The Hidden Legal Requirements within the ECCT Act

Team Workiro
August 12, 2024

Fraud is no longer something that businesses are expected to avoid - it’s something they have to actively, consistently prove they’re avoiding, and across the entire organisation and its subsidiaries to boot. That’s one of the spicier features of the Economic Crime and Corporate Transparency Act (ECCT), which was passed in 2023 but is only slowly coming into effect. 

The scale of its changes is such that it will require several years, and multiple changes to the law, to enact. Those include the biggest change to Companies House since its foundation and the biggest increase in the powers of the Serious Fraud Office (SFO) for a decade, and the impact will be felt by literally every business operating in the UK - but many of them don’t fully understand the burdens it will place on them. 

The first set of new regulations, around company registration and data submitted to Companies House, have already come into force, and most businesses are well aware of them - not least because they apply to all UK businesses, removing previous exemptions for the very smallest. 

They’re straightforward, too, covering things like company addresses (PO boxes are no longer accepted), verifying the details of directors and people who control the business (Companies House will no longer “accept information in good faith”, but “actively scrutinise” everything submitted) and pledging that the company is not being created for criminal purposes (a requirement that was not, amazingly, previously specified). These came into effect earlier this year and there is a summary on gov.uk.

Dig deeper into the legislation, however, and a raft of additional requirements await, with literally unlimited penalties facing businesses that don’t comply. Key among these is the creation of a new offence - “failure to prevent fraud” - with a wide definition of what’s considered fraud, and an even wider range of people who could commit it in a way that the company will be held liable for. 

These requirements are extensive, and not yet widely understood. Key highlights include:

  • Your business can be held liable for fraud carried out by any “associates” of the business - which includes employees, agents, subsidiaries and people employed by subsidiaries
  • Your business can be held liable for benefiting directly or indirectly from fraudulent activity by “associates”, even if directors were unaware the activity was taking place
  • Your business’s only defence will be to demonstrate “reasonable” procedures to prevent fraud - it won’t be possible to plead ignorance; only robust procedures will be judged as fit
  • Businesses will need to specify and communicate anti-fraud policy, conduct risk assessments and due diligence, and maintain ongoing monitoring and review of internal processes to demonstrate compliance
  • Overseas entities are now required to disclose detailed information on assets they hold, most notably land - any business that holds land for an overseas owner is now required to list who the owner is
  • Overseas entities are also required to record the identity of trustees who could previously remain private
  • All businesses will be required to submit all accounts digitally, with full tagging of financial information in iXBRL format

Small businesses won’t have to meet all of these requirements, but any “large” business - which is defined as meeting two of three criteria: turnover of over £36M, a balance sheet over £18M, and over 250 employees - will need to comply. (As a rule of thumb, if your business is big enough to require an audit, then it’s “large”.)

For many of these requirements, the precise details are still being hammered out by the Home Office - which is one of the reasons why awareness is still low - and they’ll arrive with matching guidance on what will be considered “reasonable procedures” for conforming with the law. Knowing what these procedures are, and being scrupulous in following them, is going to be the key requirement that prevents businesses from facing unlimited financial penalties.

To learn more about the scope of the legislation, and the sort of changes you should start considering now to get ahead of the official guidance, join our upcoming webinar on “Trading in the UK? You need to comply with the ECCT Act”, hosted by Workiro’s CISO Luke Keily with Payhawk’s Director of Solutions Engineering, Robbie Hadfield. Both have many years of experience in legislative compliance across a range of different companies, and a deep understanding of how to scope and deliver effective tools and processes to keep your business on the right side of the law.

