ECCTA and Provision 29: Building a Holistic Framework for Fraud Prevention and Corporate Transparency

Governance, Risk, and Compliance (GRC) teams today face a rapidly evolving regulatory landscape. In the UK, two developments stand out: the Economic Crime and Corporate Transparency Act (ECCTA) and Provision 29 of the UK Corporate Governance Code. Both set new expectations for fraud prevention and corporate transparency, and together they effectively require organizations to adopt a more holistic internal control and governance framework. This post breaks down what ECCTA and Provision 29 entail, how they overlap and reinforce each other, and why these changes matter for cross-functional GRC teams striving to improve resilience and performance. We’ll also see how meeting these requirements not only ensures compliance but can strengthen overall business performance – and how an integrated approach (such as using Connected Risk) can help tie it all together.

What is the Economic Crime and Corporate Transparency Act (ECCTA)?

The Economic Crime and Corporate Transparency Act 2023 is a significant new UK law designed to combat financial crime and enhance corporate transparency. Enacted in response to rising concerns about fraud, money laundering, and other economic crimes, ECCTA aims to create a more accountable business environment. Two of its headline provisions are:

  • Broader Corporate Liability for Fraud: ECCTA makes it easier to hold companies criminally liable when wrongdoing occurs within the organization. It introduces a “senior manager” liability regime – if a senior manager commits certain offenses (like fraud, bribery, or sanctions breaches) in the scope of their role, the company itself can be held guilty of that offense. This is a shift from previous rules that made prosecuting large companies difficult, and it underscores the need for top-down ethical conduct and oversight.
  • “Failure to Prevent Fraud” Offense: Perhaps most notably, ECCTA creates a new corporate offense of failing to prevent fraud. Starting in 2025, large companies could face unlimited fines if an employee or associate commits fraud for the company’s benefit and the company cannot prove it had “reasonable steps” or adequate procedures in place to prevent fraud. In plain terms, if your organization doesn’t have proper anti-fraud controls and a fraud by staff occurs, the organization itself could be punished. (This is similar to the UK Bribery Act’s approach to bribery – you must have preventative measures in place as a defense.)
  • Corporate Transparency Reforms: Beyond fraud, ECCTA also targets opaque corporate structures. It reforms the role of Companies House (the UK’s companies registry) to improve the accuracy and transparency of company information. For example, the Act will require identity verification for all new and existing company directors and beneficial owners (Persons with Significant Control), to ensure the information on the register is trustworthy. Companies House will get more powers to check and refuse incorrect filings and share data with law enforcement when something looks suspicious. The goal is to weed out “shell” companies and false information, making it harder for criminals to hide and delivering a more reliable companies register to underpin business activity.

In short, ECCTA compels companies to tighten their fraud defenses and be transparent about their corporate information. Organizations should be proactive in strengthening internal fraud controls and compliance processes to meet these new legal duties (the UK government is expected to issue guidance on what “reasonable steps” to prevent fraud entail). By acting now, businesses can avoid liability and help build the trusted, crime-resistant environment ECCTA envisions.

What is Provision 29 of the UK Corporate Governance Code?

Provision 29 is a new requirement in the 2024 revision of the UK Corporate Governance Code (effective for accounting periods starting 2025, with many companies preparing in 2025 for reporting in 2026). The UK Corporate Governance Code sets best-practice standards for how companies are directed and controlled. Provision 29 specifically deals with risk management and internal controls, and it significantly raises the bar on board accountability for those controls.

In simple terms, Provision 29 requires the board to annually monitor and assess the effectiveness of the company’s entire internal control framework, covering financial, operational, compliance, and reporting controls. The board must then make an annual declaration in the company’s report on whether these controls are effective, and describe how it conducted its review. If any key controls were not effective during the year, the board needs to explain what actions have been taken (or will be taken) to fix the issues.

This is a step up from prior governance code provisions. Previously, boards needed to review and report on internal controls (often focused on financial controls) in a general way. Now, under Provision 29, the expectation is more explicit and comprehensive. Boards of in-scope companies (generally UK premium-listed companies) must provide:

  • A description of how they monitored and reviewed the effectiveness of the risk management and internal control framework over the year – i.e. what process did the board use to get comfortable that controls are working?
  • A formal declaration that the material controls are effective as of the year-end date – essentially an affirmation that the key controls in the business (financial, operational, compliance, etc.) have operated effectively.
  • Details on any material controls that were not effective and how they are being remedied – transparency about control failures and what management is doing about them.

Provision 29 forces boards and executives to pay close attention to all categories of controls, not just financial reporting controls. Compliance controls and operational controls are explicitly in scope, which means areas like fraud prevention systems, anti-money laundering processes, IT security controls, and other non-financial controls cannot be ignored. While regulators have framed this change as an evolution rather than a revolution, in practice “Provision 29 requires considerable work across several domains”. Companies will need to evaluate their enterprise risks, identify their most “material” controls, possibly expand their control monitoring programs, and figure out how to evidence and assure control effectiveness to back up the board’s declaration.

In effect, Provision 29 is prompting something akin to a UK version of Sarbanes-Oxley-style rigor (though covering a broader array of controls). It puts internal control effectiveness firmly on the agenda of the board and audit committees. For GRC teams, this means there is a heightened focus on internal audit, risk management, and compliance functions working together to ensure that when the board signs off on that controls effectiveness statement, it’s based on solid evidence and cross-functional input.

How ECCTA and Provision 29 Overlap and Reinforce Each Other

It’s no coincidence that these two initiatives – one legal (ECCTA) and one a governance code provision – arrived around the same time. They share a common theme: strengthening organizations’ defenses against fraud and misconduct through better controls and transparency. For companies impacted by both, there is a significant overlap in expectations. Meeting one will help meet the other, and vice versa. Key overlaps include:

  • Robust Fraud Prevention Controls: ECCTA’s failure to prevent fraud offense essentially mandates that companies have adequate anti-fraud controls and procedures in place. This could include things like fraud risk assessments, employee training, whistleblowing channels, anti-fraud policies, monitoring systems, and responsive investigation processes. Meanwhile, Provision 29 explicitly covers compliance controls and operational controls as part of the “material controls” the board must oversee. Anti-fraud controls fall squarely into this category (as do anti-bribery, sanctions compliance, and other economic crime prevention measures). In other words, both ECCTA and Provision 29 expect companies to have effective fraud risk management and internal controls. If your company is doing what it needs to avoid an ECCTA violation – implementing “reasonable steps” to prevent fraud – you will likely have a stronger control framework to report on under Provision 29. And conversely, if you are rigorously following Provision 29 and testing your controls (including fraud prevention controls) for effectiveness, you’ll be in a much better position to defend against any “failure to prevent fraud” allegations. The two requirements reinforce a single message: proactively identify fraud risks and control them or face serious consequences.
  • Corporate Transparency and Accurate Reporting: A major objective of ECCTA is to improve corporate transparency – shining a light on who is behind companies and ensuring filings are accurate. While this might seem external to internal controls, it actually dovetails with good governance practices. Provision 29 requires boards to consider reporting controls and data accuracy as part of the internal control framework. Ensuring accurate disclosures (financial and non-financial) is part of a strong control environment. Under ECCTA, companies will need to cooperate with new identity verification rules and possibly enhance their own governance of legal entity data (for example, verifying that all directors and Persons with Significant Control in their organization have completed the required ID verification, and that company filings are correct). This likely involves internal procedures and checks – a compliance responsibility that may span the legal, finance, and company secretarial teams. Both ECCTA and Provision 29 demand a culture of accuracy and honesty in corporate reporting. ECCTA literally seeks to “improve the accuracy of Companies House data, to support business decisions and law enforcement investigations”. Provision 29 pushes for transparent disclosure to investors about control effectiveness. In combination, they encourage organizations to break down any silos between compliance reporting (e.g. statutory filings) and internal control reporting. All reporting should be accurate and trustworthy, which requires robust internal processes.
  • Board Accountability and Cross-Functional Governance: ECCTA and Provision 29 together put a spotlight on boards and senior management to drive an integrated approach to governance, risk, and compliance. Under ECCTA, senior leaders cannot turn a blind eye to fraud risks – if fraud happens on their watch without proper controls, the company (and potentially individuals) could be held accountable. Under Provision 29, the board must formally attest to control effectiveness, meaning they need confidence in what all parts of the business are doing to manage risk. This naturally leads to greater cross-functional collaboration. GRC teams must work together – risk managers, compliance officers, internal auditors, finance teams, and operational managers – to provide the board with a holistic view of the risk and control landscape. These requirements effectively tear down the notion that, say, the anti-fraud program is just the compliance department’s job, or financial controls are just finance’s concern. Instead, organizations have to ensure all key players are engaged in risk management and controls. As one commentary on Provision 29 notes, companies will need to “engage a broad spectrum of stakeholders on enterprise risks and controls across what are typically siloed business units”. The same is true for meeting ECCTA obligations – for example, HR and IT might need to work with compliance to roll out fraud awareness training and reporting systems, while legal and finance work together on verification of corporate information. The overlap of ECCTA and Provision 29 effectively pushes companies toward a unified, enterprise-wide internal control framework, rather than a set of disjointed compliance checklists.

In summary, ECCTA and Provision 29 are two sides of the same coin. ECCTA brings the force of law (with penalties for non-compliance), and Provision 29 brings the expectations of governance best-practice (with accountability to shareholders and stakeholders). Both aim to strengthen trust in businesses – trust that companies aren’t enabling fraud, and trust that they have their house in order internally. For GRC teams, the message is clear: use the momentum of these reforms to build a comprehensive internal control system that covers financial integrity, fraud prevention, operational resilience, and transparency in one coherent framework.

Why This Matters to GRC Teams: Resilience, Better Governance, and Risk Reduction

For cross-functional GRC teams, the convergence of ECCTA and Provision 29 is more than just another compliance box-ticking exercise – it’s an opportunity to enhance the organization’s resilience and governance in a meaningful way. Here are several reasons why these requirements should be front-and-center for GRC professionals and executives:

  • Enhanced Risk Resilience: By implementing the controls and processes demanded by ECCTA and Provision 29, organizations inevitably become more resilient to risk. Strong anti-fraud controls mean the company is less likely to suffer significant fraud losses or scandals. Rigorous internal control monitoring means operational surprises (like control failures leading to errors or losses) are more likely to be caught and corrected early. In a world of increasingly complex risks, having this resilience can be the difference between a minor issue and a major crisis. Think of it as “stress-proofing” your enterprise – you’re better protected against both internal threats (e.g. rogue employee fraud) and external scrutiny (regulators, auditors, investors asking tough questions).
  • Better Cross-Functional Coordination: Meeting ECCTA and Provision 29 forces silos to come down. Compliance can’t do it alone; risk management can’t do it alone; the board certainly can’t do it alone. The requirements encourage the formation of cross-functional working groups or committees that bring together diverse expertise – legal, compliance, finance, operations, IT, HR, and audit. This collaboration can yield benefits beyond just compliance. When teams communicate more, they share insights that can lead to improved processes and a more cohesive strategy. For example, in preparing the Provision 29 controls declaration, internal audit might work more closely with compliance and operational managers to test controls. That teamwork can identify inefficiencies or gaps that wouldn’t surface in a silo. Over time, a habit of cross-functional risk dialogue builds a strong risk culture and a unified approach to problem-solving.
  • Stronger Corporate Governance and Accountability: Provision 29 squarely puts internal controls on the board’s agenda, and ECCTA adds external accountability (including potential legal liability) for getting things right. This high-level focus can empower GRC teams to get the resources and attention they need. When the board needs to declare “our controls are effective,” they will understandably demand thorough evidence and assurance. This elevates the importance of internal audit reports, risk assessments, and compliance certifications. The board and executives will likely set a tone from the top that emphasizes integrity and transparency (to meet ECCTA’s spirit and Provision 29’s letter). A company that embraces this will have clearer oversight structures – for instance, defined executive responsibility for economic crime prevention, and regular board reviews of risk management effectiveness. All of this translates to better governance practices, which in turn make the organization more attractive to investors and partners who value well-governed companies.
  • Reduced Regulatory and Legal Risk: Non-compliance with ECCTA could lead to prosecutions and heavy fines; failing at Provision 29 (while not a law per se) could lead to shareholder backlash, reputational damage, or intervention by regulators if disclosures are poor. By aligning your internal controls to satisfy both, you significantly lower the risk of regulatory enforcement or negative audit findings. It’s much better (and cheaper) to invest in preventative measures now than to face an investigation later because something slipped through the cracks. GRC teams can use ECCTA’s legal requirements as a powerful argument to get buy-in for control improvements: for example, justifying budget for a new fraud monitoring system by pointing to the “failure to prevent fraud” offense. This proactive stance is essentially insurance against future legal troubles.
  • Holistic View of Risk (No Blind Spots): The overlapping scope of ECCTA and Provision 29 ensures that risk is looked at holistically. It’s not just about financial reporting or just about compliance – it’s about enterprise risk management as a whole. This encourages development of integrated risk registers and control matrices that map out everything from financial misstatement risk to cyber risk to fraud risk. When all these risks and controls are seen in one integrated framework, management can better prioritize and allocate resources to where it matters most. It also helps in identifying interdependencies (for example, how a weakness in IT security controls might facilitate fraud, or how third-party due diligence lapses could create both compliance and operational risks). For GRC teams, this is a chance to break away from fragmented risk assessments and move toward a truly integrated GRC program.

Importantly, aligning with ECCTA and Provision 29 isn’t just about avoiding negatives (frauds, fines, failures); it’s about positioning the company to operate more effectively and confidently. When risk is managed in a coordinated way, the business is free to pursue its objectives with fewer interruptions. As one governance expert put it, organizations need to find the “golden thread” that links their strategic goals with underlying risks and the controls in place – doing so gives the business the strongest chance of achieving its objectives. In practice, that golden thread might mean, for example, that if a company’s strategy is to expand into new markets, the risk and compliance teams are involved early to ensure fraud prevention and compliance controls are extended appropriately to those new operations, thereby safeguarding the strategy’s success.

From Compliance to Performance: How Holistic GRC Strengthens Business Performance

Beyond satisfying regulators and boards, there’s a silver lining: meeting the stringent requirements of ECCTA and Provision 29 can actually boost overall business performance. Here’s how a holistic internal control and transparency framework benefits the business:

  • Fraud and Loss Reduction: Companies with strong fraud prevention controls are less likely to suffer financial losses due to fraud. They are also more likely to detect and stop any fraud that does occur, much sooner. Fraud can be enormously costly – not only in direct financial terms but also in terms of reputation and stakeholder trust. By preventing those incidents, companies save money and avoid disruption, which positively impacts the bottom line.
  • Improved Data Quality and Decision-Making: The corporate transparency measures in ECCTA (like verified and accurate company data) mean that both regulators and businesses themselves have more reliable information. Internally, having accurate data about your corporate structure, ownership, and financial statements is critical for making sound decisions. ECCTA’s reforms will “improve the accuracy of Companies House data” which in turn “supports business decisions” according to the UK government. In practice, cleaning up data and ensuring every important piece of information is verified can help executives and managers base their strategies on facts, not flawed data. Accurate internal control reporting (under Provision 29) likewise gives leadership confidence to take informed risks, invest, or streamline operations, because they know the state of the company’s controls and risk exposures.
  • Investor and Partner Confidence: Both robust controls and transparency are highly valued by investors, lenders, business partners, and customers. When a company can demonstrate it has a tight handle on risk (through something tangible like a Provision 29 effectiveness declaration or compliance with ECCTA’s requirements), it sends a signal of reliability. Investors may view the company as a safer investment. Business partners may be more willing to collaborate, knowing the company has low exposure to fraud or regulatory sanctions. Over time, this can translate into a competitive advantage – the company might enjoy lower costs of capital or win more business because of its reputation for integrity and good governance.
  • Operational Efficiency and Consistency: While implementing new controls and procedures sounds like it might add bureaucracy, a well-designed holistic framework can actually streamline operations. When controls are integrated and risk management processes are consistent across the enterprise, there is less duplication of effort and less confusion. For example, if different departments were separately handling risk issues in the past, a unified approach under these reforms can consolidate those efforts, eliminate redundant checks, and focus on what really matters. Automated controls and centralized monitoring (which many companies are considering in response to these rules) can reduce manual work and error. In short, you create a control system that works with the business, not against it. Employees also get clearer guidance and processes, which can improve compliance and efficiency simultaneously.
  • Resilience Leads to Agility: A business that has mapped out its risks and controls thoroughly is often more agile when change comes. Whether it’s a sudden market shift, a new regulation, or an unexpected event, the company knows its exposure and has playbooks (controls, response plans) in place. This means quicker, more decisive action. In performance terms, that agility can mean seizing opportunities faster than competitors or minimizing downtime during crises. For instance, a company that already has strong anti-fraud controls and monitoring might be able to venture into a higher-risk market (geographically or in a new product line) with confidence, knowing it can manage the fraud risk – whereas a less prepared competitor might shy away or fail catastrophically due to unchecked risks. Thus, good GRC isn’t just defensive; it can enable strategic moves.

It’s worth noting that regulators themselves highlight the positive business impacts. By strengthening transparency and fighting economic crime, ECCTA is expected to “strengthen the business environment” in the UK (gov.uk). A stronger business environment is one where honest firms can thrive without being undercut by illicit activity, and where markets function more fairly – ultimately benefiting compliant companies. Similarly, the intent behind Provision 29 is to foster sustained success of companies through better oversight (the Financial Reporting Council wants reporting that isn’t boilerplate, but truly reflective of how a company is managing for long-term success). In sum, compliance and performance go hand-in-hand here: doing the right thing internally tends to produce better outcomes externally.

Embracing a Connected Approach to GRC (and How Technology Can Help)

Implementing a holistic, cross-functional GRC framework to satisfy ECCTA and Provision 29 can be challenging. It requires coordination, information-sharing, and consistent practices across the organization. Many companies are finding that technology and integrated solutions are invaluable for managing this complexity. In fact, experts note that as organizations prepare for Provision 29’s demands, “now is an excellent time to explore how investing in integrated governance, risk, and compliance (GRC) technology… can increase control framework maturity and its associated assurance across the business”. In other words, the right tools can make your internal control system both more effective and easier to manage.

So what does an integrated GRC solution do? In practical terms, it can centralize all your risk and control information in one place. For example, it might allow you to link your fraud risk assessments with the controls that mitigate those risks and the audit tests that verify those controls – and then present that information in dashboards or reports for management and the board. This is hugely helpful when trying to document “reasonable preventative procedures” for ECCTA or evidencing control effectiveness for Provision 29. Rather than chasing spreadsheets and emails from different departments, all relevant data is connected. Many modern GRC platforms also provide workflow automation (for control attestations, issue tracking, etc.) which reduces the administrative burden on teams.

Connected Risk is one such solution, purpose-built to enable these interconnected, cross-functional GRC efforts. By adopting a platform like Connected Risk, organizations can break down silos between risk, compliance, and audit functions. For instance, a compliance officer’s updates to fraud controls could automatically feed into the risk team’s enterprise risk register and notify internal audit to adjust their audit plan – all within the same system. This ensures everyone is on the same page and that the “single source of truth” for controls and risks is available when the board needs assurance or when regulators come calling. Ultimately, leveraging technology helps ensure nothing falls through the cracks and that GRC teams can focus on analysis and improvement rather than manual coordination.

Finally, integrating your approach not only helps with compliance, but it also further reinforces those business performance benefits we discussed. Automation and integration lead to more reliable data (supporting transparency), and real-time reporting can give management ongoing insights rather than once-a-year snapshots. A connected GRC framework means that the work done to comply with ECCTA and Provision 29 actively contributes to running the business better year-round.

Ready to strengthen your organization’s fraud defenses and internal controls in a truly integrated way? Book a demo with Connected Risk to see how our platform can help your cross-functional GRC team stay ahead of these requirements and turn compliance into business advantage.
