ECCTA marches towards implementation

The new act, which demonstrates a shift in the UK’s approach to economic crime and corporate governance, is in its first phase of enactment

The Economic Crime and Corporate Transparency Act (ECCTA) is a significant piece of UK legislation that aims to tackle economic crime and improve corporate transparency by strengthening the regulatory framework, increasing accountability and ensuring that companies operate in an open manner. 

“This is one of the most significant moments for Companies House in our long history,” stated Louise Smyth, Chief Executive and Registrar of Companies, referring to the ECCTA’s passing.

ECCTA received Royal Assent in October 2023 and after an initial preparation and awareness period, phase 1 came into force in April. This involves enacting the requirements for enhanced reporting and the establishment of robust compliance frameworks. It is in this current phase that companies must begin submitting detailed beneficial ownership information and ensure their directors know their new responsibilities.

According to Andy Donovan of Compliance Office, this phase will include significant changes to the robustness of Companies House.

What changed? Prior to the Act, Companies House had to accept information if it was “properly delivered.” It had limited ability to question information that was suspicious or filings that were submitted either mistakenly or fraudulently.

With the ECCTA, Companies House (CH) is transformed from a passive recipient of information to a more active gatekeeper. This means that it will be able to:

  • ensure that any person required to deliver documents to the registrar does so, and that the requirements related to proper delivery are complied with
  • ensure that information contained in the register is accurate and complete
  • minimise the risk of records maintained by the register creating a false or misleading impression for the public
  • minimise the extent to which companies and others engage in unlawful activities or facilitate such activities by others

The changes will not only deal with the role of Companies House. New requirements on companies and LLPs will be introduced that include:

  • a requirement for all companies and LLPs to supply a registered email address to CH
  • the prohibition on companies and LLPs to use a PO Box address as their registered office address
  • a requirement for all companies and LLPs to confirm to CH on incorporation that they are being formed for a lawful purpose and that their intended future activities will be lawful

Companies must begin submitting detailed beneficial ownership information and ensure their directors know their new responsibilities.

Phase 2 implementation starts in the last quarter of 2024 and will involve stronger anti-money laundering measures. The government will publish guidance on the failure to prevent fraud offence in summer 2024. There will be a six-month implementation period after the guidance is published before the offence comes into force. This means that the new offence is expected to come into force in late 2024 or early 2025.  

Actions required are likely to involve financial, commercial, or accounting controls, training on fraud prevention and ensuring appropriate mechanisms are contained in whistleblowing policies and contracts of employment.

In phase 3, which will be the first quarter of 2025, the Act will be fully enforced. Regulatory bodies will actively monitor compliance, and non-compliant companies could face investigations, penalties, and legal actions. 

The ECCTA is a key part of the current government’s ongoing legislative strategy to tackle economic and financial crime. But members of the Labour party have been very critical of aspects of the ECCTA and with elections on July 4 and the likely event that the Labour party moves into #10, there could be even more regulations headed our way to tackle financial crime.  

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.