Corporate Criminal Offences: FAQ’s
We have been working hard with over 150 of our clients to support them in demonstrating a defence to the legislation, and we set out below the top 10 FAQs and learnings based on our work. We have also produced a Corporate Criminal Offences approach guide that looks at the two offences in detail providing examples of how they might arise, outlining the six key principles of defence as set out in HMRC guidance and practical examples of how other organisations are responding.
1) What is the Corporate Criminal Offence?
The CCO legislation took effect on 30 September 2017. Essentially, it created two corporate offences, one relating to the evasion of UK tax and one relating to the evasion of foreign tax. The legislation is very widely drawn and can apply to the evasion of any tax, including indirect and employment taxes, anywhere in the world. Any UK business, be it a UK corporate or a foreign corporate doing business in the UK, will be within the scope of both offences. The corporate or partnership will have a strict liability under criminal law for failing to prevent the facilitation of tax evasion by one of its associates (employee, contractor or any other person providing services for or on behalf of the corporate). A defence exists of having ‘reasonable prevention procedures’ in place.
2) Who does this affect?
All companies and partnerships - there is no de minimis.
3) What happens if we don’t do anything? Are we at risk of penalties?
Yes, you are. A successful prosecution could lead to:
- An unlimited fine
- Public record of the conviction
- Significant reputational damage and adverse publicity.
We also know that HMRC is already undertaking live investigations.
4) What has HMRC told us since the legislation came into force?
HMRC spoke at our Financial Crime seminar on 10 December 2018. It was made clear that HMRC is taking this legislation very seriously. For example, we have been informed that HMRC has started to undertake CCO investigations - including the first of a number of office dawn raids. As part of these ‘interventions’, HMRC’s procedure is to interview staff to see what they know of CCO, what actions they are aware the business is taking in response to CCO and to see if personnel know what to look out for to identify tax fraud. CCO is very much aligned to the Bribery Act and we know that many organisations have faced punitive and business critical fines and penalties as a result of Bribery Act prosecutions. It is not unlikely we will see the same for CCO.
We also know that a review of the extent of CCO procedures is one of the indicators of the new Business Risk Review approach by HMRC.
Finally, HMRC made it clear that the risk assessment plays a fundamental role in evidencing that you have reasonable prevention procedures in place. According to HMRC “everything hangs off this. You need an assessment of how your associated persons could criminally facilitate tax evasion.” In addition, we were informed that you “must document your risk assessment - I cannot tell you how many businesses fail to do this in respect of the Bribery Act”.
5) Can you give me some case studies of what this legislation covers?
Here are some examples:
- A member of your HR or payroll team deliberately falsifying information relating to a worker, so that the worker is treated as a contractor rather than deducting PAYE at source
- An employee deliberately and dishonestly collaborates with one of your suppliers to falsify the amount paid on an invoice eg, by reducing the true amount paid so that the supplier evades income/corporate taxes
- An employee deliberately conspires with a supplier to conceal the true source country of goods to evade Customs duties
- A US bank has a branch in London and a branch in Singapore. An employee of the Singaporean branch deliberately facilitates Russian tax evasion. The US bank would be culpable.
6) Who needs to take the lead on CCO within the business?
What we are seeing from our conversations with other clients (from FTSE100 to smaller inbounds) is that typically the head of legal and/or the head of risk and compliance is accountable to the Board for ensuring compliance with the legislation (and specifically ensuring the right policies/procedures are in place). However, responsibility for ensuring the risks are identified and that policies/procedures are drawn up which reflect these risks will fall on the tax or finance function.
7) We already have Bribery Act and AML/KYC procedures in place. What more do we need to do?
You may already have financial and economic crime prevention procedures in place. These existing procedures are relevant but it is essential that a risk assessment which is specific to the facilitation of tax evasion is carried out and then mapped to the existing procedures. You need to bridge any gaps.
8) What should the message be from the Board?
You need top level commitment. The Board is typically best placed to champion this. From here, your staff will need training so that they know what they need to do. It is imperative that there are no blocks to compliance (ie middle management blocking whistle-blowing from more junior staff).
To be compliant with the legislation, the clear message needs to be zero tolerance for tax evasion, and specifically, the facilitation of it.
9) I haven’t done very much. What do I need to do?
The CCO legislation is no longer new and HMRC will expect you to have in place reasonable procedures to demonstrate a defence to this legislation.
We see four key stages to compliance with the CCO legislation
- Risk Assessment – your first priority is to carry out and clearly document your Risk Assessment
- Implementation – the Risk Assessment process should include the development of a CCO Implementation Plan, setting out prioritised next steps, responsibilities and timetable
- Training and communications – this is to ensure CCO policies and procedures are successfully communicated within and outside the business; supported by CCO eLearning training that we can roll out across all organisations
- Monitoring, review and testing – this comprises both testing of the process in place as well as periodic update of the CCO Risk Assessment
10) What are other organisations doing practically?
Once the Risk Assessment is complete, there are typical ‘quick wins’ and practical steps that are clients are implementing.
This includes developing a suite of CCO policies (e.g., below) and ensuring CCO training is rolled out across the business.
Example policies include:
- Board paper on CCO
- Internal ‘Instant Messaging’ within the business
- CCO communications to Suppliers (for all Associated Persons)
- CCO Policy – detailed internal overview of CCO
- CCO Employee Code of Behaviour
- Code of Conduct for Suppliers – CCO section
- Agent Declaration
- CCO contractual terms for suppliers
- Supplier due diligence checklist
- M&A due diligence checklist
As to training, HMRC specifically state that organisations “should seek to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication, including training.” We have rolled out CCO eLearning training across not only all our staff at BDO but for dozens of our clients across all industries (and over 10,000 people). Specifically, we see it as a way of demonstrating the right ‘culture’ within the organisation – ie that you can demonstrate you have a zero tolerance approach to tax evasion and facilitation of tax evasion.
For help and advice on any tax risk issue please contact James Egert, Ed Dwan or Martin Callaghan.