
ECCTA Compliance

ECCTA Readiness in 90 Days: A Practical Implementation Timeline for Compliance Teams

By Theo Chavannes, 9 min read

The ECCTA failure-to-prevent-fraud offence has been in force since September 2025. Organisations that have not yet built their compliance framework need to know what is achievable in 90 days and what that effort should prioritise. This guide sets out a realistic implementation timeline.

Key points

  • Weeks 1-4: scope confirmation, associated-person register, and fraud risk assessment are the foundations — without these, nothing else can be properly sized
  • Weeks 5-8: procedures and policy, training programme, and attestation chase should follow the risk assessment
  • Weeks 9-12: monitoring setup, board reporting, and evidence register consolidation complete the first defensible position
  • A 90-day sprint produces a foundation, not a finished programme — ongoing operation and evidence accumulation are what create a credible defence over time

Why the sequence matters

ECCTA reasonable-procedures compliance is evidence-led, not document-led. The value of a compliance programme is in the evidence it generates over time — training completion records, attestation records, risk assessment reviews, and board reporting. An organisation that has built a complete documentation set but has no operational evidence of the programme working is in a weaker position than one with a simpler framework and strong operational evidence.

The 90-day plan below is sequenced to produce operational evidence as quickly as possible, starting from the items that take the longest to accumulate. Attestations, for example, require time to send, chase, and receive responses — starting the attestation process in week 5 means you have several weeks of chase activity and responses before the end of the 90 days. Starting it in week 10 means you have almost none.

Organisations with a more mature starting position — existing AML frameworks, existing third-party due-diligence programmes, or existing ethics training — can adapt the timeline to build on those foundations rather than starting from scratch. The first step is always an honest assessment of what already exists and whether it maps onto the ECCTA framework.

Weeks 1-4: foundations

Week 1 should focus on scope confirmation: does the organisation meet the large-organisation thresholds, and do any subsidiaries need to be in scope? This step requires legal input in most cases, particularly for groups close to the thresholds. Without scope confirmation, the programme scope is undefined and resources may be misallocated.

Weeks 2-3 should focus on building the associated-person register. The register is the foundation for due diligence, attestation, and supply-chain risk assessment. It should identify all employees, agents, contractors, subsidiaries, and third-party service providers who perform services for the organisation and could commit a specified fraud offence that benefits it. The register does not need to be perfect in week 3 — it will be updated as the risk assessment identifies additional categories — but it needs to be complete enough to proceed with risk assessment.

Week 4 should produce the first version of the fraud risk assessment. The risk assessment identifies the fraud scenarios most relevant to the organisation, maps them to the associated-person categories in the register, and assesses the controls currently in place for each scenario. The first version will be imperfect — it will identify gaps that need to be addressed in the procedures and due-diligence phases — but it needs to exist before the procedures can be designed.

Weeks 5-8: procedures and people

Weeks 5-6 should focus on building the fraud prevention procedures framework: the anti-fraud policy, the specific procedural controls for high-risk areas identified in the risk assessment, and the due-diligence framework for associated persons. These documents should be drafted with the risk assessment in front of the drafting team, so that the procedures address the specific risks identified rather than generic fraud risks.

Weeks 6-7 should launch the training programme. Training for high-risk roles and functions should be targeted and substantive — generic fraud awareness training delivered to all staff can run concurrently but does not substitute for role-specific training for procurement, finance, and sales functions. Recording and retaining training completion data from the start of the training launch gives the compliance team several weeks of completion records by the end of the 90-day period.

Weeks 7-8 should begin the attestation chase for high-risk associated persons. A first round of attestations — sent to the highest-risk associated persons identified in the risk assessment — produces chase records and response records that are part of the Principle 4 and Principle 5 evidence. Even if completion rates in the first round are below target, the records of the chase and the progress of responses demonstrate that the programme is operational.

Weeks 9-12: evidence consolidation

Weeks 9-10 should set up the monitoring programme: the KPI dashboard or monitoring report that will be produced on a regular cadence going forward. The monitoring programme does not need to be elaborate — training completion rates, attestation rates, and risk assessment currency are the minimum. What it needs to do is generate a regular output that goes to someone with authority to act on it, so that the monitoring function is connected to governance.

Week 11 should produce the first board report on ECCTA compliance status. This report — even if it identifies many gaps and open items — is itself evidence of Principle 1 (top-level commitment) and Principle 6 (monitoring and review). The board's engagement with the report, recorded in board minutes, begins the governance evidence trail.

Week 12 is evidence register consolidation: reviewing what has been produced, checking that it is organised and accessible, and identifying the most significant remaining gaps for the next phase of work. At the end of the 90-day period, the organisation should have: a scope confirmation, an associated-person register, a fraud risk assessment, an anti-fraud policy and procedures, training records, first-round attestation records, a monitoring output, and at least one board report. This is a foundation, not a completion — the programme needs to continue operating and generating evidence.
