Out-Law Guide
20 Nov 2024, 12:32 pm
A new failure to prevent fraud offence will impact organisations across the UK and internationally, requiring them to complete risk assessments and to put rigorous fraud prevention procedures and policies in place if they are to avail themselves of a statutory defence.
Under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), the new offence sets out to prevent frauds which are intended to benefit an organisation or an organisation’s clients.
The offence, which will come into force on 1 September 2025, applies to large organisations, meaning businesses to which two of the following apply: more than £36m turnover; more than £18m in assets; more than 250 employees. For group organisations, the criteria apply to the whole organisation regardless of where the organisation is headquartered or where its subsidiaries are located.
The failure to prevent offence applies when an associated person of an organisation commits a fraud offence with an intention to benefit the organisation or an organisation to which the associated person provides services (i.e. a client). The offence is subject to a defence of having in place such prevention procedures as it was reasonable in all the circumstances to expect the organisation to have in place.
To help organisations, the government recently published guidance including a number of key considerations concerning scope, extra-territorial application and the reasonable procedures defence. Below are our key takeaways.
The guidance notes that the intention to benefit may relate to the organisation or the organisation’s client. For example, a professional services firm would be criminally liable if an employee of the firm committed fraud (made a false representation) intending to benefit a client. This is a point that should be factored into an organisation’s risk assessment.
A parent undertaking can be prosecuted for frauds by an employee or associated person of a non-large subsidiary where the fraud is intended to benefit the parent company directly or indirectly. A subsidiary that does not meet the criteria for being a large organisation can be prosecuted where the parent company is a large organisation. This is why a group-wide risk assessment is important.
An associated person automatically includes employees, agents and subsidiary companies. The automatic inclusion of subsidiaries goes further than the offence of failing to prevent bribery by associated persons under the Bribery Act 2010 and is therefore a significant development. Other persons who perform services for or on behalf of a large organisation are also associated persons.
The guidance notes that an associated person does not include persons or entities providing goods only. There will be a need to analyse whether a provider is simply providing goods or also providing services – for example shipping, customs clearance, marketing services, or technical support. This could be identified through a risk assessment and used to inform third party due diligence procedures.
Persons or entities providing services to the relevant body rather than ‘for and on behalf of’ the body are not associated persons under ECCTA. The guidance notes that persons providing services to an organisation – for example external lawyers, valuers, accountants or engineers – are not acting “for or on behalf of” the organisation. However, the distinction between providing services “to” and “for or on behalf of” needs to be carefully thought through. Taking the external lawyer example, when a law firm gives advice to a client, it is providing a service to that client; but when the law firm acts for the client in deal negotiations or in litigation, the firm is acting for and on behalf of its client. Likewise, in the construction sector, while main contractors are providing services to a client, it may also be the case that the main contractor is developing a project for and on behalf of a client and, likewise, that sub-contractors are delivering services for and on behalf of the main contractor. This will require careful analysis on a case-by-case basis.
The guidance confirms that for the organisational failure to prevent by associated persons to apply there must be a base (predicate) fraud offence under the law of any part of the UK. An example given of sufficient UK nexus for the offence to apply is where a UK based employee commits fraud, wherever in the world the employing organisation is based. Building on this example, a sufficient nexus would also be present where a UK based employee facilitates others to commit fraud overseas. Another basis for jurisdiction is where there is a UK victim. In short, in many instances the offence will apply to non-UK companies and overseas business activities.
An organisation reliant on the reasonable procedures defence has the onus to prove that it had reasonable procedures in place to prevent fraud at the time the fraud was committed. The preventative guidance is built on six familiar compliance pillars but there are some new recommended steps such as allocating a reasonable and proportionate budget specifically for the leadership, staffing and implementation of the fraud prevention plan, including personnel costs and funding of technology such as due diligence tools. Testing of fraud prevention measures by those who were not involved in writing them is specifically recommended.
The guidance notes in bold that “it will rarely be considered reasonable not to have even conducted a risk assessment”. Various examples of fraud scenarios are given, including:
Most organisations will currently not feature these sorts of examples in their existing fraud assessments.
The guidance also recommends developing fraud typologies by considering the three elements of the fraud ‘triangle’ – opportunity, motive and rationalisation – with a list of example rhetorical questions noted. Businesses are recommended to consider previous audits which may have flagged fraud risks, sector-specific information and regulatory enforcement notices, for example Financial Conduct Authority enforcement notices, and to consider emergency scenarios leading to an increase in fraud risk, such as significant financial instability. The guidance suggests classifying ‘inherent’ risks by their likelihood and impact.
The overall impression is that the risk assessment exercise should be thorough and searching, and the prevention programme properly resourced from both a personnel and technology perspective. Organisations will need to challenge themselves as to the depth of their risk assessments and to consider whether their current risk assessment methodology is sufficient to align with the guidance.
Under monitoring, it is noted that organisations are likely to have measures in place for detecting frauds against the organisation, but those detection measures may need to be extended to frauds intended to benefit the organisation or its clients. This point aligns with our experience of advising clients on ECCTA.
Consideration of data analytics is specifically referenced. There is also a specific section on investigating suspected frauds and, as part of their fraud prevention programmes, organisations will need to consider their approach to internal investigations and whether the investigations are sufficiently independent and appropriately resourced. The guidance notes that investigations should be scoped through legal advice and be legally compliant.
The guidance warns that in a prosecution, the court will consider adherence to the principles set out in the guidance. The guidance is helpful in that it is clear and it builds on existing and familiar compliance principles.
However, the guidance sets a high standard to follow. Depending on the circumstances, a high-level risk assessment, a policy statement and generic training may not be enough to discharge the reasonable procedures defence. More detailed risk assessments, fraud prevention plans which are adhered to and monitored, and additional resource allocation are clear expectations.