
Governance & Board · Pillar guide

ECCTA Board Reporting: What Evidence Your Board Pack Must Contain

By Theo Chavannes · 8 min read

Principle 1 of the ECCTA fraud prevention guidance requires visible top-level commitment to the anti-fraud programme. The board pack is the primary vehicle for that evidence. This guide explains what it must contain and why the format and timing matter as much as the content.

Key points

  • A board pack approved once and not revisited is weaker evidence than periodic board reporting on the programme's status
  • The pack should contain: scope confirmation, risk assessment summary, principle coverage map, evidence gap map, unresolved blockers, and adviser handoff status
  • Board minutes recording substantive engagement — not just noting receipt — are stronger evidence of genuine top-level commitment
  • The board pack export should be dated, version-controlled, and structured for a qualified reviewer who has not seen the underlying workspace

Why board evidence matters for the reasonable-procedures defence

Principle 1 of the Home Office fraud prevention guidance requires top-level commitment to the anti-fraud programme: visible board ownership, a documented governance structure, and ongoing oversight of the programme's performance. The board pack is the primary evidence of that commitment. A board that has approved a policy but receives no subsequent reporting on how the programme is performing has not discharged its Principle 1 obligations in a way that strongly supports the reasonable-procedures defence.

The SFO's compliance programme evaluation guidance asks, in assessing whether a compliance programme was genuine, whether the board received adequate reporting and whether it acted on what it was told. Board minutes that record substantive engagement — questions asked, concerns raised, decisions made — are stronger evidence of genuine top-level commitment than minutes that simply note receipt of a report.

The timing of board reporting also matters. A board pack produced in the weeks before an investigation begins is less persuasive than a series of board packs produced periodically throughout the compliance programme. Dating and version-controlling each iteration of the board pack creates a contemporaneous record of the board's engagement with the programme.

Scope confirmation and risk assessment summary

The board pack should open with a scope confirmation: whether the organisation meets the large-organisation size test, the basis for that conclusion, and any open questions about group structure, UK nexus, or overseas entities. If an external legal adviser has reviewed the scope analysis, the pack should note this and include a reference to the adviser's written conclusions.

The risk assessment summary should present the key findings from the fraud risk assessment in a format readable by a board that has not been involved in the detailed work: the principal fraud scenarios identified, the current risk rating for each, and the controls in place. A heat-map or traffic-light format is often useful for communicating the risk landscape at a glance, with the underlying detail available in the full assessment.

If the risk assessment has been updated since the last board report, the pack should note what changed and why. Changes to the risk landscape — a new business, a new market, an industry-relevant enforcement action — should be explained in the context of how they affect the organisation's risk profile and what the programme is doing in response.

Principle coverage map and evidence gap map

The principle coverage map shows the status of the compliance programme against each of the six Home Office principles. For each principle, it records whether the evidence is complete, in progress, or has identified gaps. This gives the board a structured view of the programme's completeness rather than a narrative summary that is difficult to assess.

The evidence gap map provides more detail: for each gap identified in the principle coverage assessment, it records what is missing, who is responsible for obtaining it, the target completion date, and the current status. The gap map converts a static snapshot of the compliance position into an action plan, making it visible to the board which gaps are most material and who owns them.

Boards that receive a gap map — rather than an assurance that 'the programme is on track' — are better placed to ask the right questions about compliance adequacy. The gap map is also more useful for the organisation: it creates accountability for gap closure and records the organisation's awareness of its own compliance weaknesses, which is relevant to any future enforcement assessment of the organisation's good faith.

Evidence that procedures are operational

The board pack should include evidence that the fraud prevention procedures are not just documented but operational. Training completion rates, attestation completion rates for associated persons, due-diligence review completion rates for the current cycle, and monitoring report findings are all evidence that the programme is running.

Training completion data should show not just an overall rate but rates by function or business unit, so the board can see whether particular areas are lagging. Attestation completion data should show rates for each tier of the associated-person population, with the chase list for incomplete attestations. These data points allow the board to see whether the programme is being applied consistently or whether there are areas of non-compliance within the business.

Unresolved blockers — areas where the programme is stalled pending a decision, a resource, or an external input — should be explicitly listed. The board needs to know what is preventing the programme from progressing so that it can make or endorse the decisions needed to unblock it. Blockers that are invisible to the board cannot be resolved by the board.

Adviser handoff and board minutes

If the organisation uses external legal advisers for ECCTA compliance review, the board pack should record the adviser's status: what they have reviewed, what their findings were, what queries are outstanding, and what has been done in response to prior review comments. Adviser review is evidence that the organisation sought qualified external input — it is part of the due-diligence narrative, not a replacement for it.

Board minutes should record substantive engagement with the pack: questions asked by directors, answers given, any decisions made or actions arising, and the board's formal approval of any documents presented for approval (such as a revised risk assessment or an updated policy). Minutes that simply note 'the board received the ECCTA compliance report' are weaker evidence than minutes that record what the board considered and what it concluded.

The board pack, together with the board minutes, creates the written record of top-level commitment. Both should be retained in the evidence register with their dates, version numbers, and the identities of the board members present. This record is the primary evidence of Principle 1 compliance — without it, the board's engagement with the programme rests on recollection rather than contemporaneous documentation.


DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.
