Fraud is no longer something that businesses are expected to avoid - it’s something they have to actively, consistently prove they’re avoiding, and across the entire organisation and its subsidiaries to boot. That’s one of the spicier features of the Economic Crime and Corporate Transparency Act (ECCT), which was passed in 2023 but is only slowly coming into effect.
The scale of its changes is such that it will require several years, and multiple changes to the law, to enact. Those include the biggest change to Companies House since its foundation and the biggest increase in the powers of the Serious Fraud Office (SFO) for a decade, and the impact will be felt by literally every business operating in the UK - but many of them don’t fully understand the burdens it will place on them.
The first set of new regulations, around company registration and data submitted to Companies House, have already come into force, and most businesses are well aware of them - not least because they apply to all UK businesses, removing previous exemptions for the very smallest.
They’re straightforward, too, covering things like company addresses (PO boxes are no longer accepted), verifying the details of directors and people who control the business (Companies House will no longer “accept information in good faith”, but “actively scrutinise” everything submitted) and pledging that the company is not being created for criminal purposes (a requirement that was not, amazingly, previously specified). These came into effect earlier this year and there is a summary on gov.uk.
Dig deeper into the legislation, however, and a raft of additional requirements await, with literally unlimited penalties facing businesses that don’t comply. Key among these is the creation of a new offence - “failure to prevent fraud” - with a wide definition of what’s considered fraud, and an even wider range of people who could commit it in a way that the company will be held liable for.
These requirements are extensive, and not yet widely understood. Key highlights include:
- Your business can be held liable for fraud carried out by any “associates” of the business - which includes employees, agents, subsidiaries and people employed by subsidiaries
- Your business can be held liable for benefiting directly or indirectly from fraudulent activity by “associates”, even if directors were unaware the activity was taking place
- Your business’s only defence will be to demonstrate “reasonable” procedures to prevent fraud - it won’t be possible to plead ignorance; only robust procedures will be judged as fit
- Businesses will need to specify and communicate anti-fraud policy, conduct risk assessments and due diligence, and maintain ongoing monitoring and review of internal processes to demonstrate compliance
- Overseas entities are now required to disclose detailed information on assets they hold, most notably land - any business that holds land for an overseas owner is now required to list who the owner is
- Overseas entities are also required to record the identity of trustees who could previously remain private
- All businesses will be required to submit all accounts digitally, with full tagging of financial information in iXBRL format
Small businesses won’t have to meet all of these requirements, but any “large” business - which is defined as meeting two of three criteria: turnover of over £36M, a balance sheet over £18M, and over 250 employees - will need to comply. (As a rule of thumb, if your business is big enough to require an audit, then it’s “large”.)
For many of these requirements, the precise details are still being hammered out by the Home Office - which is one of the reasons why awareness is still low - and they’ll arrive with matching guidance on what will be considered “reasonable procedures” for conforming with the law. Knowing what these procedures are, and being scrupulous in following them, is going to be the key requirement that prevents businesses from facing unlimited financial penalties.
To learn more about the scope of the legislation, and the sort of changes you should start considering now to get ahead of the official guidance, join our upcoming webinar on “Trading in the UK? You need to comply with the ECCT Act”, hosted by Workiro’s CISO Luke Keily with Payhawk’s Director of Solutions Engineering, Robbie Hadfield. Both have many years of experience in legislative compliance across a range of different companies, and a deep understanding of how to scope and deliver effective tools and processes to keep your business on the right side of the law.