Economic Crime and Corporate Transparency Act: Expert Insights from Tom Abbey


In our latest conversation, we spoke with Tom Abbey, UK Account Executive at Trustpair, to discuss how the Economic Crime and Corporate Transparency Act (ECCTA) is reshaping corporate responsibility around fraud prevention. With years of experience helping organizations strengthen their financial controls, Tom shares how ECCTA marks a turning point where fraud prevention is no longer optional but a legal obligation.

He explains what the new “failure to prevent fraud” offence means in practice, who is in scope, and how companies can build reasonable procedures that go beyond compliance to create long-term resilience and trust.

Tom also highlights that ECCTA is more than a compliance exercise. It is an opportunity for businesses to rethink their risk management, protect their reputation, and future-proof their operations against evolving threats.

Read on for expert insights, practical steps, and actionable guidance to help your organization stay compliant and confident under ECCTA.

1. Can you quickly introduce yourself and your role at Trustpair?

My name is Tom Abbey and I am UK Account Manager at Trustpair. My role is to manage the sales relationship with our end clients, but equally to work closely with our partners on offering the Trustpair solution to their clients as well.

2. For those unfamiliar, what is the Economic Crime and Corporate Transparency Act, and why is it important for UK businesses?

It’s a new corporate criminal offense introduced under the Economic Crime and Corporate Transparency Act for large organizations that fail to put reasonable procedures in place to prevent fraud by associated persons such as employees, agents, subsidiaries, or third parties. It means the government now has the power to hold companies accountable if someone within their network commits fraud that benefits the business and proper controls weren’t in place.

The rule applies to large organizations with more than £36 million in turnover, over £18 million in assets, or more than 250 employees. ECCTA changes the game: fraud prevention is no longer optional; it’s a legal requirement that demands proactive action and stronger internal safeguards.

3. What kind of changes should UK businesses be aware of now that ECCTA is in force?

It’s particularly relevant when it comes to vendor fraud. The focus is on removing manual handshakes and manual validation steps that create weak points in the process. With the rise of AI-driven and technology-led fraud, manual checks simply don’t hold up anymore. Businesses that fail to modernize could face penalties if they don’t have the right technology in place to automate validation and secure their payment processes. Today, the reality is that around 95% of companies still rely heavily on manual controls, leaving them exposed to unnecessary risk.

4. How does ECCTA influence how companies manage payment fraud and vendor fraud?

ECCTA raises the standard for how companies handle payment and vendor fraud. Many organizations still rely on manual checks, callbacks, document requests, and internal reviews as part of their due diligence and vendor onboarding. Under ECCTA, that won’t be enough. These processes will need to evolve, with greater automation to verify information and detect anomalies in real time. Automating validation helps remove human error and reduces the growing risks of document forgery, AI-led fraud, and other sophisticated scams.

5. Are companies treating this Act as a compliance checklist, or are they actually using it to strengthen their overall fraud defense?

Many companies are still treating ECCTA as a compliance exercise rather than an opportunity to strengthen their overall fraud defense. But it should be seen as a catalyst for change. Last year, 86% of corporates and mid-market businesses were successfully defrauded, which shows just how urgent it is to automate controls and reduce risk exposure.

ECCTA gives organizations a strong reason to start implementing additional checks and smarter processes. The challenge is that many businesses are still unaware of the Act, so for some this will come as a surprise, and without proper procedures in place they could quickly find themselves at risk of penalties.

Many companies are still catching up on what ECCTA means in practice. Use our ECCTA Checklist to understand your obligations and take the right first steps toward compliance.

6. What procedures should they look at first when trying to be more compliant with ECCTA?

If you’re looking at your P2P chain, I’d say if you’re still running callback campaigns through shared business services, global business services, or your AP team, businesses need to look at automating those processes. That removes manual handshakes and manual validation.

7. How does ECCTA raise the bar for internal fraud prevention and third-party risk management?

In raising the bar, businesses, and in particular directors and senior managers, are now liable for fines. It places personal responsibility on them to ensure this is a priority initiative: removing manual processes where possible and employing technology to reduce risk exposure.

A senior manager could be several levels below the board, and the board itself may not know what’s happening. Yet the organisation could still be held liable. This makes it even more important for companies to implement clear ownership, accountability, and transparent reporting across all levels of management.

8. What kind of internal controls and tools are now essential for compliance for risk and finance teams?

Having a technology-first approach to P2P. That means having a procurement onboarding platform or portal to streamline data capture, an ERP where master data is secured and stored, with shared responsibilities so no one has total control of a process. A treasury management system (TMS) is also essential to prevent payment files from being manipulated or tampered with at the final stage.

Within this ecosystem, Trustpair adds an extra layer of protection, performing multiple verification checks throughout the entire process, from vendor onboarding to final payment, ensuring every transaction is accurate, compliant, and secure.


9. What role does vendor data quality play in complying with ECCTA requirements?

At the moment, businesses typically have static data when it comes to master data, especially within the supplier ecosystem. Letting it sit statically allows fraud risk to grow. It creates opportunities for manipulation or internal fraud and also leads to payment errors down the line.

By doing nothing, you’re allowing risk to incubate through poor procedures and manual intervention.

10. What mistakes do you commonly see businesses make when they are trying to improve their fraud prevention processes?

The biggest mistake is outsourcing to someone abroad to do the task manually. We come across this the most. But it isn’t fit for purpose, isn’t scalable, and won’t defend against modern fraud like automation or AI deepfakes.

It might solve the problem for a few months, but it isn’t a long-term strategy, especially under this regulation.

11. What should be the ideal long-term strategies for companies then?

A total removal of manual processes where possible. Ensure everything is automated. Remove manual handshakes. Remove full ownership of processes. Use automation and direct banking sources for bank account verification.

12. What long-term changes do you think ECCTA will bring to UK businesses?

Fraud, especially vendor fraud, hasn’t really been anyone’s responsibility until now. But this will fall into the office of the CFO and also CTO/IT functions, including cybersecurity. It will become a full business initiative involving everyone: compliance, IT, and finance. ECCTA is more than just compliance; it’s a chance to build lasting resilience and trust.

13. If you could offer a few strategic recommendations to risk and finance leaders post-ECCTA, what would they be?

The biggest one is to take ownership; don’t wait for someone else to lead. Act now, because the regulation is already in force. And finally, look to technology to close the gap. Don’t just hire more people; use technology to address your risk exposure effectively. Those who act early will not only stay compliant; they’ll strengthen their business against the next wave of fraud.


ECCTA: key takeaways

  • ECCTA makes fraud prevention a legal obligation. Large organizations can now be held criminally liable if an employee, agent, or subsidiary commits fraud that benefits the company and no reasonable prevention procedures were in place.
  • Automation is now essential to meet ECCTA standards.
  • Vendor data quality is a hidden compliance risk. Static or outdated supplier data allows fraud risk to grow. Keeping vendor information continuously verified and up to date is critical for ECCTA readiness.
