Governance & Board · Pillar guide

Top-Level Commitment Under ECCTA: What the Board Needs to Do and Evidence

By Theo Chavannes · 9 min read

Top-level commitment is Principle 1 of the Home Office's six fraud prevention principles. Without it, the remaining five principles are unlikely to be convincing. This guide explains what the Home Office guidance requires, what the SFO evaluates, and how compliance teams can document it.

Key points

  • Principle 1 requires senior management or board ownership, not delegation to the compliance function alone
  • Top-level commitment is evidenced by actions and records, not by assertions in a policy document
  • Board minutes that record substantive ECCTA engagement are qualitatively stronger than those that merely note a report was received
  • The SFO evaluates whether senior leadership modelled compliant behaviour and communicated the importance of compliance

What Principle 1 requires

The Home Office failure-to-prevent-fraud guidance identifies top-level commitment as the foundation of a reasonable procedures framework. Principle 1 requires that those at the top of an organisation — the board, senior management, or equivalent governing body — take ownership of fraud prevention rather than delegating it entirely to the compliance or legal function. The guidance states that the organisation's anti-fraud culture must be championed at the top.

Ownership at the top level does not mean the board itself conducts fraud risk assessments or writes procedures. It means the board approves the framework, receives regular reporting on compliance status, engages substantively with identified risks and gaps, and makes decisions on the level of resource and priority the programme receives. The compliance team's role is to run the programme; the board's role is to govern it.

The guidance makes clear that top-level commitment must be visible — communicated to the workforce, embedded in the organisation's culture, and supported by appropriate resources. A board resolution made in private and never communicated is insufficient. Employees and associated persons need to understand that the organisation's leadership takes fraud prevention seriously and that non-compliance will be taken seriously at the highest level.

Evidencing the board's engagement

Top-level commitment is evidenced by records, not assertions. A policy that states 'the board is committed to fraud prevention' is weaker than a board minute that records the directors considering a fraud risk assessment, asking questions about specific risk areas, and approving the assessment with named blockers and actions. The record needs to show that the board engaged with the substance of the programme, not just that it acknowledged receipt of a document.

Useful evidence of top-level commitment includes: board minutes recording ECCTA agenda items with substantive discussion; sign-off records for the fraud risk assessment; communications from the CEO or equivalent to the workforce about fraud prevention obligations; training completion records showing that directors and senior management completed fraud prevention training; and records of any decisions taken by the board in response to compliance monitoring reports.

The frequency of board engagement matters too. Annual review of a static compliance programme is weaker than quarterly reporting to the board or a sub-committee with records of each meeting. The SFO's compliance-programme evaluation guidance asks whether senior leadership was consistently engaged over time, not just at the point when a document was approved.

Communication and culture signals

The Home Office guidance requires that top-level commitment be communicated to the organisation's workforce and associated persons. This means that employees and relevant third parties need to understand that fraud prevention is a priority for leadership, not just a compliance obligation that sits with the legal team. Communication can take many forms: a letter from the CEO, a video message, a dedicated section of the induction programme, or all-staff communications at the time of a policy update.

The SFO's guidance on compliance programme evaluation notes that it evaluates whether senior leadership set a tone at the top that discouraged misconduct. Evidence of tone includes how the organisation responded to compliance failures when they were identified: whether they were investigated, whether consequences were applied consistently regardless of the seniority of those involved, and whether the compliance programme was updated in response. An organisation that discovered a potential fraud issue and addressed it proactively demonstrates a different culture from one that suppressed the concern.

Cultural evidence is inherently harder to document than procedural evidence, but it is not impossible. Internal communications, staff survey results on culture and ethics, training-scenario outcomes, and records of how whistleblower concerns were handled all contribute to the cultural evidence picture. Compliance teams should retain this material alongside the procedural documentation.

What the SFO evaluates and why it matters

The SFO's November 2025 compliance programme evaluation guidance places significant weight on whether a company's compliance programme was driven by genuine senior commitment rather than being a compliance-for-compliance's-sake exercise. The guidance specifically asks whether the organisation's leadership understood and accepted compliance as a priority, and whether that understanding was translated into resource, process, and communication.

In ECCTA enforcement, Principle 1 matters because it goes to the question of whether the organisation had a genuine compliance culture or was attempting to construct a post-hoc defence. An organisation with contemporaneous evidence of board engagement, workforce communication, and senior-level accountability for the programme is in a materially different position from one that can produce only a policy document with a board member's signature.

Compliance teams preparing for ECCTA enforcement scrutiny should audit their Principle 1 evidence now. The questions to ask are: Can you demonstrate that the board received and engaged with ECCTA compliance reporting? Can you show that senior management communicated fraud prevention obligations to the workforce? Do you have records of board decisions made in response to compliance monitoring or risk assessment findings? If the honest answer to these questions is 'no' or 'not really', the governance evidence gap is material and should be addressed before the compliance programme faces scrutiny.


DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.
