Corporate criminal offences: where are we now?

Oct 01, 2020

In late 2018, HMRC surveyed over 1,000 businesses on their awareness of the corporate criminal offences legislation. Claire McGuigan reports on the findings and the next steps for businesses.

Corporate criminal offences (CCO) legislation, introduced in the UK two years ago, was designed to drive a behavioural shift in companies and partnerships to take an active role in preventing the facilitation of tax evasion. HMRC conducted a research project in late 2018, one year after the legislation took effect, to examine the extent to which this has been successful.

The results show that more work is needed to raise awareness of the legislation:

  • 74% have not heard of the Criminal Finances Act (the Act) and, of those aware, only one-third thought it was relevant to their business.
  • Large businesses and those in the financial services and insurance sectors are much more likely to have taken action.
  • 64% of businesses had not made changes to operations as a result of the Act.
  • 55% of respondents said they had at least one of the five standard prevention procedures in place.
  • Over one-quarter of respondents intended to make changes in the next 12 months.

While some operational changes are happening as a result of the introduction of CCO, it is also clear that the key messages in HMRC’s guidance are not getting through. With no de minimis to the CCO legislation and with sanctions including unlimited fines, criminal prosecution and director disqualification, organisations face a genuine risk if they fail to act.

Below is a list of commonly asked questions and lessons based on my work in this area.

1. What is a corporate criminal offence?

The CCO legislation took effect on 30 September 2017. It created two corporate offences, one relating to the evasion of UK tax and one relating to the evasion of foreign tax. It can apply to the evasion of any tax, including indirect and employment taxes, anywhere in the world. Any UK business, UK corporate, or a foreign corporate doing business in the UK will be within the scope of both offences. The business will have a strict liability under criminal law for failing to prevent the facilitation of tax evasion by one of its associates (employee, contractor or any other person providing services for, or on behalf of, the corporate). A defence exists of having ‘reasonable prevention procedures’ in place.

2. Who does this affect?

All companies and partnerships. There is no de minimis.

3. What happens if we don’t do anything? Are we at risk of penalties?

Yes, you are. A successful prosecution could lead to:

  • an unlimited fine;
  • a public record of the conviction; and
  • significant reputational damage and adverse publicity.

4. What has HMRC said since the legislation came into force?

HMRC has made it clear that it is taking this legislation very seriously. It has undertaken investigations, for example, which include interviewing staff to see what they know about CCO, what actions they are aware the business is taking in response to CCO, and if personnel know what to look out for to identify tax fraud.

5. Can you provide examples of what this legislation covers?

Here are three examples:

  • A member of your payroll team deliberately falsifying information relating to a worker so the worker is treated as a contractor rather than deducting PAYE at source.
  • An employee deliberately collaborating with one of your suppliers to falsify the amount paid on an invoice.
  • An employee deliberately conspiring with a supplier to conceal the true source country of goods to evade customs duties.

6. We already have Bribery Act and AML/KYC procedures in place. What more do we need to do?

You may already have financial and economic crime prevention procedures in place. These existing procedures are relevant, but a risk assessment specific to the facilitation of tax evasion must be carried out and then mapped to current procedures.

7. What should the message be from the board?

You need top-level commitment. The board is typically best placed to champion this. From here, your staff will need training so they know what they need to do.

8. I haven’t done very much. What do I need to do?

The CCO legislation is no longer new, and HMRC will expect you to have reasonable procedures to demonstrate a defence to this legislation in place. There are four stages of compliance with the CCO legislation:

  1. Risk assessment: your priority is to conduct and document your risk assessment.
  2. Implementation: the risk assessment process should include the development of an implementation plan, setting out the next steps and responsibilities.
  3. Training and communication: this is to ensure that CCO policies and procedures are communicated within and outside the business.
  4. Monitoring, review and testing: this comprises testing current process and the periodic update of the risk assessment.

9. What are other organisations doing at a practical level?

Once the risk assessment is complete, there are typical ‘quick wins’ and practical steps that businesses can focus on. This includes developing a suite of CCO policies, such as a board paper and communications to suppliers, and ensuring that CCO training is rolled out across the business.

10. What should my business do now?

All businesses should continue to develop their response both to COVID-19 and an evolving working environment. The challenges and opportunities of a remote workforce and the accelerating pace of digital change mean that different approaches to compliance, governance and regulation must be considered.

It is important to ensure that your reasonable prevention procedures are designed to prevent associated persons committing the facilitation offences in the new reality. Ensuring that your staff and other associated persons understand their responsibilities is also a critical control in minimising the risk of enforcement action.

Where there are staff reductions, employees working from home or management focused on critical functions only, unique opportunities arise to commit tax fraud. Risk assessments should be reviewed regularly, particularly within the context of COVID-19.

For businesses that have already performed a risk assessment, it is important to carry out a periodic review of existing policies and procedures, as well as refreshing your current risk assessment to reflect any changes in the business.

Claire McGuigan is Director, Corporate Tax, at BDO Northern Ireland.