ECCTA Has Teeth Now: Identity Verification and the Failure-to-Prevent-Fraud Offence

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) arrived in stages, and 2026 is the year its two sharpest measures bite: mandatory identity verification for directors and persons with significant control, and the corporate offence of failing to prevent fraud for large organisations.

Identity Verification Is Now Mandatory

Companies House has moved from a passive registry to an active gatekeeper. New directors and PSCs must verify their identity — directly via GOV.UK One Login or through an Authorised Corporate Service Provider — and existing directors are being brought into scope progressively as companies file their confirmation statements. An unverified director cannot validly be appointed, and acting while unverified is an offence for both the individual and the company. Groups with large director populations across multiple entities should treat this as a programme: inventory every appointment, sequence verifications ahead of confirmation-statement dates, and fix the discrepancies in registered data that verification inevitably surfaces.

Failure to Prevent Fraud: The New Corporate Offence

Since September 2025, a large organisation commits an offence where a person associated with it commits a specified fraud intending to benefit the organisation — unless the organisation can show it had reasonable fraud-prevention procedures in place. The offence applies to organisations meeting two of three thresholds: more than 250 employees, £36m turnover, or £18m in total assets. There is no requirement to prove board knowledge; the procedures defence is everything. The Government guidance maps the expected framework — risk assessment, proportionate procedures, top-level commitment, due diligence, communication and training, monitoring and review — and prosecutors will measure organisations against it.

What "Reasonable Procedures" Look Like in Practice

A defensible programme starts with a documented fraud risk assessment that names the realistic ways the organisation could benefit from fraud — revenue recognition pressure, misleading sustainability claims, false statements to lenders or insurers — and traces each risk to a control. Generic anti-fraud policies do not meet the standard. The assessment must be refreshed, the controls tested, the training targeted at the roles that carry the risk, and the whole framework owned at board level with evidence of challenge. Organisations that already maintain Bribery Act adequate-procedures frameworks have a head start: the architecture is the same, the risk universe is different.

The Board Agenda for 2026

Three actions belong on the next board agenda. First, confirm the identity-verification programme covers every UK entity in the group, with a named owner and a deadline schedule tied to confirmation statements. Second, commission or refresh the fraud risk assessment against the Government's six principles, and close the gap between policy and evidence. Third, review the group's exposure through subsidiaries and agents — the offence reaches conduct by associated persons, and the supply chain is where unexamined risk usually sits.