Knowing what’s actually happening inside their organisation is not something most business leaders need encouragement on. Any executive worth their salt will have a comprehensive view of what’s going on, and the construction of that view varies as the business scales - the journey from scrappy Google Sheets reconciliation to your very own over-complicated Salesforce integration is a corporate rite of passage. You need to start thinking about a new audience looking at your reporting, though - new UK legislation empowers government agencies to inspect both your finances and your internal processes if they suspect fraud, and if you’re found wanting then you could face an unlimited fine.
The changes arrive care of the Economic Crime and Corporate Transparency Act, which was passed in 2023 but will come into effect gradually over the next few years. Company registration requirements have already been tightened up; later this year we’ll see changes to financial reporting requirements, and in 2025 comes the big one: Failure to Prevent Fraud legislation.
The name is self-explanatory; the burden is significant. All companies operating in the UK - regardless of where they are headquartered - need to enact rigorous and comprehensive processes to prevent fraudulent behaviour at every level of the organisation. The Act gives significant new powers to both Companies House and the Serious Fraud Office to interrogate financial reports and corporate structure, and if fraud is found then there’s no limit on the resulting fine - even if senior leadership were unaware of the fraud taking place.
The only defence for this is for affected businesses to enact rigorous, and consistently monitored, internal processes that they can demonstrate to the SFO in mitigation. By making it the responsibility of every business to actively prevent fraud - rather than simply expecting them to follow the rules - the ECCT is closer to the spirit of established US legislation, which has been wielded by the SEC to extract whopping fines from companies like Uber and SolarWinds.
Smaller companies are spared this, as the “Failure to Prevent Fraud” legislation will only apply to “large” companies, which are defined as meeting two of three criteria: turnover of over £36M, a balance sheet over £18M, and over 250 employees. (As a rule of thumb, if your business is big enough to require an audit, then it’s “large”.)
Such companies await detailed guidance from the UK government on the legislation and their defence against it - but the vision is clear, and the solution is to look at your business right now. Evaluate your internal processes and the points - and people - where there is potential for fraud, and start thinking about the changes you can make that would catch it before it happens - and would be easily understood and respected by the SFO when they come looking. Scrupulous documentation of both your operational activity and your internal processes will be key.
Get a head start on this preparation by signing up for our upcoming webinar “Trading in the UK? You need to comply with the ECCT Act”, which features Workiro’s CISO Luke Keily in conversation with Payhawk’s Director of Solutions Engineering, Robbie Hadfield. Both Workiro and Payhawk have robust software solutions for delivering and monitoring business operational processes, and Luke and Robbie have extensive experience and insights into how different organisations can ensure compliance with this type of legislation.