What Counts as “Reasonable Procedures”?
This is the million-dollar question. The legislation doesn’t exactly spell out what makes up adequate procedures. That's where the forthcoming government guidance comes in.
We can look to the Bribery Act 2010 for clues. The adequate procedures defence typically involves:
Risk Assessment: Organisations must conduct thorough assessments of their fraud risks. This isn't a one-and-done exercise – it needs to be ongoing and comprehensive.
Proportionate Procedures: The procedures you implement should match the level of risk your organisation faces. A small consultancy firm doesn't need the same anti-fraud measures as a multinational investment bank.
Top-Level Commitment: Senior management must show genuine commitment to fraud prevention. This means more than just signing off on a policy – it requires active leadership and resource allocation.
Due Diligence: Organisations need robust due diligence procedures for employees, business partners, and third parties. If you're working with external suppliers or agents, you'd better know who they are and what they're doing.
Communication and Training: Your anti-fraud procedures are worthless if nobody knows about them. Regular training and clear communication are essential.
Monitoring and Review: Finally, you need systems to monitor compliance and regularly review your procedures. The fraud landscape evolves, and your defences need to evolve too.
Two Key Examples
Let's look at how ECCTA might play out in practice with two detailed examples:
Example 1: The Procurement Fraud
MegaCorp, a large manufacturing company, employs James as a procurement manager. James has been secretly inflating supplier invoices and pocketing the difference through a shell company he controls. The fraud goes undetected for two years, costing MegaCorp £500,000.
Under ECCTA, MegaCorp could face criminal charges because:
- James is associated with the organisation
- The fraud was intended to benefit MegaCorp (through the inflated invoices appearing as legitimate business expenses)
- MegaCorp failed to prevent the fraud
MegaCorp's only defence would be proving they had adequate procedures in place. This might include regular audits of supplier invoices, segregation of duties in procurement, and mandatory training on fraud risks.
Example 2: The Sales Manipulation
Company XYZ Ltd employs Emma as a relationship manager. Under pressure to meet quarterly targets, Emma creates fictitious client accounts and generates fake transactions to inflate her performance metrics. This fraud makes it appear that her division is more profitable than it actually is.
Even though Emma's fraud doesn't directly steal money from the company, ECCTA could still apply because:
- The fake performance metrics benefit the organisation by presenting a false picture of success
- Emma's actions could influence business decisions, investor confidence, and regulatory reporting
- You guessed it: the organisation failed to prevent the fraud
The company's defence would depend on whether it had adequate procedures such as regular account verification, transaction monitoring systems, and controls over performance reporting.
The Penalties: What's at Stake?
ECCTA doesn't mess around when it comes to penalties. Organisations found guilty of failing to prevent fraud face:
Unlimited fines – Yes, you read that right. There's no cap on the financial penalties courts can impose.
Serious reputational damage – Criminal convictions have a funny way of making headlines and scaring away customers and investors.
Regulatory consequences – Financial services firms could face additional penalties from the FCA or other regulatory bodies.
Director disqualification – In severe cases, directors might be banned from holding company positions.
The government is serious about making the penalties hurt enough to change corporate behaviour.
Getting Ready for ECCTA: Practical Steps
So, how do you prepare for ECCTA compliance? Here's a quick roadmap to get you started:
Start with a fraud risk assessment. Map out where fraud could occur in your organisation. Consider internal fraud, external fraud, and fraud involving third parties.
Review your existing procedures. What anti-fraud measures do you already have? Are they adequate? Do they actually work?
Engage senior leadership. ECCTA compliance isn't a job for the compliance department alone. It requires board-level commitment and resources.
Train your people. Everyone in your organisation needs to understand fraud risks and how to report suspicious activity.
Implement monitoring systems. You need ways to detect fraud before it becomes a major problem.
Document everything. If you end up in court, you'll need evidence of your adequate procedures.
A Final Word and a Friendly Nudge
ECCTA represents a fundamental shift in how the law views corporate responsibility for fraud. Gone are the days when companies could claim ignorance about fraud committed by their employees or associates. The legislation sends a clear message: if you're a large organisation, fraud prevention is now a legal requirement, not a business best practice.
We now need to work together and prevent financial crime in the UK.
For finance and legal professionals, ECCTA compliance is about protecting your organisation's reputation, maintaining stakeholder trust, and ensuring long-term business sustainability.
The organisations that take ECCTA seriously and implement robust fraud prevention measures will have a competitive advantage. Those who don't may find themselves facing unlimited fines, criminal convictions, and irreparable reputational damage.
Understanding ECCTA is just the beginning. The real challenge lies in implementing effective compliance measures that will stand up to legal scrutiny. This requires specialised knowledge, practical experience, and a deep understanding of how the legislation applies to your specific industry and organisation.
Ready to master ECCTA compliance and protect your organisation from fraud-related criminal liability?
Don't leave your career and your company's future to chance.
Enrol in "Understanding the Failure to Prevent Fraud Offence" and gain the expert knowledge you need for ECCTA compliance. Take control of your professional future. Master ECCTA compliance today.
FAQ
Who is an associated person under ECCTA?
An associated person under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) is anyone who performs services for or on behalf of an organisation. This includes employees, agents, subsidiaries, contractors, and potentially even consultants or intermediaries. If they commit fraud that benefits the organisation, and the organisation lacks reasonable fraud prevention procedures, the company can be held liable, even if senior management was unaware.
What does this mean for the broader compliance landscape?
ECCTA doesn't exist in a vacuum. It's part of a broader trend toward holding corporations accountable for the actions of their employees and associates. Similar legislation exists in other jurisdictions, and the trend is clearly toward more, not less, corporate responsibility. For multinational organisations, this means juggling multiple compliance regimes with potentially conflicting requirements. The smart approach is to implement a global framework that meets the highest standards across all jurisdictions.
What is ECCTA compliance and the link with technology?
Modern fraud prevention increasingly relies on technology. Data analytics, artificial intelligence, and machine learning are becoming essential tools for detecting suspicious patterns and preventing fraud before it happens. However, technology alone isn't enough. ECCTA emphasises the importance of human oversight, proper governance, and organisational culture. In other words, the most sophisticated fraud detection system is useless if nobody acts on its alerts.