Principle 4: Due diligence - ECCTA countdown to compliance

Economic Crime & Corporate Transparency Act 2023 (ECCTA) - Countdown to September 2025


As a reminder, organisations have until 1 September 2025 to ensure reasonable procedures are in place to demonstrate compliance with ECCTA. This article focuses on principle four, ‘due diligence procedures’.

The fraud prevention framework put in place by relevant organisations should be informed by the following six guiding principles:

  • top level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review

The principles are intended to be flexible and outcome-focussed, allowing for the huge variety of circumstances that relevant bodies find themselves in. Procedures to prevent fraud should be proportionate to the risk.

To assist with preparations, and as part of our commitment to clients and organisations, we will be reaffirming the government's guidance on each of the six guiding principles in the lead-up to the September deadline.

Due diligence

The organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.

Relevant organisations in the sectors facing the greatest fraud risks may already undertake a wide variety of due diligence procedures, both mandatory and in response to risks associated with specific transactions or customers. However, it should be noted that merely applying existing procedures tailored to a different type of risk will not necessarily be an adequate response to tackle the risk of fraud. Those with exposure to the greatest risk may choose to clearly articulate their due diligence procedures specifically in relation to the corporate offence.

Relevant organisations should conduct due diligence on associated persons (including new partners). Examples of best practice include:

  • using appropriate technology, for example, third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status if relevant, or vetting checks if appropriate
  • reviewing contracts with those providing services, to include appropriate obligations requiring compliance and ability to terminate in the event of a breach where appropriate
  • reviewing contracts for agents
  • monitoring of well-being of staff and agents to identify persons who may be more likely to commit fraud because of stress, targets or workload

Relevant organisations should conduct due diligence in relation to mergers or acquisitions. Examples of best practice include:

  • using third party merger and acquisition tools
  • assessment of any relevant criminal or regulatory charges
  • assessment of tax documentation
  • assessment of the firm’s exposure to risk
  • assessment of the firm’s fraud detection and prevention measures (bearing in mind that if the firm being acquired does not qualify as a ‘large organisation’ it may not have any procedures that directly address the offence of failure to prevent fraud)
  • integration of fraud prevention measures post-acquisition

Relevant organisations may choose to conduct their due diligence internally, or externally, for example by consultants. The due diligence procedures put in place should be proportionate to the identified risk and kept under review, as necessary.

Should you have any queries regarding this or any future publications, please do not hesitate to contact any of the below via email at ECCTA@weightmans.com.

Written by:

Mike Brown

Head of Fraud

Mike is a collaborative, decisive and innovative fraud and financial crimes expert with an extensive background in intelligence, investigations, risk and compliance, having worked in law enforcement and the regulatory and financial sectors.
