Six Essential Insights About Getting your Business Ready for ECCT
Blog
The new Economic Crime and Corporate Transparency Act (ECCT) specifies a series of new laws that will start to be introduced over the next two years, and significantly changes the approach that companies operating in the UK need to take to preventing fraud, tracking internal processes, and monitoring internal and external processes.
The impact is significant but awareness is low - and the Act specifically states that ignorance of your corporate responsibilities will not be considered an excuse, should your business be found wanting by the newly empowered Serious Fraud Office. To guide you through the looming obligations and what you can do to ready yourself for them, Workiro has put together a webinar. Security expert Luke Kiely, CISO at Workio, is joined by audit expert Robbie Hadfield, Solutions Director at Payhawk, to discuss the impact of the new Act. You can sign up to watch it here - here are five key lessons from their conversation.
1. You need to know exactly what’s going on in your business - and in your supply chain
One of the key new pieces of legislation the Act will introduce is a Failure To Prevent Fraud offence, and while that has yet to be specified it will have a broad scope - which means you need to think about all your internal policies. “When you think of fraud, generally you think about fraud against the company,” says Robbie. “And that's not what this is about. It's it's fraud that benefits the company. I think a lot of the practices that get a bit dodgy here are around bribery, tendering processes and unfair benefits to certain companies or individuals.”
These practices are clearly both fraudulent and benefiting the company - and as such are targeted by the Act, with the prospect of unlimited fines for non-compliance. Businesses need to make sure their policies are up to scratch, says Robbie. “Companies: you've got to be more aware of your customers and make sure you're maintaining fair practices. You've got to engage properly with your suppliers and make sure that you have appropriate due diligence on your supply chain.”
Maintaining this due diligence within your organisation is something that both Workiro and PayHawk make easier: Workiro enables you to manage every document and communication securely, within a single application, across internal and external parties, while Payhawk gives you real-time visibility on your global spend.
2. Business leaders will be held accountable for the actions of subordinates
“One of the key points of the Act is to make business leaders more accountable for what happens in an organization,” Luke points out - the ECCT makes clear that senior leadership will not be able to claim ignorance of fraudulent activity elsewhere in the organisation, because they will be legally compelled to have processes to prevent it. Robbie explains: “The government's trying to push governance and controls in businesses at multiple levels. It used to be very top down, it was on the directors to do everything. One of the things the ECCT starts bringing in is broadening the responsibility of compliance - it's going down the organization more, and it's looking at the key processes in the organization. So fraud detection, fraud mitigation, mitigating risk generally at a more operational level”.
Once again, this is where robust operations platforms like Workrio and Payhawk can set you on the right path: having a holistic view of your communications, documents and payments means you can see at glance how your business is running - and leave fewer opportunities for fraudulent activity to happen.
3. Compliance requires a change in culture, not just relying on the audit
The ECCT demands that business leadership have processes in place to actively prevent fraud, but it’s not practical for them to enforce it throughout the organisation. “I think it's very easy to say management should be responsible for everything, but at the same time they have to delegate down, and when they delegate down they lose touch of what's going on,” explains Robbie.
“I feel like most big companies tend to try and mitigate this through internal audit - reporting into the board or into board committees to create independence. But at the same time, internal audits are never going to capture everything.” More robust protection comes from building a culture of transparency and accountability, promoted throughout the organisation. By “making the leadership of an organization more accountable,” says Robbie, “there's more on them to promote a better culture in their organizations.”
4. You need a whistleblowing program to guide enforcement
Preventing fraud within an organisation, says Luke, means looking at internal processes, and making difficult decisions about how you encourage compliance. “A whistleblower program is no longer ‘a nice to have’. Businesses now need to have some level of a whistleblower or confidential reporting program in place that's going to allow employees of any level to report wrongdoings that they see inside the organization.”
He strongly advocates this as a fundamental part of your corporate governance. “The whistleblower program really needs to be a core part of your overall program - whether it be in HR, whether it be in IT, whether it be a cultural program, it doesn't really matter.” Both Luke and Robbie are united on the importance of establishing a strong culture to guide compliance: simply passing down new rules and processes is rarely an effective way to drive change.
5. Multinational organisations are affected - and there’s more to come
“Multinational organizations are automatically again sucked into having to comply with this legislation if they've got any commercial footprint inside the UK,” Luke points out. And that liability extends through the business, its subsidiaries and increasingly its supply chain - something that’s increasingly subject to legislation in other jurisdictions too.
“When we're looking at the relationship side of things, it's not necessarily our employees and our customers,” says Luke. “We also need to look at our third parties. If we look at legislation globally, again, third party supply chain, third party risk management is becoming a significantly large topic of conversation. Even if we look at the White House's cyber security, strategy for 2023 into 2024 and into next year, they talk very clearly around about knowing your supply chain, knowing what products you using to help you deliver your services, and if you don't, that really falls on you to know who you're actually working with.”
Robbie can likewise see the impact spreading to multinational businesses, ahead of further legislation in other countries. “This is coming to the US soon. You need to do this. You can't just get away with it by just doing something in the UK. Having a global mindset straightaway, that's what gets you ahead in the regulatory framework as you look at all the markets you operate in.”
6. You have to take control of your data and processes, and you need to make it easy for employees to use them
The letter of the ECCT Act is very clear: businesses need to have clear, effective and regularly reviewed processes to prevent fraud. A key requirement is visibility of your business operations. You need “visibility of where data is flowing, what data is being used, how it's being used, how long it's being retained for” says Luke. “So that technology conversation probably needs to start happening now, if it hasn't already, to make sure you are compliant with the ECCT.” The Workiro platform is an excellent basis for this, securing documents and communications throughout the organisation, enabling straightforward control of business data, and positioning the business for compliance.
Robbie has helped deliver similar processes rolling out Payhawk to different businesses, and is a firm believer in ease of use driving adoption and cultural impact. “If you can get that sort of user experience, make it easy for people to use whilst also making sure you get the right data flows as it flows around the organization, you can achieve the best of both worlds,” he says. “Rather than the ‘oh, here we go, compliance’ mentality.”
To find out more about how Workiro lets you take control of your documents and workflows and keeps you fully informed about your business - while making it easier for staff and customers to track accounts, contract signing and much more - sign up for a demo.