Chris Davidson CBE (KPMG) sets out practical steps for relevant bodies to take in light of the new corporate criminal offence.
Question
The Criminal Finances Bill contains provisions for a new corporate offence for failing to prevent tax evasion. These are expected to come into force by September 2017. What steps should companies take now?
Answer
All ‘relevant bodies’ falling within the scope of the new ‘failure to prevent’ offence are asking that question. This is something that needs action now. Unless you ensure you have reasonable procedures in place by 31 August 2017, you will risk committing a strict liability offence, and you could face an unlimited fine if a person acting on your behalf commits a predicate offence of aiding or abetting someone to evade tax criminally.
The rules have been explained (see the article ‘Corporate failure to prevent facilitation of tax evasion’ (Jason Collins & Tori Magill), Tax Journal, 11 November 2016), but what needs to be done in practice? HMRC is not expecting ‘paranoid’ procedures; it is, though, expecting relevant bodies to implement reasonable procedures. There is no simple system that will protect every business from the risk of prosecution. All businesses, though, can work through a simple five stage process to assess their own particular circumstances.
Stage one – initiation: It is first important to understand the legislation and guidance. The final guidance is not yet available, but HMRC has published an updated draft of the government guidance (see www.bit.ly/2e8cne0). Some organisations are well advanced in producing drafts of guidance for businesses in particular sectors.
Next, work out who in your organisation needs to be involved. Don’t be complacent and leave this solely to your tax department to handle. Although the new law is driven by the government’s desire to clamp down on evasion, it’s fundamentally about business conduct, and thus you should consider financial crime, compliance and your chief risk officer to lead the project.
Create a project team with personnel drawn from all relevant functions to lead the work you will need to do. Ensure the team has the resources it will need to fulfil its remit.
Stage two – mobilisation: Mobilisation requires an understanding of tax evasion and facilitation. There is a danger that this will be seen as concerning complex arrangements involving offshore trusts, special purpose vehicles, etc. But this risks missing simpler criminal activity: is someone telling lies, trying to confuse, or producing false documents?
You should then conduct a risk assessment. This is critical; if it is done badly, you will have no chance of showing that your procedures meet the statutory test of being ‘reasonable in all the circumstances’. Other than for the simplest of businesses, this is likely to need at least two stages.
First, a high-level risk assessment should review the entire business operations, including business support functions, and categorise them as high, medium or low risk. Providing tax, investment or banking advice to rich internationally mobile individuals will be high risk; while retailing in the UK to high street customers will be lower risk. Remember, though, that even in areas which appear low risk, there can be the potential to facilitate tax evasion. For example, selling low-value goods to individuals who pay by credit card, debit card or cheque may appear low risk, unless they ask for the receipt to show something different from the actual transaction so they can claim the VAT back.
Be live to the risk of your staff or agents helping someone lie to a tax authority. Assume that some of your clients will be evading tax however careful you are; if you can identify them, you should be working for HMRC! Do not assume that all your staff will comply with your processes; if they are prepared to break the law by aiding and abetting tax evasion, they will have no qualms about getting around your systems. Therefore, you should assume that someone acting on your behalf will commit a predicate offence of facilitating tax evasion. You will have to rely on your procedures being reasonable in all circumstances (and regarded as such by HMRC, the SFO or a jury). Make sure the scope of your risk assessment is wide enough and includes your suppliers and contractors. The six pillars on which the legislation is based include ensuring you have appropriate due diligence in relation to associated persons, so do not restrict your efforts to your own employees.
Stage three – planning: This stage starts with more detailed risk assessments focusing in those areas identified as high or medium risk. Involve staff working in these areas, as they will understand the local loopholes in your processes. The objective is to map out the procedures you will need in order to meet the statutory test. You should draw on what you already do, where appropriate responses are in place. Adapt your anti-bribery or anti-money-laundering controls, if they can be deployed as part of your response. Run a gap analysis to identify where you need to introduce new controls. Cross-check your plans against HMRC guidance and any sector specific guidance. There will be guidance for financial services and doubtless for other sectors. You will not be expected to follow this slavishly if it is wrong in your circumstances. But remember that if you can’t explain why you didn’t follow the guidance, hindsight will mean you may struggle to persuade a jury that your procedures were reasonable.
Stage four – implementation: You may have new controls to design and roll out. This may require changes in your IT software, contracts with suppliers to be rewritten, and monitoring procedures to be expanded. There will also be staff training to write and deliver. Send a ‘tone from the top’ message to staff when the changes in processes and accompanying training are rolled out.
Keep track of time as you map and deliver all this. If it is not possible to complete everything by 31 August 2017, HMRC will be understanding, as long as you are proceeding with pace and continue to do so. It will not be so understanding if the delay was caused by a late start or if you fail to give this project sufficient priority.
Stage five – monitoring: What happens after 31 August 2017, when you hope to have completed the project and have procedures in place that are reasonable in all circumstances? Do not assume the job has been completed. You will need assurance that your procedures are operating effectively, so you need to monitor them. You need to be alert to changes in the guidance and also to learn from experience, so that you can show continuous improvement in your systems.
Ultimately, the acid test will be whether you can demonstrate, when criminal investigators call, that your procedures were reasonable on a particular date. So, at each of the stages above, keep an accessible record of everything you do and why.
Chris Davidson CBE (KPMG) sets out practical steps for relevant bodies to take in light of the new corporate criminal offence.
Question
The Criminal Finances Bill contains provisions for a new corporate offence for failing to prevent tax evasion. These are expected to come into force by September 2017. What steps should companies take now?
Answer
All ‘relevant bodies’ falling within the scope of the new ‘failure to prevent’ offence are asking that question. This is something that needs action now. Unless you ensure you have reasonable procedures in place by 31 August 2017, you will risk committing a strict liability offence, and you could face an unlimited fine if a person acting on your behalf commits a predicate offence of aiding or abetting someone to evade tax criminally.
The rules have been explained (see the article ‘Corporate failure to prevent facilitation of tax evasion’ (Jason Collins & Tori Magill), Tax Journal, 11 November 2016), but what needs to be done in practice? HMRC is not expecting ‘paranoid’ procedures; it is, though, expecting relevant bodies to implement reasonable procedures. There is no simple system that will protect every business from the risk of prosecution. All businesses, though, can work through a simple five stage process to assess their own particular circumstances.
Stage one – initiation: It is first important to understand the legislation and guidance. The final guidance is not yet available, but HMRC has published an updated draft of the government guidance (see www.bit.ly/2e8cne0). Some organisations are well advanced in producing drafts of guidance for businesses in particular sectors.
Next, work out who in your organisation needs to be involved. Don’t be complacent and leave this solely to your tax department to handle. Although the new law is driven by the government’s desire to clamp down on evasion, it’s fundamentally about business conduct, and thus you should consider financial crime, compliance and your chief risk officer to lead the project.
Create a project team with personnel drawn from all relevant functions to lead the work you will need to do. Ensure the team has the resources it will need to fulfil its remit.
Stage two – mobilisation: Mobilisation requires an understanding of tax evasion and facilitation. There is a danger that this will be seen as concerning complex arrangements involving offshore trusts, special purpose vehicles, etc. But this risks missing simpler criminal activity: is someone telling lies, trying to confuse, or producing false documents?
You should then conduct a risk assessment. This is critical; if it is done badly, you will have no chance of showing that your procedures meet the statutory test of being ‘reasonable in all the circumstances’. Other than for the simplest of businesses, this is likely to need at least two stages.
First, a high-level risk assessment should review the entire business operations, including business support functions, and categorise them as high, medium or low risk. Providing tax, investment or banking advice to rich internationally mobile individuals will be high risk; while retailing in the UK to high street customers will be lower risk. Remember, though, that even in areas which appear low risk, there can be the potential to facilitate tax evasion. For example, selling low-value goods to individuals who pay by credit card, debit card or cheque may appear low risk, unless they ask for the receipt to show something different from the actual transaction so they can claim the VAT back.
Be live to the risk of your staff or agents helping someone lie to a tax authority. Assume that some of your clients will be evading tax however careful you are; if you can identify them, you should be working for HMRC! Do not assume that all your staff will comply with your processes; if they are prepared to break the law by aiding and abetting tax evasion, they will have no qualms about getting around your systems. Therefore, you should assume that someone acting on your behalf will commit a predicate offence of facilitating tax evasion. You will have to rely on your procedures being reasonable in all circumstances (and regarded as such by HMRC, the SFO or a jury). Make sure the scope of your risk assessment is wide enough and includes your suppliers and contractors. The six pillars on which the legislation is based include ensuring you have appropriate due diligence in relation to associated persons, so do not restrict your efforts to your own employees.
Stage three – planning: This stage starts with more detailed risk assessments focusing in those areas identified as high or medium risk. Involve staff working in these areas, as they will understand the local loopholes in your processes. The objective is to map out the procedures you will need in order to meet the statutory test. You should draw on what you already do, where appropriate responses are in place. Adapt your anti-bribery or anti-money-laundering controls, if they can be deployed as part of your response. Run a gap analysis to identify where you need to introduce new controls. Cross-check your plans against HMRC guidance and any sector specific guidance. There will be guidance for financial services and doubtless for other sectors. You will not be expected to follow this slavishly if it is wrong in your circumstances. But remember that if you can’t explain why you didn’t follow the guidance, hindsight will mean you may struggle to persuade a jury that your procedures were reasonable.
Stage four – implementation: You may have new controls to design and roll out. This may require changes in your IT software, contracts with suppliers to be rewritten, and monitoring procedures to be expanded. There will also be staff training to write and deliver. Send a ‘tone from the top’ message to staff when the changes in processes and accompanying training are rolled out.
Keep track of time as you map and deliver all this. If it is not possible to complete everything by 31 August 2017, HMRC will be understanding, as long as you are proceeding with pace and continue to do so. It will not be so understanding if the delay was caused by a late start or if you fail to give this project sufficient priority.
Stage five – monitoring: What happens after 31 August 2017, when you hope to have completed the project and have procedures in place that are reasonable in all circumstances? Do not assume the job has been completed. You will need assurance that your procedures are operating effectively, so you need to monitor them. You need to be alert to changes in the guidance and also to learn from experience, so that you can show continuous improvement in your systems.
Ultimately, the acid test will be whether you can demonstrate, when criminal investigators call, that your procedures were reasonable on a particular date. So, at each of the stages above, keep an accessible record of everything you do and why.