Economic crime is growing – both in scale and complexity. Criminal networks are increasingly exploiting technologies like artificial intelligence (AI) and vulnerabilities in financial systems to commit crimes such as fraud.
The Economic Crime and Corporate Transparency Act (ECCTA) 2023 tackles the increased sophistication of fraud head-on by introducing a new corporate offence of "failure to prevent fraud", coming into force on 1 September 2025.
Under this regime, large UK companies can be held criminally liable if an “associated person” (employee, agent, subsidiary, or similar) commits fraud to benefit the organisation unless the company can demonstrate it had reasonable fraud prevention procedures in place.
ECCTA applies to large UK organisations, defined as those meeting at least two of the following three criteria:
- More than 250 employees
- More than £36 million turnover
- More than £18 million in total assets
Compliance and L&D teams will play a leading role in developing and implementing policies that enable their organisation to meet their new obligations.
Key takeaways:
- Six guiding principles. There are six related components of reasonable fraud prevention procedures.
- ECCTA readiness. Just 2% of firms say they’re completely ready for the regulations. Our experts explain what they can do to prepare.
- Culture and compliance. Organisations that build cultures based on communication, transparency and training are more likely to stay compliant.
Six guiding principles: What counts as “reasonable procedures” for fraud prevention under ECCTA?
There are six principles set out in Chapter 3 of the ECCTA guidance on what counts as “reasonable procedures” in fraud prevention.
1. Top level commitment
The board and senior management should visibly endorse the procedures, embedding anti-fraud responsibilities into governance. This includes allocating appropriate resources and training, as well as modelling ethical behaviour themselves. They also should foster an open culture where employees feel empowered to report suspicious activity, so fraud is neither accepted nor concealed at any level of the organisation.
2. Risk assessment
A dynamic risk assessment allows organisations to continually assess and document their exposure to fraud risks posed by employees, agents and other “associated persons”. This doesn’t need to be a separate process. Instead, organisations can extend their existing fraud and economic crime assessments to cover offences under the ECCTA.
Continuous fraud specific assessments help to identify key vulnerabilities – such as payment flows, customer onboarding and third-party intermediaries – and quantify the potential impact.
3. Proportionate, risk-based procedures
A dynamic risk assessment should form the basis of a fraud-prevention plan, with proportionate controls in place. These measures should be proportional to the likelihood and impact of each risk and how much control the organisation has over different associated persons (for example, employees versus outsourced contractors).
Organisations must clearly document decisions to scale back control and review them regularly. Existing compliance frameworks – such as financial reporting or health-and-safety processes – can help mitigate related fraud risks. But they must be specifically adapted to address fraud prevention to satisfy the “reasonable procedures” under ECCTA.
4. Due diligence
Organisations must perform checks on associated people, especially third parties and include contractual fraud-prevention clauses where necessary.
While many compliance teams already perform extensive checks for high-risk sectors or transactions, these checks must now be explicitly tailored to the ‘corporate failure to prevent fraud’ offence.
Relying on generic due diligence for other risks is insufficient – leaders need to clearly define and document fraud-focused vetting procedures to mitigate the relevant threats effectively.
5. Communication
Organisation-wide communication and ongoing training are key to a successful fraud prevention framework.
Senior and middle management should consistently communicate and promote a zero-tolerance policy – reinforcing it in internal and external messaging. This ensures that anyone delivering services understands the rules and consequences of fraud.
Fraud-specific training for employees and third parties helps them to spot the signs, raise concerns with their managers and follow whistleblowing procedures. By integrating fraud reminders into existing policies – such as sales targets – and sharing real investigation outcomes and sanctions, they’ll build better awareness and understand the impact of non-compliance.
6. Monitoring and review
Organisations need to continuously monitor and review their fraud detection and prevention procedures – learning from investigations, whistleblowing incidents and sector-wide developments. This will help to identify weaknesses and make targeted improvements. It also ensures controls evolve in line with emerging risks and best practices.
The expert view: How to prepare for ECCTA 2023
Ahead of ECCTA coming into force, we hosted a webinar for industry professionals to help them navigate the new rules.
The webinar, chaired by Scott Morris, Advisory Board Member at Skillcast, brought together Jim Bridges, Head of Risk & Compliance at Allsop LLP, and Martin Schofield, Group MLRO at Market Financial Solutions, to share their insights and advice.
A poll of attendees found that very few are fully ready for the new offence set out in the ECCTA, despite the deadline being just a few months away:
- 2% are completely ready
- 20% are partially ready (written and approved but not embedded)
- 60% say there’s more to do to be ready by the deadline
- 18% say there’s more to do and are concerned their firm won’t be ready
The biggest concern – highlighted by 69% of respondents – is creating and managing a fraud risk assessment, with just over half indicating they are struggling to define the firm’s agents, partners and associates.
During the webinar, attendees asked the experts a number of questions – which we’ve collated below to help you understand what ECCTA means for your business, and how you can prepare.
You can also watch the full recording and download the slides.
1. What are examples of proportionate prevention procedures under ECCTA?
The following are all examples of proportionate prevention procedures:
- Policies
- Fraud risk assessments
- Internal audit functions with fraud controls
- Whistleblowing mechanisms
- Due diligence on third parties (including suppliers, vendors, consultants, representatives)
- Anti-fraud clauses in contracts
- Disciplinary policies
- A documented fraud prevention strategy
The Ministry of Justice guidance on the Bribery Act 2010 offers a helpful analogy, because it likewise requires firms to identify their associated persons.
2. What are the best risk assessment templates to use to support the risk assessment process?
Use HM Government’s National Risk Assessment format as a baseline for ECCTA risk assessments. Firms can also adapt the FCA Financial Crime Guide templates, or consider sector-specific templates from JMLSG or the SRA (legal sector). Whichever you choose, pick a format that allows you to document the methodology, controls, rationale and outcomes.
Why is risk assessment critical?
A robust fraud risk assessment is the cornerstone of compliance. It prompts organisations to identify:
- Which fraud risks matter most (e.g. cyber-enabled invoice fraud vs. internal embezzlement)
- How controls should be designed and prioritised
- Where residual risk sits, helping the board weigh the cost of further controls against business realities
Without an up-to-date assessment, procedures become stale and there’s a higher risk of non-compliance.
3. What is the ECCTA guidance on associated persons?
Associated persons (ECCTA s.199) follow the Bribery Act 2010 model – that is, persons performing services for or on behalf of the organisation. It includes employees, agents, subsidiaries, contractors. You can find more information in the ECCTA Explanatory Notes and MOJ Bribery Guidance §33–38.
4. How does the failure to prevent fraud offence work for groups of companies?
Each UK-incorporated body is individually assessed for scope under Schedule 1. You can implement group-wide policies for compliance purposes – but liability is assessed entity by entity, not for the group as a whole. If your company operates internationally, only UK-incorporated entities are covered (see question 8 on territorial scope).
The 250-employee threshold only applies to employees of the UK-incorporated body. That means branches with fewer than 250 employees in the UK do not need to include their global headcount, unless employees are part of the same legal entity.
5. How does ECCTA impact SAR obligations?
ECCTA does not change Suspicious Activity Report (SAR) obligations. If you suspect fraud or money laundering, a SAR must be filed with the National Crime Agency (NCA) under the Proceeds of Crime Act 2002 (POCA 2002). Refer to NCA SARs Guidance for details.
6. Under ECCTA, is an outsourced payroll service considered an associated person?
Outsourced payroll could be an “associated person” (ECCTA s.199) if they carry out services for or on behalf of the organisation. A risk-based assessment will help you to determine this. Again, it’s similar to the Bribery Act, so take a look at those requirements.
7. Is the ECCTA failure to prevent fraud offence bigger than bribery and tax evasion in scope and seriousness?
The ECCTA failure to prevent fraud offence includes a broader range of misconduct compared to bribery and tax evasion. The Fraud Act 2006 – which includes false representation, failure to disclose, abuse of position – creates wider scope for prosecution than bribery or tax evasion. This means the threshold for triggering liability may be lower due to breadth of the criminal conduct in scope.
Bribery and tax evasion offences are often difficult to detect and prove in their own right – but the concept of fraud is much broader. In practice, many forms of misconduct could include a fraudulent element – which significantly expands the range of activity that could fall within scope.
8. Does ECCTA failure to prevent fraud apply worldwide?
The offence only applies to UK-incorporated bodies or partnerships, or foreign bodies carrying on business in the UK (ECCTA s.199(6)). An associated person could be acting in another part of the world – but the organisation can still be liable if the associated person’s actions were intended to benefit the UK firm.
9. Does ECCTA apply if the company has fewer than 250 employees – but expects to grow?
Employee thresholds are assessed at the time of the offence, so projected future headcount doesn’t count. Under Schedule 1 ECCTA 2023, the employee count must exceed 250 on a rolling 12-month basis at the time of assessment.
10. Who’s responsible for overseeing compliance if you don’t have a risk department?
Responsibility falls to your MLRO (Money Laundering Reporting Officer), or the financial crime, compliance, finance or legal team.
If you don’t have a risk function, assign responsibility to the most senior governance/control team with cross-functional reach – and remember that responsibility must be at board or executive level. The MOJ Bribery Guidance “Top-Level Commitment” has more information.
11. What do firms need to do in order to evidence top-level commitment?
These principles are designed to help firms defend themselves if they’re accused of, or charged with, failing to prevent fraud and end up in court.
Demonstrating that you had reasonable fraud prevention procedures in place is key. You’ll need to provide evidence such as:
- A formal fraud prevention policy approved by the board
- Training attendance logs
- Documented executive oversight at board level (monitoring of KPI/BI, risk and issue management)
- Minutes of board discussion/decisions relating to fraud prevention
- KPI tracking of fraud risk mitigation activities
- Records of discussion of prior and open cases with relevance and/or lessons to learn
For more information, take a look at examples of case law on the evidence thresholds for corporate offence defences (for example, Skansen Interiors).
12. Should firms perform DBS checks on personnel?
There is no statutory requirement for DBS under ECCTA – instead, a risk-based approach applies. DBS checks may be appropriate for high-risk roles (such as board members, MLRO, compliance officer, finance, procurement), although there is no frequency specified. Align these checks with internal hiring policy and consider a periodic review or annual attestation.
How does culture impact the failure to prevent fraud?
Culture has a direct impact on compliance. A healthy culture fosters communication, transparency and opportunities to learn – which enables employees to understand the risks, take steps to mitigate them, and call out bad behaviours if they see them.
ECCTA is a watershed moment for organisations. They need to act now by reviewing their policies, undertaking a risk assessment, refreshing their training and harnessing technology responsibly – cultivating a culture where every employee is a gatekeeper in the prevention of financial crime.
How to build a compliance culture
1. Embedding robust, risk-based procedures
Anti-fraud training and policy attestation are often treated as “sheep-dip” exercises – one-size-fits-all e-learning modules and generic memos that employees ignore. To embed policies, we recommend the following:
- Anchor controls to the individual: Show staff how a phishing email, for example, could target them in their role, and what the consequences would be.
- Use positive reinforcement: Recognise and reward proactive fraud reporting.
- Understand local nuances: Adapt processes to the payment methods and regulatory regimes of each jurisdiction you operate in.
2. Match training needs
The ECCTA requires “reasonable procedures” in both controls and training. It’s important to adapt training delivery and content to meet the needs of different people within the team, depending on their role and responsibilities. Components of an effective training programme:
- Data-driven content, using incident metrics to refine it
- Tiers of training: basic for all staff, specialist modules for high-risk teams
- Bite-sized, regular training, rather than once-a-year marathon sessions
- Clearly signposted escalation routes, so employees know whom to contact when they spot anomalies
3. Use technology – and AI – with caution
Advanced analytics and AI can supercharge your financial crime and fraud-detection functions. Machine-learning models (like HSBC’s risk-advisory tool) adapt to novel fraud patterns, reducing false positives and freeing up investigators. However, keep in mind:
- Explainability: Regulators will ask for clarity on how models make decisions.
- Ownership and governance: The risk committee must understand who owns the model, how it’s validated, and what data feeds into it.
- Human oversight: AI should augment - not replace - trained compliance professionals.
Want to learn more about Fraud?
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Fraud Prevention Training Package and Financial Crime Training Package also offer a complete solution for your compliance programme. Courses in our libraries include:
- Fraud Prevention Training Course
- Identity Crime Training Course
- Financial Crime Prevention Training Course
We've also created a comprehensive AML & CTF roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.
