The Economic Crime and Corporate Transparency Act (ECCTA) introduces a new corporate offence: failure to prevent fraud, applied to large organisations since 1 September 2025.
The rule is simple but far-reaching: if an employee, subsidiary, or agent commits fraud that benefits your company, the business itself can be held criminally liable. That could be as ordinary as a sales manager exaggerating ESG data in a bid, or an overseas agent inflating invoices. If the company gains, liability follows. The only defence is to prove you had “reasonable procedures” in place to prevent fraud. For finance leaders, that means demonstrating clear governance, robust processes, reliable data, and strong oversight of third parties. For years, UK corporates were hard to prosecute under the old “directing mind and will” test, which focused narrowly on board-level intent. ECCTA changes that, extending liability to senior managers and lowering the bar for enforcement.
This checklist helps you:
- Understand your risk exposure under ECCTA.
- Identify gaps in your fraud prevention framework.
- Benchmark against official guidance and insights.
What’s Changed Under ECCTA
Who’s in scope?
The failure to prevent fraud offence only applies to large organisations. Your company is in scope if you meet two out of three thresholds:
- Annual turnover above £36 million
- Balance sheet total above £18 million
- More than 250 employees
(These figures apply at group level. If you’re a parent company, you must add up the turnover, assets, and employees of all subsidiaries when assessing whether you qualify.)
Since when does it apply?
The offence has been live since 1 September 2025. From that date, any company meeting the thresholds can face criminal liability for fraud committed by people acting on its behalf.
What does liability mean?
- In scope: If an employee, subsidiary, or agent commits fraud that benefits the company (for example, a sales manager exaggerating ESG metrics to secure a contract), the company itself can be prosecuted.
- Out of scope: If the company is the victim of fraud, for example targeted by an external payment scam, the offence does not apply (although the financial and reputational damage remains very real).
| Aspect | Before ECCTA | After ECCTA |
| --- | --- | --- |
| How companies were prosecuted | Prosecutors had to prove board members were directly involved. Very hard in large organisations. | If a senior manager is involved, the company can be held liable. Easier to prosecute. |
| Corporate offence | There was no specific crime for failing to stop fraud. | A new offence exists: companies can be guilty if someone acting for them commits fraud that benefits the business. |
| Who is included | Only directors and top executives were in scope. | All employees, subsidiaries, agents, and third parties can trigger liability. |
| Possible defence | Companies could only argue they didn’t know about the fraud. | Companies can defend themselves if they can show they had “reasonable procedures” in place to prevent fraud. |
The Six Pillars of Reasonable Procedures
Governance
Liability under ECCTA goes beyond the boardroom. Anyone with significant decision-making authority could expose the company. A regional finance head approving supplier tenders without oversight might manipulate terms to secure business. If the company benefits, the whole organisation can still be held liable.
The question you should ask yourself: Do you know who your senior managers are, and is accountability clear?
Processes
What this means for you: Fraud risk isn’t confined to finance. ESG disclosures, tender bids, and tax filings can all create liability if manipulated. For instance, inflating carbon reduction figures to strengthen a tender may help win a contract, but the misstatement still triggers corporate liability.
The question you should ask yourself: Are fraud risks assessed across ESG, procurement, tenders, and tax?
Training
Generic training rarely prepares teams for the risks they face day to day. Without tailored instruction, red flags can slip through. A procurement officer might approve duplicate invoices without realising it’s a fraud pattern, creating losses and exposure.
The question you should ask yourself: Do staff receive role-specific compliance training (procurement vs finance vs ESG)?
Monitoring
Fraudsters adapt faster than static frameworks. Controls that worked once may now fail. A supplier’s bank details may have been checked at onboarding, but if never reviewed again, criminals could take over the account and divert payments.
The question you should ask yourself: Are you monitoring both fraud risks and fraud controls over time?
Data
Outdated or unverified vendor data is a major weakness. Manual callbacks and spreadsheets are easily bypassed, especially with AI-driven scams. Picture AP phoning a supplier to confirm new bank details, only to be fooled by a deepfake voice. Payments are rerouted and the company suffers the loss.
“Manual handshakes no longer stack up. With AI-led fraud, businesses need technology-driven validation.” – Tom Abbey, Trustpair
The question you should ask yourself: Is vendor and transaction data continuously validated and reviewed?
Third-Party Oversight
Fraud risk doesn’t stop at your company borders. Subsidiaries, agents, and distributors are all in scope. A distributor abroad might inflate invoices to increase commissions, making group revenue look stronger. The UK parent benefits – and liability still applies.
The question you should ask yourself: Do your subsidiaries, agents, and suppliers fall within your prevention framework?
Five Actions to Take To Be ECCTA Compliant
The failure to prevent fraud offence came into force on 1 September 2025. Organisations need to act now to ensure they have effective fraud prevention procedures in place. These five steps provide practical actions to move from awareness to implementation.
Map senior managers and clarify responsibilities
- Identify who qualifies as a senior manager under ECCTA – not just board directors, but anyone with significant decision-making authority.
- Define responsibilities for fraud prevention across compliance, finance, procurement, and operations.
- Ensure governance structures and escalation routes are clearly documented.
Review Schedules 12 & 13 to identify offences that trigger liability
- Schedule 12: Lists offences where senior manager misconduct can be attributed to the company.
- Schedule 13: Lists the fraud offences covered by the failure to prevent fraud provision, including false accounting, misstatements to investors, and cheating the public revenue. Map these offences to your business activities to see where risks may arise.
Audit whistleblowing reports for recurring fraud themes
- Review past whistleblowing cases, audit findings, and compliance investigations.
- Look for patterns – repeated ESG misstatements, vendor disputes, or anomalies in reporting.
- Use these insights to strengthen your fraud risk assessment and prevention framework.
Replace manual controls with proportionate, scalable solutions
- Stop relying on manual callbacks, spreadsheets, and email checks to verify vendor details.
- Automate key controls such as vendor account validation, data cleansing, and anomaly detection. Solutions like Trustpair make these checks continuous, reliable, and far less prone to human error.
- Adopt scalable, technology-led solutions that reduce human error, increase auditability, and strengthen compliance.
“Manual handshakes no longer stack up. Businesses need technology-led validation to reduce risk exposure, and that’s why at Trustpair we focus on giving companies a reliable way to continuously verify vendor data.” – Tom Abbey
Tailor training and procedures by function and jurisdiction
- Avoid one-size-fits-all compliance.
- Train staff in procurement, finance, tax, and ESG on how fraud risks show up in their daily roles.
- Adapt training for regional teams to reflect local laws and risk profiles.
- Reinforce learning regularly, not just once a year.
ECCTA Real-Life Examples
Example 1: ESG Misstatements
Scenario: A company falsely claims its raw materials are responsibly sourced, its waste is recycled, or that it complies with fair labour practices.
Would ECCTA apply? Yes, if the misstatement benefits the company. For example, if false ESG claims help the firm win contracts, attract investors, or secure financing, the organisation could be criminally liable.
Example 2: Vendor Underpayments & Rebate Manipulation
Scenario: A procurement team deliberately miscalculates supplier rebates or misreports royalties owed to vendors, reducing amounts payable.
Would ECCTA apply? Yes, if the organisation gains a financial advantage. Reducing liabilities or inflating profits, even indirectly, falls within scope.
Example 3: Manual Callbacks vs Automated Validation
Scenario: An accounts payable team validates supplier bank account changes by phone. Fraudsters use AI-generated voices or forged documents to bypass these checks.
Would ECCTA apply? Yes, if weak manual controls enable fraud that benefits the company. If payments are diverted or liabilities reduced due to inadequate procedures, the company could face prosecution.
“95% of businesses still rely on manual processes. With AI-led fraud, manual handshakes no longer stack up.” – Tom Abbey
These examples show that ECCTA liability isn’t limited to headline-grabbing financial scandals. Everyday processes, from ESG reporting to vendor payments, can trigger exposure if fraud benefits the organisation and “reasonable procedures” are not in place.
To conclude
ECCTA is not just another compliance obligation. It reshapes corporate liability, shifts responsibility onto senior managers, and creates a new corporate offence that will test the resilience of your fraud prevention framework. For leaders in compliance, risk, and finance, the message is clear: act now.
- Map exposure.
- Close framework gaps.
- Replace manual checks with scalable, technology-driven solutions.
- Strengthen governance, training, and oversight.
Done right, ECCTA can be a catalyst: transforming fraud prevention from a reactive cost centre into a strategic enabler of trust, resilience, and ethical growth.
Trustpair can play a role in making this shift possible. It automates vendor account validation and keeps supplier data up to date, removing the weak spots created by manual checks. This can help your organisation reduce fraud risk and show that reasonable procedures are in place – two essentials under ECCTA.