Associated-person evidence

How to organise associated-person evidence for ECCTA failure-to-prevent-fraud readiness.

A practical guide for legal, compliance, procurement, financial-crime, and adviser teams mapping service providers, agents, subsidiaries, and other relevant relationships.

Why associated-person evidence matters

The government guidance describes associated persons as employees, agents, subsidiary undertakings, or others who provide services for or on behalf of the organisation. It also notes that whether someone performs services for or on behalf of the organisation depends on all the relevant circumstances.

That means readiness work should start with a documented population and a reviewable basis for inclusion, exclusion, and uncertainty. A generic supplier list is rarely enough on its own.

What to capture for each person or organisation

Useful associated-person evidence includes relationship type, service provided, business owner, risk tier, relevant fraud scenarios, due-diligence status, contractual fraud-prevention terms, training or policy communication, attestation status, and next chase date.

The register should distinguish a confirmed associated person from a counterparty that is merely in the supply chain, because the guidance says companies in the supply chain are not associated persons unless they provide services for or on behalf of the relevant body.

Attestations are evidence, not magic words

An attestation can help show what was asked, when it was asked, who responded, and what was outstanding. It should sit alongside risk assessment, due diligence, contract controls, training, monitoring, and review evidence.

For high-risk relationships, the workflow should expose missing or stale responses before an export or board pack is treated as ready. The SFO's November 2025 compliance-programme guidance emphasises that policies and controls need to operate in practice, not just exist on paper.

Current prosecution guidance signal

The Joint CPS-SFO Corporate Prosecutions guidance was updated in November 2025, after the failure-to-prevent-fraud offence came into force.

The SFO Director's June 2026 speech said the SFO is committed to making full use of the offence. Associated-person evidence should therefore be reviewable, dated, and clear about uncertainty rather than presented as a completed legal conclusion.

How DefenceFile handles the workflow

DefenceFile gives external associated persons zero-login attestation links, keeps raw bearer tokens out of audit records, rate-limits public links, and records the chase and response state back into the tenant evidence file.

Internal teams can then see which responses are complete, pending, overdue, or unresolved before counsel or advisers review the board pack.

Official sources

Home Office failure-to-prevent-fraud guidance v1.5
Updated 2025-10-10; accessed 2026-06-15.
Economic Crime and Corporate Transparency Act 2023
Royal Assent 2023-10-26; accessed 2026-06-15.
Joint CPS-SFO Corporate Prosecutions guidance
Updated 2025-11-10; accessed 2026-06-15.
SFO compliance-programme evaluation guidance
Published 2025-11-26; accessed 2026-06-15.
SFO Director anti-corruption conference speech
Published 2026-06-03; accessed 2026-06-15.

Related DefenceFile pages

Boundary

DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.

Request pilot review View pricing and FAQ