Corporate Criminal Offence: Top 10 FAQs
18 January 2022
We have been working hard with our clients to support them in demonstrating a defence to the legislation, and we set out below the top 10 FAQs and learnings based on our work. We have also produced a Corporate Criminal Offences approach guide that looks at the two offences in detail providing examples of how they might arise, outlining the six key principles of defence as set out in HMRC guidance and practical examples of how other organisations are responding.
The CCO legislation took effect on 30 September 2017. Essentially, it created two corporate offences, one relating to the evasion of UK tax and one relating to the evasion of foreign tax. The legislation is very widely drawn and can apply to the evasion of any tax, including indirect and employment taxes, anywhere in the world. Any UK business, be it a UK corporate or a foreign corporate doing business in the UK, will be within the scope of both offences. The corporate or partnership will have a strict liability under criminal law for failing to prevent the facilitation of tax evasion by one of its associates (employee, contractor or any other person providing services for or on behalf of the corporate). A defence exists of having ‘reasonable prevention procedures’ in place.
All companies and partnerships - there is no de minimis.
Yes, you are. A successful prosecution could lead to:
- An unlimited fine
- Public record of the conviction
- Significant reputational damage and adverse publicity.
We also know that HMRC is already undertaking live investigations.
HMRC spoke at our Financial Crime seminar on 10 December 2018. It was made clear that HMRC is taking this legislation very seriously. For example, we have been informed that HMRC has started to undertake CCO investigations - including the first of a number of office dawn raids. As part of these ‘interventions’, HMRC’s procedure is to interview staff to see what they know of CCO, what actions they are aware the business is taking in response to CCO and to see if personnel know what to look out for to identify tax fraud. CCO is very much aligned to the Bribery Act and we know that many organisations have faced punitive and business critical fines and penalties as a result of Bribery Act prosecutions. It is not unlikely we will see the same for CCO.
We also know that a review of the extent of CCO procedures is one of the indicators of the new Business Risk Review approach by HMRC.
Finally, HMRC made it clear that the risk assessment plays a fundamental role in evidencing that you have reasonable prevention procedures in place. According to HMRC “everything hangs off this. You need an assessment of how your associated persons could criminally facilitate tax evasion.” In addition, we were informed that you “must document your risk assessment - I cannot tell you how many businesses fail to do this in respect of the Bribery Act”.
Here are some examples:
- A member of your HR or payroll team deliberately falsifying information relating to a worker, so that the worker is treated as a contractor rather than deducting PAYE at source
- An employee deliberately and dishonestly collaborates with one of your suppliers to falsify the amount paid on an invoice eg, by reducing the true amount paid so that the supplier evades income/corporate taxes
- An employee deliberately conspires with a supplier to conceal the true source country of goods to evade Customs duties
- A US bank has a branch in London and a branch in Singapore. An employee of the Singaporean branch deliberately facilitates Russian tax evasion. The US bank would be culpable.
What we are seeing from our conversations with other clients (from FTSE100 to smaller inbounds) is that typically the head of legal and/or the head of risk and compliance is accountable to the Board for ensuring compliance with the legislation (and specifically ensuring the right policies/procedures are in place). However, responsibility for ensuring the risks are identified and that policies/procedures are drawn up which reflect these risks will fall on the tax or finance function.
You may already have financial and economic crime prevention procedures in place. These existing procedures are relevant but it is essential that a risk assessment which is specific to the facilitation of tax evasion is carried out and then mapped to the existing procedures. You need to bridge any gaps.
You need top level commitment. The Board is typically best placed to champion this. From here, your staff will need training so that they know what they need to do. It is imperative that there are no blocks to compliance (ie middle management blocking whistle-blowing from more junior staff).
To be compliant with the legislation, the clear message needs to be zero tolerance for tax evasion, and specifically, the facilitation of it.
The CCO legislation is no longer new and HMRC will expect you to have in place reasonable procedures to demonstrate a defence to this legislation.
We see four key stages to compliance with the CCO legislation;
- Risk Assessment – your first priority is to carry out and clearly document your Risk Assessment
- Implementation – the Risk Assessment process should include the development of a CCO Implementation Plan, setting out prioritised next steps, responsibilities and timetable
- Training and communications – this is to ensure CCO policies and procedures are successfully communicated within and outside the business; supported by CCO eLearning training that we can roll out across all organisations
- Monitoring, review and testing – this comprises both testing of the process in place as well as periodic update of the CCO Risk Assessment
Once the Risk Assessment is complete, there are typical ‘quick wins’ and practical steps that are clients are implementing.
This includes developing a suite of CCO policies (e.g., below) and ensuring CCO training is rolled out across the business.
Example policies include:
- Board paper on CCO
- Internal ‘Instant Messaging’ within the business
- CCO communications to Suppliers (for all Associated Persons)
- CCO Policy – detailed internal overview of CCO
- CCO Employee Code of Behaviour
- Code of Conduct for Suppliers – CCO section
- Agent Declaration
- CCO contractual terms for suppliers
- Supplier due diligence checklist
- M&A due diligence checklist
As to training, HMRC specifically state that organisations “should seek to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication, including training.”
How can BDO NI support you?
All businesses continue to develop their response both to COVID-19 and also an evolving working environment post COVID-19. The challenges, and opportunities, of a remote workforce and the accelerating pace of digital change mean that different approaches to compliance, governance and regulation must be considered.
It is important to ensure your reasonable prevention procedures are designed to prevent associated persons from commuting the facilitation offences in the new reality.
Ensuring your staff and other associated persons understand their responsibilities is a critical control in minimising the risk of enforcement action. In fact, Communication and Training is one of the key Six Guiding Principles in establishing a defence from prosecution as set out in HMRC’s CCO guidance.
Where there are staff reductions, employees working from home, or management focused on critical functions only, unique opportunities arise for committing tax fraud. Risk assessments should be regularly reviewed, particularly within the context of COVID-19.
For businesses who have already performed a risk assessment, we can support with carrying out a review, which normally involves reviewing your existing policies and procedures as well as refreshing your current risk assessment to reflect any changes in the business.
BDO NI can help businesses identify areas of risk and train staff on the obligations placed on them by this legislation. We can also provide support to the board to put in place policies and in communicating these to their employees and other associated persons.