
The Risk Coalition


Risk Matters: ECCTA – in the Boardroom

December 15, 2025

By Christopher Burt, Principal, Halex Consulting

Click here to download the slides used for the latest Risk Coalition Risk Matters virtual roundtable held on 12 December 2025.

The Economic Crime and Corporate Transparency Act (ECCTA) marks one of the most significant shifts in the UK’s corporate governance and enforcement landscape for a generation. At a recent Risk Coalition Risk Matters virtual roundtable, audit and risk committee non-executive directors and senior risk professionals explored what ECCTA really means in practice – not just in legal terms, but in terms of board behaviour, culture and oversight.

We were delighted to welcome Sarah Hawes, Head of Corporate Knowledge at Herbert Smith Freehills Kramer (HSFK), as our expert guest speaker and thank her most sincerely for her valuable contribution. Many thanks also to Rachael Johnson, Head of Risk and Corporate Governance at ACCA, for sharing in slide format some of the key outputs from ACCA's recent global fraud research. Together, Sarah and Rachael provided attendees with stimulating, high-quality insights.

Three themes stood out clearly: the transformation of Companies House into a regulator with teeth; the arrival of a strict liability “failure to prevent fraud” offence; and the growing recognition that culture, speak-up arrangements and third-party relationships are now central to a credible defence.

From filing cabinet to regulator: Companies House grows up

ECCTA fundamentally redefines the role of Companies House. Historically seen as a passive filing repository, it is being repositioned as an active regulator with powers to query, reject and annotate information on the public register. The roundtable highlighted how this seemingly technical shift has real reputational consequences for boards.

Companies House can now issue civil penalties for failures such as late or inaccurate filings. While individual fines may be modest, the public annotation of enforcement action on the register is not. Participants noted that this creates a new form of “reputational signalling” – visible to investors, counterparties, journalists and regulators alike. Importantly, liability does not sit solely with the corporate entity: any “officer” of the company, executive or non-executive, may be exposed.

Identity verification (IDV) is the most immediate manifestation of this new regime. All directors, people with significant control (PSCs) and, in due course, those filing information with Companies House must verify their identity. Failure to do so is a criminal offence for the individual and the company. While the process itself is relatively straightforward, the discussion surfaced early practical challenges – from overseas appointees without biometric passports to system “gremlins” during rollout. The message for boards was clear: this is operationally mundane but governance-critical, and it needs clear ownership and oversight.

Failure to prevent fraud: a new board-level liability benchmark

The most far-reaching element of ECCTA for boards is the new corporate offence of failure to prevent fraud, which came into force on 1 September 2025. This is a strict liability offence applying to “large organisations”, where an associated person commits a relevant fraud offence intending to benefit the organisation.

For many NEDs, the significance lies not just in the offence itself but in the shift in mindset it demands. Traditional fraud risk assessments have tended to focus on fraud against the organisation – theft, expense fraud, cybercrime or third-party scams. ECCTA turns this on its head. Boards must now ask: where could fraud benefit us?

Examples discussed included mis-selling driven by incentives, misleading statements in financial reporting, and increasingly, ESG-related misrepresentation. As several participants noted, claims made in annual reports, regulatory announcements or on corporate websites could, if false or misleading, fall squarely within the definition of fraud by false representation. “Greenwashing” therefore becomes not just a reputational issue, but potentially a criminal one.

The statutory defence – having “reasonable fraud prevention procedures” in place – will be familiar to those with experience of the Bribery Act or failure-to-prevent tax evasion offences. However, what counts as “reasonable” will be judged in context. Boards were cautioned against seeing this as a one-off compliance exercise. Documentation alone will not suffice; regulators will look for evidence that controls are embedded, tested and taken seriously.

Culture, leadership and the speak-up system

A striking contribution to the discussion came from the ACCA’s global fraud research, which shows that lack of ethical leadership and accountability from the top consistently ranks among the strongest drivers of fraud across regions and sectors. Technology and economic pressure matter, but leadership behaviour shapes how effectively organisations close the gap between risk and control.

This finding resonated strongly with participants. Culture is often described as “soft”, yet it underpins whether policies are followed, concerns are raised and misconduct is challenged. Several contributors emphasised that a weak speak-up environment materially undermines a company’s ability to detect fraud early – and may itself weaken the failure-to-prevent defence if employees are deterred from reporting concerns.

Effective whistleblowing arrangements were repeatedly described as a form of governance “insurance”. Boards were encouraged to look beyond headline statistics and consider metrics such as time-to-acknowledge reports, time-to-close cases, substantiation rates and evidence of retaliation monitoring. The absence of issues may indicate not a healthy culture, but fear of speaking up.

The value chain blind spot

Another recurring theme was third-party and value-chain risk. The definition of “associated person” under ECCTA is deliberately broad, encompassing employees, agents, subsidiaries and, in some cases, suppliers and distributors. Participants observed that many organisations over-index on internal controls while underestimating risks arising from outsourced activities, sales intermediaries or complex supply chains.

Boards were urged to resist a “tick-box” approach to third-party due diligence. Questionnaires alone are rarely sufficient. Instead, organisations need to understand where fraud risks actually sit in their operating model, what leverage they have contractually, and how those risks are monitored in practice.

What boards should be asking now

The roundtable closed with a set of practical questions for boards and audit and risk committees. Among the most important:

  • Have we mapped fraud scenarios where the organisation could benefit, not just where it could lose?

  • Do we clearly understand who our associated persons are, and what controls apply to them?

  • Can we evidence that fraud prevention procedures are tested, reviewed and reported with appropriate cadence?

  • Does our speak-up framework genuinely enable concerns to reach the board?

  • Are ESG claims and other public statements subject to the same rigour as financial disclosures?

ECCTA raises the bar for boards, but it also provides an opportunity. Organisations that take a thoughtful, integrated approach – combining legal compliance, cultural leadership and practical risk management – will be better placed not only to defend themselves, but to strengthen trust with stakeholders.

As one participant observed, this is not about guaranteeing that fraud never happens. It is about demonstrating that the board has asked the right questions, set the right tone, and put in place reasonable and proportionate measures to prevent harm before it occurs.

Five Board Takeaways from the ECCTA Roundtable

  1. Fraud risk now includes where the organisation benefits, not just where it loses
    ECCTA fundamentally reframes fraud risk. Boards must look beyond traditional “fraud against us” scenarios and actively consider where incentives, reporting, ESG claims or commercial practices could result in the organisation benefiting from misrepresentation or misconduct.

  2. Reasonable prevention is about evidence, not intention
    Having policies on paper is not enough. Boards need confidence that fraud prevention procedures are embedded, tested, and reported with appropriate cadence. Regulators will look for evidence of oversight, challenge and follow-through — not just compliance artefacts.

  3. Culture and speak-up arrangements are central to the defence
    Weak ethical leadership and ineffective whistleblowing materially increase fraud risk. Boards should scrutinise whether employees feel safe to raise concerns, whether reports reach the right level, and whether retaliation risks are actively monitored.

  4. Third-party and value-chain risks are a major blind spot
    The definition of “associated persons” is broad. Boards must understand where fraud risks sit across subsidiaries, agents and suppliers — and whether contracts, training, audit rights and termination levers are genuinely effective in practice.

  5. Companies House reform creates visible reputational risk
    Civil penalties may be small, but public annotation on the register is not. Identity verification, filing accuracy and ownership of Companies House compliance are now board-level governance issues, not administrative afterthoughts.

Christopher Burt is Principal at Halex Consulting, a leading governance consultancy specialising in independent board evaluations and risk advisory. He is co-founder and Executive Chair of the Risk Coalition and principal author of its “Raising the Bar” and “Raising your Game” leading practice guidance for boards and committees.

Halex Consulting is Board Benchmarking’s UK/EU strategic partner.
