Failure to prevent fraud: is your firm ECCTA ready?

The UK’s new ‘failure to prevent fraud’ offence is now in force – and it could have far-reaching consequences for law firms and even their subcontractors. Miller Insurance Services explains who’s in scope, how liability arises, and the six categories of prevention measures your firm should be addressing now

Calum MacLean, Risk manager, Miller Insurance Services

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) is the gift that keeps on giving headaches to risk and compliance teams and law firm managers.

Ten months ago the government published guidance on the ‘failure to prevent fraud’ offence, which came into force on 1 September. The clear ambition for the UK government is to drive a major shift in corporate culture to help prevent fraud.

Who does it affect?

The offence applies only to organisations that meet at least two of these three criteria:

  • 250+ staff
  • £36m+ in turnover
  • £18m+ in total assets

Subsidiaries with a parent company that meets these thresholds also qualify.

However, smaller firms should also adopt the spirit of these provisions as best practice, even if they’re not directly affected by the law. There are some instances where they might still get caught out. For example, if larger firms subcontract work, smaller firms may be seen as ‘associated persons’, and could then be investigated under the legislation.

How could I be liable?

Every firm should take time to review the government guidance. But in summary, the offence holds firms to account when:

  • A deliberate fraud is committed by an employee, agent, subsidiary, or other associated person with the intention of benefiting the firm (directly or indirectly), or their clients.
  • The organisation fails to take reasonable steps to prevent it.

The offence applies only if the associated person commits a base fraud offence under UK law. This requires a UK nexus: at least one act in the underlying fraud happened in the UK, or the gain or loss occurred in the UK.

Examples of fraud could be hiding information from clients (if clients knew the truth, they might not have bought the services); helping clients to misrepresent income to HMRC; or encouraging them to invest in tax-avoidance schemes.

What reasonable steps do I need to take to prevent fraud?

If you’ve already taken steps to meet your requirements, review and stress-test them regularly. If you’re not confident all necessary steps are in place, now is the time to act.

Have you:

  • Completed a fraud risk assessment in light of ECCTA, identifying high-risk areas?
  • Reviewed policies and procedures (including audits) to identify gaps that need fixing?
  • Assessed your management reporting capabilities related to fraud risk?
  • Evaluated your supply chain and wider ‘associated persons’ — and their processes where appropriate?
  • Considered broader culture and training needs?

Understanding the six categories of prevention measures

Your fraud-prevention frameworks must show compliance with six categories of prevention measures, appropriate to your level of risk exposure.

Each category needs an initial risk rating, details of existing controls, and a residual risk score. If the score is still too high, consider further risk improvements within an appropriate timeframe.

Let’s break down each category.

Top level commitment

You need evidence of a culture that rewards compliance over profit. Show clear statements of commitment, meaningful consequences for breaches, and sufficient investment in processes, systems and training. You also want to assign clear responsibility for implementing fraud prevention measures, along with established governance protocols.

Risk assessment

Your firm’s risk assessment is vital for showing the seriousness of your fraud prevention measures. While regulated entities address many fraud risks, ECCTA identifies risks you might not have considered before.

Consider how staff, agents, and associated persons might commit fraud. Think about any inadvertent incentives your organisation may create (like financial targets or time pressures) and the opportunities current processes afford. If your corporate oversight is limited to financial data, there’s every chance you could be overlooking certain frauds.

Prevention measures

You must show that your fraud prevention procedures were reasonable at the time of any fraud. A common mistake when creating risk registers is to mark all risks in the highest risk categories, making the register overloaded and less useful.

Quantifying risks and prioritising each of them can offer you substantial protection against prosecution.

Prevention measures can include:

  • Robust pre-employment checks, with enhanced due diligence when needed.
  • Verification checks on third-party authorised parties.
  • System-based and exception reporting, high-risk matter supervision, financial audits, and thematic file audits.
  • System enhancements, like client vetting.
  • Review of risk events to identify trends and gaps in processes and procedures.
  • Incentive scheme design and appraisal categories.
  • Removal of single-party approval processes for key activities (eg, payments authorisation).
  • Making whistleblowing easier and safer.

Due diligence

Your screening of staff and third parties, along with how you supervise or audit them, may be questioned if fraud occurs. Creating an environment with strong checks and balances is the best deterrent. If you acquire another team or firm, relevant due diligence to assess fraud risk is essential.

Training and communication

You must show that your organisational culture supports the messaging in your risk assessment and policies. And that commitment needs to be clear to see at all levels and departments.

Firm-wide awareness training is essential, with targeted training for those in high-risk roles. Ideally your training will include active learning, tailored to your specific policies and procedures. Make sure your training covers whistleblowing processes too.

Ongoing monitoring

Your risk assessment, systems, processes, policies, risk controls, and training must undergo regular review. Any ongoing insights will inform updates — and may require you to make changes to your audit processes and reporting metrics as you go. You should also make fraud prevention a standing item in risk committee meetings and board reports.

Given that the legislation is new, it’s likely you’ll be making iterative changes — especially in the first year. This is not a ‘set and forget’ change — it’s a journey.

Contact Miller for support on yours: solicitors@miller-insurance.com.
