Principle 5: communication (including training) - ECCTA countdown to compliance

As a reminder, organisations have until 1 September 2025 to ensure reasonable procedures are in place, to demonstrate compliance with ECCTA. This article will focus on principle five: ‘communication (including training)’.

The fraud prevention framework put in place by relevant organisations should be informed by the following guiding six principles:

• top level commitment
• risk assessment
• proportionate risk-based prevention procedures
• due diligence
• communication (including training)
• monitoring and review

The principles are intended to be flexible and outcome-focused, allowing for the huge variety of circumstances that relevant bodies find themselves in. Procedures to prevent fraud should be proportionate to the risk.

To assist with preparations and as part of our commitment to clients and organisations, we will be reaffirming the Government’s guidance on each of the six guiding principles in the lead up to the September deadline.

Communication (including training)

The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key.  

A clear articulation and endorsement of an organisation’s policy against fraud deters those providing services for or on behalf of the relevant body from engaging in such activities. Communication should be from all levels within an organisation. It is not enough for the senior management to say that staff should not commit fraud, if middle management then actively ignore this and encourage junior members to circumvent the relevant body’s fraud prevention procedures.

It is important that the relevant body ensures awareness and understanding of its policies amongst those who provide services for or on its behalf. The organisation may feel that it is necessary to require its representatives to undertake fraud-specific training, depending on the risks it is exposed to. This would be to ensure that they have the skills needed to identify when they and those around them might be at risk of engaging in an illegal act and what whistleblowing procedures should be followed if this occurs.

It may be helpful to integrate fraud messaging into existing policies and procedures. For instance, policies related to sales targets or customer interactions could include a brief statement addressing fraud rationalisation and the potential consequences of committing fraud.

Organisations may also choose to publicise within the organisation the outcome of investigations, particularly the sanctions imposed.

Training

Training should be proportionate to the risk faced. Consideration should be given to the specific training needs of those in the highest risk posts. Training should cover the nature of the offence as well as the procedures to address it.

Some relevant bodies may wish to incorporate training into their existing financial crime prevention training, while other organisations may wish to introduce bespoke training to address specific fraud risks. Relevant bodies may choose either to train third party associated persons or encourage them to ensure their own arrangements are in place.

Training should include ensuring that staff and other associated persons are familiar with whistleblowing policies. Since whistleblowing is something that staff or other associated persons are likely to do infrequently, it may be helpful to have reminders of the procedures in internal communications.

It is good practice to monitor the effectiveness of training programmes and to ensure that they are kept up to date, particularly as staff move.

Whistleblowing

Transparency International states that “whistleblowing is one of the most effective ways to uncover corruption, fraud, mismanagement and other wrongdoing” [i]. To help prevent fraud, organisations should have appropriate whistleblowing arrangements.

Large organisations may already have whistleblowing processes in place. In some cases, this is a regulatory requirement (for example, the Financial Conduct Authority handbook sets out the expected whistle-blowing procedures for FCA-regulated organisations) [ii]. Where whistleblowing procedures are required by regulators, organisations should assess whether these procedures would be suitable for the risks identified in the risk assessment.

In cases where organisations are not required by regulators to have whistleblowing processes in place for fraud, or where the existing procedures do not appear to be suitable for the risks identified in the risk assessment, organisations may wish to consider measures such as:

• having board level accountability to oversee whistleblowing
• overseeing a culture where employees feel able to raise concerns
• consulting trade unions and/or employee representatives about the content of formal systems for receiving concerns raised by whistleblowers
• ensuring that reporting channels for whistleblowers are independent
• signposting internal and external whistleblowing arrangements, such as those of the relevant regulators [iii] and, if appropriate, trade unions
• training staff to ensure that they are aware of how to access whistleblowing arrangements and managers on how to respond when whistleblowing concerns are raised
• investigating and responding to internal concerns appropriately and in a timely manner
• conducting victimisation risk assessments and protecting whistleblowers from potential victimisation
• providing feedback to whistleblowers
• learning from the issues raised by whistleblowers
• keeping systems under review, including, if appropriate, external assessment of arrangements

Further information can be found in the Whistleblowing Guidance for Employers and Code of Practice [iv]. The charity Protect provides a free confidential helpline for whistleblowers and support to organisations in developing their whistleblowing procedures.