FourthLine Blog

ECCTA Fraud Risk Analysis - Approach Considerations

Written by Kieran Maplesden | May 1, 2025

Conducting a robust fraud risk analysis requires managers to define an appropriate scope, develop a comprehensive understanding of resources, business processes, and activities, estimate the likelihood and impact of risks using an appropriate risk matrix, and align existing controls with identified fraud risk factors. Ultimately, this enables an evaluation of the effectiveness of existing controls to support regulatory compliance.

Under the new ECCTA legislation, which introduces a "failure to prevent fraud" offence, firms must now perform a comprehensive, end-to-end fraud risk assessment that identifies risks where the intended beneficiary of the fraud is the organisation itself (the “relevant body”) or the clients it serves. This shift requires organisations to reassess their fraud risk management frameworks, ensuring that frauds benefiting the company—not just harming it—are fully considered.

Below, we outline six key components of an effective ECCTA fraud risk analysis framework to help firms remain compliant and prevent corporate fraud.

Scope & Mapping

The legislation makes clear that organisations can be held liable for fraudulent acts committed by employees, agents, subsidiaries, or other “associated persons” providing services for or on behalf of the organisation, where those acts were intended to benefit the organisation or its clients.

To meet this requirement, firms must conduct a comprehensive business-wide risk profiling and mapping exercise aimed at identifying all associated persons and related business units. A structured scoring model can then rate the risk profile of each unit or associated person against key indicators, including:

  • Maturity of corporate counter-fraud measures
  • Business unit budget size
  • Degree of external party involvement
  • Maturity of operational systems
  • Historical fraud incidents or known vulnerabilities

Understanding the Context

Fraud risk assessments should be embedded within the broader enterprise risk management (ERM) framework. Fraud often overlaps with other risk areas—such as cybersecurity—meaning controls may already exist that mitigate multiple risk types simultaneously.

The assessment process should be iterative, collaborative, and investigative—essentially a structured exercise in “thinking like a fraudster.” This involves deep dives into business processes to identify inherent fraud risks. Effective approaches include:

  • Interviews with senior stakeholders
  • Independent assessments of key processes
  • Fraud risk surveys
  • Facilitated workshops
  • Review of historical fraud cases and internal reports

In addition, two complementary perspectives should be applied:

  • Bottom-up: via process mapping
  • Top-down: using methods like the ABCD (Activities, Beneficiaries, Channels, Drivers) framework

Controls Analysis

Many controls already in place may be transversal, meaning they mitigate several risk categories—including fraud. However, managers must also assess whether specific fraud controls are in place and whether they are effective.

For example, consider staff onboarding. Managers should evaluate onboarding practices across all relevant entities and third-party partners. Key questions include:

  • Are clear and mandatory onboarding standards issued?
  • Is compliance regularly audited?
  • Can the organisation demonstrate enforcement action when standards are not met?

The ECCTA legislation expects firms to ensure that fraud prevention procedures are practical, clearly communicated, and demonstrably enforced.

Estimating Likelihood and Consequence

The ECCTA legislation provides organisations with a defence only if they can demonstrate that they had reasonable procedures in place to prevent fraud. Conducting a formal fraud risk assessment is fundamental; failure to do so will rarely be deemed reasonable.

Firms should develop a documented methodology to rate risks based on:

Likelihood – influenced by:

  • Volume and nature of financial transactions
  • Number and type of access points to sensitive processes
  • History of fraud incidents

Consequence – measured by:

  • Financial gain - Possible corporate gains or advantages obtained through the fraud.
  • Financial loss - Arising from litigation, fines and other legal penalties.
  • Reputational damage - To brand and market positioning.
  • Regulatory impacts - Breaches that cut across several regulatory regimes.
  • Impact on staff or customers - Human impacts on key staff, partners and organisational culture, and harm to clients.
  • Disruption to strategic objectives.

Evaluating Fraud Risks

Evaluation is about prioritisation. Risks assessed as having high likelihood and significant impact must be escalated for treatment, with proportionate countermeasures resourced accordingly.

The evaluation process should involve fraud risk owners with sufficient authority to weigh the cost of mitigation against the organisation’s risk appetite. Possible outcomes include:

  • Accepting the risk (if within tolerance)
  • Avoiding or discontinuing activities
  • Further analysis to refine understanding
  • Implementing treatments to reduce the risk to an acceptable residual level

Treating Fraud Risks

Countermeasures are the specific actions, processes, or systems designed to prevent, detect, respond to, or recover from fraud. A cohesive group of countermeasures forms the organisation’s control environment.

Each countermeasure should meet the following criteria (SMART-like in nature):

  • Specific: Defined objective and scope
  • Measurable: Progress and effectiveness can be tracked
  • Achievable: Practical and proportionate
  • Relevant: Directly aligned with the risk being addressed
  • Time-bound: Includes deadlines or review intervals

Conclusion

The ECCTA legislation introduces a significant shift in how organisations must assess and respond to fraud risk. By embedding fraud risk analysis into enterprise-wide processes, ensuring thorough documentation, and actively managing and mitigating risks with targeted countermeasures, firms can better position themselves to comply with the legislation—and more importantly, to prevent fraud before it occurs.