In October 2023, the Economic Crime and Corporate Transparency Act (ECCTA) came into force. While it might sound like something only large banks or financial institutions need to worry about, the reality is that it could affect almost every business, including early-stage startups and fast-growing scaleups.

Understanding the basics of this law, and taking some simple steps to manage risk, could help protect your business and your reputation as you scale.

The backstory on how corporate crime law has changed

For decades, it was hard for UK prosecutors to hold companies criminally liable for the actions of employees or managers. Under a principle known as the identification doctrine, only the actions of a company’s ‘controlling mind’, usually board-level directors, could be treated as those of the company.

That made it tricky to prosecute companies for crimes like fraud, bribery or tax evasion, especially in complex businesses with multiple decision-makers. The Bribery Act 2010 introduced a ‘failure to prevent’ offence for commercial organisations that didn’t take reasonable steps to stop bribery.

Later, the Criminal Finances Act 2017 did the same for tax evasion. But these offences only applied in specific areas and the identification doctrine remained the general rule.

What ECCTA changes

The ECCTA builds on this earlier work and introduces two big changes that every startup should know about.

#1 – Failure to prevent fraud (for large companies)

If your business meets two out of three thresholds: more than 250 employees, over £36 million in turnover, or more than £18 million in assets, you are now legally required to take steps to prevent fraud by employees, agents or contractors. If fraud occurs and you didn’t take reasonable steps to prevent it, your company could be prosecuted.

This won’t apply to most early-stage startups just yet, but if you’re growing fast or have ambitious targets, it’s something to keep an eye on as your team expands.

#2 – Corporate liability for senior manager offences (applies to everyone)

This is the big one for startups. Under Section 196 of the ECCTA, any company, regardless of size, can now be held liable if a senior manager commits an economic crime while performing their job.

That means if a head of operations fudges the numbers, a product lead misuses company funds, or a finance director engages in tax evasion, your business could face prosecution, even if you as the founder, had no idea what was going on.

This change reflects a simple idea: the law expects companies to take responsibility for what their senior people do in the course of their work.

What’s coming next?

A new Crime and Policing Bill, currently being reviewed by Parliament, could make companies liable for any criminal offence committed by a senior manager in their role, not just financial crimes. That could include harassment, unauthorised data use or breaches of privacy law.

For startups, where senior people often wear multiple hats and have a lot of autonomy, this is a risk worth understanding.

What can startup founders do?

You don’t need to become a compliance expert or hire a legal team overnight. But you do need to show that you’ve taken reasonable steps to prevent misconduct. Here are a few practical steps to help protect you and your business:

• Set clear expectations – your employment contracts and policies should make it clear that fraud, bribery and other crimes won’t be tolerated, whilst explaining what’s expected from everyone in the business.
• Train your team – ensure that senior managers and your key people understand what they can and can’t do, especially when it comes to handling money, customer data, or supplier relationships.
• Create a speak-up culture – encourage people to raise concerns early if they spot something suspicious. You don’t need a complex whistleblowing system, but you do need a way for people to safely raise issues.
• Add checks and balances – even in a small team, consider requiring dual approvals for key decisions, like signing off payments or onboarding suppliers. This can help catch mistakes or misconduct before they escalate.
• Document what you’re doing – keep a record of your policies, any training you provide, and the systems you’ve put in place. If something goes wrong, this documentation could help defend your business.

Why this matters for startups

Building a startup is all about trust – with your customers, investors and your team. The ECCTA is a reminder that as your business grows, so do your responsibilities. Taking the time now to build good governance and set the right culture could save you a lot of trouble down the line.

Being a startup doesn’t mean you’re too small to matter. In fact, in a fast-paced, high-pressure environment, small issues can turn into big problems quickly and the best way to protect your venture is to lead from the front. Set clear expectations, stay informed and make sure you’re building not just great products and services, but a responsible and resilient business.

For more startup news, check out the other articles on the website, and subscribe to the magazine for free. Listen to The Cereal Entrepreneur podcast for more interviews with entrepreneurs and big-hitters in the startup ecosystem.