The closing months of 2025 saw the coming into effect of the Economic Crime and Corporate Transparency Act (ECCTA), designed to combat economic crime and impose further obligations on corporates to assist with such endeavours. Importantly for readers, the ECCTA, which arose from a 2022 Law Commission report examining options to ensure corporates are held of account for committing serious crimes, also introduced a new criminal offence of a failure to prevent fraud.
Colleagues in Fladgate’s regulatory team have explored the consequences of the new offence in greater detail here, but to summarise, under the offence, an organisation may be criminally liable where an employee, agent, subsidiary undertaking, or other ‘associated person’, commits a fraud intending to benefit the organisation and the organisation did not have reasonable fraud prevention procedures in place. The offence is committed regardless of whether directors or senior managers knew or ordered the fraud. Moreover, the organisation does not need to actually receive any benefit for the offence to apply.
What offences apply?
The types of fraud that fall within the scope of the ECCTA are wide ranging, and include fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, false statements by company directors and fraudulent trading. Fraudulent conduct can therefore range from the diversion of company funds by an employee, to the false promotion of the ‘sustainability’ credentials of a product, to dishonest practices by sales agents to boost sales.
The ECCTA is also extra territorial in nature: if a UK-based employee commits fraud, the employing organisation could be prosecuted, wherever it is based, and if an employee or associated person of an overseas-based organisation commits fraud in the UK, or targeting victims in the UK, the organisation could be prosecuted. The offence will not, however, apply to UK organisations whose overseas employees or subsidiary undertakings commit fraud abroad with no UK nexus.
Consequences and defences
The offence of failing to prevent fraud can be prosecuted by the Crown Prosecution Service and the Serious Fraud Office. Organisations that are found liable can face unlimited fines, regulatory consequences (fraudulent conduct would trigger regulatory notification requirements and potential investigations and fines by the FCA or other regulatory body), and serious reputational damage.
That all being said, organisations will have a defence if they have ‘reasonable procedures’ in place to prevent fraud (or if they can demonstrate to the satisfaction of the court that it was not reasonable in all the circumstances to expect the organisation to have any prevention procedures in place).
It is here that existing and emerging technologies will undoubtedly have an important role to play.
The use of technology
Home Office guidance, issued in conjunction with the coming into effect of the ECCTA, sets out six fraud prevention principles that should inform organisations’ fraud prevention framework:
- top-level commitment to the prevention of fraud,
- risk assessment,
- proportionate risk-based prevention procedures,
- due diligence,
- communication (including training), and
- monitoring and review.
The use of technology in these areas is already prevalent in larger sophisticated organisations, but smaller enterprises, who may now be caught by the ECCTA, may not be doing so. Such organisations, when dealing with ‘associated persons’ – which, as noted, will include employees, agents, and subsidiaries (including new partners) - must now consider increasing their use of appropriate third-party risk management and screening tools, products that allow for the checking of trading history or professional or regulated status, or vetting checks.
Systems that also provide for pattern recognition (i.e. the detection of suspicious patterns within organisations) are increasingly available, driven by sophisticated technologies that incorporate data analytics, artificial intelligence, and machine learning.
Further, regardless of an organisation’s sophistication, adequate budget should be allocated to address these principles and to fund these types of technologies. Doing so will help bring the organisation within the defence of having ‘reasonable procedures’ in place.
A word of caution: even those organisations who have systems already in place would be well advised to review their processes; the guidance makes it clear that merely applying existing procedures will not necessarily be an adequate response to tackling the risk of fraud.
However, despite the importance of technology, humans have not (yet) been replaced: the ECCTA makes clear that human oversight remains a fundamental part of the fraud prevention ecosystem, with the board and senior members being required to ‘lead from the front’, to ensure clear governance structures are in place, to train staff, and to lead by example and foster an open culture, where staff feel empowered to speak up if they encounter fraudulent practices.
