The landscape of corporate accountability in the UK has shifted significantly with the passing of the Economic Crime and Corporate Transparency Act (ECCTA). While the Act contains many provisions, one stands out as a particular source of anxiety for boards and compliance officers: the new failure to prevent fraud offence.
This new strict liability offence changes the rules of engagement. Historically, prosecutors needed to prove the "directing mind and will" of a company was involved in wrongdoing—a notoriously difficult hurdle. Under the new regime, if a specified fraud offence is committed by an "associated person" (an employee, agent, subsidiary, or anyone performing services for you) for the organization's benefit, the organization itself can be held criminally liable.
The implications are severe: unlimited fines and significant reputational damage. Currently, this applies to "large organizations" (meeting two of three criteria: more than 250 employees, over £36m turnover, or over £18m in gross assets), but the direction of travel suggests smaller firms should also take note as best practices evolve.
Crucially, the Act provides only one defence: the organization had "reasonable prevention procedures" in place at the time of the fraud.
This raises the multi-million-pound question: what currently constitutes "reasonable"?
The Ministry of Justice has provided guidance structured around six core principles, including top-level commitment, risk assessment, and monitoring. However, the guidance makes one thing abundantly clear: a static anti-fraud policy, buried somewhere on the company intranet and signed off annually, will no longer cut it as a "reasonable procedure."
In the modern business environment—characterized by high volumes of digital transactions, remote workforces, and complex supply chains—"reasonable" implies agility, visibility, and continuous oversight.
To adhere to the new law, companies must transition from reactive compliance frameworks to proactive, data-driven risk management.
Building a defence against this new offence requires a fundamental rethink of how your organization detects behavioural anomalies.
Traditional fraud risk assessments are often periodic, interview-based exercises conducted on spreadsheets. They offer a snapshot in time that is often outdated by the time it’s published.
The new requirement demands a continuous understanding of your risk profile. You need to know not just where fraud might happen in theory, but where the indicators are flashing red right now. This requires moving away from manual sampling and towards analyzing 100% of your operational data. Modern governance platforms are essential here, providing the ability to ingest vast datasets across silos—finance, procurement, HR—to identify emerging patterns of risk that human auditors would inevitably miss.
The definition of "associated person" is broad. It’s not just your payroll staff; it’s agents in overseas territories, crucial suppliers, and joint venture partners.
"Reasonable procedures" mean conducting proportionate due diligence on these third parties, not just at onboarding, but throughout the relationship lifecycle. If an agent’s behaviour changes—for example, a sudden spike in entertainment expenses or unusual invoicing patterns—your organization needs to know immediately. Relying on annual attestations from these third parties is insufficient; you need independent verification through ongoing data monitoring.
Perhaps the most critical shift is the move towards continuous monitoring. The MoJ guidance emphasizes that procedures must be kept under review and adapted.
You cannot effectively monitor thousands of employees and agents manually. "Reasonable" in 2024 and beyond means leveraging technology that can operate 24/7, establishing baselines of normal behaviour for different roles and regions, and instantly flagging deviations. This isn't about a lack of trust in employees; it's about having the necessary controls to protect both them and the organization.
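The baseline-and-deviation monitoring that the two preceding paragraphs describe (baselines per role and region, a sudden spike in an agent's entertainment expenses) as an added illustration; this is not Continual's code or part of the original post. It assumes monthly expense totals have already been extracted into (person, role, region, month, spend) tuples, uses constructed figures, and scores each month against a robust median/MAD baseline rather than mean/standard deviation so a single outlier cannot inflate its own peer group's baseline.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data, not real figures: monthly entertainment spend (GBP) per
# associated person, tagged with role and region so each peer group gets its own baseline.
EXPENSES = [
    ("agent-01", "sales-agent", "EMEA", "2024-01", 410),
    ("agent-01", "sales-agent", "EMEA", "2024-02", 390),
    ("agent-01", "sales-agent", "EMEA", "2024-03", 450),
    ("agent-02", "sales-agent", "EMEA", "2024-01", 400),
    ("agent-02", "sales-agent", "EMEA", "2024-02", 420),
    ("agent-02", "sales-agent", "EMEA", "2024-03", 380),
    ("proc-01", "procurement", "UK", "2024-01", 120),
    ("proc-01", "procurement", "UK", "2024-02", 130),
    ("proc-01", "procurement", "UK", "2024-03", 110),
    # Month under review: agent-01's entertainment spend jumps more than fourfold.
    ("agent-01", "sales-agent", "EMEA", "2024-04", 1900),
    ("agent-02", "sales-agent", "EMEA", "2024-04", 430),
    ("proc-01", "procurement", "UK", "2024-04", 140),
]
BASELINE_MONTHS = {"2024-01", "2024-02", "2024-03"}

def robust_baselines(records, months):
    """Median and MAD of spend per (role, region) over the baseline months."""
    groups = defaultdict(list)
    for _person, role, region, month, spend in records:
        if month in months:
            groups[(role, region)].append(spend)
    baselines = {}
    for key, values in groups.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # guard against a zero MAD
        baselines[key] = (med, mad)
    return baselines

def flag_deviations(records, month, baselines, threshold=3.5):
    """[(person, score)] for spend in `month` whose modified z-score exceeds the cut-off.
    Score is 0.6745 * (x - median) / MAD; 3.5 is the conventional threshold."""
    flagged = []
    for person, role, region, m, spend in records:
        if m != month or (role, region) not in baselines:
            continue
        med, mad = baselines[(role, region)]
        score = 0.6745 * (spend - med) / mad
        if score > threshold:
            flagged.append((person, round(score, 1)))
    return flagged
```

Each review cycle rebuilds the baselines from the preceding months and scores only the month under review, so the record of what was flagged and when forms the audit trail the next paragraph calls for.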
At Continual, we see this shift daily. Organizations are realizing that to satisfy prosecutors that their procedures are "reasonable," they need an audit trail showing not just that a policy existed, but that a system was actively looking for breaches of that policy and that the company acted on the intelligence gathered.
The ECCTA’s failure to prevent fraud offence is a clear signal that the UK government expects businesses to take ownership of their ecosystems. Compliance is no longer a cost centre to be minimized; it is a critical shield against catastrophic liability.
By embracing a continuous, data-led approach to risk management, companies can do more than just avoid fines. They can build more resilient, transparent, and trustworthy organizations.
Experience the power of supplementing your ethics and compliance program with AI. Schedule a personalised demo now to see how our advanced platform can give you clearer risk insights and better corporate governance.