
We have been reporting on the impact of the new ECCTA rules since the Act became law in 2023, as its measures are introduced over a period. The most recent notification concerned the mandatory identity verification for directors and persons of significant interest. More details can be found HERE.
The Act introduces the measure that all businesses will need to include a profit and loss account as part of their accounts filed at Companies House from April 2027.
The Act is intended to prevent or minimise fraud and introduces a new offence of failure to prevent fraud, which became effective on 1 September 2025. The new offence only applies to a “relevant body” (see below), which can be held liable if an associated person (e.g. an employee, agent or subsidiary) commits fraud offences intending to benefit the organisation (or, in certain cases, its clients). The organisation must have failed to have reasonable fraud prevention procedures in place. Having such procedures is a defence, but they must be robust, implemented and enforced, i.e. no “lip service”.
The key point is that the offence only applies to large organisations. To count as a “large organisation”, a body must meet at least two out of the three criteria below in the financial year preceding the year of the fraud offence:
- More than 250 employees;
- Turnover of more than £36 million;
- Total assets of more than £18 million.
A large organisation includes corporates, partnerships and charities.
The above will exclude all HK clients, but this part of the ECCTA should not be ignored. Firstly, it is a rolling test: “meet at least two out of the three criteria below in the financial year preceding the year of the fraud offence”. Secondly, although small businesses are exempt, the guidance says that even if you are not caught by this specific offence, the same principles of good practice (fraud risk assessment; prevention procedures) are still relevant.
The new guidance outlines a range of offences; however, all companies, even those that are not large organisations, are within the bribery measures under the Bribery Act and are required to prevent the facilitation of tax evasion under the Criminal Finances Act. See our article.
There are few defences to the failure to prevent fraud: for bribery, proving that procedures are ‘adequate’, and for tax/fraud offences, showing that they are ‘reasonable’. However, the joint guidance under the ECCTA states that prosecutors must consider other factors, including systemic compliance failings; board-level knowledge or wilful blindness; or ignoring prior warnings or sanctions.
Mitigation factors outlined in the guidance include early self-reporting, a compliance culture that is ‘mature’ and remediation that is ‘genuine’, i.e. not just having a process in place, but making sure it is being followed and, where required, enforced.
Investigators are being encouraged to use asset restraint orders early on and, at sentencing, serious crime prevention orders and director disqualification orders. The Act has serious implications, and it is highly likely that prosecutions will take place to show the impact of the Act.
The failure to prevent fraud offence under ECCTA will not apply to most HK clients. However, given the other rules and regulations already highlighted, businesses will still require internal procedures and processes to minimise their own internal risks and to avoid breaking the law. We are seeing several larger buyers asking on due diligence what clients have in place and, more recently, an investment fund with a stake in a start-up requesting that measures be put in place. This is not just for large businesses!
A straightforward example of how Harbour Key could be prosecuted for failure to prevent tax evasion: a client informs a team member that they have incurred an expense that is not allowable for tax purposes, and the employee disregards this information, permitting the expense to be claimed regardless.
Measures businesses need to consider:
- Making sure that senior management/persons assume responsibility for fraud and bribery risks, setting zero-tolerance policies, and applying oversight mechanisms;
- Updating fraud and bribery risk assessments in relation to the business, its clients, its employees, contractors, suppliers, etc.;
- Implementing principles-based control measures and applying them to the risks identified, with ownership commitment to the implementation, proportionate procedures, due diligence, communication and training, and monitoring and reviewing;
- Creating robust onboarding, renewal, and due diligence procedures for third parties: customers, intermediaries, joint venture partners, and vendors;
- Having systems in place to enable staff to report suspicious activity, and internal systems to log the reports and the investigations of those reports;
- Delivering role-specific and risk-based training that encompasses potential fraud and bribery scenarios, maintaining uptake records and refreshing them regularly;
- Regular reviews/audits of the internal systems and processes.
The ECCTA is one aspect of legislation that just adds extra compliance and work for corporate business owners; however, if anything goes wrong, the implications can be severe. Therefore, focussing on process and procedures, as well as employee education, should protect the business and the business owners.