Economic Crime: What ECCTA Means for Public Sector Fraud Investigators

Mark Harrison, a trainer on the Counter Fraud Apprenticeship programme with a 30-year policing background, spoke at Counter Fraud 2026 about the Economic Crime and Corporate Transparency Act (ECCTA) and what it means in practice for fraud investigators and their organisations. Here is a summary of his key points.

🎵 Prefer to listen? Hear Mark's session in full here >> 🎵

Why ECCTA matters to the public sector

Harrison opened with a direct challenge to any assumption that ECCTA is primarily a private sector concern. If your organisation uses third-party suppliers (and almost all do) then those suppliers are likely required to comply with ECCTA. If they fail to, your organisation can be held accountable. The financial stakes are significant: non-compliance can result in penalties of up to 4% of budget. For public sector bodies already under financial pressure, Harrison was clear that this is not a risk to ignore.

He described ECCTA as the most significant reform to economic crime legislation in 50 years - an investigation enabler rather than simply a new offence. An investigation launched under ECCTA will typically surface other offences alongside it: fraud, false accounting, fraudulent trading, bribery and corruption. The legislation is designed to close the gaps that made corporate prosecutions difficult under older laws.

The problem with the old framework

Under the previous identification doctrine, prosecutors had to establish a 'directing mind and will' - essentially prove that someone at the top of an organisation knew about and directed the fraudulent activity. In practice, directors rarely admitted knowledge, and documentary evidence rarely existed. Harrison cited the Tesco v Natras case as an illustration of how easily large organisations could deflect liability onto individuals further down the chain. ECCTA removes that barrier. Organisations are now liable if a senior manager commits an economic crime - and 'senior manager' is defined broadly, covering anyone with significant influence, including regional heads, compliance leads and programme managers.

Which organisations are in scope

ECCTA applies to organisations that meet at least two of the following three criteria:

• 250 or more employees
• £36 million or more in turnover (or budget equivalent)
• £18 million or more in total assets

For public sector bodies, turnover is interpreted as budget - and that figure is calculated on a worldwide basis. For departments with overseas offices, overseas activity is included.

The six principles - and what they require

Harrison walked through the six Home Office guidance principles that organisations should be working to. The thread running through all of them is documentation. As he put it, drawing on established case law: if it is not written down, it did not happen. This applies not just to actions taken, but to decisions not to act - recording why something was considered and ruled out is equally important evidence of a proportionate and considered approach.

In practical terms, the six principles point towards:

• Risk assessment - organisations must conduct a formal fraud risk assessment, including cyber-enabled fraud. With 85% of crime now cyber-enabled in some form, Harrison argued that siloing cyber, intelligence and fraud investigation teams is a missed opportunity. Bringing them together - cyber teams scraping data, analysts reviewing it, fraud investigators applying investigative judgement - is a proportionate control worth considering.
• Proportionate procedures - controls must match the risks identified. Record what you have done and why, and record what you have chosen not to do.
• Due diligence - on suppliers, on staff joining the organisation, and on ongoing relationships. Crown Commercial Supplier status is a starting point, not a guarantee.
• Communication - fraud awareness must be communicated regularly and visibly, whether through team meetings, town halls or mandatory training. Attendance at events like Counter Fraud 2026 counts as evidence of a fraud-aware culture.
• Training - regular, documented training is evidence of a preventative environment. Harrison noted that ECCTA compliance should become part of mandatory annual learning across the public sector.
• Monitoring and review - fraud prevention procedures must be actively maintained, not set and forgotten.

Companies House reform

Harrison used a striking example to illustrate how lax Companies House had historically been - a firm registered under a name translating as 'the chicken thief', with an address listed as 40 Ali Baba Street and declared occupation as 'fraudulent thief', in Italian. It remained on the register unchallenged for years. He was candid that Companies House is still in a transition period and that investigators should cross-reference its data against other sources rather than treating it as definitive.

The reforms now require directors to verify their identity - passport or driving licence, the same as when opening a bank account - and to sign a statement confirming lawful purpose. Legitimate e-mail addresses will be required. Companies House is moving from a passive filing function to an active role in economic crime prevention, with powers to query filings, reject information and remove misleading data.

Practical advice for investigators and their organisations

Harrison closed with a number of direct recommendations:

• Check your credentials. Use Have I Been Pwned to identify whether staff e-mail addresses have appeared in data breaches, and change passwords where they have. Consider whether personal e-mail addresses on professional profiles such as LinkedIn represent an unnecessary exposure.
• Know your whistleblowing legislation. The relevant legislation is the Public Interest Disclosure Act (PIDA). Encouraging staff to come forward is part of a healthy fraud prevention culture - make it part of mandatory training.
• Watch for red flags in your own workforce. Unexplained changes in lifestyle or spending patterns are not proof of wrongdoing, but they are starting points for enquiry.
• Share intelligence. Information known to one team or department is not automatically known to others. The barriers to sharing should be actively lowered.
• Apply the investigative mindset. Harrison summarised it simply: assume nothing, believe nobody, challenge everything.

His closing message was straightforward. Prevention failures equal prosecution leverage. Organisations that fail to put reasonable fraud prevention procedures in place are not just exposed to fraud - they are exposed to prosecution. With an estimated £55 billion of fraud across the public sector, the case for investment in prevention is not difficult to make.