11th Aug 2025

How to strengthen your fraud controls before the September 2025 legislation takes effect

From September 2025, a new legal duty will fall on organisations across the UK: the obligation to prevent fraud under the new ‘Failure to Prevent Fraud’ offence. Introduced as part of the Economic Crime and Corporate Transparency Act (ECCTA), this law is aimed squarely at corporate accountability. If fraud is committed by an employee or agent for a company’s benefit, the business can be prosecuted unless it can show it had “reasonable procedures” in place to prevent it.

 

This article explores what that means in practical terms, and how businesses can tighten their fraud control framework to prepare for the upcoming enforcement date. For legal, finance, and risk professionals, the clock is ticking.

 

You can read the official government policy paper on the offence here.

 

What does the new law say?

The ECCTA’s ‘Failure to Prevent Fraud’ offence will apply to large organisations, that is, those meeting two of the following: over 250 employees, more than £36 million in turnover, or over £18 million in assets. These businesses can be held criminally liable if they fail to stop associated persons (employees, agents, subsidiaries) committing fraud for the organisation’s benefit.

 

There is a defence, but it hinges on your ability to prove your anti-fraud controls were “reasonable”. So the real question becomes: are your current fraud controls enough?

 

Why businesses need to act now

The law takes effect in September 2025, but establishing and embedding effective fraud prevention procedures takes time. Simply updating a policy or sending an email to staff won’t cut it. To demonstrate you’ve taken fraud and risk management seriously, your controls need to be:

 

  • Proportionate to the size and nature of your organisation
  • Fully documented
  • Regularly reviewed and enforced
  • Integrated into your broader fraud & risk management framework

 

That is why now is the time to conduct an internal fraud control health check, find where the gaps are, and make sure your company can hold its own whenever it is challenged.

 

Step 1: Conduct a thorough fraud risk assessment

Everything starts with a strong understanding of your exposure. A fraud risk assessment should look at every facet of your operations, identifying where fraud could realistically occur and how likely or material those risks are. Areas that deserve special focus include:

 

  • Payment processes and authorisation chains
  • Supplier and customer due diligence
  • Expense claims and procurement procedures
  • Insider threats (e.g. payroll fraud, data misuse)

 

AccessPay’s platform is built to strengthen fraud and error prevention across the finance function, particularly in high-risk areas like payments and cash management.

 

Step 2: Review and update your fraud control framework

Once you’ve assessed your risk landscape, it’s time to review your existing anti-fraud controls. Ask yourself:

 

  • Are policies and procedures clearly documented and accessible?
  • Do controls to prevent fraud span all departments and subsidiaries?
  • Are approval thresholds and segregation of duties consistently enforced?
  • Is transaction data monitored for anomalies in real time?

 

If the answer to any of these is ‘no’ or ‘not sure’, that’s a red flag. Controls should be automated wherever possible, and policy enforcement shouldn’t rely solely on people doing the right thing.

 

Step 3: Strengthen your due diligence processes

Fraud and internal controls don’t just apply internally. Under the new legislation, a company can be held accountable for fraud committed on its behalf by an outside agent or partner. That is why third-party and supplier due diligence is paramount.

 

  • Are you verifying supplier legitimacy before onboarding?
  • Do you regularly check for red flags like multiple bank account changes?
  • Is there a formal process for escalating suspicious activity?

 

Your procurement and finance teams need to work together to vet new relationships thoroughly and to vet any changes to account data.

 

Step 4: Deliver targeted training to at-risk teams

Your fraud control framework is only as strong as your people’s ability to implement it. Under ECCTA, it’s not enough to say you have procedures; you must show that staff understand and follow them. Focus training efforts on high-risk teams:

 

  • Finance and accounts payable
  • Procurement
  • Sales and commercial teams
  • Anyone with authority to approve payments or enter contracts

 

Training should be clear, practical, and tailored to the specific fraud risks those teams face. Simulated fraud scenarios can be especially effective.

 

Step 5: Document everything

To defend your organisation under the new law, you’ll need to provide evidence that your fraud prevention procedures are reasonable and effective. That includes:

 

  • Written fraud and risk management policies
  • Audit logs of financial transactions
  • Training records and staff attestations
  • Results of risk assessments and control testing

 

This is where technology can really help. By integrating digital controls and maintaining a clear audit trail, businesses can reduce their exposure and make demonstrating compliance much easier.

 

Step 6: Implement real-time fraud detection tools

Robust fraud controls aren’t just about prevention; detection is just as important. Modern finance systems can incorporate fraud detection features that monitor behaviour, flag anomalies, and alert the right people instantly. AccessPay helps finance teams:

 

  • Prevent unauthorised payments from leaving the business
  • Detect suspicious activity in bank files and payment instructions
  • Block duplicate payments, mismatched approvals, and ghost suppliers

 

These capabilities not only improve fraud risk management, but also provide a defensible audit trail that demonstrates your organisation is taking reasonable steps.

 

To see how AccessPay can help your team stay compliant and fraud-resilient, you can book a demo.

 

Step 7: Appoint a senior owner for fraud and risk

Strong fraud controls require clear accountability. Appointing a senior leader (typically from legal, finance, or risk) to oversee your fraud & risk management programme ensures that ownership doesn’t fall through the cracks. This person should:

 

  • Own the fraud control framework
  • Ensure procedures are implemented, reviewed, and enforced
  • Liaise with auditors and external advisors

 

It also sends a message to staff and regulators alike: fraud is taken seriously at the highest levels of your organisation.

 

Step 8: Conduct a mock audit or gap analysis

A great way to test your preparedness is to conduct an internal audit or bring in external specialists to perform a gap analysis. This gives you a benchmark against what might be considered “reasonable procedures” under ECCTA. Make sure this review includes:

 

  • Fraud risk mapping
  • Control design and effectiveness
  • Testing policy awareness across departments
  • Reviewing recent near-misses or incidents

 

Afterwards, develop an action plan to address weaknesses before September 2025 rolls around.

 

What counts as “reasonable procedures”?

The government hasn’t provided a checklist, but it has published guiding principles for what counts as reasonable under the ECCTA offence. These include:

 

  • Proportionality: larger firms are expected to have more comprehensive controls
  • A risk-based approach: procedures must reflect actual exposure
  • Top-level commitment: senior management must be visibly engaged
  • Communication and training: it’s important that staff understand policies
  • Monitoring and review: regular evaluation of control effectiveness

 

You can read more on this in the official policy paper.

 

Final checks before September

The new Failure to Prevent Fraud offence marks a shift in how corporate fraud is regulated, from reactive prosecution to proactive prevention. Businesses that fail to prepare may find themselves vulnerable not just to fraud itself, but to prosecution under ECCTA.

 

The good news is that there’s still time. By assessing your risks, tightening your fraud controls, documenting your efforts, and showing visible commitment from leadership, you can position your business as compliant and fraud-resilient.

 

At AccessPay, we’re helping finance teams across the UK build smarter, stronger anti-fraud controls that go beyond just ticking the boxes. If you’d like advice or a walkthrough of how our solutions support compliance and fraud detection, get in touch today.
