What evidence do I need for ECCTA Principle 6 — monitoring and review?
Principle 6 requires evidence that your fraud prevention procedures are actively monitored and periodically reviewed — not just adopted once. Evidence includes dated review records, change logs when scope changes, and a defined re-attestation cadence.
Not sure this applies to you? The offence targets large organisations that meet the size test — check whether you are in scope.
In short
- Principle 6 requires dated evidence of review cycles — not just an initial adoption record.
- Scope changes, acquisitions, and new markets are triggers for unscheduled review.
- Re-attestation cadence for associated persons should be documented and followed.
- Board sign-off on the review is the strongest evidence of top-level commitment to the cycle.
The six ECCTA reasonable procedures principles are not a one-time checklist. Principle 6 — monitoring and review — requires evidence that the organisation treats its fraud prevention procedures as a living framework, not a static document.
In practice, Principle 6 evidence typically includes: a documented review cycle (annually at minimum, triggered by material scope changes), evidence that the review actually occurred (board minutes referencing the review, dated sign-off from senior leadership), and records of changes made as a result of the review.
A common gap is organisations that completed a risk assessment in 2024 and have not revisited it since. The guidance is clear that procedures must be proportionate to evolving risk — a change in business model, acquisition, or entry into a new market is a trigger for an unscheduled review.
Re-attestation cadence for associated persons is a related requirement: the attestation record should show not just the original attestation date but evidence of periodic re-confirmation. Annual re-attestation is a common standard, though the right cadence depends on the risk profile of the relationship.
The sample board pack — a one-page view of where evidence is complete and what is missing — opens in your browser, no email, no form.
Official sources
- Home Office failure-to-prevent-fraud guidance v1.5
Updated 2025-10-10; accessed 2026-06-15.
- SFO compliance-programme evaluation guidance
Published 2025-11-26; accessed 2026-06-15.
Keep reading
DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.