This week we bring you the latest HMRC performance data to the end of January 2024 and draft legislation has been published for consultation in relation to changes being made to the information businesses will need to provide to HMRC via various returns. HMRC is also warning of bogus tax refund offers and we update you below on R&D tax relief including the intensive tax relief available for businesses in Northern Ireland. And finally, a consultation has been launched seeking views on proposals for the design and administration of the UK carbon border adjustment mechanism which would commence from 1 January 2027.  Draft legislation on additional data  HMRC has launched a technical consultation which is open until 9 May 2024 and relates to two draft Statutory Instruments. The consultation examines the draft legislation which will require businesses to provide additional information to HMRC as follows:- employers will be required to provide more detailed information on employees’ hours via PAYE Real Time Information;  directors will be required to provide the amount of dividend income received from their company separate to other dividend income in addition to their percentage shareholding in the company in their Self-Assessment (“SA”) return; and  self-employed individuals will be required to provide start and end dates of self-employment via their SA return. These changes will take effect from April 2025. Finance Act 2024 introduced powers to enable the collection of this additional data and enabled HMRC to specify, through the two Statutory Instruments, the particular information required within those returns. Feedback on the draft regulation should be sent by email to HMRC at responsivenessdataconsultation@hmrc.gov.uk. Bogus tax refunds  HMRC has issued a Press Release which reports that it responded to almost 210,000 referrals of suspicious contact in the last year, up 14 percent on the previous year. More than 79,000 of these were offering bogus tax rebates. HMRC is therefore warning of a further spate in fraudsters contacting taxpayers after the 2022/23 SA deadline on 31 January 2024.  Taxpayer can help fight phishing scams by reporting any suspicious communications to HMRC:-   forward emails to phishing@hmrc.gov.uk;   report tax scam phone calls to HMRC on GOV.UK;  forward suspicious texts claiming to be from HMRC to 60599.  R&D tax relief update   At Spring Budget 2021, the government launched a review of R&D tax reliefs to ensure the UK remains a competitive location for cutting edge research, the reliefs continue to be fit for purpose and taxpayer money is effectively targeted.   As part of this review, the government announced additional support for R&D intensive SMEs, which will continue alongside the new merged scheme SME and “large” company reliefs announced at the Autumn Statement 2023.  Regulations made earlier this month on 4 March specified that the merged scheme and the amendments to the additional relief for R&D intensive SMEs will commence for companies with accounting periods beginning on or after the 1 April 2024.   As a result, the Financial Secretary to the Treasury laid before the House of Commons the Research and Development (Chapter 2 Relief) Regulations 2024 which introduce changes to the further support for R&D intensive SMEs due to particular market conditions in Northern Ireland.   Under the new rules, eligible companies in Northern Ireland will be able to benefit from relief on subcontracting expenditure undertaken outside the United Kingdom. To protect against the fiscal risk of uncapped overseas expenditure, a cap on the amount of relief that can be claimed will also be introduced, at £250,000 over a rolling three-year period.   The cap will only apply to the amount of intensive scheme relief that is above the amount that could have been claimed under the merged scheme.  Guidance on the new rules is available. Further guidance on the merged scheme R&D expenditure credit and enhanced R&D intensive support is also available. As Finance Act 2024 has received Royal Assent and the relevant Appointed Day Regulations have been made, claims for enhanced R&D intensive support for expenditure incurred on or after 1 April 2023 can now be made.  HMRC also published draft guidance on the new subcontracting and overseas rules for consultation on 9 February. HMRC is currently reviewing responses and will publish final versions of that guidance shorty.  At Spring Budget, the government also announced that HMRC will establish an Expert Advisory Panel to support the administration of the R&D tax reliefs. This panel will support HMRC to develop and update guidance, improve communications, provide insights on the types of R&D occurring across certain sectors and feedback from industry.   Given the broad array of projects and specialisms from the life sciences and tech sector, HMRC will seek representatives from these sectors and will directly reach out to relevant organisations. Further details and the terms of reference will be published in due course. This panel will supplement HMRC’s R&D Communications Forum, which will continue to provide the opportunity for broader discussion and feedback.  

In this week’s EU exit corner, we bring you the latest guidance updates and publications relevant to EU exit. The most recent Trader Support Service and Cabinet Officer Borders bulletins are also available. HMRC also recently published guidance on sending parcels from Great Britain to Northern Ireland which will take effect under the Windsor Framework from 30 September 2024. And finally, we provide information on a recent update to VAT and EORI guidance.  VAT and EORI guidance  If a business deregisters for VAT, any Economic Operators Registration and Identification (“EORI”) number(s) they hold will also be removed at the same time.   By way of reminder, EORIs are needed for authorisations, including a UK Internal Market System (“UKIMS”) authorisation, and licences. To continue using these, there are actions a business needs to take which are as follows:  Authorisations (including Duty Deferment Accounts and guarantees) - contact the supervising office. This can be found in the authorisation correspondence received originally;  Licences - to continue using these please contact the issuing government department; and  If a business still needs an EORI number, they can apply for a new GB EORI number. The number is usually confirmed immediately. Once a business has a GB EORI, they will then be able apply for an XI EORI number, if needed and they meet the relevant criteria. The number will be issued within five working days of applying.  If a business needs help getting a new EORI number, please contact HMRC.   Miscellaneous updated guidance etc.   Recently updated guidance, and publications relevant to EU exit are set out below:-  Classifying footwear for import and export;  Customs Declaration Service is open for all export migration;  Get help using example declarations for exports from Great Britain to the rest of the world;  Making an export declaration using a pre-shipment advice;  Making an export supplementary declaration;  Making an export declaration in your records;  Making a full export declaration;  Tell HMRC when exports have arrived or departed a UK port;  Make and manage an export declaration online;  Get help using example declarations for exports from Great Britain to the rest of the world;  Apply for authorised consignor or consignee status; and  Report a problem using the Customs Declaration Service. 

HMRC’s latest schedule of live and recorded webinars for tax agents is available for booking. Spaces are limited, so take a look now and save your place. HMRC is also running a series of webinars on R&D tax relief.  R&D tax relief webinars  HMRC is running a series of webinars on R&D tax reliefs to aid understanding of what qualifies as R&D, how to claim relief correctly and what the new R&D merged scheme entails.  The webinars series will also cover the enhanced support available for R&D intensives schemes: Register here to learn more about 'Research and Development for tax purposes’;  Register here for more information about ‘How to claim Research and Development tax relief’; and  Visit GOV.UK to watch the recorded webinars and to register for the upcoming webinar session about the R&D merged schemes. 

Do you use HMRC online services? Don’t be caught out by the planned downtime to some services. HMRC are warning about the non-availability of specific services on the HMRC website, a range of services are impacted. Check the relevant page for information on planned downtime.  

Check out the latest items on the Agent Forum. Remember, in order to view each item, you must be signed up and logged in.   All agents, who are a member of a professional body, are invited to join HMRC’s Agent Forum. This dedicated Agent Forum is hosted in a private area within the HMRC’s Online Taxpayer Forum. You can interact with other agents and HMRC experts to discuss topical issues and processes. 

According to the OECD, work under BEPS Action 6 “Prevention of tax treaty abuse” continues to make steady progress. The latest peer review report on the implementation of the minimum standard on treaty shopping reveals that most agreements between members of the Inclusive Framework are already compliant with the standard. The BEPS Multilateral Instrument (BEPS MLI) seems to be the preferred tool for most countries implementing the minimum standard. 

Revenue has updated the Tax and Duty Manual regarding Tax Credit Certificates issued on a Week 1/Month 1 basis. The updated manual includes additional reasons for the issue of a Week 1/Month 1 basis Tax Credit Certificate (paragraph 1) and advise on sourcing additional information on the matter (paragraph 4). 

Revenue has updated the Tax and Duty Manual regarding the CAT self-assessment return Form IT38. The updated manual reflects the Finance (No.2) Act 2023 amendment regarding the obligation to file a CAT return where an individual is in receipt of certain interest-free loans. 

The Minister for Justice Helen McEntee TD has published a report on the role of Sheriffs in the State. The Department of Justice and the Office of the Revenue Commissioners established a Joint Review Group to focus on the future role of Sheriffs and to establish whether there is a more efficient and cost-effective system of debt collection.  The report identifies five key areas of focus and sets out 27 recommendations to support the continuation of the office of Sheriff into the future, noting its effectiveness and efficiency. The Review Group also noted that overall debt recovery rates appear to be high by international standards.    Commenting on the findings of the review, Minister McEntee said:  “I am pleased to see the importance of the office of the Sheriff recognised in this report. It is the oldest debt enforcement mechanism in the State and I welcome the recommendations to support and modernise the role to ensure its continued viability.  Key to this modernisation will be the development and implementation of an updated and streamlined joint supervision and oversight strategy between the Department of Justice and the Office of the Revenue Commissioners, and I look forward to that being developed.”  Further information is available in the Department of Justice press release. 

As readers likely know, the deadline for engaging with Revenue in respect of warehoused debt is 1 May 2024. In advance of this deadline, Revenue has issued letters to 30,825 taxpayers with warehoused debt to outline the immediate action required to arrange the repayment of their debt. The letters should issue to the taxpayers’ ROS inbox unless they no longer have an active ROS digital certificate, in which case it should arrive by post this week. Agents will not receive a copy of the letters issued to their clients.  The letter includes a schedule of the warehoused debt and the range of payment options available to the taxpayer. Where a Phased Payment Arrangement (PPA) is required, the application must be submitted on ROS now in advance of 1 May 2024 to allow sufficient time to agree a payment plan suitable to the business circumstances.    A separate letter has issued to taxpayers with warehoused debt of less than €500 as PPAs are not available in these circumstances. 

Nóra Cashe explains the obligations, compliance, and acceptance and rejection procedures for employers outlined in the Work Life Balance and Miscellaneous Provisions Act 2023 Code of Practice The Code of Practice (the Code) for the right to request flexible and remote work has been released. Now that these two rights are in effect, employees can request these entitlements. So, do you know your obligations as an employer, and do you understand how to comply with the new legislation? What are the rights to request remote and flexible work? The right to request flexible working and the right to request remote working are the last two of five statutory parts to come into effect within the Work Life Balance and Miscellaneous Provisions Act 2023. While many of the same guidelines apply to these two entitlements, they are separate. ‘Flexible working’ is defined as the adjustment of an employee’s working hours or working patterns. This includes flexible working schedules, reduced working hours, or even remote working. The right to request flexible working only applies to parents and to those acting in loco parentis or guardians as defined by the Act. Meanwhile, ‘remote working’ is an arrangement between employer and employee in which the work is carried out at a location other than at the employer's place of operation. This is done without any change to the employee's ordinary working hours. What is the Code of Practice? Drafted by the Workplace Relations Commission (WRC), the Code provides practical guidance for businesses and their staff regarding flexible or remote work requests. It is separated into three sections. The first two sections are Flexible Working (FW) and Remote Working (RW), which lay out guidelines for employees and employers to follow when requesting or receiving requests for flexible or remote working arrangements. The last section consists of policies and templates. Here, employers can find templates to use for relevant documentation, such as a Work Life Balance Policy, a Flexible Working Request application, and a Remote Working Request application. Staying compliant The Code defines flexible and remote work and provides the details on who can apply and when. The Code also contains important timelines and procedures for employers and employees to follow when a request is made and the consequences for not doing so. Failure to follow the timelines and procedures and to keep records could result in an award of up to 20 weeks of remuneration and/or a costly fine/summary conviction. Additionally, the Code of Practice includes information on situations such as: the abuse of any new working arrangements; the need to modify new working arrangements; and the need for the employee or employer to terminate the new working arrangements. Acceptance or rejection procedures Employers are not obligated to accept requests for remote or flexible work but it’s important to remember that a response must be delivered to the employee in writing within four weeks of their request. The three responses an employer can give are: Extension: the employer may request up to four more weeks to consider its decision, which it must also do in writing. Refusal: the employer must lay out its reasoning in writing. Acceptance: the employer must produce a written document with the relevant details for the employee to sign. Overall, employers are advised to weigh their employees’ circumstances and rationale for these requests against their own business needs. In addition, the Code provides tangible questions that employers may ask themselves when deciding whether to approve or reject a request. Nóra Cashe is a Litigation Manager at Peninsula

The new EU Directive NIS2 requires meticulous compliance strategies to improve cybersecurity resilience, explains Puneet Kukreja The intense uptake of digital solutions and innovative technologies over the past four years has changed the way we socialise, work, shop, bank, and receive necessary services, such as health. As sectors and services increasingly become interconnected and interdependent, the cybersecurity threat landscape continues to grow in sophistication and focus. Safeguarding critical infrastructures and services is paramount to protecting society and economies from these actors. In response, EU lawmakers have introduced several interconnected EU-wide laws to improve the digital and operational resilience of the sectors and services we rely on most. The second Network and Information Systems Directive (Directive (EU) 2022/2555 (NIS2)) is one of these EU-wide laws. It comes into effect on 18 October 2024 and will have a compliance impact on many public and private sector organisations across 18 sectors, similar to that experienced under the GDPR. The regulatory supervision and enforcement measures under NIS2 bear similarities to the GDPR. However, direct accountability and liability for upper management and possible suspension of CEO duties brings this squarely into the board room. NIS2 is an evolution from its predecessor, NIS-D (Directive (EU) 2016/1148), extending the legislative scope to capture entities in several additional sectors and subsectors, including public bodies and a wider range of digital service providers, as well as covered entities’ information and communications technology (ICT) supply chains. NIS2 sets out the minimum powers of supervision and enforcement that Member State competent authorities must have. Administrative fines can be imposed on essential and important entities for breaches of obligations relating to cybersecurity risk management measures and incident notification. For ‘essential entities’, the maximum fine is at least €10,000,000 or at least 2 percent of the total worldwide annual turnover in the previous financial year, whichever is higher. For ‘important entities,’ these figures are €7,000,000 and 1.4 percent. Irish legislation must be enacted before 18 October 2024 to transpose NIS2. Consistent with its treatment of NIS-D, the transposing legislation will provide that breaches of certain provisions of the same will be a criminal offence. We expect that a person found guilty of any of these offences will be liable on conviction to a fine and/or imprisonment. It is vital that CEOs, CFOs, CIOs, CISOs and board members understand not only the financial, personal, and reputational consequences of non-compliance – which underscores the urgency of pursuing NIS2 compliance now – but also the role that NIS2 will play in safeguarding their organisation’s cybersecurity and operational resilience. Navigating NIS2 There are several steps an organisation can take to navigate the NIS2. 1. Legal analysis Assess whether NIS2 applies to your organisation or whether any of the statutory exemptions will apply. To the extent NIS2 applies, it will be necessary to understand its requirements, including any cross-border implications and the steps necessary to secure ICT supply chains. 2. Strategic planning of compliance navigation Identify cybersecurity risks and set clear targets to assist in allocating resources and creating strong governance for resilience and regulatory adherence. This will also ensure operational integrity and informed decision-making. 3. Technology procurement Align chosen technologies with organisation needs and regulatory requirements. 4. Implementation strategy Develop a robust plan covering technology integration, employee training, and monitoring mechanisms. 5. Technology implementation Explore partnerships with organisations experienced in technology transformation. This will help you enable the full lifecycle of capability from analysis to managed services. 6. Employee training and awareness Champion comprehensive training programmes to instil a culture of cybersecurity within the organisation. 7. Managed services for continuous compliance Explore partnerships with experienced service providers for ongoing monitoring and response capabilities. 8. Budgeting and resource allocation Collaborate on budgeting to align finance planning with strategic cybersecurity objectives. 9. Documentation and reporting Oversee the creation of comprehensive documentation, ensuring transparency and accountability. Your NIS2 journey Organisations will differ in their level of compliance or maturity across the key control areas that are required under NIS2. However, one thing is certain: all in-scope organisations should now consider the implications of NIS2 to ensure they have sufficient time to assess, design, and implement their compliance plans before the legislation comes into effect. Organisations operating in the sectors defined in NIS2 will need to assess whether they fall within its scope, the availability of any exemptions, their categorisation as ‘essential’ or ‘important’, their NIS2 obligations, and the impact of and interplay with other EU cybersecurity and operational resilience laws. NIS2 requires organisations to address cybersecurity risks in their own ICT supply chains. In practice, this will require a risk-based assessment of ICT supplier relationships, enhancing contracts and securing inspection and other rights to ensure supply chain security. Early supplier engagement will be essential. To the extent certain in-scope organisations are established and/or providing their services in more than one EU Member State, they may be subject to implementing laws in more than one jurisdiction or the EU Member State where their cybersecurity risk management decisions are predominately made. The NIS2 jurisdiction rules require careful consideration and may cause certain entities to rethink the geographic positioning of cybersecurity decision-making. To successfully achieve and sustain NIS2 compliance, an organisation must commit to continuous improvement as well as the adoption of proactive measures. Both are key in this evolving digital landscape. Beginning a compliance journey with a legal analysis of the new directive will ensure you start on the right path and your organisation not only avoids substantial financial penalties but also becomes more resilient to evolving cyber threats. Puneet Kukreja is Cyber Security Leader at EY