The Economic Crime and Corporate Transparency Act (‘ECCTA’) was enacted in October 2023, but discrete sections continue to come into force including the introduction of new statutory offences.

From 1 September 2025 it will be an offence under the Act for an organisation to fail to prevent fraud.

There has already been significant commentary as to the scope and extent of this new offence, but what measures can businesses take now to ensure that they are compliant in time for the looming commencement date?

The offence

Section 199 of The EECTA imposes criminal liability on qualifying organisations in circumstances where an employee, agent, subsidiary, or other ‘associated person’ commits a fraud intending to benefit the organisation and where the organisation did not have reasonable fraud prevention procedures in place.

In addition, the offence also applies where a fraud is committed with the intention of benefitting a client of the organisation. There is no requirement for directors or senior managers to know about the fraud for liability to attach.

This new offence sits alongside existing legislation criminalising individual involvement in fraudulent activity.

Although the offence strictly only applies to ‘large’ organisations – being those that satisfy at least two of the following three conditions – it would be prudent for all companies to ensure that they are achieving best practise in their activities. The qualifying criteria are:

• Annual turnover of more than £36 million;
• Balance sheet total of more than £18 million; and/ or
• More than 250 employees.

What can businesses do to prepare?

It is anticipated (and hoped) that those companies which fall into the above definition will already have addressed their mind to the measures which can be taken within their own operations to achieve compliance.

To help with this exercise the government has published guidance as to what companies may want to consider when implementing reasonable fraud prevention procedures. It is suggested that organisations should be guided by the following six principles:

• top level commitment;
• risk assessment;
• proportionate risk-based prevention procedures;
• due diligence;
• communication (including training); and
• monitoring and review.

Best practice

The format and implementation of each of the above suggestions will vary between organisations, and it is probably impossible to be prescriptive as to the measures which should be taken given that these will be influenced by operational sector, extent of operations and exposure to potentially fraudulent activity.

This is reflected within the EECTA itself, which provides a ‘reasonable procedures’ defence in terms that large organisations will not be guilty of the offence if they can demonstrate that they had reasonable procedures in place at the time the fraud was committed.

The guidance available explains that, when considering risk-reduction measures, businesses should be outcome focussed and concentrate on what will work for them specifically.

How might these principles operate in practice?

1. Corporate commitment

Section 199 imposes liability on corporate undertakings and, as with other aspects of day-to-day compliance, such as health and safety and anti-bribery procedures, commitment to the aim trying to be achieved must come from the top. Culture flows down an organisation and senior individuals should work to generate and encourage a culture in which fraud is never acceptable, nor seen as an easy short-cut. Undoubtedly there will be businesses which do not have this mindset, and the provisions of the EECTA seek to identify those organisations to enable appropriate action to be taken.

Parallel with this commitment, there also needs be appropriate governance measures in place to ensure that the top-level commitment is communicated to all corners of the business and is understood by those affected. Companies may want to promote, if they are not already doing so, zero tolerance of underhand or questionable behaviour, including that which could be seen as fraudulent.

Hand-in-hand with the above goes clear and unambiguous communications to staff, and businesses should explain the measures being taken, the reasoning behind these and clearly stating the objectives to be achieved.

2. Identify areas of risk

Risk factors and areas of potential exposure will vary from business to business. What is recommended however is for all businesses, including those which are out of scope of the specific wording of s.199, to undertake a deep-dive to identify where they may be exposed to potentially fraudulent activity.

For example, this may include:

• risk to employees from third parties in the supply chain
• whether fraud is prevalent within the specific sector
• where within the organisation fraudulent activity is likely to take place
• what oversight is provided to those operating on the company’s behalf
• the extent to which the company’s fraud prevention measures have been, or will be, communicated to third party contractors and suppliers
• whether there are any particular pressures within/ outside of the business which may encourage staff to cut corners or seek ‘easy wins’.

3. Preventative measures

Whilst it may not be possible, nor practical, for businesses to prepare a prevention process for every conceivable instance or occurrence, as a minimum there should be a documented procedure in place to identify risks and implement appropriate control measures.

Any measures taken must be proportionate to and effective at preventing fraud. It is unlikely to be sufficient for a business to rely upon the fact that it is regulated or compliant with requirements imposed by other regulations and therefore is automatically compliant with the EECTA. Section 199 requires organisations to examine all their processes and consider whether there is more that can be reasonably done to prevent fraud.

4. Due diligence

Appropriate checks and assurance procedures relating to third parties are already likely to be in place for many of the organisations which will be caught by section 199. However, on their own, these procedures may not be sufficient to discharge the new duty and companies must consider whether there is more that can be done.

For example, it may be appropriate to expand the onboarding checks undertaken when engaging with a new agent or contractor, to include consideration of their fraud prevention measures. Likewise, it may be necessary in certain instances to incorporate into contracts the third party’s agreement to abide by the company’s fraud prevention measures. It would also be helpful to identify those individuals within the business who may be customer-facing and therefore directly exposed to possibly fraudulent activity.

5. Training

Following-on from the above, staff need to be aware of the risk of fraud that they may be exposed to, to ask appropriate questions and recognise the indicators of fraudulent activity. Any fraud prevention measures and procedures introduced by a business will only be effective if they are understood and implemented by staff.

This may require training, refreshed as necessary, to ensure that staff are aware of their responsibilities. It would be prudent to document and record any training delivered, should the company’s procedures be queried down the line.

Equally, staff should be encouraged to bring the company’s attention to questionable activity without fear of reprisal or prejudice. Appropriate safeguards should be in place to respond to any such whistleblowing concerns as may be received.

6. Ongoing monitoring

Fraud prevention procedures are not a tick box exercise and their effectiveness and continued appropriateness should be reviewed on a regular and ongoing basis. Where suspicions of fraud arise, these should be robustly investigated, with necessary actions being taken. Where appropriate and/ or required, revisions to procedures should be implemented to prevent a recurrence.

It remains to be seen how the reasonable procedures defence will operate in practice, but where organisations are on notice of a possible risk, steps should be taken to address and/ or remedy this. What is likely to aggravate any offending under the EECTA is where a company was aware of a risk but did nothing in response.

Conclusion

The EECTA will introduce the new offence of failure to prevent fraud from 1 September 2025.

Section199 does not however represent a sea-change from what many will have considered for a long time to be good businesses practices. In addition, the process of risk assessment and implementation of reasonable control measures mirrors other day-to-day compliance obligations which, in some instances, have already been in operation for decades. Whilst new, s.199 is unlikely to come as a surprise to businesses with the exception of those which it is intended to target.

Undoubtedly there will be a period of acclimatisation as companies, regulators and the courts become familiar with its practical application. That being said, there remains time for businesses to review their processes and procedures, to address any shortfalls and ensure that they are compliant across the entirety of their operations.

The impact of the coronavirus pandemic has been complex and far-reaching. No facet of business, or society, has escaped the effects of COVID-19 and serious questions have been asked of both employers and employees. 

While the issue of fraud – and more specifically employee fraud – has been on the radar for many years, the unique challenges posed by the pandemic have brought the problem under the spotlight in recent months. 

Whether it’s payment fraud, procurement fraud, personnel management, travel or subsistence fraud, exploiting assets and information, or receipt fraud, cases of employee fraud are common. According to Action Fraud, nearly 1 in 5 small businesses have been defrauded by an employee at some point during their trading history, causing significant loss and damage. Unsurprisingly, recent figures from NatWest show that UK businesses have been hit by fraud at a cost of £190 million a year, with 40% being caused by internal employees.

Despite a general perception around the issue, fraud isn’t always the product of malicious intent. Quite often, it materialises from despair, a lack of ability, or even inexperience. With many employees working remotely, and feeling disconnected from the structure and security of the workplace, it’s little wonder the problem of employee fraud has come under the spotlight. 

Times of economic uncertainty or economic boom, as evidenced before and as a result of the 2008 financial crash, often lead to an increase in fraud. Circumstances created by the pandemic – homeworking, job insecurity and financial hardship, and availability of financial support from the Government – all create an environment in which workplace fraud can increase.

Pre-pandemic, the fear of the boss “looking over the shoulder” could be a key factor in limiting employee wrongdoing and minimising the risk of employees falling victim to fraud from third-parties. However, the pandemic has forced employers to rely to a greater extent on its internal policies and procedures, as well a trusting its employees to do the right thing.

 To minimise the risk of fraud by employees, employers should consider:

• Reviewing and (as appropriate) improving their internal policies and practices, so that employees understand what is and is not acceptable in the workplace.
• Ensure their IT security is fit for purpose now that many employees are working from home and will continue to do so long term.
• Deal with concerns promptly and proactively before they escalate. This approach can help maintain high standards within the workplace and promptly deal with issues before they get out of hand.
• Implement mandatory periods of annual leave, job rotation and other similar measures to protect against employee fraud.
• Review the financial incentives provided by the employer and consider whether they could in fact encourage employee wrongdoing.
• Ensure employees receive adequate training on the employer’s systems and their obligations under the likes of the Bribery Act 2010.
• Work on creating a culture in which employees feel they can talk to their employer about concerns, such as financial worries. If the employer does not have one it could look at implementing an employee assistance programme.

 To minimise the risk of employees’ actions resulting in fraud by others:

• Make sure employees know that they can speak to their manager if they have concerns or are worried about anything.
• Ensure employees receive adequate training and support.
• Educate employees on the risk of fraud and how fraudsters may target them individually or the employer’s business. 

Whilst a determined and sophisticated fraudster will always find a way, most workplace fraud (committed by or against employees) is often opportunistic and possibly due to lapses in oversight, poor management, or simple human or technology error. Taking a risk-based approach to identifying the greatest areas of risk within a business can help an employer effectively review, monitor, and minimise risk and to put in place the appropriate systems and defences to protect against internal fraud.

 If you would like to discuss the topic of employee fraud, contact employment director, Michael McNally, on 07736617394 or email Michael.McNally@pannonecorporate-com.stackstaging.com