Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

'Complacency is a risk' one year on from creation of new UK tax offences

  • Businesses not doing enough to protect against offences
  • 55% of FTSE 100 not made public statements about their attitude to evasion
  • A prosecution is likely soon

23 Oct 2018

Speed Read

SPEED READ: Many businesses are not taking seriously enough the risk of prosecution for failing to prevent tax evasion– recent research showed that 55% of the FTSE 100 have not made public statements about their attitude to evasion. HMRC is looking at automatically rating a company high risk if it can’t demonstrate that it has a serious compliance programme. HMRC is chomping at the bit to investigate

New facilitation of tax evasion offences are now a year old and HMRC has repeatedly warned that businesses should take the risk of prosecution seriously, but some business have not done enough.


It is now over a year since two new corporate criminal tax offences (CCOs) were introduced in the Criminal Finances Act 2017 (CFA). On 30 September 2017, companies became strictly liable in criminal law for any facilitation of tax evasion offence committed by a person representing the company.

Such a person includes not just employees but agents and anyone who provides services for and on behalf of the company. If an associated person is found to have been engaged in a facilitation offence, the company will only have a defence if it can prove that it had reasonable procedures to try to prevent the facilitation of tax evasion (RPPs), or that it was not reasonable in all the circumstances to expect it to have any procedures in place at all.

A criminal conviction could have a serious detrimental impact on a company's reputation and, a company would also face a significant fine and could be barred from bidding from public sector contracts.

However, research conducted by Pinsent Masons, the law firm behind Out-law.com reveals that 55% of FTSE100 companies have not yet addressed the issue of tax evasion or their approach to combatting facilitation of it in their published documents. This contrasts heavily with anti-bribery and corruption where over 90% of the FTSE100 have published statements.

HMRC's guidance and approach to tax evasion

Any delay in responding to the CCOs may in part be due to the nature of HMRC's guidance, which fails to provide a definitive list of actions that a company should take to avoid a prosecution. Rather, the guidance offers a broad overview of the principles a company should consider.

HMRC outlines six principles underpinning the reasonable procedures defence:

  • risk assessment;
  • proportionality of risk based procedures;
  • top level commitment;
  • due diligence;
  • communication (including training); and
  • monitoring and review.

These principles are similar to those that apply to the 'adequate procedures' defence available to companies prosecuted under the Bribery Act for failing to prevent bribery. However, in its guidance on the CCOs, HMRC highlights that although there may be some overlap with procedures required to prevent bribery and tax evasion, the CCOs need to be distinguished from the Bribery Act offences. HMRC has clearly stated that a business would not be considered to have RPPs solely on the basis that it had good anti-bribery procedures.

Businesses cannot afford to be complacent; HMRC is taking an increasingly aggressive approach towards businesses that may be connected to tax evasion in some way.

In addition, based on the current pilot for its enhanced Business Risk Review (BRR), HMRC appears to be ready to automatically fail any group which cannot demonstrate it has a proper CCO programme in place.

Running a risk assessment

The first step to ensure a business has RPPs is to undertake a comprehensive risk assessment, to establish a business's exposure to the CCOs. An effective risk assessment will be one that identifies the risks of facilitation of tax evasion within the organisation by both employees and other associated persons, whilst at the same time identifying potential gaps in the existing control environment.

It will be essential to ensure that there is 'top level commitment' to the risk assessment, which broadly means that senior members of the business, most likely the board of directors can demonstrate their understanding of the new offences and actively demonstrate their support for the risk assessment process. This is often achieved by the board receiving high level training on the CCOs and the need for the business to have RPPs, followed by a minuted board decision to undertake a risk assessment. From an evidential perspective, it is also helpful if this decision is then communicated across the business. Finally it is vitally important the business acts on any gaps it identifies and that proper resource is provided by senior management to deliver on an implementation project.

Common Implementation Issues

Here are some examples of some areas where companies are leaving themselves exposed. 

'Low Risk' BRR rating

A common mistake has been for a business to regard itself as being exposed to a low level of risk because it considers itself to be fully tax compliant. This view is often prevalent amongst large businesses that have been classified as 'low risk' under HMRC's BRR. However, as things stand, a low risk rating by HMRC reflects how compliant the business is with regards to its own taxes; whilst the CCOs are focussed on tax evasion by a third party. This approach may change if the criteria for the new BRR criteria take the CCOs into account.

Not properly understanding where risks might lie

Non-financial services businesses can fall into the trap of taking an instinctive view that they must be low risk. But closer examination may paint a different picture. A business may engage extensively with private companies, where the risk of evasion is higher. They may use a lot of off-payroll workers where the temptation to dress up the facts to 'ensure' self-employment status may be great. Insufficient attention may be paid to the risks in emerging markets, particularly Africa and Asia, where we commonly see a strong focus on ensuring payments made are not bribes but not on whether those payments are being properly taxed.

Contractual protection as a sole prevention procedure

Businesses may attempt to use contractual provisions alone to reduce their exposure to the risk of prosecution under the CCOs. These businesses may seek to insert provisions into agreements with contractors and other third parties, requiring them not to commit or facilitate tax evasion. Although these provisions are advisable they are not sufficient alone to constitute RPPs and should be introduced as part of the wider risk assessment process.

Failing to respond substantially to risks identified through the risk assessment

There is also a risk of a business taking the view that the risk assessment process is a box ticking exercise, the business has in reality already pre-determined that limited changes will need to be made. Some businesses may not even consider it necessary to have a written anti-facilitation policy, or at least not one which is published online.

Counterparty-specific due diligence

One of the key guiding principles is the need to undertake due diligence on associated persons. It is not sufficient to look at associated person risks at a general level of abstraction or on a one-off basis. Due diligence needs to be applied at a more micro level. It is important to understand which employees deal with higher risk customers and suppliers, and the best way to do this is ensure that, where proportionate, individual counterparties that employees deal with are individually scored as to the risk of being engaged in tax evasion that each poses. Equally, consideration needs to be given to putting non-employee associated persons through similar per-person due diligence.

Larger companies, particularly those in the financial services sector should already have extensive per-person due diligence programmes, so changes to control procedures may not be as extensive as for those companies with minimal due diligence procedures. Nevertheless, it would come as no surprise if HMRC were to target the financial services sector when attempting its first prosecution under the CCOs, given the sector's history. Therefore, despite the pre-existence of sophisticated due diligence procedures financial services companies should not be too complacent.

Are RPPs a compliance requirement?

Ultimately, it will be for a business to decide how to manage its exposure to the risk of criminal tax offences being committed by its employees and other associated persons, but it only takes one person to do so for the company to be placed under investigation. If it happens, lack of intention or knowledge on the part of the business is not a defence. The only thing that matters is whether the company can show it had the right controls in place.

It is not actually a legal requirement to conduct a risk assessment or implement RPPs, and a company could take a chance that none of its associated persons will ever engage in such activity. However, even that does not seem to be an option as HMRC brings CCO exposure into their risk parameters. HMRC seems to be pre-warning businesses, to get their houses in order and ensure that they have procedures to prevent the facilitation of tax evasion. A prosecution is on the way....it's simply a matter of when......

Jason Collins and Penny Simmons are tax experts at Pinsent Masons, the law firm behind Out-law.com. This update is based on an article which appeared in Tax Journal on 28 September 2018