At a high level, what is CCO? 

CCO refers to a piece of legislation that was brought in as part of the Criminal Finances Act in 2017 and is part of suite of measures that have been introduced by HMRC aimed at tackling tax evaders and enablers.

HMRC has indicated that the legislation seeks to bring about a “cultural change” in how prevention procedures over tax evasion are embedded within an organisation, from top-level commitment downwards.

It essentially means that a “relevant body” (company or partnership) can be found guilty of a criminal charge, where someone associated with that business has facilitated tax evasion, and where the company has not done enough to have prevented this from occurring.

What do you mean by associated?

The definition of an “associated person” is deliberately wide reaching, and will include all employees, suppliers, contractors, agents and anyone else deemed to be acting for or on behalf of the organisation.

Why do companies need to take this seriously?

A successful prosecution could lead to unlimited financial penalties, a public record of conviction and severe reputational damage. It may also require disclosure to professional regulators in the UK and overseas, and prevent the body being awarded public contracts.

Do these rules only apply to large businesses?

No. CCO applies to all businesses of whatever size or sector and so there is something to be done by everyone and now.  I would encourage all organisations to ensure their CCO response is up to date.

During the pandemic period there has been significant business disruption and undoubtedly an increased risk of fraud. For businesses to maintain their cash flow position (and even their viability) there are often pressures to cut or reduce costs in the face of lost revenue and falling profits.

Where there is increased pressure on costs, staff reductions, employees working from home, or management focused on critical functions only, the risk of fraud generally, and specifically tax fraud, inevitably will increase.

These pressures, coupled with increased opportunity, such as enhanced government support schemes can drive “good people to do bad things” – for example, either seeking to evade tax or assist in the facilitation of tax fraud.

As a bare minimum what should a business be doing to manage their CCO compliance?

While CCO applies to all companies and partnerships, the response to the legislation needs to be reasonable and proportionate to the risk the organisation faces, (ie, the risk of persons associated with it committing tax evasion facilitation offences). This will depend on the nature, scale and complexity of the relevant body’s activities.

However, HMRC expects all businesses to identify what risks exist within their business and, where necessary, to implement procedures proportionate to that risk to prevent associated persons from criminally facilitating tax evasion. Organisations are encouraged to “sit at the desk” of their associated persons and consider the means, motive and opportunity that may lead to someone facilitating tax evasion.

And it is not enough simply to rely on existing control frameworks – organisations need to take CCO-specific steps. If you haven’t assessed your CCO risks, you may not be able to prove that you have taken reasonable steps to prevent facilitation from occurring.

Who should be involved in this work?

HMRC makes clear in its guidance that there should be oversight of the risk assessment by senior management. In large businesses the responsibility for managing the risk assessment may be delegated below Board level; however HMRC expects to see commitment from top-level management in all businesses. Many large businesses we work with are assigning overall responsibility at Board level and documenting Board CCO Policies.

In terms of actually carrying out the risk assessment, it is recommended that representatives from any part of the business where there is the opportunity to influence financial transactions with associated persons are involved. Typically, this includes HR, finance, accounts receivable/payable, and sales departments, and also procurement, tax and legal where these functions exist.

What else may businesses want to consider?

Companies should ensure that they have adequate due diligence procedures in place, capable of identifying the risk of criminal facilitation of tax evasion by associated persons. The broad scope of the legislation means that it is not just about what is happening within the business but also the supply chain – which is why due diligence is so important.

Internal and external communications which make clear the organisation’s zero tolerance policy towards facilitation of tax evasion, and training of staff would also be expected to form part of reasonable prevention procedures.

Communications should, again, be proportionate to the risks faced by the business, but may include internal email memos, updates to employee or supplier codes of conduct and internal and external website postings. Some large businesses have chosen to incorporate a CCO statement into their published Tax Strategy. We are also increasingly seeing CCO clauses being incorporated into contractual terms.

With regard to training, employees should be aware of the organisation’s CCO policies and receive training containing sufficient detail for them to understand the red flags to be aware of in their roles, and how to deal with any concerns they may have. Many businesses are now using eLearning modules to ensure that they can reach across large employee populations.

Are there any business sectors considered to be higher risk?

Certain sectors are susceptible to a higher risk of facilitating tax evasion than others, such as financial services, tax advisory and legal firms. But there are a number of potential elevated risk areas that could apply to other sectors.

Businesses who have associated persons based in countries considered high risk from a money laundering and bribery perspective should be aware of this. And organisations should consider whether the types of transactions, projects, business relationships, products or customers they deal with pose greater levels of risk.

Are there any risk management procedures which need to be undertaken on an annual or periodic basis to manage CCO?

It is expected that businesses will periodically review and update their risk assessment documents.

Business risk will change and evolve over time, maybe due to changes in the organisation’s activities, or it could be a result of external factors. For example, it is anticipated all businesses will need to look at how COVID-19 has altered working practices this year. It is important that businesses consider the impact on their risk assessment of such changes and take appropriate action thereafter.

Training and communication measures (as referred to above) should also be revisited periodically to ensure ongoing awareness and understanding of the organisation’s CCO risks and policies. 

In addition, whistleblowing and escalation processes should be reviewed on an ongoing basis to monitor CCO reports, and these should be fed into the risk assessment.

From your experience are there any areas which regularly highlight CCO risk for companies?

Any supply chain which is extended or particularly complex, can result in increased risk. The use of off-payroll labour, either directly or via agencies, is also an area where risk levels can be heightened. 

For larger corporates, how does the CCO process feed into the Senior Accounting Officer process? 

SAO and CCO are entirely separate pieces of legislation. SAO is all about ensuring that the accounting processes in place are robust enough to ensure that the company’s tax calculations are accurate and the right amount of tax is being paid. 

While there may be some overlap, controls considered for SAO purposes may not extend to covering risks of facilitation of tax evasion by a third party, and so for CCO any review of controls needs to be approached from a different angle.

Does CCO affect HMRC’s Business Risk Review Process?

CCO does now very much feature as part of the large corporate HMRC Business Risk Review. Where a company is found not to have taken adequate steps to manage CCO risk, this will be seen to be indicative of the company being higher risk in terms of their internal governance and could contribute to an overall non-low risk review rating.

Are there any clear areas or sectors which are causing problems? Any sectors which are of particular focus under these rules and leading to CCO investigations? 

HMRC currently has 13 live cases, with another 18 under review. It is understood that these span 10 different business sectors, including financial services, oil, construction and labour provision, and sit across all HMRC customer groups from small business through to some of the UK’s largest organisations. As such there do not appear to be any common issues, sectors or size of business that can be pinpointed.

We do know that, so far, the cases have typically been identified from existing HMRC criminal tax evasion cases, where HMRC has subsequently identified that there is a facilitation element. This would appear to be a logical starting point for HMRC.

What should a business do if they identify that an associated person has facilitated tax fraud?

There is a mechanism for making a self-report to HMRC under the CCO legislation. However, it is important that any business considering making a self-report takes legal advice prior to doing so, as it would potentially be reporting that it has committed a criminal offence (by virtue of failing to prevent the facilitation offence). It would subsequently be up to the business to prove having a defence in place.

It should be noted that self-reporting does not guarantee that a company or partnership will not be prosecuted, but it may be taken into account by HMRC, prosecutors and the courts.

More support

ICAEW has published guidance: Failure to Prevent Tax Evasion (The Criminal Finances Act 2017) and the HMRC Investigations Handbook (published by Bloomsbury Professional) includes some detail on the Corporate Criminal Offences.