16 April 2025


Preparing for the UK’s Failure to Prevent Fraud offence: The Corporate Intelligence edge


The Economic Crime and Corporate Transparency Act 2023 (ECCTA), which was formally enacted on 26 October 2023, is one of the most significant pieces of anti-fraud legislation in decades. It was introduced amid a surge in economic crime in the UK: in 2023, fraud accounted for 41% of all crimes in England and Wales, costing the UK economy hundreds of billions annually, according to Home Office data. The new ECCTA provision - coming into force on 1 September 2025 - imposes stringent obligations on businesses to detect, prevent, and report fraudulent activities, with non-compliance penalties reaching up to 10% of global turnover. In this article, Mario Levin (CAMS) analyses the ECCTA's implications, underscores how corporate intelligence could be pivotal to compliance and speaks to compliance expert Gaon Hart about some of the Act’s unique aspects.

The Identification Doctrine and expansion of the scope of Corporate liability

The introduction of the ECCTA in December 2023 reflected an important change in corporate liability. Its expansion of scope of who could bind the liability of a company represents a departure from the traditional ‘directing mind and will’ principle, which limited corporate liability to a narrow group of individuals closely associated with the company's decision-making processes – usually those who could be said to be the ‘embodiment of the company’, namely board members and managing directors. The new scope means that a company or unincorporated partnership is guilty of an offence if one of its ‘senior managers’—defined as someone with significant responsibility for decision-making or overseeing substantial organisational activities—commits, attempts, conspires, or facilitates an offence while acting within their actual or apparent authority. This expansion of corporate criminal liability under UK law acknowledges the reality of distributed decision-making in modern corporate structures and introduces new compliance requirements for companies with complex operational networks.

It also creates a level playing field between small and large organisations by addressing a long-standing gap in corporate liability. While prosecutors could have historically easily pinpointed individuals “embodying” smaller companies, identifying such figures in large, complex organisations was nearly impossible—an issue the Act resolves by introducing a wider definition of what a ‘senior manager’ is (interestingly, the Crime and Policing Bill 2025, published by the UK Government in February 2025, proposes extending this new ‘senior manager’ test for corporate criminal liability to all criminal offences - not just economic crimes, where it currently lies).

Failure to Prevent Fraud: Types of fraud covered

Perhaps an even more groundbreaking aspect of the ECCTA is in its introduction of the offence of Failure to Prevent Fraud (FPF). This offence – coming into force on 1 September 2025 – applies to organisations (including corporates and partnerships) that meet at least two of the following criteria: more than 250 employees, more than GBP 36 million turnover, and more than GBP 18 million in total assets. According to this provision, organisations will be held criminally liable if their employees or ‘Associated Persons’ commit fraud intending to benefit the organisation or its clients, unless the organisation can demonstrate it had “reasonable” fraud prevention procedures in place. This offence applies to a wide range of fraud types and aims to shift corporate responsibility towards proactively preventing fraud rather than merely reacting to it.

The types of fraud covered within the FPF are mainly those which were introduced under previous acts, primarily the Fraud Act 2006: fraud by false representation (fabricating information to deceive); fraud by failing to disclose legally required information; fraud by abuse of position (exploiting a position of trust for dishonest gain); participation in a fraudulent business operation; dishonestly obtaining services without payment; false accounting (manipulating records to conceal financial misconduct); false statements by company directors (misleading shareholders or regulators); and fraudulent trading (operating a business with intent to defraud creditors).


It is worth noting that a fraud offence under the FPF provision can be complete even if the organisation gains no actual benefit, as long as the fraudster intended to benefit the organisation—whether directly or indirectly. The benefit could take many forms, including financial or non-financial advantages, such as harming a competitor or gaining an unfair advantage in the market, and it doesn’t need to be the sole motivation for the fraud. For instance, a salesperson inflating sales figures to earn a personal bonus could still create liability if their actions also benefit the organisation. However, organisations are exempt if they are the intended victim of the fraud, such as when it is committed to harm or cause loss to the organisation itself. The good news is that companies can defend against this offence by demonstrating they had “reasonable” fraud prevention procedures in place.

The ‘Associated Person’ framework and the important considerations

Many companies have fraud controls already, but these primarily focus on fraud against the company, either by outsiders or inside fraud. The FPF creates a corporate liability for fraud committed against others by the company’s employees, subsidiaries or ‘Associated Persons’. Interestingly, the Act's definition of ‘Associated Person’ extends liability to fraud committed by those acting "for or on behalf of" an organisation, with "on behalf of" naturally providing a broader scope than "for." While "for" typically refers to formal contractual relationships like suppliers, distributors, or marketers, "on behalf of" covers more flexible arrangements, such as joint ventures, intermediaries, or supply chain relationships, even without a formal contract. This broader scope eliminates the need to prove senior management’s awareness or approval, instead imposing strict liability unless companies can demonstrate implementation of reasonable prevention procedures.

This paradigm shift has far-reaching implications, particularly for corporate groups and multinational entities. It creates a statutory presumption of responsibility that requires companies to implement enterprise-wide fraud controls rather than relying on legal separation between entities. While this aligns with global trends toward increased corporate accountability, it also raises questions about proportionality, as parent companies may now face liability for geographically and operationally remote activities. That said, this scope is not dissimilar to that of previous acts, such as the UK Bribery Act or the Tax Facilitation Act.

Another important element worth highlighting is the FPF’s UK nexus, which means that foreign companies can still fall under UK jurisdiction even if they don’t operate directly in the UK. For example, if a Singaporean company with no UK office or branch makes false claims when buying or selling products to or from a UK citizen or company, it could be held liable—especially if it’s large enough and gains a benefit from the transaction, as defined by the Act. Similarly, a US company with no physical presence in the UK that promotes its business to UK investors and provides misleading information could face fines running into millions of pounds. Such penalties could also lead to exclusion from government contracts in multiple countries.

“Reasonable” fraud prevention procedures

In November 2024, the Home Office published its official guidance, helping organisations to prepare for the FPF offence by focusing on four key areas. First, companies should conduct a tailored fraud risk assessment that evaluates vulnerabilities linked to the fraud triangle framework: opportunity (weak internal controls), motive (financial or performance pressures), and rationalisation (cultural factors enabling unethical justification). This initial assessment should consider risks posed by employees, subsidiaries, agents, or third parties acting on the organisation’s behalf.

Second, the guidance also focuses on how organisations should integrate fraud prevention into existing compliance frameworks by updating their anti-bribery, anti-money laundering, and governance policies to also explicitly include the prohibition of outward fraudulent conduct. Training programmes should accordingly be expanded to address fraud risks, with clear examples of prohibited acts such as falsification of information.

Third, contractual agreements with agents, distributors, and intermediaries should be revised to include fraud prevention clauses, complemented by enhanced due diligence processes (e.g., vetting third parties for prior fraud allegations).

Lastly, companies should establish secure, confidential whistleblowing channels with board-level oversight, such as appointing a Whistleblowing Champion, to ensure allegations are investigated promptly and retaliation risks against whistleblowers are mitigated. These steps collectively could demonstrate implementation of “reasonable prevention procedures,” the statutory defence against liability under the Act.

Corporate Intelligence and how it can support affected organisations

The introduction of the FPF offence underscores the critical need for organisations to conduct thorough due diligence, particularly on what the Act defines as Associated Persons. Businesses will now be legally required to assess the fraud risk posed by employees, contractors, upstream and downstream supply chains, and third-party agents or influencers, whether they have a contractual relationship with them or not, ensuring they are not – even if indirectly – facilitating fraud. This means that due diligence processes must go beyond box-ticking, surface-level checks and include a deep dive into an individual’s or entity’s track record, relationships, liability and risks. For example, an identified history of fraud-related incidents, past regulatory infractions, or unresolved criminal charges should all be considered as red flags, along with high risk exposure to other 'Associated Persons', or engagement in considerable marketing or procurement within the UK. As such, it is essential for companies to adopt a proactive and investigative approach ahead of working with specific third parties or onboarding agents. Failure to do so would naturally result in increased exposure to legal penalties arising from the Act.


The requirement to scrutinise third-party agents is particularly crucial, as these intermediaries often operate with a degree of separation from the core business, potentially masking fraudulent activity. By implementing stronger vetting and continuous monitoring measures, organisations can mitigate the risk of unknowingly facilitating fraud and demonstrate they had “reasonable” fraud prevention procedures to comply with the Act.

It is worth considering that a robust due diligence framework not only protects companies from liability under the new FPF offence but also fosters a culture of accountability and ethical business practices. Organisations that take a comprehensive approach—examining both internal and external risks—will nearly always be better positioned to prevent fraudulent activity before it occurs. Furthermore, by maintaining a transparent and well-documented due diligence process, businesses can provide regulators with clear evidence of their commitment to fraud prevention. In this evolving legal landscape, expert due diligence is no longer just a precautionary measure; it is an essential safeguard against financial and reputational harm.

Q&A
with Gaon Hart

Gaon is currently Managing Director of a corporate consultancy, developing for clients a range of policies, processes, systems, people and technological solutions to manage economic crime risks, focussing primarily on fraud, bribery & corruption, ESG, culture & ethics and money laundering. A former UK Senior Crown Advocate (prosecutor) who specialised in economic crime prosecutions and the UK Lead Prosecutor for public corruption, he straddles both the private and public sectors, also being Chair of the Board and Non-Executive Director for the NHS Counter-Fraud Authority, overseeing policy, prevention, protection and prosecution across the GBP 1.3 billion at risk from fraud across the NHS.

Q: What would be your first advice to businesses that wish to prepare for the Act?

A: Due diligence is often seen as a "plug and play" solution, but often businesses are caught between thinking, "I'm already asking all the right questions," and "I really need to change everything I’m doing." And what I tell them is that the key is evolution, not revolution and to not reinvent the wheel. I have a feeling that when people wake up to the need for due diligence and start implementing it, they'll discover whole new areas of risk. One of these areas will be figuring out how to incorporate due diligence into what regulators are asking for within the fraud triangle model, as this is unlikely to be part of the current due diligence categorisation already in place. You don't want to reinvent due diligence just to bucket it into the three fraud triangle elements, because most companies already have these processes in place and it's more about adding the right new questions. My recommendation right now is: if you have a pre-existing system, stick to it. Instead, review what questions you're already asking, which ones you're not that are relevant to outward fraud, and consider the three elements of the fraud triangle within your output report. A risk assessment will need to take place to ensure your responses fit into those key areas. It's quite a clever way to focus on a more basic review and refine your existing processes.

Q: How significant is the shift in approach introduced by the Associated Persons principle?

A: This follows the terminology in the UK Bribery Act and the Tax Facilitation Act. The requirement is that your company is liable for those who act, "for, or on behalf of you" and the harder part comes with "on behalf of," where you have no contractual agreements, control, or influence over what others do. This means your due diligence needs to be much broader. For instance, if you're in a joint venture arrangement involving multiple companies—say, five companies—and one of them commits a fraud that benefits the JV, everyone could be held liable, whether your organisation has a contractual relationship with them or not. When you consider "on behalf of," this could also apply to areas like procurement, marketing, and sales and to people like influencers who promote your products or services.

Q: What advice would you give to a company in a situation like this, say for example, in a joint venture?

A: Well, one of the advantages of the government's guidance is its realistic approach. It recognises that you have more responsibility over relationships where you have control. This means you can take a lighter touch when you have less control. For example, you can make the ‘parent’ responsible for the ‘child’. In a joint venture, you can clearly tell your partners, "you have the contractual agreement over this party, so ensuring they’re aware of our fraud prevention policies is your responsibility." The best advice for companies more generally is to start by dividing their relationships into two groups: those you have control over and those you have less control over, although it’s a sliding scale, and what the prosecutors will decide is appropriate is yet to be established.

Q: What should companies do regarding those parties that do fall under their responsibility?

A: There are several practical steps companies can take for those parties: incorporate responsibility for outward fraud in the contracts, prepare documents and statements in advance that highlight your expectations on their reasonable controls; provide training to the higher risk population or at least require them to train on the new offence to ensure everyone is on the same page; and potentially set up an external whistleblowing/speak up capability and process, that those that company staff can use. These steps will help companies manage their responsibilities effectively and ensure they're complying with the new regulations.

Q: What changes does the ECCTA bring in terms of enforcement?

A: The fact that this Act will be enforced by prosecutors rather than regulators represents a huge change. This means there's a much greater need to be prepared in advance. Regulators typically enforce rules, but also often work with businesses to ensure compliance. Prosecutors, however, don't operate that way—especially in the UK, where they’re not even allowed to do so. For some businesses, this represents a brand new approach to handling criminal offences. If your company doesn't have any procedures in place, you'll be seen as easy prey. Prosecutors will likely target you because you'll be the "low-hanging fruit." This makes it crucial for businesses to start preparing.

Q: In relation to the UK Nexus of the Act, what are the main areas that businesses should consider?

A: The offence will apply where the 'Associated Person' (employee, subsidiary, agent etc. who act for or on behalf of the organisation) commits a base fraud offence under the law of part of the UK. This requires a UK nexus. The responsible organisation does not have to be incorporated in the UK, have a branch in the UK or even be connected to the UK in any governance manner. An organisation will be liable in the UK, wherever they are incorporated, or based, if: a UK-based employee commits fraud; an employee or associated person of an overseas-based organisation commits fraud in the UK or UK-based victims are targeted; or an element of the offending requires proof from the UK (e.g. potentially the fraudulent funds come from a UK bank account or the fraud uses the UK email system).

Q: Can you describe a scenario where a company based outside of the UK is fined due to its failure to prevent fraud? What questions would prosecutors be looking at when evaluating that company’s accountability?

A: Take a procurement type example:

A US-based company (with no connection to UK) buys widgets from a UK company and negotiates a cheaper price, due to the procurement officer lying about having other cheaper quotes. Work through the appropriate questions to ask:

  • Was there a false representation? The claim to have other cheaper quotes which is a lie;
  • Was the false representation made directly or indirectly (to any system or device)? It was direct to the UK company officers;
  • Was it about a fact, legal position or state of mind? It was about a fact, other cheaper quotes;
  • Was it instrumental in others taking action? It was material as it encouraged the UK company to lower its price;
  • Did the person making the false representation know it was untrue or a lie? They knew they didn’t have cheaper quotes;
  • Was there a benefit to the US company, loss to the UK company, or maintaining of what they already had? It caused the UK company to lower their prices, saving the US company money (benefit) and costing the UK company (loss);
  • Does an element of the offence need to be proven from the UK (email or bank accounts) or was it a false representation to UK citizen in the UK? The company is based in the UK;

As a result, the US company is now liable to a GBP multi-million fine.

It doesn’t matter where you are based, if you are a large organisation or connected to one, and sell to the UK, promote to investors in the UK, buy from the UK etc., this new law makes your organisation liable for a large fine unless you can prove that you have reasonable procedures!


To discuss the fraud prevention offence and how it may impact your organisation, or any other topic covered in this article, please reach out to Mario m.levin@s-rminform.com.
