The UK Corporate Criminal Offence (CCO) of Failing to Prevent the Facilitation of Tax Evasion: The evolving response

Almost three years on from the enactment of the UK Corporate Criminal Offence (CCO) of the Failure to Prevent the Facilitation of Tax Evasion legislation, HM Revenue & Customs (HMRC) announced that – as at 31 December 2019 – the first nine investigations had been launched, with 21 more under consideration. 

On 2 June 2020, EY hosted a webcast with the HMRC lead on CCO, Sam Dean, to share our collective experiences and invite nearly 2,000 attendees to respond to polling questions to track progress on their CCO journey. In this article we cover the main points discussed on the webcast and share the results of the polling questions alongside the results of the same questions asked on a webcast 18 months ago. 

We also consider how COVID-19 could change the risk environment and share key insights from the HMRC response to – and learnings from – the first investigations.

The broad reach of CCO: UK and beyond

The CCO rules were introduced as part of the Criminal Finances Act 2017. Previous webcasts and articles, published on our dedicated webpage, have provided more detail into the background to the legislation. A key point to note is that the reach of the legislation is international and wide-ranging, applying to both UK and non-UK tax evasion, and to the facilitation of that evasion both inside the UK and overseas.

The legislation adopts a similar approach to the UK Bribery Act 2010 and focuses on the dishonest facilitation of tax evasion by a person acting for a business. HMRC’s aim is to change industry practice and attitudes towards risk, encouraging organizations to do more to prevent tax crime happening in the first place by persons acting on their behalf. Things are progressing at pace, with all HMRC criminal investigators trained and capable of investigating CCO cases and all existing criminal tax evasion cases assessed for CCO application.

Investigations sit across all HMRC customer groups from small business through to some of the UK’s largest organizations. The number and spread of investigations clearly demonstrate that HMRC is actively enforcing the legislation across all tax and duty regimes and across organizations of all shapes and sizes.

More broadly, HMRC has been actively working with its international partners to combat tax evasion. The UK has joined with Canada, the Netherlands, the United States and Australia to create the Joint Chiefs of Global Tax Enforcement (J5). This operational group focuses on enablers of tax evasion and is already making good progress, so far sharing information on over 50 international investigations. A global day of action took place in 2020 against suspected global tax evasion and identified money laundering of more than £200m in the UK alone.

Criminal investigation powers

Sam Dean stressed on our webcast that it’s important to remember that the failure to prevent the facilitation of tax evasion is a criminal offence. Whilst the penalty may be financial rather than custodial for the corporate entity, it is still a criminal investigation which means HMRC’s criminal powers apply with the whole host of criminal investigation tools that brings. For example, exercising search and arrest warrants without prior notice. It’s entirely possible that the first time an organization is aware of the investigation is when HMRC officers arrive at their premises to arrest an associated person, seize evidence, and request to see what preventative procedures have been put in place by the organization. It is not unlikely for HMRC to take witness statements on the day from other employees, asking about their knowledge of the legislation and what training they have received.

The importance of understanding your risk

The importance of developing a risk assessment as a first step to developing the response to CCO cannot be understated. Working with businesses we have found the range and impact of risks can vary enormously, and you can only assess if your overall response is reasonable by first understanding the risks that you are trying to address.

When embarking on the risk assessment, we start by looking through different lenses of risk identified by HMRC’s guidance to understand how, absent of any existing controls, the facilitation of tax evasion could arise across the business. We take into account factors such as where the business operates around the world, any historic issues in the sector in which it operates, the nature of the goods and services sold, how contractors are engaged, and the nature of transactions with customers and suppliers to understand how their tax evasion could theoretically be facilitated in the conduct of the business.

As risks are identified and prioritised, existing controlling procedures can also be identified and evaluated for design and operational effectiveness. A plan can then be built to address any gaps in controlling procedures. Securing long-term compliance means embedding the processes into business as usual. 

Within Financial Services, and other regulated sectors responsible for carrying out anti money laundering checks, the main area of risk is the customer and wider external risk. There is an increased possibility that a customer may be committing tax evasion and use your facilities/services to carry it out. A focus therefore in Financial Services is to understand how your products and services could be used to facilitate someone’s tax evasion.

Who is responsible in the business for CCO?

A key question when building the response to CCO is ‘who should own the CCO response?’ Tax departments have a role to play in understanding risks. The Legal or Compliance team might own the process due to the parallels with anti-bribery and corruption rules and, as the legislation is concerned with interactions with third parties, this brings departments such as Procurement, Supply Chain, Sales, Finance and HR to the discussion. EY’s experience is that the department that leads on adopting the approach to CCO will vary, however, it is important that all impacted departments play a role in identifying the risks and building the response.

Establishing a defence

Where there has been an instance of the facilitation of tax evasion by an associated person acting for a business, the only defence available to the business against a criminal prosecution is that it had established ‘reasonable procedures’ to address the facilitation risk. We have already touched on the importance of the risk assessment as the first point on this journey. Beyond that, HMRC has set out a further five guiding principles, as follows:

• Proportionality of procedures
• Top level commitment
• Due diligence
• Communication and training
• Monitoring and review

As our webcast poll results highlight, there are still businesses who have not fully implemented reasonable procedures and who are open to risk.

As the HMRC investigations progress, the bar will continue to be raised. Employee communications and training is hugely important. It is timely to reflect on the US Department of Justice (DoJ) guidelines released in June 2020 which highlights the direction of travel we have seen with bribery and corruption enforcement authorities take. It is therefore indicative of where CCO may go, taking a much harder line regarding behaviors and effectiveness of control measures. The DoJ asks for an impact assessment on how training has impacted on employee behavior or operations, which policies are attracting more attention from employees, and testing whistleblowing hotline awareness and whether employees feel comfortable using it.

People can be a key control in identifying facilitation risks in the business. By developing policies which speak to the roles of your people and the risks they could face, having a clear commitment from the top of the organization, bringing this all to life with tailored training, and both encouraging the reporting of risks through a whistleblowing line and fully investigating the risks, many businesses can go a long way to creating an effective control environment.

Data analytics also have an increasing role to play with some of our clients building interactive dashboards pulling on expanded data streams to drive real insights into compliance behaviour. We have recently worked on pre and post COVID-19 analysis implementing control environment for a global beverage business. Many things have changed in recent months and new red flags identified. The results are now helping the Compliance team focus their efforts and prompting questions into the business.

For the Financial Services and regulated sectors, it’s important to recognise that there are added control environments in place, other control legislation and responsibilities, plus additional client and transaction monitoring. Good data management is critical – are you able to identify cases of potential tax evasion through data analytics?

HMRC has emphasised on many occasions the importance of self-reporting as evidencing that reasonable procedures are operating. A dedicated portal has been created to report instances of the facilitation of tax evasion, more detail on which can be found here.

The evolving landscape

When asked how Sam sees the broader landscape evolving, international cooperation is flagged as something that will continue to increase. Some of the largest areas of risk will cut across international boundaries, so a global approach to law enforcement and tax administration response will be key in meeting that head on. CCO gives an incredibly powerful tool to leverage that international cooperation.

HMRC will continue to focus on impact and demonstrating the application of the offences to organizations of all shapes and sizes across all sectors, so we can expect to continue to see a wide spread of investigations. 

How can EY help?

As the HMRC investigation pipeline continues to build, does your organization have a robust CCO response in place? Take our CCO readiness questionnaire to find out. 

EY’s team, incorporating former revenue authority investigators, anti-bribery and corruption experts, criminal and contract lawyers, and risk management specialists, has helped numerous businesses through their CCO journey and can deliver a wide range of services tailored to support your needs, including the following;

• A thorough risk assessment, capturing the full list of risks and controls with dashboard visualisations enabling the business to analyse the results across the third parties, the associated persons and the tax type.
• Developing the framework of communications and policies to implement the top-level governance to address CCO.
• Web-based learning modules tailored to the business to address the risks identified and educate the organization of the risks and policies.
• Revisions to due diligence processes, customer and supplier onboarding, and contractual terms.
• Whistleblowing lines and support to investigate any ‘red flag’ transactions, with the protection of legal privilege where required.
• Building the framework to ensure that key controls are tested, new risks are identified, controls are modified, and the business can be confident that reasonable procedures have been implemented.