ECCTA’s Corporate Offence for Fraud guidelines: How to review your existing fraud and control framework

Bruce Viney | 7th August 2025 | In the Spotlight

The Economic Crime and Corporate Transparency Act’s (ECCTA) new corporate offence of failing to prevent fraud (FtPF) becomes law on 1st September 2025. 

In this article, Bruce Viney, Director of Financial Crime Compliance Training, discusses the new guidelines and some of the key questions that firms should consider now regarding their existing fraud risk and control frameworks.

The corporate offence applies to any organisation which qualifies as a ‘large’ organisation, the criteria for which are listed here.

 

Your existing fraud risk and control framework

Many firms have been reviewing their existing fraud risk assessments and controls to ensure compliance with the new requirements and to avoid committing the offence. 

If you have not yet reviewed your risk assessment and controls, you should consider doing this now. Existing fraud controls may not be adequate for the purposes of the new corporate offence. This is because the offence introduces new criteria that are unlikely to have been in pre-existing fraud control frameworks.

It is worth considering whether your existing fraud risk and control framework includes the following key features of the FtPF offence:

  • The FtPF offence involves 9 base fraud offences. Most legacy fraud risk and control frameworks only focus on the offences under the Fraud Act 2006 and the Computer Misuse Act 1990. Does your framework account for all nine of the base fraud offences within the FtPF offence?
  • At the heart of the FtPF lies the idea of a benefit accruing to the firm. Does your fraud framework identify and measure ‘benefit’?
  • A FtPF offence can be carried out by any associate of the firm. Does your fraud framework fully identify all of the firm’s associates, even those who might not be under contract?
  • A FtPF offence only applies where there is a UK nexus. Does your fraud framework adequately identify when a UK nexus has been achieved?
  • The only defence against a FtPF offence lies in having ‘reasonable procedures’ in place to prevent fraud. Does your fraud framework include a commitment to the following?
    • A demonstrable, active top level commitment, leading by example, which promotes a strong anti-fraud culture, including clear governance
    • Fully resourced anti-fraud controls including people and technology
    • Effective communication and endorsement of the firm’s stance on fraud
    • A detailed and up to date assessment of both internal and external fraud risks including:
      • Identification of associated persons
      • Fraud risk typologies
    • Proportionate risk-based fraud prevention and detection procedures including:
      • Appropriate due diligence (e.g. in respect of clients, counterparties, business partners and transactions)
      • Reporting and whistleblowing procedures
    • Communication and training
    • Monitoring and review

The above 5 bullet points are described in more detail in the Home Office Guidance, November 2024, and in the FAQ set out below.

 

Frequently Asked Questions (FAQ)

Please note, this FAQ is not intended to be a substitute for reading the legislation and / or government guidance[1]

The ‘base fraud’ offences that come under ECCTA are broader than the three offences under the Fraud Act 2006.  These include:

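| Offence | Fraud Act | Theft Act | Companies Act | Common Law |
|---|---|---|---|---|
| False representation | x | | | |
| Failure to disclose | x | | | |
| Abuse of position | x | | | |
| Obtaining services dishonestly | | x | | |
| False accounting | | x | | |
| False statements by directors | | x | | |
| Suppression of documents | | x | | |
| Fraudulent trading | | | x | |
| Cheating the public revenue | | | | x |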

 

The committing of any of these by an associated person in a way which intends to confer a relevant benefit is likely to come under the FtPF offence. Does your fraud risk and control framework account for all of these offences?

The FtPF offence is not intended to penalise firms when a fraud is committed against them, but only where the fraud includes an actual or potential intended benefit, arising from the fraud, to the firm or to clients to whom the associated person provides services for or on behalf of the firm.

The intention to benefit does not have to be the sole or even the dominant motivation for the fraud. For example, a relationship manager may misrepresent the benefits and / or risks of an investment product in order to increase sales and their bonus payment. The increased sales also bring a benefit to the company and so the offence would apply.

Please note that this is based on the circumstances at the time the fraud was committed.  If the firm is statutorily required at a later date to reimburse clients who have been the victims of misselling, this will not be relevant to the benefit arising at the time the fraud was committed.

Does your fraud risk and control framework include the identification, assessment and control of ‘benefit’?

Two key control issues are particularly relevant:

  1. Identifying who is an ‘associated person’; and
  2. Understanding when it is relevant

An employee, agent or subsidiary of an organisation is automatically an ‘associated person’ for the purposes of the FtPF offence. A person who provides services for or on behalf of the organisation is also an associated person while they are providing those services. It is important to note that ‘providing services for or on behalf of an organisation’ does not include providing services to the organisation.

An associated person is defined by reference to all the circumstances, and substance over form is to be applied.  A person may be an associate based on what they do, even if there is no formal contract.

Does your fraud risk and control framework adequately identify associates of your firm?

The actions of the associated person must have a UK nexus to trigger the FtPF offence. This means one of the following:

  • One of the acts of base fraud must have taken place within the UK; and/or
  • The related gain or loss must have occurred in the UK. This must be actual gain or loss, not just intended loss.

This means that, if an associated person based in Johannesburg commits a base fraud that benefits a firm in the UK, a UK nexus will have been achieved.

It is also worth noting that even an overseas-based firm could commit the FtPF offence if one of its associated persons committed a base fraud either in the UK or in a way that created a gain or a loss in the UK, in which case the whole organisation might be prosecuted.

Is your fraud risk and control framework equipped to identify all the possible situations that might create a UK fraud nexus?

The fraud prevention framework put in place by relevant organisations should be informed by a number of principles.

Top-level commitment

This requires a proactive approach from Senior Management across the firm, in particular those charged with governance.

There is strong emphasis on the role of top-level management in creating an appropriate fraud prevention culture. This includes:

  • Communicating and endorsing the organisation’s stance on fraud, including articulating the consequences for anyone carrying out a fraud
  • Making a case for the importance of and advantages of good anti-fraud compliance. This should include identifying and countering any arguments which might seek to undermine this
  • Ensuring clear governance
  • Providing a strong commitment to training
  • Ensuring appropriate resourcing, and leading by example

Can your Senior Management demonstrate that it is actively involved in preventing fraud?

 

Risk Assessment

Due to the breadth and potential complexity of defining an ‘associated person’, the Home Office Guidance suggests that an organisation’s fraud risk assessment begins by identifying all associated persons of the organisation.

The Guidance provides extensive examples of risk best practice in the context of fraud (which cannot be reproduced here, given the volume of Guidance). 

Senior Management may consider taking third party advice on fraud typologies, as these typologies require a detailed understanding of the motives for fraud, the methods that are used and the mentality of different types of fraudsters.  Fraud today is very different to fraud of only a few years ago.

Other issues to consider include:

  • Areas of higher fraud risk, both from inside and outside the firm, cyber enabled and non-cyber frauds
  • Identification of associated persons, including those who may be de facto associated by their role but not formally under contract
  • Assessing the risk of associated persons and a realistic assessment of controls that may be applicable

Senior Management should review these requirements against any existing fraud risk assessments and consider any required additions or changes.

 

Proportionate risk-based fraud prevention procedures and due diligence

An organisation’s procedures to prevent fraud by associated persons should be proportionate to the nature, scale and complexity of the organisation’s activities, and the fraud risk it faces. They must also be clear, practical, accessible, effectively implemented and enforced.

Given the importance of fraud prevention controls, rigorous testing may be appropriate.

If controls already exist that achieve what is needed to provide a suitable defence to the FtPF offence, there is no need to duplicate them.

Proportionate procedures may include:

  • Identification and mitigation of motivation, rationalisation and opportunities for fraud
  • Identification and control of ‘one-off’ frauds which may lead to the normalisation of fraud
  • Putting in place appropriate consequences for committing fraud
  • The use of appropriate technologies
  • The development and use of management information, including KPIs linked to the prevention and detection of fraud

Does your fraud risk and control framework cover these issues and any others that might be relevant?

 

Communication (including training)

Senior Management should ensure the provision of risk-based, proportionate training to all relevant staff and other associated persons. In particular, specific, tailored training might be appropriate for associated persons who perform tasks or occupy roles with a higher risk of opportunities for relevant fraud.

Senior Management should ensure that staff and other associated persons are familiar with the firm’s whistleblowing policies and procedures.  Whistleblowing is one of the most effective controls for detecting potential or actual fraud. 

Do you have an appropriate, risk-based training programme so that all relevant staff are aware of the fact and implications of fraud risk and your firm’s approach to mitigation?

 

Monitoring and review

Organisations must monitor and review their fraud detection and prevention procedures and make improvements where necessary. This includes learning from investigations and whistleblowing incidents.

It also includes reviewing information from its sector-specific analysis of fraud trends and typologies.

Monitoring and review of fraud prevention measures might include:

  • Monitoring financial controls
  • Collecting data in relation to fraud prevention training courses (and any test results)
  • Reviewing procedures (for example, due diligence procedures) and updating them where necessary
  • Monitoring contractual arrangements with associated persons
  • Reviewing fraud detection analysis and management information on the effectiveness of fraud prevention measures

Do you have appropriate programmes to monitor and review your fraud prevention controls?

Finally

Some final questions to consider include:

  • Do the existing procedures meet the requirements of the new corporate offence and related guidance?
  • What checks, analyses, reconciliations, management information and other controls are in place to detect fraud and are they sufficient and appropriate in the light of the new corporate offence?
  • Does the organisation have sufficient staff, with appropriate experience, to detect anomalies, indicators or other red flags that might indicate fraud?
  • Where fraud is detected and investigated, are lessons learned fed back and are controls changed to reflect new threats or typologies?

How can we help?

For in-depth training and a deeper understanding of the new corporate offence of failing to prevent fraud, see our range of related courses below, including our latest in-house training course, ECCTA: Failure to Prevent Fraud Offence - for Senior Management & the Board.

  • ECCTA: Failure to Prevent Fraud Offence - for Senior Management & The Board
  • Fraud Prevention Awareness
  • Fraud Prevention Workshop
  • Fraud Prevention: Town Hall Briefing

[1] Home Office: Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud November 2024

About the Author

Bruce has been working in financial services for nearly 40 years, 25 of these as a learning professional focusing on compliance for a wide range of financial services companies, mainly through the analysis, design, creation and implementation of global training programmes for Tier 1 Banks and FTSE 100 companies. He has been Global Head of Compliance Learning for such firms three times and has provided compliance learning consultancy to similar companies many times. 

Bruce has also provided compliance training and consultancy in other fields such as real estate, industrial supply chains, charities, payment services providers, gambling and casinos and many others.  

A former Director of Training for CISI, Bruce has extensive experience of compliance and financial services-related qualifications and qualified as a Chartered Accountant with Price Waterhouse (as it was then known).

Bruce provides excellent training events on compliance, with a specific focus on financial crime, including all aspects of anti-money laundering, anti-bribery and corruption, fraud and sanctions.
