Culture is the operating system on which all fraud prevention procedures run –
Why Anti-Fraud Culture is Central to Your ECCTA Defence: A Message to the Board.
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) creates new liability for organisations. Understanding the cultural dimension isn’t just good practice—it’s essential to establishing the “reasonable procedures” defence.
ECCTA introduces a strict liability offence that holds large organisations accountable when associated persons commit fraud intending to benefit the organisation or its clients. While technical procedures and controls matter, the Home Office guidance makes clear that culture is the thread connecting all six principles of reasonable fraud prevention procedures. Without an embedded anti-fraud culture across your organisation and trusted third parties, even sophisticated compliance frameworks may fail to provide adequate defence.
The Offence: What Boards Need to Know
Under sections 199-206 of ECCTA, your organisation faces criminal liability and unlimited fines if:
- An employee, agent, subsidiary, or other “associated person” commits a specified fraud offence
- The fraud was committed intending to benefit your organisation or anyone to whom the associated person provides services on your behalf
- Your organisation did not have reasonable fraud prevention procedures in place
Crucially, senior management knowledge or involvement is not required for liability to arise. The statutory defence requires proving, on the balance of probabilities, that you had reasonable procedures in place—or that it was not reasonable to expect such procedures.
Culture is the Cornerstone, Not an Afterthought
Culture Permeates Every Principle
The Home Office guidance issued under section 204 of ECCTA establishes six core principles for reasonable fraud prevention procedures. Culture is not merely one principle among many—it is explicitly identified as the foundation that must support all others.
Principle 1: Top Level Commitment
The guidance states unequivocally that the board and senior management must “foster a culture within the organisation in which fraud is never acceptable” and “reject profit based on, or assisted by, fraud.” This goes beyond policy statements—it requires:
- Leading by example and fostering an open culture where staff feel empowered to speak up
- Challenging rationalisations that fraudsters commonly use to justify misconduct
- Demonstrating that ethical concerns, “no matter how minor,” are taken seriously
The guidance warns against “ethical fading,” where one-off frauds become normalised as people rationalise behaviors with arguments like “other businesses do it.” Senior managers have a leadership role in proactively challenging these views.
Principle 2: Risk Assessment – The Fraud Triangle: Understanding Cultural Risk Factors
The guidance directs organisations to assess fraud risk using the fraud triangle framework, which explicitly recognises culture as a determinant in two of three elements:
1. Opportunity
While technical controls address opportunity, the guidance asks: “have any existing fraud prevention procedures been weakened or neglected?” and “do some associated persons operate with minimal oversight?” These questions probe whether your culture actually enforces the controls you’ve implemented.
2. Motive
The guidance examines whether reward systems incentivise fraud and whether “the corporate culture (including sanctions and penalties) disincentivises whistleblowing when fraud is discovered.” These are fundamentally cultural questions.
3. Rationalisation
This element is entirely cultural. The guidance asks: “is the organisation’s culture quietly tolerant of fraud, particularly fraud that might be perceived as securing contracts or jobs?” and “is it difficult for staff to speak up if they have concerns?”
The guidance specifically cites research showing fraudsters rationalise misconduct through techniques like:
- “Someone needs to do this to save the business”
- “Everyone does it”
- “It’s not material”
- “Fraud is a victimless crime”
Senior managers must proactively challenge these arguments by articulating the effects of fraud on the business, colleagues, sector, and public trust.
Principle 3: Proportionate Procedures
The guidance emphasises: “It is not enough for the senior management to say that staff should not commit fraud, if middle management then actively ignore this and encourage junior members to circumvent the relevant body’s fraud prevention procedures.”
This highlights a critical vulnerability: cultural disconnect between levels of management can undermine even well-designed procedures.
The guidance provides numerous examples illustrating how fraud can occur despite technical controls:
- A payroll department head diverts pension payments for other company projects
- Accounting departments manipulate accounts to overstate profits
- Laboratory managers falsify test data for clients
- Technical department heads falsify discharge monitoring data
In each case, the perpetrator had legitimate access to systems and exploited their position of trust. Technical controls alone cannot prevent these frauds—they require a culture where such conduct is unthinkable and unacceptable.
The guidance also makes clear that reasonable procedures must extend to associated persons, but acknowledges that “the level of control, proximity and supervision the organisation is able to exercise” over them varies. For supply chains involving multiple entities, the guidance recommends:
- Employing fraud prevention procedures (such as risk-based due diligence) with your contractual counterparty
- Requesting that counterparty adopt a similar approach with the next party in the chain
Principle 4: Due Diligence
ECCTA’s definition of “associated person” is deliberately wide, encompassing:
- Employees and agents
- Subsidiaries (acting corporately)
- Any person providing services “for or on behalf of” the organisation
- Supply chain entities that provide services on your behalf, even without direct contracts
A third party’s fraud can expose your organisation to liability if they act as an associated person. Principle 4 of the Home Office guidance specifically addresses associated persons. Best practice includes:
- Conducting due diligence on agents, contractors, and business partners
- Reviewing contracts to include appropriate fraud-related obligations and termination rights
Principle 5: Communication and Training
Culture must be communicated and embedded throughout the organisation. The extended enterprise of associated persons also creates a requirement to export your anti-fraud culture through your business relationships. The guidance suggests organisations may “train third-party associated persons or encourage them to ensure their own arrangements are in place.”
Principle 6: Monitoring and Review
The guidance’s monitoring and review principle should include cultural metrics:
- Speak-up rates and patterns
- Investigation outcomes and how they’re communicated
- Staff survey results on ethical climate
- Training effectiveness on cultural aspects, not just technical knowledge
- Whether staff feel able to challenge unethical practices
The cultural elements behind motivation to commit fraud also require monitoring the well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress, targets, or workload. This last point is revealing: effective fraud prevention requires understanding the human pressures that might compromise integrity—a fundamentally cultural consideration.
Connecting All Six Principles Through Culture
As we have seen, culture integrates the six principles enshrined in the Home Office guidance:
- Top Level Commitment establishes the cultural tone
- Risk Assessment must evaluate cultural factors (motive and rationalisation)
- Proportionate Procedures must be designed recognising that culture determines whether procedures are actually followed
- Due Diligence must assess the cultural integrity of associated persons
- Communication embeds culture throughout the organisation and beyond
- Monitoring and Review must assess cultural indicators, not just technical compliance
Culture is the operating system on which all fraud prevention procedures run.
Practical Implications for the Board
1. Cultural Assessment Must Precede Procedure Design
Before implementing fraud prevention procedures, conduct an honest cultural assessment:
- Is speaking up about ethical concerns genuinely encouraged or quietly discouraged?
- Do reward structures create pressure to achieve results by any means?
- How are those who raise concerns actually treated?
- What informal messages do middle managers send about fraud?
- Are there disconnects between stated values and actual behavior?
2. Senior Management Must Lead Cultural Change
The guidance emphasises the board’s “leadership role in fostering an open culture where staff are encouraged to speak up early if they have any ethical concerns, no matter how minor.”
This requires:
- Personal modeling of ethical behavior
- Visible responses to ethical concerns that reinforce their importance
- Challenging fraud rationalisations proactively
- Creating psychologically safe environments for raising concerns
- Rejecting fraud “even if this results in short term business loss, missed opportunities or delays”
3. Cultural Extension to Associated Persons
For third parties and associated persons:
- Include cultural values and anti-fraud expectations in contracting
- Provide training or encourage equivalent arrangements
- Conduct cultural due diligence, not just financial or reputational checks
- Cascade cultural expectations through the supply chain
4. Measure Cultural Indicators
- Monitor for warning signs of cultural pressure (unrealistic deadlines, aggressive targets)
- Assess cultural indicators, not just technical compliance
The Clear Message: Culture Drives Effectiveness
The Home Office guidance contains several passages that underscore culture’s primacy:
“They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.”
“Leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices”
“Senior managers can show leadership by challenging these arguments proactively, pointing out the effects of fraud on the business, other colleagues, the sector and public trust.”
These are not subsidiary recommendations—they appear in the first substantive principle (Top Level Commitment) and are described as fundamental responsibilities of those charged with governance.
Culture is Not Soft—It’s Your Defence
Boards must recognise that developing reasonable fraud prevention procedures is not primarily a technical or legal compliance exercise. It is fundamentally about:
Creating, sustaining, and extending an organisational culture—across your company and through your associated persons—where fraud is genuinely unacceptable.
Without this cultural foundation:
- Procedures will be circumvented or ignored
- Risk assessments will miss critical human factors
- Training will be box-ticking rather than transformative
- Controls will be defeated by those they’re meant to constrain
- Whistleblowing mechanisms will remain unused
The Home Office guidance makes this clear: reasonable procedures must be informed by culture, implemented through culture, and sustained by culture. Boards that treat culture as secondary to technical compliance are building their defence on sand.
The question for your Board is not whether to invest in culture—it’s whether your current culture, and your ability to export it to associated persons, will satisfy a court when tested.
The bottom line
ECCTA isn’t just another compliance requirement – it’s a fundamental shift requiring organisations and those providing services on their behalf to implement comprehensive, industry-specific fraud prevention frameworks. The Act’s broad scope, unlimited penalties, and strict liability standard make it impossible to ignore. Organisations that act decisively now can turn compliance into competitive advantage, while those that delay face potentially catastrophic consequences.
Helpful links to the specific reports we have utilised in the above assessment.
Official Government Resources
- Home Office Official Guidance (November 2024): 44-page comprehensive guide covering the six key principles
- Government Factsheets: Detailed implementation guidance from multiple departments