ECCTA breakdown for compliance teams (+9 steps to take)

zinc logo icon
Regulation
Maria Kampen
April 30, 2025
Updated on:

Table of contents

How ready is your org for the changes that the Economic Crime and Corporate Transparency Act (ECCTA) will bring?

With the new “failure to prevent fraud” law and other legislation taking effect on 1st September this year, HR and compliance teams across the UK are getting ready, from refreshing background checking processes to educating employees on avoiding fraud.   

If you’re a compliance manager, it’s even more important that you review your responsibilities and processes to make sure nothing slips through the cracks. While the ECCTA only applies to large companies, it’s considered best practice across all FCA-regulated organisations.

 

Wait, what’s the ECCTA all about? Check out our full breakdown here.

Some of the major implications from the ECCTA include:

Fraud risk assessments

If you haven’t already, you’ll need to conduct formal fraud risk assessments to comply with reasonable prevention requirements. 

Basically, you need to take a magnifying glass to the places in your process where compliance risks can slip through the cracks, and fill them. 

Work with business unit leaders to identify high-risk areas (procurement, sales and marketing, accounting and finance, customer interactions, etc). Whether it’s thorough background checks during your hiring process or fully vetting third-party vendors, there are lots of places where you can tighten compliance. 

Every organisation is different, but regulators want to see a proactive approach to documenting risks and mapping controls to mitigate them. The government’s guidance on the legislation emphasises a risk-based approach and proportionality in prevention measures. 

For compliance officers, this is a chance to update or create an anti-fraud risk register and ensure senior management has visibility into the top risks facing the business. 

The “reasonable procedures” framework

Six ways to prevent fraud.

The official guidance from November 2024 outlines six core ways compliance teams can follow reasonable procedures to prevent fraud:

  1. Top-level commitment
  2. Risk assessment
  3. Proportionate policies and controls
  4. Due diligence
  5. Communication and training
  6. Monitoring and review

If you don’t have an anti-fraud policy, that’s a great place to start. Include things like what fraudulent conduct is, what the consequences are, how to do due diligence on third parties, and setting up ongoing monitoring. 

Documentation is key. If something does slip through the cracks, your company needs to prove that it had reasonable procedures and controls in place, tailored to the risks you could expect. 

Cross-functional collaboration

Thankfully, it’s not all on compliance teams. 

Work closely with HR, finance, legal and operations teams to implement requirements. 

Under the ECCTA, you’re encouraged to share information to prevent economic crime, whether that’s within your own organisation, with industry bodies, or public-private partnerships. 

At the very least, all departments need to understand the importance, and the top authorities at your company should champion them wherever possible and avoid silos.

Updated policies and reporting mechanisms

If things go wrong, do your employees know what to do?

As part of compliance process updates, review internal policies, codes of conduct, and reporting channels. 

For example, your code of conduct should explicitly forbid fraud, explain what it is, and encourage ethical behaviour. 

Make sure your incident response plan is up to date so if fraud is discovered, the company can react swiftly and report it to the authorities. Whistleblower policies should be aligned with best practices, since encouraging internal fraud reporting will make your company stronger. 

77percent of large companies increased budgets to train staff on fraud defence.

According to Cifas, 77% of large companies have increased their staff training budgets on fraud defences in the last year. E-learning modules and workshops can help make sure employees are ready to respond and demonstrate the company is compliant with the ECCTA. 

Monitor and test controls

You can’t just implement procedures and then leave them to ferment. To comply with legislation, you should monitor and review any policies and procedures to test their effectiveness. 

This could involved:

  • Internal audit teams running surprise audits or data analytics tests
  • Control self-assessments where managers evaluate how anti-fraud controls are working in their departments
  • Periodic reviews of fraud risk assessments

Regulators expect to see an evolving program, not one that’s stuck in the Jurassic age. Stay informed on what bodies like the Serious Fraud Office (SFO) or the FCA are saying about best practices. 

Best practice for compliance: Practical steps to take today

Practical steps for compliance.

You might be looking at the list we’ve just outlined (and your own to-do list) and feel your palms getting sweaty. 

But dry those clammy hands, because we’re here to help. 

Here’s what you can do to stay prepared:

1. Run a fraud risk assessment and gap analysis

You can’t know what you have to do until you know where your problems are. 

Get a cross-functional team in a room to write a long list of all the ways fraud could happen at your organisation. Scenarios include:

  • Could an employee work with a supplier to defraud us?
  • Could someone falsify records to earn a bonus?
  • Could a salesperson mislead a client about a product?

Identify controls for each scenario, and score based on likelihood and impact. There’s your map. 

Now, use the principles from the official ECCTA guidance to perform a gap analysis:

  1. Do we have visible top-level commitment?
  2. Have we documented our policies?
  3. Is our due diligence on third parties formalised?
  4. Are our training and comms effective?
  5. Do we test our controls?

Use the results to highlight what needs improvement. 

2. Secure leadership buy-in

Make sure your board and senior leadership are active champions for fraud prevention. 

If possible, use internal comms channels to issue statements from key leadership about compliance with the ECCTA as a strategic responsibility. Keep leadership briefed on fraud risks and mitigation plans. 

This kind of top-level buy-in helps counteract cultural resistance and sets the tone for the rest of your program. 

3. Write down what you’re doing

You should have clear policies on preventing fraud, including an anti-fraud policy. 

Your anti-fraud policy should:

  • Define what fraud is in plain language
  • Give relevant examples
  • State the consequences of employee fraud
  • Outline the responsibilities of employees and managers in preventing fraud

Having written procedures helps demonstrate to regulators that you have a systematic approach. 

4. Know who you’re working with

Whether it’s employees on your payroll or third parties, background checking is crucial — in fact, it’s the first recommendation in the government guidance. 

HR should verify credentials and perform appropriate checks for new hires, particularly in finance, accounting, and management. 

If you work with third parties, build a due diligence questionnaire or onboarding checklist that:

  • Requires them to disclose any past fraud-related convictions
  • Confirms they have their own anti-fraud programs
  • Checks references or reputation
  • Verifies company ownership

Remember, “associated persons” can create liability, so choose them wisely and set expectations from the start. If you’re using AI tools for HR compliance, be sure to vet them thoroughly. 

Find out how Zinc can help streamline your background checks and re-checking process.

5. Train and communicate

When people know better, they do better — or so the saying goes. 

Training tailored to different types of staff can be an effective tool for preventing fraud. Interactive workshops, e-learning, and specialised training for high-risk roles can help make it even more impactful. 

Repeat training regularly, and use internal comms channels to keep awareness fresh. Encourage questions and feedback, since your employees are often closest to the ground and can see where potential loopholes might be exploited. 

6. Make it easy to report and respond

Whistleblowing channels are essential for finding and reporting fraud. Whether it’s a dedicated hotline, email, or open-door policy, promote it frequently so people remember it. 

When a credible report comes in, have a procedure in place to handle it with discretion. Taking action quickly builds trust in the system and encourages others to come forward early. 

7. Use tech and data to make your job easier

Invest in tech tools that can monitor transactions and flag anything out of place, including:

  1. Expense management software that flags claims outside your policy
  2. ERP systems with built-in fraud indicator reports
  3. AI-driven analytics that learn patterns and detect outliers

According to a PWC study, while 55% of organisations see procurement fraud as a major concern, only a minority use data analytics to combat it. 

You know what that means? Opportunities to use available tools more effectively. Even a simple email search for terms like “cash payment” can turn up problems. Demonstrating ‘an adequate system of internal controls’ is part of showing how you took reasonable steps.

8. Test your anti-fraud program for leaks

Even the best system needs to be put to work every once in a while — and if you do it before you have an incident, even better. 

Whether it’s internal or external, have someone on your team periodically evaluate how effective your fraud prevention measures are. 

This could include:

  • Penetration testing of financial controls
  • Dummy fraud scenarios to test if staff follow reporting protocols
  • Knowledge checks to gauge retention

Demonstrating a clear audit trail or preventative actions is key for aligning with government guidance. 

9. Plan for the worst

The worst words a compliance officer can hear? “There’s been an incident.”

But having a plan in place can make responding easier and more effective. Your plan should outline:

  • How to conduct an internal investigation
  • When to involve legal counsel
  • How and when to report to authorities
  • What authorities to report to 
  • How to remediate the situation
  • What crisis comms need to go out

From an ECCTA perspective, a strong response can limit the fallout and demonstrate company responsibility. 

Conclusion: Best practices for ECCTA and compliance

The ECCTA shouldn’t be seen as yet another thing you need to add to your busy to-do list — rather, view it as an extension and validation of the importance of your work. 

Implementing best practices will help your business move towards compliance and strengthen resilience against a threat that, statistics show, isn’t going away anytime soon. 

For more information on how Zinc can help you implement background checking processes that help you stay safe and compliant, get in touch with our team.

More from Zinc

Regulation

Upcoming changes in UK employment law 2025: Zinc’s take on what you need to know

Hamraj Gulamali
Background checks

Help! How do I interpret employee background check results?

Zinc Team
HR technology

AI for HR compliance: A no-BS guide to evaluation and implementation

Maria Kampen

Add Zinc and save weeks of team time

Simply book a demo or request more information and one of our team will be in touch.
Request more infoBook demo

Find out how Zinc can save you hours of time

Fill in the form below and we'll send you information to your inbox in the next few minutes.