There’s a new risk to your business, and it’s not hackers or malware or even any kind of deliberate attack. It's almost exclusively internal and there’s no limit on what it could cost you - by law. It’s not something that can be prevented by making password policies even more annoying or blocking USB sticks: you need better business processes and proof that you monitor them, which is a job that goes way beyond the IT security team.
It lies within the new Economic Crime and Corporate Transparency Act (ECCT), which was enacted in 2023 and includes upcoming legislation on “Failure To Prevent Fraud” that applies to all large businesses. The key word here is “prevent” - even if the crime is accidental, you can be held liable, because your business failed to prevent it. You won’t be able to claim ignorance, you will be held liable for people across the entire business, and there is no limit on the fine that the Serious Fraud Office can apply for non-compliance.
Under the terms of the ECCT any “associate” of the company can commit fraud, even if they’re only employed by a subsidiary or not based in the UK, and the company will be held liable for not preventing it. It doesn’t matter if the associate wasn’t directed by management, either - if the business benefits from the fraudulent activity, directly or indirectly, then the business can be held liable under the Act.
The range of possible activities is significant too, including false representation, false accounting, fraudulent trading and fraud by failing to disclose information. The precise details have yet to be confirmed by the government, but the scope of the law makes it entirely plausible that staff members deep within an organisation, in an overseas office, can commit fraudulent activity for which the business as a whole will be held responsible.
It’s a major new responsibility for business owners, and while the Failure to Prevent Fraud legislation hasn’t come into effect yet, you should start preparing now. To defend yourself, you need to have “reasonable processes to prevent fraud” in place - which means you need a clear and reliable view of data and activity across the business.
Sharing business-critical documents securely, in a way that can be easily monitored, is the problem that Workiro was created to solve. It creates a centralised hub which automatically stores vital emails and documents, handles secure document signing, and maintains a chronological history of each version, so you can tame your internal processes and have complete visibility of the data flow through the organisation.
That’s just the first step, though - you need to pair those organisational skills with a robust compliance policy, and a holistic view of potential issues across the entire organisation. Get a head start on this preparation by signing up for our upcoming webinar “Trading in the UK? You need to comply with the ECCT Act”, hosted by Workiro’s CISO Luke Keily in conversation with Payhawk’s Director of Solutions Engineering, Robbie Hadfield. Both Workiro and Payhawk have robust software solutions for delivering and monitoring business operational processes, and Luke and Robbie have extensive experience and insights in how different organisations can ensure compliance with this type of legislation.
Register for the webinar here.