A Dozen Investigations of the Corporate Offence of Failing to Prevent Facilitation of Tax Evasion

Tax Evasion

The Criminal Finances Act has been in force since 2017. While there have been no prosecutions as yet, HMRC are currently investigating thirteen potential violations of the Corporate Criminal Offence of failing to prevent the facilitation of tax evasion.

The Act places responsibility on businesses to make sure none of their employees are involved in helping someone evade their taxes. If they do, and if the business failed to have “reasonable procedures” to prevent or expose it, then the business itself could be found guilty and liable for some pretty steep fines.

This offence is broad-reaching. It can be committed whether or not the company is UK-based or established under the law of another country, or whether the associated person who performs the criminal act of facilitation is in the UK or overseas.

The Six Guiding Principles of The “Reasonable Procedures” Defence

Under this legislation, businesses can be held responsible for the actions of their employees, whether or not the business was aware of an employee’s criminal activities. A business’ only defence is to take “reasonable measures” to ensure that its employees do not facilitate tax evasion. Government guidance recommends the following six “reasonable measure” principles:

  1. Risk assessment
  2. Proportionality of risk-based prevention procedures
  3. Top level commitment
  4. Due diligence
  5. Communication (including training)
  6. Monitoring and review

1. Risk Assessment

A company should conduct an assessment of the risk that an employee could actually facilitate tax evasion. Companies in the financial services, legal and accounting sectors are obviously at a higher risk. Companies that handle large sums of cash or facilitate large transactions might inadvertently serve as money laundering conduits.

Regardless of the results, this risk assessment process should involve senior management, be well documented and reviewed periodically.

Some of the risk factors that could affect a company include:

  • Country risk – some countries are perceived as having high levels of secrecy or used as tax shelters
  • Sectoral risk – some sectors pose a higher risk of facilitating tax evasion than others, such as financial services
  • Transaction risk – certain types of transaction give rise to higher risks, such as complex tax planning structures
  • Opportunity risk – could someone facilitate tax evasion?

Click here to take the VinciWorks tax evasion risk assessment

2. Proportionality of Risk-based Prevention Procedures

The new law does not require burdensome procedures designed to perfectly address every conceivable risk. Rather, a company should document policies and procedures and allocate resources that are proportionate to its risk profile.

The precise prevention procedures will differ for each organisation, but they are likely to include common elements. For example:

  • A clearly articulated tax evasion policy with commitment from top-level executives
  • An overview of the strategy and time-frame to implement prevention policies
  • A clear pathway for reporting wrongdoing
  • Protection for whistle-blowers (with no retribution)
  • A commitment to compliance over profit or bonuses

3. Top-level Commitment

The top-level management of a company should be committed to preventing the criminal facilitation of tax evasion. They should foster a culture within the organisation in which activity intended to facilitate tax evasion is never acceptable.

4. Due Diligence

The organisation should apply due diligence procedures, taking an appropriate and risk based approach in respect of persons who perform or will perform services on behalf of the organisation in order to mitigate identified risks. Organisations may choose to conduct their due diligence internally or externally. This may be done by internal audit teams or external consultants.

An organisation may, upon conducting a risk assessment, decide that services provided to a certain group of its clients pose a higher risk of being misused to perpetrate a tax fraud. As a result, they may apply increased scrutiny over those providing services to those clients, or over those who provide those services to address the specific risks of tax evasion facilitation identified.

5. Communication (including training)

This is probably one of the most important defences. It is important that a company ensures awareness and understanding of its policies amongst those who provide services on its behalf. The organisation may feel that it is necessary to require its representatives to undertake fraud or potentially tax evasion-specific training, depending on the risks it is exposed to. This would be to ensure that they have the skills needed to identify when they and those around them might be at risk of engaging in an illegal act and what whistle-blowing procedures should be followed if this occurs.

These training provisions are modeled after the training requirements in the Bribery Act.

VinciWorks’ tax evasion training teaches employees how to spot tax evaders, and what reporting procedures are required of them. The training will likely cover:

The organisation’s policies and procedures, which include provisions of The
Act and any other regulatory rules and principles:

  • An explanation of when and how to seek advice and report any concerns or suspicions of tax evasion or wider financial crime, including whistleblowing procedures
  • An explanation of the term ‘tax evasion’ and associated fraud
  • An explanation of an employee’s duty under the law
  • The penalties relating to the person and corporate entity for committing an offence under the act
  • The social and economic effects of failing to prevent tax evasion.

6. Monitoring and Review

A company must monitor and review its prevention procedures and make improvements where necessary.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.