Corporate criminal offence

The failure to prevent the facilitation of tax evasion, known as CCO, constitutes a strict liability criminal offence. According to the Act, the relevant body is liable if it fails to prevent persons associated with it from criminally facilitating tax evasion.

A person is ‘associated’ with the relevant body if they’re an employee, agent or other person who performs services (regardless of contractual relationship) for or on its behalf. It’s an intentionally broad definition. 

It’s a strict liability offence, meaning that the relevant body doesn’t need to have been guilty of deliberate dishonesty; the criminal offence arises automatically where evasion and facilitation of that evasion occurs. 

An offence may arise in respect of UK tax evasion irrespective of the circumstances of the relevant body, and also in relation to the evasion of non-UK tax if the relevant body has sufficient links to the UK.

The only defence against a criminal charge is that the relevant body has implemented reasonable prevention procedures. Without this defence, the organisation could face a criminal conviction and unlimited fines.

HMRC is actively pursuing criminal investigations in relation to CCO. We’re seeing HMRC raising the matter as part of broader communications in respect of our clients’ affairs, which indicates a heightened focus on it.

The offence is directly linked to the tax affairs of a third party, so even a compliant organisation can be vulnerable to a criminal charge if they have not implemented reasonable prevention procedures.
Although HMRC’s published guidance recognises that, in certain limited circumstances, it may be reasonable for an organisation to not implement any specific procedures, it also states that ‘…it will rarely be reasonable not to have even conducted a risk assessment.’

A relevant body’s response to the offences may sit within existing governance, risk assessment and due diligence frameworks designed to tackle risks in areas such as corruption and money laundering. 

However, as this offence specifically focusses on the tax affairs of third parties, any existing frameworks will need to be updated and associated risk assessments refreshed.

Where frameworks are absent, and risk assessments have not been undertaken, these issues will need to be addressed. 

HMRC has identified six key principles that should inform relevant bodies about the implementation of reasonable prevention procedures. 

1. Risk assessment

This is the starting point. It requires relevant bodies to identify sources of risk, existing mitigation and means for addressing risks. The exercise requires a high level of understanding of the offence and what is needed for the reasonable prevention procedures defence to apply based on the relevant body’s specific activities.

2. Proportionality of risk-based prevention procedures

This step involves either adapting existing or developing new governance frameworks to address the specific risks highlighted by the risk assessment. The procedures should be proportionate and specific to the risks identified, including the nature of the relationship with the third party and its geographic location.

3. Top level commitment

It’s fundamental to have board level commitment to the principles behind the Act – ie zero tolerance of tax evasion and the facilitation of tax evasion. This may be evidenced through the board’s involvement in implementing reasonable prevention procedures and communicating them throughout the business.

4. Due diligence

Appropriate due diligence procedures must be in place to ensure that proportionate further checks are carried out on anyone flagged during the risk assessment.

5. Communication (including training)

The policies and procedures implemented must be clearly communicated throughout the business. Staff need to be appropriately trained, with a specific focus on those in the highest risk positions.

6. Monitoring and reviewing

It’s fundamental that relevant bodies review their CCO risk framework regularly. Policies and procedures should be embedded in the business, and relevant bodies should implement a monitoring and testing programme to ensure procedures operate as planned. This includes periodically updating due diligence checks on relevant categories of associated persons.

The coronavirus pandemic presented an exceptional change of circumstances for many businesses. The pandemic may have led to the implementation of various emergency measures (some of which may have become embedded), which could compromise reasonable prevention procedures previously implemented, or introduce new areas of risk.

Following the government’s significant financial outlay during the pandemic, there may be pressure on HMRC to increase compliance yield from investigation activity and make examples of those involved in wrongdoing. 

The Business Risk Review + (BRR+) enables HMRC to assess the risk of non-compliance of large corporates, taking into consideration the governance and control environment the business operates in. 

Several indicators are tested during the review, and the absence of a CCO risk assessment or appropriate controls is, in HMRC’s view, an indicator of a higher risk taxpayer.