ECCTA – your questions answered

With the ECCTA deadline approaching, client queries are rising. Our team shares clear, practical answers to help businesses get ready.

10 December 2025

Publication


With the 1 September 2025 deadline fast approaching, we’ve seen a sharp rise in client queries around the new requirements introduced by the Economic Crime and Corporate Transparency Act (ECCTA). In response, Camilla de Silva and the team have been regularly addressing some of the most frequently asked questions, offering practical insights into the Act’s implications and how businesses can prepare.

We’ve brought together their answers below, covering the key issues clients are grappling with. These form part of our broader support offering, including our ECCTA Fraud Prevention Toolkit - a practical set of resources designed to help organisations assess risk, strengthen internal controls, and reduce exposure to liability under the new failure to prevent fraud offence.

If you’d like to explore how the Toolkit can support your organisation, please get in touch to schedule a demo.

1. What is ECCTA?

The UK Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduces major reforms that significantly increase corporate criminal liability risks. A key change is the new offence of Failure to Prevent Fraud, which takes effect on 1 September 2025 and requires large organisations globally to assess and mitigate the risk of employees, agents, or subsidiaries committing fraud to benefit the business or its customers. To rely on the statutory defence, businesses must identify fraud risks, evaluate current controls, and strengthen them where needed. The ECCTA also expands corporate liability through a new “senior manager” attribution test, making it easier to hold companies accountable for economic crime when a senior manager - defined as someone with significant decision-making or managerial authority - commits an offence within their role.

2. Who does ECCTA apply to?

The ECCTA’s new corporate offence of Failure to Prevent Fraud is expected to apply to large organisations that meet the statutory size threshold (generally, at least two of: more than 250 employees, over £36 million turnover, or over £18 million in assets), including both UK-headquartered companies and large overseas businesses operating in the UK. It cuts across all sectors - financial services, energy, technology, life sciences, retail, manufacturing, and professional services - capturing any organisation that could benefit from fraud committed by employees, agents, or subsidiaries. Groups with complex structures or reliance on intermediaries will need to pay particular attention, as will senior management teams and boards, who must oversee risk assessments and implement reasonable fraud prevention procedures to rely on the statutory defence.

3. What constitutes reasonable fraud prevention procedures in relation to the new failure to prevent fraud offence?

Our take: In order to rely on the defence, a company must be able to prove on the balance of probabilities that it has reasonable procedures in place. What will be reasonable in any given case will depend on the particular risks facing the organisation, its scale and its resources. What is key – and clear in the demanding guidance published by the Home Office – is that in-scope companies should conduct risk assessments to understand where their risk lies. The Guidance says “it will rarely be considered reasonable not to have even conducted a risk assessment.” Once you understand your risks, you should ensure any necessary uplift is made to demonstrate: (i) top-level commitment to an anti-fraud culture; (ii) proportionate prevention procedures, including in relation to due diligence on third parties; (iii) strong communication and training targeted at the specific risks identified; and (iv) ongoing monitoring and review of these controls over time, including proactive investigation of any allegations raised or issues identified.

4. Is a UK subsidiary of a multi-national company in scope for the failure to prevent offence if it doesn’t meet the size requirements?

Our take: Any company, anywhere in the world, is in scope if it is a ‘large organisation’. A ‘large organisation’ is defined as one that meets at least two of the following three criteria: (i) more than 250 employees; (ii) more than £36 million turnover; (iii) more than £18 million in total assets. What some are missing is that, even if your company does not meet those requirements, it will still be within scope of the new offence if the overall corporate group, regardless of where it is headquartered, amounts to a large organisation when considered as a whole. In that instance, the ultimate parent of the group will be in scope for any failure to prevent fraud by its associates (so long as there is sufficient UK nexus for the underlying fraud). As the definition of associates is very broad and includes direct and indirect subsidiaries, a fraud by the UK subsidiary could lead to failure to prevent liability for the ultimate parent. The subsidiary, even though not a large organisation itself, can also be liable for failure to prevent fraud if one of its employees commits a fraud offence intending to benefit the subsidiary. In either case, if you can prove you had reasonable procedures in place this will provide a defence, so both the UK subsidiary and the group parent entity should consider whether their anti-fraud controls are sufficiently robust.

5. Should procedures be implemented on a global or UK-only basis?

Our take: There is no right or wrong answer to this. The Failure to Prevent Fraud offence requires there to be some nexus with the UK, meaning that some part of the fraudulent act occurs in the UK. That could be a knowingly untrue statement made to a UK audience, the victim being a UK resident, an employee or agent based in the UK deliberately misleading someone, or the profit or loss accruing in the UK. Each business will have to decide how easily its activities with a UK nexus can be ring-fenced. Developing existing policies and procedures (e.g. anti-external fraud, anti-bribery, or treating customers fairly) is often a better approach than trying to implement a stand-alone policy, so if existing policies already operate on a global basis, extending them globally may be the easier route.

6. When a firm is currently entering a merger, what are key areas firms need to consider?

Our take: A firm should consider whether the combined firm (or any of its subsidiaries) would be considered a large organisation and is therefore in scope for the offence of Failure to Prevent Fraud. If the merger target is a large organisation (2 out of 3 of: more than 250 employees, turnover over £36m and total assets over £18m), or the combined firm would be, you should consider the extent to which it has activities in the UK and the risk of fraud being committed by the firm’s associates (its employees, agents and subsidiaries) with the intention of benefitting the firm. Inevitably a great deal of due diligence is conducted in the merger process and it will be worthwhile assessing the fraud risk of the merger target’s activities and the quality and effectiveness of any anti-fraud policies and procedures in place.

7. Is it reasonable to conclude that no measures can prevent fraud by a determined rogue employee who deliberately breaches policies and procedures?

Our take: Yes, an organisation could have reasonable policies and procedures in place, but still have them circumvented by an associated person intent on doing so. One point to watch is on culture though – did anyone else know and not speak up? Were the incentives for the employee to behave in that way too strong? Did others turn a blind eye? The Home Office Guidance makes clear that reasonable procedures will aim, through messaging, training and disciplinary proceedings, to make sure that the internal culture is one that does not condone or accept fraudulent behaviour. Employees should know how to respond if a colleague behaves in a way that breaches this and an anonymous whistleblowing line that is well publicised is essential.

8. If the procedures only have to be reasonable, is it going to be possible to argue none were needed?

Our take: In theory, yes. The Home Office guidance does mention this. But it would always have to be a conscious decision following the risk analysis identifying potential fraud risks. If that identified no realistic risks, or risks that were minor and the organisation already had suitable measures in place to ensure ethical behaviour by all staff and agents, it may be that nothing further is needed. The guidance suggests the decision must be documented and attributable to a named individual, which may or may not be designed to deter organisations from this course! In reality of course, if the company were prosecuted because an associated person had committed a fraud for its benefit, it would be an uphill struggle to argue that no procedures had been needed to prevent that.

9. If the parent company of a group is UK headquartered, is all group activity by foreign subsidiaries caught as it is ultimately for the benefit of the parent via dividends?

Our take: In our view the requirement for an intention to benefit the organisation requires more than an indirect benefit via ultimate dividend payments. Unhelpfully, the Home Office guidance does not say this, whereas the guidance issued on the Bribery Act did. It may depend upon how closely linked the subsidiary is to the parent. If it is accustomed to being controlled by the parent and its income flows directly to the parent, that makes it more likely that its actions will be intended to benefit the parent. However, if it operates more independently and the parent merely holds its shares, it would be harder to show an intention on the part of an associated person to benefit the parent, and it is perhaps unlikely prosecutors would select a case where this issue arose as one of their first prosecutions.


10. What should we be doing now that the offence has come into force?

Our take: With the corporate offence of Failure to Prevent Fraud now in force (as of 1 September 2025), companies should move from planning and preparation into active implementation and documentation of procedures. Given that regulatory and enforcement attention is shifting from “what might this law mean” to “how will it be enforced,” businesses should act now to signal readiness.

Key action points for the next 6-12 months:

  • Conduct or refresh a fraud-risk assessment and board briefing that specifically references the new offence and maps key risk areas (e.g., international supply chains, sales staff, digital intermediaries, third-party agents).
  • Document how your controls fulfil the requirements of the “reasonable procedures” defence: a written risk analysis, updates to training, whistle-blowing channels, audit trails, and review mechanisms. Review and map your global footprint to understand how UK nexus could trigger exposure – even if your primary operations are outside the UK.
  • Prepare for the possibility of early enforcement or request for information: keep internal findings, decision logs and escalation protocols readily available, and ensure your internal investigations are positioned with privilege and remediation in mind.

The next year is likely to see the first wave of enforcement and case outcomes under ECCTA. Organisations that treat this as a live obligation today – rather than a distant threat – will be much better placed to demonstrate oversight, challenge control gaps, and respond proactively if subject to investigation.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.