
What's your ECCTA ‘failure to prevent fraud’ action plan?

By: Emma Young
If you haven’t already started building your ‘reasonable procedures’ defence for ‘failure to prevent fraud’, then you need to get going on it. Emma Young explains the key areas to cover, and how to assess your current readiness.

The Economic Crime and Corporate Transparency Act (2023) (ECCTA) introduces a ‘failure to prevent fraud’ (FTPF) offence which will come into force in September 2025. The new offence creates a layer of corporate criminal liability for large organisations across existing fraud offences.

Traditionally, fraud risk assessments (FRA) have been inwardly focused: ‘how can we be the victim of fraud?’ ECCTA requires organisations to look at base fraud offences where a business, or client of your business, is intended to benefit. For example, if your employees are deliberately misleading your customers, or you’re deliberately misreporting to mislead investors, and you didn’t have reasonable procedures in place to prevent those activities, then you may be in breach of FTPF.

Over the next few months organisations need to finish looking at the procedures they already have in place and, where needed, build on them to create a 'reasonable procedures' defence that’s aligned to the new rules.

What do you need to be on top of?

The ‘reasonable procedures’ that would constitute a defence to corporate criminal liability for fraud are a lot to think about, but breaking them down into discrete areas can help you identify what you already have, and what you need to do more of.

Understanding ‘associated persons’

ECCTA introduces a broader cohort of people who could trigger corporate criminal liabilities beyond just your employees: associated persons, for example subsidiaries, intermediaries, or anyone operating on your behalf, such as brokers or agents. If your business (or clients of your business) could be intended to benefit from fraudulent actions by anyone in these groups, then you could be liable. You need to identify and define this group.

Mitigating decentralisation

ECCTA embeds an expectation to operate fraud risk management control frameworks. For decentralised organisations there can be additional challenges in getting consistent visibility of your key controls across all business areas, or confidence that those controls are operating as intended.

Territoriality

You also need to consider which overseas activities are relevant for the offence. A key aspect of FTPF is that there needs to be a ‘UK nexus’, so that at least one part of the fraud offence takes place in the UK. This means that the victims are in the UK, or activities forming part of the fraud take place in the UK, even if an offence was committed outside the UK.

Risk assessment

A lot of organisations are now realising that their FRA has been sitting in a desk drawer or on SharePoint, rather than being the live and regularly updated document that it needs to be. A good FRA needs to be viewed through the FTPF lens and updated to also focus on the specific risks arising from your population of associated persons. The typical approach is to set up a series of workshops to develop an FRA with senior stakeholders, which requires active participation from everyone and quickly runs into the usual challenge of diary management. This is why you need to get buy-in for the entire project as early as possible.

Communication policies and procedures

Your anti-fraud position needs to be communicated to your people, and their level of understanding needs to be monitored, for example through pulse surveys. You also need a process for updating policies and procedures, sharing them with everyone in your organisation, and ensuring they’ve reviewed them.

Training and awareness

You should assess how much training on financial crime and fraud you already provide and decide whether any additional education needs to be created, and which groups must be given it.

Collaboration

Setting up working groups with other organisations in your industry to define associated persons can be helpful – some sectors, such as real estate, are ahead on this, but there's limited appetite for it in others.

Compliance

You need to ensure that your key fraud controls are operating effectively. They should be built onto and aligned to existing assurance activities or into a Corporate Governance Code Provision 29 programme.

ECCTA: readiness checklist

If you’re unsure about where you are in the process it’s useful to go through a rigorous analysis of your policies and management. The Home Office guidance on reasonable procedures is a good place to start, and we have identified some questions below which will help your organisation navigate this work, regardless of structure or sector. There’s also industry guidance in certain sectors which may be helpful too.

Ownership

Do you know who’s leading the project?

We often see General Counsel leading these projects, but in many organisations risk, internal audit, and finance functions also play a key role.

Associated persons

Do you have a list of the categories of associated persons relevant to your organisation, and a clear picture of who falls into each one?

You’ll need to keep it updated with new business activities or operating models.

Leadership buy-in

Do senior stakeholders understand what’s needed and support it?

You’ll require time and input now to get ready for September, so their receptiveness is critical. You need to ensure you have enough time and availability from key stakeholders.

Governance

Are you clear on how to ensure board-level visibility and accountability for fraud prevention? You’ll also need to define the role of regional boards and divisional management.

How can you get this all done?

Bringing all this together before September may seem daunting. Convening workshops to talk through the questions above and then using the findings to write a roadmap and refresh your FRA are tried and tested exercises for ensuring you know where you are and what you need to do next.

For more insight and guidance, get in touch with Emma Young, Tom Townson and Will Morris.

Learn more about how our Controls advisory services can help you