Mapping Associated Persons Under ECCTA: A Practical Framework
The associated-person definition in the ECCTA is broader than many compliance teams initially expect. This guide explains who qualifies, how to map the perimeter, and how to structure a risk-tiered due-diligence programme.
Key points
- The definition covers employees, agents, subsidiaries, subsidiary employees, and anyone who performs services for or on behalf of the organisation
- Supply-chain and third-party participants are often the largest and most underappreciated category
- Risk tiering allows due diligence to be proportionate: not every associated person needs the same level of scrutiny
- Due diligence records should show what was done, when, and by whom — not just a binary pass/fail
Why the definition is broader than you expect
Section 196(2) of the ECCTA defines an associated person as an employee, agent, or subsidiary of the relevant body, an employee of such a subsidiary, or any other person who performs services for or on behalf of the body. The catch-all — 'performs services for or on behalf of' — is deliberately broad and does not require a formal contractual relationship. A person who carries out work that benefits the organisation, in circumstances where they could commit a fraud intending to benefit it, may qualify as an associated person even if they are not employed or retained directly.
The practical consequence is that the associated-person perimeter is typically larger than the employee headcount suggests. A 500-person organisation with 200 contractors, 50 agents, and a supply chain of 300 active suppliers may have over 1,000 associated persons. Each of those individuals is, in principle, a person whose fraud could expose the organisation to liability under s.199 — provided the other elements of the offence are met.
Not every person who theoretically qualifies will be in a position to commit a Schedule 13 fraud intending to benefit the organisation. The compliance task is not to apply due diligence indiscriminately across every possible associated person, but to identify those whose roles and relationships create a material fraud risk and to focus proportionate procedures on them.
Employees and agents
Employees are the most straightforward category: anyone in an employment relationship with the relevant body is an associated person. The fraud risk from employees varies significantly by role. An employee in a customer-facing sales function, with authority to make representations on the organisation's behalf, creates a different risk profile than an employee in a back-office support role with no external-facing responsibilities.
Agents — persons authorised to act on behalf of the organisation in dealings with third parties — are a high-risk category in many sectors. Commercial agents, intermediaries, and distributors who have authority to bind the organisation in contracts or transactions create fraud risk because they can make false representations or engage in bribery and corrupt practices in circumstances where the organisation benefits. The Bribery Act DPA precedents illustrate how agent-related conduct has resulted in significant corporate liability.
Documenting the agent population — who they are, what authority they have, which markets and transactions they cover, and what due diligence has been conducted on them — is the foundation of a proportionate agent compliance programme. The depth of due diligence should be calibrated to the risk: a high-value agent in a high-risk jurisdiction warrants more scrutiny than a low-value agent in a low-risk one.
Subsidiaries and group entities
Subsidiary companies are associated persons of the parent, and employees of those subsidiaries are also associated persons by virtue of s.196(2). For a group structure with multiple operating subsidiaries, this means the parent's associated-person perimeter includes the employees of all its subsidiaries — a population that may be many times larger than the parent's own headcount.
Group structures introduce complexity around which entity bears liability. If an employee of a subsidiary commits a fraud intending to benefit the parent, it is the parent that faces potential liability under s.199. If the fraud was intended to benefit the subsidiary, it is the subsidiary that is exposed. Most group compliance programmes need to address both layers: a group-wide policy framework with implementation at the subsidiary level, and a consolidated evidence register that allows the group to demonstrate proportionate procedures across the enterprise.
Acquired entities introduce a specific risk: the new subsidiary brings its own fraud risk profile, its own associated-person network, and — typically — an incomplete or untested compliance framework. Post-acquisition integration of ECCTA compliance should be treated as a priority, with a rapid assessment of the acquired entity's fraud risk and an integration plan for bringing it within the group framework.
Supply chain and third parties
Supply-chain participants and third-party service providers are often the category where organisations undercount their associated-person exposure. A supplier who provides goods or services to the organisation is not automatically an associated person — the test is whether they 'perform services for or on behalf of' the body. But where a supplier's performance is integral to the organisation's ability to deliver its own products or services, or where the supplier acts in the organisation's name in dealings with customers, the 'for or on behalf of' test may be met.
The compliance task here requires judgment. An organisation does not need to treat every supplier in its procurement database as an associated person; but it should be able to articulate why those it has excluded are excluded. The distinction between a supplier who provides commodities at arm's length and a supplier who performs services that create fraud risk for the organisation is the relevant analytical question.
For supply-chain participants that do qualify as associated persons, the due-diligence programme should include contractual anti-fraud provisions, periodic screening, and — for high-risk relationships — more active monitoring. The contractual provisions are both a risk-mitigation tool and a Principle 3 (proportionate procedures) artefact: they evidence that the organisation has taken steps to limit fraud risk in the supply chain.
Risk tiering and the due-diligence programme
Risk tiering assigns each category of associated person — and, where feasible, each material associated person — a risk rating based on the fraud risk they create. The tiering criteria typically include the nature of the role (external-facing, authority to bind the organisation, access to assets or sensitive information), the value and complexity of the relationship, the sector and geographic profile, and any red flags identified in initial screening.
The due-diligence programme applies proportionate scrutiny to each tier. High-risk associated persons receive enhanced due diligence — background screening, financial crime screening, reference checks, and more frequent review cycles. Medium-risk associated persons receive standard due diligence — policy acknowledgement, periodic self-certification, and less frequent review. Low-risk associated persons may receive only basic onboarding documentation.
Due diligence records should document what was done, when it was done, who did it, and what conclusion was reached. A due-diligence record that records only 'cleared' or 'approved' is of limited value if it cannot be reconstructed to show the specific steps taken and the information reviewed. The record should be sufficient to allow a reviewer — including a prosecutor or regulatory investigator — to understand what the compliance function concluded and why.
Official sources
- Home Office failure-to-prevent-fraud guidance v1.5
Updated 2025-10-10; accessed 2026-06-15.
- Economic Crime and Corporate Transparency Act 2023
Royal Assent 2023-10-26; accessed 2026-06-15.
- Joint CPS-SFO Corporate Prosecutions guidance
Updated 2025-11-10; accessed 2026-06-15.
DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.