The Criminal Finances Act 2017 (the Act) introduced a Corporate Criminal Offence for the Failure to Prevent the Facilitation of Tax Evasion (CCO). The Act requires all ‘relevant bodies’ (companies, limited liability partnerships and partnerships) to implement reasonable procedures in order to prevent the criminal facilitation by ‘associated persons’ (including employees, directors and anyone acting for or on behalf of the relevant body) of tax evasion by a third party.

There are no de minimis thresholds, so the Act applies to all relevant bodies irrespective of size.


What is the offence?

The failure to prevent the facilitation of tax evasion, known as CCO, constitutes a strict liability criminal offence. According to the Act, the relevant body is liable if it fails to prevent persons associated with it from criminally facilitating tax evasion.

A person is ‘associated’ with the relevant body if they’re an employee, agent or other person who performs services (regardless of contractual relationship) for or on its behalf. It’s an intentionally broad definition. 

It’s a strict liability offence, meaning that the relevant body doesn’t need to have been guilty of deliberate dishonesty; the criminal offence arises automatically where evasion and facilitation of that evasion occur.

An offence may arise in respect of UK tax evasion irrespective of the circumstances of the relevant body, and also in relation to the evasion of non-UK tax if the relevant body has sufficient links to the UK.

The only defence against a criminal charge is that the relevant body has implemented reasonable prevention procedures. Without this defence, the organisation could face a criminal conviction and unlimited fines.

What is HMRC's approach?

HMRC is actively pursuing criminal investigations in relation to CCO. We’re seeing HMRC raising the matter as part of broader communications in respect of our clients’ affairs, which indicates a heightened focus on it.

The offence is directly linked to the tax affairs of a third party, so even a compliant organisation can be vulnerable to a criminal charge if they have not implemented reasonable prevention procedures.

Although HMRC’s published guidance recognises that, in certain limited circumstances, it may be reasonable for an organisation to not implement any specific procedures, it also states that ‘…it will rarely be reasonable not to have even conducted a risk assessment.’

Organisation's procedures

A relevant body’s response to the offences may sit within existing governance, risk assessment and due diligence frameworks designed to tackle risks in areas such as corruption and money laundering. 

However, as this offence specifically focusses on the tax affairs of third parties, any existing frameworks will need to be updated and associated risk assessments refreshed.

Where frameworks are absent, and risk assessments have not been undertaken, these issues will need to be addressed. 

Guiding principles by HMRC

HMRC has identified six key principles that should inform relevant bodies about the implementation of reasonable prevention procedures. 

1. Risk assessment

This is the starting point. It requires relevant bodies to identify sources of risk, existing mitigation and means for addressing risks. The exercise requires a high level of understanding of the offence and what is needed for the reasonable prevention procedures defence to apply based on the relevant body’s specific activities.

2. Proportionality of risk-based prevention procedures

This step involves either adapting existing or developing new governance frameworks to address the specific risks highlighted by the risk assessment. The procedures should be proportionate and specific to the risks identified, including the nature of the relationship with the third party and its geographic location.

3. Top level commitment

It’s fundamental to have board level commitment to the principles behind the Act – ie zero tolerance of tax evasion and the facilitation of tax evasion. This may be evidenced through the board’s involvement in implementing reasonable prevention procedures and communicating them throughout the business.

4. Due diligence

Appropriate due diligence procedures must be in place to ensure that proportionate further checks are carried out on anyone flagged during the risk assessment.

5. Communication (including training)

The policies and procedures implemented must be clearly communicated throughout the business. Staff need to be appropriately trained, with a specific focus on those in the highest risk positions.

6. Monitoring and reviewing

It’s fundamental that relevant bodies review their CCO risk framework regularly. Policies and procedures should be embedded in the business, and relevant bodies should implement a monitoring and testing programme to ensure procedures operate as planned. This includes periodically updating due diligence checks on relevant categories of associated persons.

Impact of Covid-19

The coronavirus pandemic presented an exceptional change of circumstances for many businesses. The pandemic may have led to the implementation of various emergency measures (some of which may have become embedded), which could compromise reasonable prevention procedures previously implemented, or introduce new areas of risk.

Following the government’s significant financial outlay during the pandemic, there may be pressure on HMRC to increase compliance yield from investigation activity and make examples of those involved in wrongdoing. 

Business Risk Review +

The Business Risk Review + (BRR+) enables HMRC to assess the risk of non-compliance of large corporates, taking into consideration the governance and control environment the business operates in. 

Several indicators are tested during the review, and the absence of a CCO risk assessment or appropriate controls is, in HMRC’s view, an indicator of a higher risk taxpayer.


Our support

Our team combines tax, risk management and tax dispute resolution specialists. This group includes individuals with experience of working both for and in disputes with HMRC, with an awareness of the many ways tax evasion can take place.

Using the depth and breadth of our multi-disciplinary experience, we formulate a flexible yet robust approach to helping clients build their response to the CCO provisions, and to monitor and implement reasonable prevention procedures.

Our approach

We take the time to thoroughly understand the specific risk environment of our clients. We tailor our support to our client’s needs and can assist with:

  • facilitating risk assessments to identify where the facilitation of tax evasion could happen;
  • supporting the documentation of potential associated persons;
  • assisting with policies and communication, including training;
  • advising on due diligence requirements for taking on new suppliers; and
  • advising on controls to be tested.

For an initial discussion about CCO, how it applies to your business and the support we can offer, please speak with your usual RSM contact or get in touch with Paul Marcroft.
