The UK's Economic Crime and Corporate Transparency Act (ECCTA), passed on October 26, 2023, is a significant step in preventing economic crime and ensuring corporate transparency. One of the key provisions of the new law is the failure to prevent fraud offence, which holds large organisations accountable for specific fraud offences that benefited the organisation and were committed by employees or third parties, if reasonable fraud prevention procedures weren't in place.
As organisations prepare to comply, it's essential to carefully consider the offence of failing to prevent fraud and its consequences. By implementing effective measures to prevent fraud, organisations can avoid the risk of being held criminally liable and demonstrate dedication to transparent and ethical practices. The ECCTA represents a positive step towards fostering a safe and equitable business environment and ensuring organisations act responsibly to prevent economic crime.
About ECCTA: Understanding How This Impacts Organisations and Third Parties
The offence holds an organisation criminally liable if it fails to prevent misconduct by an “associated person.” It doesn’t matter whether the organisation was aware of the misconduct or not. The fraud must have been committed to benefit the organisation or the person for whom the organisation provides its services.
Here are three frequently asked questions about who is covered under the new law:
- Who is considered an associated person? The new offence treats an organisation's employees, agents, subsidiaries, third-party vendors, and service providers as associated persons. This definition is broader than the one previously issued for the failure to prevent bribery and tax evasion offences.
- Which organisations are in scope? The offence will apply to large companies and partnerships that satisfy at least two of the following conditions during the financial year preceding the year in which the crime is committed:
  - An annual turnover of £36 million or more
  - A balance sheet total of £18 million or more
  - More than 250 employees on average
  Per the newly implemented regulation, parent companies are liable for the actions of their subsidiaries. Specifically, a parent company is in scope if the group as a whole meets at least two of the following criteria in the financial year preceding the year in which the crime is committed:
  - An aggregate turnover of over £36 million net (or £43.2 million gross)
  - An aggregate balance sheet total of over £18 million net (or £21.6 million gross)
  - More than 250 aggregate employees
- What’s the jurisdiction of the failure to prevent fraud offence? This particular offence has a broader geographic reach beyond the borders of the UK. It will come into effect if any associated person, regardless of their location, engages in any of the fraudulent activities listed below. It’s important to note that this offence can be applied internationally as long as there’s sufficient evidence of fraudulent activity taking place within the jurisdiction of the UK.
Third-Party Risk Management and Prevention of Fraud
ECCTA will be implemented in phases throughout 2024, starting with initial changes in March. The UK government will also publish guidance on the 'reasonable procedures' defence, which will allow an organisation to avoid liability if it can prove it has proper compliance procedures in place to prevent misconduct. The guidance is expected to be published in spring 2024. As the final guidance is still pending, what organisations must do to comply is still being determined.
However, it’s likely that organisations will need to take specific measures, including:
- Maintain a high-level commitment to prevent fraud
- Assess and keep risks under review
- Implement anti-fraud policies and procedures
- Provide appropriate training on fraud prevention issues (including tailored training for those in higher-risk positions)
- Establish reasonable financial and accounting controls
- Set appropriate enforcement mechanisms in all contracts of employment
- Ensure contractual provisions with third parties cover outward fraud
- Adapt or adopt whistleblowing procedures to cover fraud
- Continuously monitor, review, and assess the effectiveness of anti-fraud measures
Third-Party Risk Compliance With the Economic Crime and Corporate Transparency Act’s Failure to Prevent Fraud Offence
Because third parties, vendors, and service providers are all considered "associated persons," third-party risk management teams must be aware of the failure to prevent fraud offence and ensure appropriate preventative measures are incorporated into regular third-party risk management practices.
Here are general best practices for incorporating third-party fraud prevention into your third-party risk management programme:
- Comprehensive risk assessment and monitoring of third-party fraud risk – It’s important to understand who your third-party vendors are and the risk they bring to your organisation. A risk assessment will help you identify fraud risks and the correct controls to put in place to mitigate future issues.
- Risk-based due diligence – Due diligence should be proportionate to the level of fraud risk each third-party vendor poses. Those that are high risk should be reviewed at least annually. Due diligence should include:
  - Verified fraud prevention training of third-party vendor and service provider employees
  - A thorough review of third-party financial and accounting practices and controls
- Third-party contractual provisions – The contract is one of the best places to mitigate risks. Contracts should address the prevention and monitoring of fraud and outline penalties and responsibilities in the event of noncompliance.
- Periodic re-assessments and due diligence – Performing regular (risk-based) reviews to identify potential fraud risks and collecting updated due diligence documentation can help ensure risks are accurately identified. It also helps to ensure the individuals involved have appropriate risk management practices and controls in place to effectively mitigate known risks.
- Ongoing monitoring of fraud risk – Third-party fraud risk can change quickly, so it's important to continually monitor for changes. Reviewing regular reporting can provide an early warning sign of issues, and risk monitoring services can also alert you to potential third-party vendor fraud.
Once the final guidance is published, it's recommended that organisations evaluate their current fraud detection and prevention mechanisms (as well as those of third-party vendors and service providers) against the updated guidance. This approach can help identify potential gaps in existing procedures so organisations can take appropriate measures to strengthen and improve fraud prevention efforts.
Additionally, organisations should document compliance with the recommendations provided in the updated guidance to ensure transparency and accountability.