcome focussed and concentrate on what will work for them specifically.
How might these principles operate in practice?
- Corporate commitment
Section 199 imposes liability on corporate undertakings and, as with other aspects of day-to-day compliance, such as health and safety and anti-bribery procedures, commitment to the aim being pursued must come from the top. Culture flows down an organisation and senior individuals should work to generate and encourage a culture in which fraud is never acceptable, nor seen as an easy short-cut. Undoubtedly there will be businesses which do not have this mindset, and the provisions of the ECCTA seek to identify those organisations to enable appropriate action to be taken.
In parallel with this commitment, there also need to be appropriate governance measures in place to ensure that the top-level commitment is communicated to all corners of the business and is understood by those affected. Companies may want to promote, if they are not already doing so, zero tolerance of underhand or questionable behaviour, including that which could be seen as fraudulent.
Hand-in-hand with the above go clear and unambiguous communications to staff: businesses should explain the measures being taken and the reasoning behind these, and clearly state the objectives to be achieved.
- Identify areas of risk
Risk factors and areas of potential exposure will vary from business to business. What is recommended however is for all businesses, including those which are out of scope of the specific wording of s.199, to undertake a deep-dive to identify where they may be exposed to potentially fraudulent activity.
For example, this may include:
- risk to employees from third parties in the supply chain
- whether fraud is prevalent within the specific sector
- where within the organisation fraudulent activity is likely to take place
- what oversight is provided to those operating on the company’s behalf
- the extent to which the company’s fraud prevention measures have been, or will be, communicated to third party contractors and suppliers
- whether there are any particular pressures within or outside of the business which may encourage staff to cut corners or seek ‘easy wins’.
- Preventative measures
Whilst it may not be possible, nor practical, for businesses to prepare a prevention process for every conceivable instance or occurrence, as a minimum there should be a documented procedure in place to identify risks and implement appropriate control measures.
Any measures taken must be proportionate to and effective at preventing fraud. It is unlikely to be sufficient for a business to rely upon the fact that it is regulated or compliant with requirements imposed by other regulations and therefore is automatically compliant with the ECCTA. Section 199 requires organisations to examine all their processes and consider whether there is more that can be reasonably done to prevent fraud.
- Due diligence
Appropriate checks and assurance procedures relating to third parties are already likely to be in place for many of the organisations which will be caught by section 199. However, on their own, these procedures may not be sufficient to discharge the new duty and companies must consider whether there is more that can be done.
For example, it may be appropriate to expand the onboarding checks undertaken when engaging with a new agent or contractor, to include consideration of their fraud prevention measures. Likewise, it may be necessary in certain instances to incorporate into contracts the third party’s agreement to abide by the company’s fraud prevention measures. It would also be helpful to identify those individuals within the business who may be customer-facing and therefore directly exposed to possibly fraudulent activity.
- Training
Following on from the above, staff need to be aware of the risk of fraud that they may be exposed to, to ask appropriate questions and to recognise the indicators of fraudulent activity. Any fraud prevention measures and procedures introduced by a business will only be effective if they are understood and implemented by staff.
This may require training, refreshed as necessary, to ensure that staff are aware of their responsibilities. It would be prudent to document and record any training delivered, should the company’s procedures be queried down the line.
Equally, staff should be encouraged to bring questionable activity to the company’s attention without fear of reprisal or prejudice. Appropriate safeguards should be in place to respond to any such whistleblowing concerns as may be received.
- Ongoing monitoring
Fraud prevention procedures are not a tick-box exercise and their effectiveness and continued appropriateness should be reviewed on a regular and ongoing basis. Where suspicions of fraud arise, these should be robustly investigated, with necessary actions being taken. Where appropriate and/or required, revisions to procedures should be implemented to prevent a recurrence.
It remains to be seen how the reasonable procedures defence will operate in practice, but where organisations are on notice of a possible risk, steps should be taken to address and/or remedy this. What is likely to aggravate any offending under the ECCTA is where a company was aware of a risk but did nothing in response.
Conclusion
The ECCTA will introduce the new offence of failure to prevent fraud from 1 September 2025.
Section 199 does not, however, represent a sea-change from what many will have considered for a long time to be good business practices. In addition, the process of risk assessment and implementation of reasonable control measures mirrors other day-to-day compliance obligations which, in some instances, have already been in operation for decades. Whilst new, s.199 is unlikely to come as a surprise to businesses with the exception of those which it is intended to target.
Undoubtedly there will be a period of acclimatisation as companies, regulators and the courts become familiar with its practical application. That being said, there remains time for businesses to review their processes and procedures, to address any shortfalls and ensure that they are compliant across the entirety of their operations.