Failure to prevent fraud
Si Mathavan looks at the implications of the new offence of failure to prevent fraud

The Economic Crime and Corporate Transparency Act (ECCTA), which received royal assent in October 2023, includes a new offence of 'failure to prevent fraud'.
Large organisations, including local authorities and charities, can soon be found criminally liable if their employees, agents, subsidiaries or other 'associated persons' commit fraud with the intention to benefit the organisation or their clients.
Many organisations will already be alert to potential frauds against them; however, the changes extend the requirements to fraudulent activity that is intended to benefit the organisation or its clients, holding businesses accountable for relevant crimes committed by 'associated persons'.
The Act increases corporate responsibility, making it easier to hold organisations criminally liable for fraudulent activity if an 'associated person' commits an offence intending to benefit the organisation, either directly or indirectly, such as through gaining an unfair business advantage. An associated person is a party who provides services for or on behalf of the organisation – for example, an employee, agent, subsidiary or supplier.
Broad reach
The definition of fraud is very broad, so these changes will be far-reaching and are likely to affect several functional teams. Organisations will need to be comfortable with the robustness of their own procedures as well as those at relevant third parties.
The deadline for organisations to implement necessary measures and demonstrate compliance is 1 September 2025. Given the likely scale of work to be undertaken before the deadline, organisations will now need to start reviewing their processes and controls to give them sufficient time to comply with the requirements.
The updated provisions directly apply to businesses in all sectors meeting at least two of the following criteria in the year preceding the base fraud offence:
- £36m or more in turnover
- £18m or more in total assets on the balance sheet
- 250 or more employees.
Due to the nature of the requirements, the Act is also likely to impact subsidiaries and other businesses. For example, smaller organisations that supply larger companies will be impacted: such an organisation may be an associated person if it provides services for or on behalf of a large organisation that falls within the above criteria (eg as a supplier). In these circumstances, small organisations may be subject to contractual or other requirements imposed by the larger organisation to support its compliance with the Act.
Fast-growing SMEs must also consider the requirements as they may soon meet the criteria. Furthermore, due to the nature of these organisations, they often do not have mature and established processes, controls and governance arrangements in place, which may make compliance more challenging.
Penalties
The offence would lead to the organisation being prosecuted for failing to prevent the fraud, with the sanction being a potentially unlimited fine. This would also be likely to result in reputational damage, further impacting the company's business and potentially excluding it from procurement contracts. The person who committed the fraud may also be prosecuted individually.
As a result of the punitive nature of these penalties, it is expected that organisations will improve their fraud prevention procedures, driving a major shift in corporate culture.
Actions
Given the far-reaching nature of the ECCTA, organisations should start with determining how they are likely to be impacted to ensure they are ready to comply by 1 September 2025.
In line with the six principles set out in the Home Office guidance, activities that organisations should consider undertaking include:
- Risk assessment: Assess the nature and extent of the risk of associated persons committing fraud. Consideration should be given to their opportunity, motive and rationalisation.
- Proportionality of risk-based prevention procedures: Reasonable procedures that a relevant body should adopt to prevent fraud should be proportionate to the risk the relevant body faces. This will depend on the nature, scale and complexity of the organisation's activities.
- Top level commitment: Responsibility ultimately rests with those charged with governance. The board of directors, partners and senior management should be committed to the prevention of associated persons committing fraud. They should foster a culture where fraudulent activity is never acceptable.
- Due diligence: Organisations should conduct due diligence on associated persons. This should include reviewing contracts with those providing services, and monitoring the wellbeing of staff and agents to identify persons who may be more likely to commit fraud. Due diligence should also be performed in respect of any mergers and acquisitions activity.
- Communication (including training): Fraud prevention policies and procedures should be communicated, embedded and understood by all relevant stakeholders through internal and external communication. This should come from senior management and cover staff at all levels in the organisation. Training should be given based on the needs of the highest risk roles.
- Monitoring and review: The nature of the fraud risks faced by an organisation will change and evolve over time. Post-implementation monitoring of the effectiveness of fraud prevention measures, such as relevant processes and controls, should be undertaken. The organisation should monitor and review its prevention procedures and make improvements where necessary.
Organisations should develop a programme to determine how they will meet the requirements, working with key departments to develop processes, controls and governance arrangements which address their needs.