Understanding ECCTA: the new duty to prevent fraud, what should HR be thinking about?

What are the sanctions?

If convicted, large organisations could face an unlimited fine and significant reputational damage.

While the new regime does not include provision for individual liability on the part of senior managers or directors, it is possible that individuals who have committed the fraud offence might be held personally liable under the relevant criminal offence.

Those working in regulated sectors will need to be mindful of any potential regulatory exposure too.

What does the defence mean in practice, and how can HR help their organisations ensure they are doing all that they can to prevent fraud?

As mentioned above, the offence will only have been committed if "the organisation does not have reasonable fraud prevention measures in place".

There is no definitive checklist of what demonstrates "reasonable" fraud prevention, and the legislation does not set out prescribed steps. What is reasonable will depend on your businesses' size, structure, operations and risk profile. The greater the risk of fraud in the business (or a specific area), the stronger controls need to be.

Impacted organisations should consider the Government Guidance published in November 2024 which outlines six core principles to consider when designing a fraud prevention framework. The guidance is not binding, but it does provide a helpful structure to follow.

It suggests the nature and extent of exposure should be assessed in a way that is dynamic, documented and kept under regular review. There is also a clear expectation that organisations will at a minimum carry out a risk assessment (and document that they have done so).

What are our practical tips based on the six key principles?

1. Carry out a (tailored) risk assessment

• Tailoring is key – your risk assessment should assess the likelihood and impact of fraud based on how and where your specific business operates.
• Assign "risk owners" – think carefully about who is involved in assessing risk and ensure they know your business. These individual(s) could be assigned as key "risk owners" with responsibility for monitoring the effectiveness of any prevention measures. A multi-disciplinary approach is to be encouraged. This could involve those from HR working with legal, compliance and risk management teams to ensure a coordinated and consistent approach to risk management.
• Think about the "fraud triangle" and high-risk areas / people – the fraud triangle identifies three key conditions that contribute to fraud. They are (1) opportunity – arising from weak controls or inadequate oversight; (2) motive – perhaps driven by the stress of meeting targets; and (3) rationalisation – belief that it is causing no harm, or everyone does it. Common examples of high-risk areas include sales, procurement and performance-based bonuses. Think about jurisdictional issues too, does your assessment need to go wider than the UK?

2. Secure top-level commitment

What this looks like practically will differ across organisations, but in all organisations, it is likely to include leading by example and communicating / endorsing the organisation's stance on fraud prevention.

In practice that will mean:

1. Making fraud a regular leadership / board agenda item – the "risk owners" mentioned earlier should have a direct line to the board, ensuring fraud risk is regularly discussed at the highest level. The same rules should apply to senior leaders as to other employees.
2. Allocating sufficient budget and resource – proper funding and dedicated resources are needed to facilitate a successful fraud prevention framework.
3. Communication – the framework should be clearly articulated and appropriately communicated across the organisation. It should be leadership led, with clear signposting on where to direct concerns.

3. Proportionate risk-based prevention measures

The Guidance recognises that existing work does not need to be duplicated. It also makes clear that compliance processes for existing duties will not be sufficient in and of themselves.

Practically, organisations should consider:

1. Reviewing contracts – including those with "associated persons" and reviewing / adding in anti-fraud clauses. Consider in particular including an obligation on employees and senior executives, particularly those in finance, sales and procurement, not to engage in or facilitate fraud, a duty to report any suspicion of fraud and to comply with any anti-fraud policies and procedures.
2. Review policies and procedures – ensure it is clear that a zero-tolerance approach will be adopted to foster ethical behaviours. Consider reviewing and updating disciplinary policies to ensure fraud is an example of potential gross misconduct.
3. Strengthening existing controls and reporting channels – think about the relevant reporting channels already in place. Subject to compliance with legal obligations, consider screening candidates (regardless of seniority) at the point of hire where potential risk is identified. Think too about the appropriateness of carrying out ongoing regular checks. Would monitoring of workforce activity in areas identified as 'at risk' be appropriate and if used be compliant with the obligations contained in the GDPR and Data Protection Act 2018? Are your whistleblowing policies fit for purpose, are they well publicised and easily accessible across the organisation?
4. Documenting decisions – if your current policies and systems are considered sufficient to address certain risks, record how and why that conclusion was reached.

4. Due diligence

Due diligence should be used to mitigate identified fraud risks. In practice, this will mean:

1. Considering and documenting any existing weaknesses – it may be that some need to be revisited and tweaked to screen for fraud as needed.
2. Enhancing diligence – including carrying out media and reputational screening to help flag risks that might not otherwise be identified
3. Strengthening recruitment and onboarding practices – as mentioned above does your organisation carry out sufficient pre-employment vetting checks? Do not ignore anomalies in the information presented to you - be curious and investigate.

5. Communication & Training

Fraud prevention only works in practice if the whole organisation knows what to do when they spot something suspicious. Establishing and maintaining robust communications and training programmes is very much at the heart of this.

Practically, this will mean:

1. Training – this should be regular, practical and tailored to the needs of different roles and / or different parts of the organisation.
2. Record keeping – accurate and up-to-date training records should be kept as they can help demonstrate how the organisation has communicated its stance. They also help with monitoring and follow-ups.
3. Engagement surveys – existing staff engagement surveys can provide valuable insights to help determine where and what type of fraud prevention measures might be needed. For example, by identifying whether particular parts of the organisation report being under resourced or under pressure to perform.

6. Ongoing Monitoring & Review

Having the best compliance systems and processes in the world is of course of no use if you do not routinely monitor and review the effectiveness of their operation.

Fraud risks evolve, so prevention measures must be continuously assessed and adapted.

With all of this in mind, here are our key takeaways:

1. Prevention is better than cure – the first priority is to protect the business from fraud occurring, as much as it is providing a defence if it does.
2. Taking no action is unlikely to provide an effective defence – organisations must be able to demonstrate proactive prevention steps and not being able to do so could be costly, in financial, reputational and potentially regulatory terms too.
3. No "one size fits all" approach – what is reasonable depends on the organisation, so a holistic tailored approach to the fraud prevention framework is key.
4. No need to reinvent the wheel – good starting points will likely already be in place and the Guidance is clear that this work does not have to be duplicated. That said, linking back to the above, do bear in mind that relying on existing measures alone will not be enough.
5. Not a one-off exercise – keep records, keep revisiting them and respond to any changes in risk profile promptly.

If you have any questions about the issues raised in this article, please get in touch with Anna Fletcher or Kiran Gosal. To receive future articles in our Understanding ECCTA series and related insights, sign up to our mailing list.