More than two years after the Criminal Finances Act (CFA) received royal assent, HM Revenue & Customs (HMRC) has opened investigations under the Corporate Criminal Offence of failing to prevent tax evasion (‘Failure to Prevent Offence’).
Despite the deadline for implementing the CFA having long passed, an IPSOS Mori survey showed a concerning lack of awareness — as only 25% of companies surveyed had heard of it.
Here I analyse some of the main issues facing the legal and compliance community in response to the Failure to Prevent Offence. In addition, I have collated the key points into a checklist on how to drive a proportionate response in practice, in light of the ‘reasonable procedures’ requirement.
Current state of play
At this early stage, in-house lawyers and compliance professionals may not know what ‘good’ looks like. Many will be unsure of the controls that a corporation should deploy to mitigate the facilitation of tax evasion. It is tempting to compare this stage to the period immediately after the Bribery Act came into force. As it’s all new to everyone, the bar is set low and there are no prosecutions yet. There was a perception that a few tweaks in policies and procedures should get you home. But this could prove to be cold comfort. More on that below.
Who owns the risk?
When it comes to who owns corporate tax evasion risk, the picture is mixed to say the least. Various functions, from legal to compliance and tax are seen as joint risk owners. This can be a good thing for promoting a cohesive compliance culture; however, it does raise questions about how clearly roles and responsibilities are being assigned – and if accountability is falling through the cracks.
The truth, of course, is that there is no right or wrong answer when it comes to assigning the risk to a particular part of the business. Yet a number of colleagues in legal and compliance departments may not be aware of existing tax controls that are hugely relevant to combating the risk. So there is good reason to sign up to a collaborative approach, especially at the risk assessment stage.
Practical steps to drive a proportionate response
HMRC’s guidance for the Failure to Prevent Offence should be the starting point for any organisation looking to optimise its legal and compliance programme. Whilst not prescriptive, the guidance covers six key areas as listed below. Each section contains guidance on how to approach it in practice:
Risk assessment
The overwhelming majority of corporations would have conducted some sort of risk assessment during the period leading up to the enaction of the legislation. The approach taken here should be influenced by a company’s internal factors – such as its size, sector, global footprint etc.
A review of your anti-bribery and corruption (ABC) adequate procedures can be a starting point. But it is simply that: a start. It is crucial to be informed about tax-specific risks that are above and beyond ABC and third parties.
Proportionality of risk-based prevention procedures
Don’t boil the ocean. You may already have controls in place that are part of the solution. These can be integrated or adjusted to specifically mitigate corporate tax evasion risk. The involvement of tax colleagues at an early stage is necessary, particularly as I have seen examples of important pre-existing controls that were simply not known to legal or compliance.
Top level commitment
This ought to be the lowest hanging fruit, but it’s surprising how often companies fail to demonstrate this to the requisite standard. Two quick points here:
- Collaborate
Where I have seen this done well, there is a good level of collaboration between compliance and communications departments. This will require planning ahead with targeted messages, for example to coincide with key commemorative dates such as International Anti-Corruption Day.
A common mistake is to only include the CEO, or even worse, only the Chief Compliance Officer, since this risks being perceived as a form of “tick-box” top level commitment. The involvement of other commercial or sales leaders in delivering key compliance messages can be very powerful, as they are often closer to the employees who are at risk on the ground. It is also important to demonstrate that senior leaders are comfortable to speak about key commercial targets in a way that emphasises how these should be achieved in the right way.
- Doing more with less?
Compliance teams are increasingly having to do more with less. You may think that an obvious example of top-level commitment would be to increase investment in compliance. Rather, we have seen organisations enhance their compliance programmes by investing in technology to automate manual processes. Strategic investment is a better indication of commitment than simply increasing funding.
Due diligence
This is the area where reliance on your ABC adequate procedures process is unlikely to suffice. Due diligence presents an opportunity to demonstrate to regulators that, at the crucial stage of forming a business relationship, the company has not only done its homework on associated parties, but that specific tax evasion risk factors have been incorporated into the due diligence process.
With third party populations extending into thousands of entities and people, technology has a key role to play in due diligence. Indeed, an increasing number of businesses tell us that they are using, or intended to use, technology solutions to mitigate tax evasion risk. An innovative use of technology is to automate the screening of third parties against publicly available online tax blacklists and databases.
Communication – including training
Messages to employees, suppliers and other relevant stakeholders need to be easily accessible, targeted and clear. Where problems have been identified, it is important to use effective communication as part of the response and remediation of any issues. Increasingly, regulators want to see evidence that the consequences of wrongdoing have been communicated, where this is relevant.
Monitoring and review
Regulators in the US and the UK now assume you have a suite of policies and procedures, mandatory training and regular messages from senior leadership emphasising the importance of ethics and integrity.
Whilst the Failure to Prevent Offence is at an embryonic stage when compared to the UK Bribery Act and the Foreign Corrupt Practices Act (FCPA), it is clear that this won’t be a reason for the regulators not to insist on the highest standards when assessing the effectiveness of your compliance programme. Whatever your system for monitoring and review you must also demonstrate the effectiveness of your programme.