The Economic Crime and Corporate Transparency Act 2023 (ECCTA) was intended to mark a pivotal shift in corporate governance and the battle against fraud. Receiving Royal Assent just over a year ago, the Act seeks to deploy ever more stringent measures to tackle fraud, particularly emanating from within large organizations based in the UK.
The latest guidelines to the Act, which set out guidance around the new failure to prevent fraud offence (coming into effect for larger organizations in September 2025), make interesting reading.
Pressure on the C-suite
This legislation appears to have been influenced, in part, by the global clamor for transparency. The “failure to prevent fraud” offence aims to exert pressure on those at the top of larger organizations to ensure that those at the bottom are following and enforcing compliance. Why? Because for far too long fraud investigations have floundered at the bottom of the corporate rung, while those at the top of the ladder effectively washed their hands of any problems. The claim was always that it was impossible to have a handle on everything happening in the company.
This “ignorance is bliss” defence was often used when I was investigating cases as part of the Fraud Squad. In some cases, it was impossible to break down this defence. After all, how can you prove dishonesty when an individual was (allegedly) unaware of their minions’ actions?
Breaching this defence is less problematic in civil cases, where the balance of probabilities comes into play. In criminal cases, however, claiming ignorance can be terminal to an investigation. Indeed, many astute fraudsters build this particular defence as they propagate their fraud. They know that “firewalling” themselves from the sharp end (of committing a crime) can be an effective defence.
Standard of criminal burden
Then there are the complexities inherent in the day-to-day cross-border activities of multinational companies. With so many tentacles and entanglements, you can end up with an investigation which becomes problematic for law enforcement to investigate to the standard of criminal burden. These costs and resource implications would likely see them walking away from an investigation.
However, in this instance, if we read between the lines, it may be that the legislation could put a chink in the fraudsters’ armor. Perhaps not to the criminal burden of proof, but certainly failure to follow the rules may in turn leave them vulnerable to civil wrongdoing and the financial consequences of this sort of breach.
Let’s be clear, most organizations are profit driven and pay their employees in line with their successes. This profit-driven and bonus-driven culture lends itself to turning a blind eye whenever it suits. “Wilful ignorance” may be an effective defence in a criminal court, but it may prove a severe weakness in a civil court.
By emphasizing that organizations are now directly accountable for the behavior of their staff – that they are responsible for actively preventing fraud committed by their employees, agents or subsidiaries – the UK government may well have inadvertently hit upon a winning formula in creating this new offence.
As a career investigator still plying my trade nearly 43 years after becoming a cop, I am acutely aware of the pressure that law enforcement organizations are under to arrest and convict fraudsters. Arresting them is one thing, though: convicting them is another. Now the onus for maintaining a “steady ship” and navigating a straight course through both the legal and regulatory mire has been firmly shifted onto the upper echelons of management.
The legislation exerts pressure on larger organizations (those with 250+ employees, £36m ($47m) + in turnover, or £18m ($23m) + in assets) to take the burden and increase awareness and vigilance where their line of business could lend itself to fraudulent conduct by their employees. The pressure is now on them to be seen to invest in systems that will prevent employees, agents and subsidiaries from committing fraud.
Indeed, the Act expects these large organizations to anticipate and prevent acts that would ordinarily be considered outside of their reach. This is a tough task, given the implications it raises. However, I think that if organizations can be seen to embrace and aspire to prevent this type of fraudulent behavior, it may prevent them falling foul of the Act and would at least provide mitigation should they find themselves under investigation.
What is ‘reasonable’?
Organizations are expected to set up “reasonable fraud prevention procedures”. The key word here is “reasonable”. Although that sounds straightforward, it would surely vary depending on the organization’s sector and wealth, and the ability to invest resources to combat the problem and meet expectations.
These expectations would likely raise anticipation of transparent auditing procedures, as well as identifying and implementing new best practices. Additional compliance measures will likely see regulatory expectations rise, along with all the inherent increase in costs, notwithstanding the inertia that increased know-your-customer (KYC) measures and due diligence inevitably bring to the business process.
The word “reasonable” also generates ambiguity and raises the question: is it practical to expect organizations to prevent every possible fraudulent transaction? This uncertainty, at least in the short term, may lead to over-compliance, creating administrative burdens that may not necessarily address the root causes of fraud.
The territorial reach of the Act may have already caused some trepidation among CEOs and C-suite executives. Likely they will need people to try and lead them through the labyrinth of potential pitfalls. Reconciling regulatory practices in the UK with those abroad may become common practice. The problem is that devising an all-encompassing regulatory process that appeases all international requirements is impossible. Devising a viable system that evidences that an organization is at least aiming to meet the threshold may be advisable, rather than overcomplicating and missing the objective completely.
The new guidance also requires relevant organizations to consider their entire operational footprint, in whatever jurisdiction they have representation. Multinational organizations may find themselves facing conflicting demands from the UK and those countries where they have other central operations, creating a compliance paradox that could be insurmountable. Do they put the UK demands first, or do they prioritize the demands of the foreign jurisdictions?
On the chopping block
Additionally, what of the smaller businesses that fall under this legislation? Perhaps lacking the budgets to implement top-tier systems that will appease all the guidelines, how will they cope with the demands? Well-intentioned legislation and guidelines often lead to disparate and fragmented responses from organizations who are genuinely confused by the demands being placed upon them.
Fragmented responses are as dangerous as no response at all. Without uniformity and consistency of guidance, we will end up with opinion-based management processes that we must avoid at all costs. Opinions are welcome in blogs, but mayhem will ensue if we leave processes to well-intentioned professionals and their individual interpretations. Risks will vary from enterprise to enterprise: companies importing goods for resale in the UK will face different risks to those of a software company or oil exploration firm.
It is possible that the demands being placed upon organizations will drive innovative solutions, including those involving artificial intelligence. I am certain that there will be software companies that have already begun designing monitoring and reporting solutions that the rich few will be able to afford and install. But what about those that have less expendable income to invest?
Issuing printed guidelines is all well and good, but there is more need than ever for specialist advice to be made available to organizations that fall under the new failure to prevent fraud offence. The Act and guidelines present a monumental task for the companies affected. The commercial and reputational damage that could be caused if they get it wrong may lead not only to punitive fines and sanctions, but could see corporate heads being put on (proverbial) chopping blocks.
As a tool for focusing attention and effort, the guidance will definitely hit the spot. As always, we should all reserve judgement to see how the new legislation works in practice.
Tony McClements is head of Investigations at Martin Kenney & Co (MKS), an international asset recovery litigation practice based in the British Virgin Islands.