14 Dec 2017

How to respond to the new corporate criminal offence compliance

All financial institutions with activities or customers in the UK need to review and amend their policies and procedures

Main points of the new legislation

Sections 45 and 46 of the 2017 Criminal Finances Act created a new corporate offence of failure to prevent the facilitation of tax evasion, which came into force on 30 September 2017. The new offence means a corporation can be held criminally liable if its employees, or anyone else providing services for or on its behalf, assist a taxpayer in evading their tax liabilities. Penalties include unlimited fines.

  • The legislation includes a defence of having reasonable procedures in place to prevent the facilitation of tax evasion. This is similar to the “adequate procedures” defence in the Bribery Act. 
  • The aim of the legislation is to create an environment that fosters corporate monitoring and self-reporting of criminal activity. 
  • In most organizations, complying with the new legislation will require coordination between tax, financial crime, compliance and legal departments. It will also create new governance and control burdens. 
  • Breaching the legislation is a criminal offence punishable by potentially unlimited fines. There is also likely to be significant reputational damage.

Key challenges for compliance

For all organizations, the new corporate criminal offence (CCO) presents challenges in four key areas:

  1. Facilitation risks
    Unlike existing anti-money laundering (AML) controls, the CCO focuses on facilitation risks — thus exposing banks to the actions of dishonest employees or third parties. Financial institutions need to consider whether their existing or new controls could be circumvented by associated persons, making them liable to prosecution.
  2. Associated person risks
    Like the Bribery Act, the CCO requires the organization to consider how the rules apply to third parties over which they may have little control. Clearly, identifying the risks related to these associated persons is key. Ensuring that controls are in place to cover all of them is a significant challenge.
  3. Ownership and accountability
    Complying with the CCO requires a mix of tax and financial crime expertise, supported by resources to conduct risk assessments and ensure changes are implemented properly. Establishing ownership and accountability is vital, but it is made more complex by the fact that there is no obvious “home” for this team.
  4. Leveraging existing controls effectively
    Achieving effective compliance with the CCO requires the organization to focus its efforts on the areas of highest risk and make use of existing controls. At the same time, the risk assessment and implementation planning must be robust and honest, in order to ensure that all relevant risks are addressed fully.

Next steps

When planning and implementing prevention procedures that will stand up as reasonable under legal scrutiny, it is vital for firms to consider:

  • Each of HMRC’s six principles in turn, and the related steps 
  • The existing controls they have in place to address these risks 
  • The need to enhance or improve these existing controls

Wherever possible, existing controls should be reused to address the risks raised by the new CCO. New controls should only be implemented when existing controls cannot be enhanced to address them.

With the new offences now in force, organizations must act swiftly to implement any additional controls needed across their organization, and embed those controls into business as usual (BAU).


The CCO is now a fact of life for financial institutions and completing risk assessment under the new legislation is just the start. It’s time to make the journey to embed compliance into BAU.

About this article


EY FS Insights
