The Criminal Finances Act 2017 introduced two new criminal offences, which are targeted at all corporate entities but also include partnerships and charities. The CCO rules apply if such an entity fails to prevent its ‘associated persons’, broadly, anyone acting for or on behalf of the entity, from facilitating either UK or overseas tax evasion.
An associated person is defined as an individual or entity performing services for or on behalf of the entity when the facilitation takes place. This could include, amongst others, employees, subcontractors, consultants, agents and suppliers.
Three steps must exist for an offence to be prosecuted under the CCO rules:
- Stage 1: criminal tax evasion offence by an individual or corporate taxpayer
- Stage 2: criminal facilitation, requiring deliberate or dishonest behaviour, of this tax evasion offence by an ‘associated person’ of the entity
- Stage 3: The entity failed to prevent the ‘associated person’ from committing the criminal act at stage two
The only defence an entity has under the CCO rules is that it had reasonable prevention procedures in place to stop the facilitation from taking place. If prosecuted, penalties for corporate entities are severe.
Approach to compliance
An organisation’s only defence against prosecution under CCO is that it had reasonable procedures in place to prevent the facilitation of tax evasion.
It is critical to undertake a risk assessment, to implement reasonable prevention procedures, including appropriate training, and to ensure that ongoing monitoring takes place.
As organisations are required to ensure a proportionate and reasonable response to the rules, our approach is tailored to the level of risk faced by each business, framed around HMRC’s six guiding principles:
- Risk assessment
- Proportionate prevention procedures
- Commitment from senior management
- Due diligence
- Communication and training
- Monitoring and review
How can we help?
Our tax experts help numerous businesses to understand their obligations under the CCO rules, assess their risks and implement prevention procedures by, in particular:
- Undertaking risk assessments
- Giving support with policies and communication
- Providing training to businesses through group workshops and e-learning modules
- Reviewing prevention procedures and internal controls, including benchmarking against similar businesses
- Advising on potential breaches
- Undertaking health checks on organisations’ response to CCO
- Ongoing monitoring of risk assessments and reasonableness of prevention procedures
Frequently asked questions about Corporate Criminal Offence
What is the Corporate Criminal Offence of failing to prevent tax evasion?
The Criminal Finances Act 2017 introduced two new criminal offences, which are targeted at all corporate entities but also include partnerships and charities. The CCO rules apply if such an entity fails to prevent its ‘associated persons’ (broadly, anyone acting for or on behalf of the entity) from facilitating either UK or overseas tax evasion.
The only defence an entity has under the CCO rules is that it had reasonable prevention procedures in place to stop the facilitation from taking place.
What are the potential penalties?
If prosecuted, penalties for corporate entities are severe, including but not limited to:
- Potentially unlimited fine
- Implications for regulated entities such as losing licenses
- Potentially prevented from bidding for public contracts
- Reputational damage
How is HMRC investigating businesses under the Criminal Finances Act 2017?
As at 13 May 2022, HMRC had seven investigations and 21 potential investigations into facilitation of tax evasion across a range of business sectors and business sizes.
HMRC has allocated additional roles to fraud investigation since the introduction of the Criminal Finances Act 2017 and HMRC case managers have been trained to discuss the CCO with large businesses. It also forms part of HMRC’s Business Risk Review checklist.
New cases are often being identified through HMRC’s usual tax evasion investigations under either civil or criminal powers. Where tax evasion is found to have occurred, HMRC then considers whether or not the tax evasion was facilitated by an ‘associated person’ of a relevant entity. By tracing the tax evasion through to an entity, HMRC is then able to enquire as to whether or not that entity has done a CCO risk assessment and test its prevention procedures.
We are a small business with strong internal controls. Do we need to do a risk assessment for facilitation of tax evasion?
Undertaking a risk assessment is recommended for all organisations, regardless of size or sector. It may not be necessary to implement significant prevention procedures if the risks faced are minimal. In order to determine this, an initial risk assessment should be undertaken and the findings documented.
HMRC guidance states that "it will rarely be reasonable to have not even conducted a risk assessment."
Can we use our existing financial crime and business controls and policies to ensure compliance with the CCO?
These provide a useful framework from which to develop prevention procedures against tax evasion and facilitation of tax evasion.
It is important to ensure that existing procedures are appropriately tailored to target tax evasion and tax fraud; simply adding ‘tax’ to existing policies, for example, is unlikely to be sufficient.
Who is responsible for preventing facilitation of tax evasion in an organisation?
The CCO risk assessment will likely require input from individuals across the business and will almost certainly involve experts in finance, tax, legal, risk and compliance, among others.
Overall responsibility for ongoing monitoring often falls to one of these teams, depending on the size and structure of the organisation.
Regardless of where the responsibility lies, it is critical that a team or an individual takes ownership of CCO risk management.