Home » Managing » Legislation and Regulation » Think you’re ECCTA-compliant? You might want to check again

Think you’re ECCTA-compliant? You might want to check again

Audit your business to ensure your ECCTA-compliant

Avatar photoby Dana Wagstaff

Many UK firms believe they’re ECCTA-compliant, but most aren’t. As enforcement ramps up, Dana Wagstaff explains the hidden risks, the urgent need for audits and why company secretaries must lead the charge to avoid penalties and protect governance

The UK has entered a new era of corporate accountability. The Economic Crime and Corporate Transparency Act 2023 (ECCTA) is the most sweeping reform to Companies House since it was founded in 1844. The legislation is transforming how businesses must handle identity verification, transparency and fraud prevention.

But despite its scale and significance, many firms wrongly assume they’re already ECCTA-compliant. This false confidence often rests on outdated assumptions and an overestimation of internal controls.

The gap between perception and reality is widening, and with enforcement already underway, the cost of inaction is rising fast.

The ECCTA demands more than passive compliance

The ECCTA is a systemic shift in corporate governance.

From 18 November, organisations will be responsible for verifying the identities of directors, LLP members and persons with significant control (PSCs). They must maintain more rigorous controls around company formation and filings, as well as engage with a newly empowered Companies House that’s already rejecting inaccurate submissions and exercising more scrutiny than we’ve ever seen before.

Companies House and the Insolvency Service recently uncovered 30 entities that had incorporated 30,000-50,000 companies they considered to be involved in ‘illicit activities’, and over 11,500 companies have been struck off the register. They have also analysed 100,000 shell companies and are commencing investigations into a number of them.

Companies House will take a hard-line stance on non-compliance and confirmed during the Corporate Governance Institute’s annual conference that it will remove all non-verified companies from the register following the deadline, regardless of potential technical issues or backlogs. The message to firms is clear: take notice and act.

Critically, since 1 September 2025, the new Failure to Prevent Fraud offence has taken effect, which requires larger firms to demonstrate they have reasonable procedures in place to prevent fraud. Meeting this obligation demands active monitoring, robust documentation and clear accountability – operational processes that many companies believe they have in place, but the coming months will reveal those who are truly compliant, and those who are exposed.

The gap between belief and reality

Many firms assume that their existing processes for fraud are robust enough, that they still have time to complete identity verification and that filings and procedures are always accurate. Yet it is possible that none of these internal audits have been validated against the ECCTA-specific rules or the new government guidance.

Firms often rely on informal, outdated processes and legacy data without timestamped audit trails or consideration of newly revised standards. These informal methods will likely fall short of the ECCTA’s requirements.

Recent data illustrates the scale of this compliance gap. As of August 2025, Companies House has reported that only 300,000 of an estimated seven million individuals required to verify their identities have done so, which is just over 4 per cent of those affected.

Only 28 per cent of UK directors surveyed in June 2025 claimed they were ready for Companies House reforms, with a further 39 per cent stating they were completely unaware of the ECCTA deadlines. These statistics reveal that readiness among directors is dangerously low in terms of ECCTA alignment.

A lack of understanding won’t shield firms from the consequences of ECCTA non-compliance. Delaying identity verification or relying on outdated processes risks disqualification, reputational harm, and unlimited fines, while regulators are likely to make examples of those who fall short.

Why an ECCTA audit is essential

To avoid the costly complacency trap, businesses should urgently conduct a health check aligned with the ECCTA’s requirements. This has been perceived by many as a simple box-ticking exercise, but it’s actually about exposing hidden vulnerabilities before regulators do.

A thorough audit can pinpoint critical gaps:

  • Are contracts and policies robust enough to meet the requirements of the Failure to Prevent Fraud offence?
  • Has ID verification been completed for all those it applies to?
  • Are your filing processes consistent, transparent, and traceable?
  • Are PSC (people with significant control) records accurate and up to date?
  • Do directors and senior staff truly understand their legal obligations?

An audit will also stress-test fraud controls, uncovering risks that are buried in legacy onboarding systems, inconsistent documentation or siloed workflows. Left unchecked, these weak points could result in financial penalties or criminal liability.

But this is more than a defensive move. Auditing builds a culture of accountability and clarity. Strong compliance frameworks inspire confidence across boards, investors and regulators.

In this new era of corporate governance, ECCTA compliance is the foundation for stability, trust, and long-term resilience.

Company secretaries must act now

Company secretaries play a crucial role in bridging the gap between perceived and actual compliance. Their role has evolved from corporate administrator to compliance architect, leading internal education on the ECCTA, coordinating cross-departmental audits, and briefing the board on any risks and vulnerabilities.

Ensuring ECCTA compliance demands leadership, structure and often independent review from third-party experts, and isn’t something to delegate or delay.

The worst mistake organisations can make is assuming they are compliant simply because nothing has gone wrong. Confidence without evidence is not a strategy, it’s a serious judgement error.

In this increasingly stringent regulatory climate, inaction is not an option and ignorance offers no defence.

Conducting a formal ECCTA readiness audit is essential as it gives firms the clear, actionable insight they need to pinpoint their current compliance status, identify gaps and take decisive steps to futureproof their business.

Dana Wagstaff is global product lead – entity management at Vistra.

Read more

Failure to Prevent Fraud offence and what you need to do now – The new Failure to Prevent Fraud offence is now in effect. Find out what you need to do so that you don’t get caught out

Related Stories

Legislation and Regulation

The New Labour Government – 5 changes to employment law businesses need to know

Chris Hadrill, Partner in the employment team at Redmans Solicitors, explains how Labour's proposed changes to employment law could affect UK businesses

Legislation and Regulation

Change in company size threshold – could it slash your red tape?

Legislation and Regulation

3 things you need to know about whistleblowing

Whistleblowing can be terrifying if you don't know your rights, here is everything you need to know about blowing the whistle.

Legislation and Regulation

What all parcel shippers need to know about dimensional weight

Dimensional weight, or volumetric weight as its frequently termed, is potentially one of the most confusing aspects of shipping parcels and freight. Here ParcelHero’s head of consumer research, David Jinks, lightens the load by explaining how carriers bill shipments by weight and size

Related Topics

Legal Issues