Ungated checklist

Ungated ECCTA readiness checklist for failure-to-prevent-fraud evidence.

A print-friendly evidence checklist for legal, compliance, financial-crime, governance, and adviser teams preparing an ECCTA failure-to-prevent-fraud readiness file before making organisation-specific legal judgments.

Use it to prepare evidence for review. It is not legal advice, does not decide scope, and does not determine whether a statutory defence will succeed.

Top-level commitment

Show who owns the fraud-prevention programme, how the board or senior leadership reviews it, and which blockers remain unresolved.

  • Board or committee minutes showing review of ECCTA failure-to-prevent-fraud readiness.
  • Named accountable owner for fraud-prevention work and escalation path.
  • Latest board-pack blocker list, including items not yet ready for adviser or board review.
  • Record of leadership communications to relevant teams and associated-person owners.

Risk assessment

Connect fraud scenarios, business units, geographies, associated-person populations, controls, and open gaps.

  • Fraud scenario register with owner, date, source version, and review status.
  • Large-organisation and UK-nexus scope screen, labelled as a screen rather than a legal conclusion.
  • Group-structure and subsidiary notes used for scope and associated-person analysis.
  • Gap map showing each material scenario, current control, evidence item, and unresolved issue.

Proportionate risk-based prevention procedures

Make the procedure-to-risk chain inspectable without saying the workflow decides whether procedures are reasonable.

  • Policy and control evidence mapped to each material fraud scenario.
  • Reviewer decision for each mapped item, including rejected, stale, superseded, or pending evidence.
  • Replacement lineage explaining why a newer item replaced an older source.
  • Residual issue log for controls that exist on paper but need operation evidence.

Due diligence

Show how the organisation understands employees, agents, subsidiaries, subsidiary employees, service providers, and supply-chain boundaries.

  • Associated-person register with relationship type, service description, geography, owner, and risk tier.
  • Due-diligence evidence for higher-risk associated-person populations.
  • Attestation chase log showing sent, viewed, submitted, overdue, and reviewed states.
  • Unclear supplier, franchise, group, or overseas-entity facts marked for qualified review.

Communication and training

Preserve what was communicated, who received it, when it changed, and what evidence supports completion or exception handling.

  • Training completion evidence by role, business unit, date, and source system.
  • Fraud-prevention communications to employees and associated-person owners.
  • Exception list for incomplete, stale, or not-applicable training records.
  • Reviewer notes explaining whether communication evidence is ready, blocked, or needs replacement.

Monitoring and review

Show that the file can be refreshed and challenged, and that operation evidence is visible to reviewers.

  • Monitoring exception log, sample results, control testing notes, and remediation actions.
  • Refresh cadence for risk assessment, due diligence, training, and board-pack review.
  • Audit trail for material changes, reviewer decisions, and export readiness.
  • Source register with official-source dates and the public source baseline used for the review.