September 24, 2018, updated 06 Nov 2018 4:44pm

As the New Corporate Criminal Offences Turn One, The Tech Sector Should Take Note

"Ambiguity can make it difficult for tech companies to quantify what compliance with this legislation looks like and has caused some to stumble at the first hurdle"

By CBR Staff Writer

This September 30 represents the first anniversary of the new Corporate Criminal Offences (CCO): failure to prevent the criminal facilitation of tax evasion. It is a timely reminder to tech companies to consider corporate governance and compliance risk issues, as the tech sector’s rapid growth, as reflected in rising revenue and profit figures for large multinational tech companies, has led to greater public scrutiny of the industry.

Nabeel Osman, Barrister and Senior Manager in the Regulatory and Commercial Disputes team, PwC

It is estimated by the National Audit Office that tax evasion costs the UK economy over £4.4 billion a year. An overlooked risk can potentially expose businesses to serious consequences, as violations of CCOs could attract criminal sanctions including unlimited fines, alongside significant reputational damage.

It is therefore imperative that in response to emerging legislative and regulatory reform, organisations identify and respond to potential risks in a timely and proportionate fashion, including adopting a zero tolerance approach to both tax evasion and its facilitation.

Corporate Criminal Offence: What it Means for the Tech Sector

What makes the Corporate Criminal Offence especially challenging for tech firms is that while two new offences were introduced via the Criminal Finances Act 2017 (CFA) a year ago, there is no positive reporting requirement, although HMRC has published guidance setting out how companies should respond.

In essence, organisations falling into the CFA’s definition of a ‘Relevant Body’ (typically any incorporated company or partnership) can now be held liable where one of their associated persons (any person or company providing services for or on their behalf) facilitates a tax evasion offence. Foreign corporates may also be prosecuted for failing to prevent UK tax evasion offences, as well as companies which evade foreign tax where there is a UK nexus to the tax evasion. This is crucial for tech firms which have business connections across several countries.

Where tech companies can show that they have had regard to the six guiding principles set out in HMRC’s guidance – (1) risk assessment; (2) proportionality of procedures; (3) top level commitment; (4) due diligence; (5) communication and training; and (6) monitoring and review – they should be able to rely on the statutory defence of ‘reasonable prevention procedures,’ irrespective of whether those procedures successfully prevented the tax evasion offence in question.

What your Business Should be Doing

The requirement for procedures to be proportionate to the underlying risk faced by an organisation is non-prescriptive and the CFA provides no definition of ‘reasonable’. This ambiguity can make it difficult for tech companies to quantify what compliance with this legislation looks like and has caused some to stumble at the first hurdle.

Aside from HMRC’s guidance, there are currently no industry-specific guidelines for the technology sector, so each company operating in the industry must assess both the thematic risks inherent in the sector and the specific risks posed by its own business, before focusing on what steps can be taken to ensure a proportionate response.

Kate Langley, Solicitor and Manager in the Regulatory and Commercial Disputes team, PwC

Industry bodies in the financial services sector have published guidance which may in part be helpful to tech firms in providing examples of the highest standards of compliance, where applicable. Existing compliance programmes within the technology sector, such as those relating to Anti-Bribery and Corruption, Anti-Money Laundering, Cyber Security, Data Protection, Sanctions and Modern Slavery, may be leveraged in the process of assessing the risk of tax evasion offences being facilitated by an associated person.

Documented Risk Assessment

As a precursor to ensuring proportionality, completing a risk assessment with specific focus on the CCOs is vital. HMRC guidance requires that business heads ‘sit at the desk’ of their employees, agents and those providing services for or on their behalf and ask whether they have a motive, the opportunity and the means to criminally facilitate tax evasion offences. While companies may feel that existing controls and procedures are adequate for other purposes, without preparation of a facilitation of tax evasion risk assessment document, HMRC have made it clear that the statutory defence will not be available.

Therefore, the CCO risk assessment should be unique to the organisation. It must record and monitor relevant risks and identify where there might be CCO specific gaps in existing control frameworks which can be enhanced (it is not always necessary to develop new standalone policies).

Implementation, Communication and Review

Where gaps are identified during the risk assessment process, prevention procedures implemented to counter these gaps should be proportionate to the type of risk in issue. While excessively burdensome procedures can be avoided, formal policies should be adopted and maintained. This may take the form of updates to contractual clauses and relevant policy documentation; top-level communications; and CCO specific staff communication (e.g. workshops, e-Learns etc.).

It should also be noted that the risk faced under the CCO legislation is not static. Tech companies must develop ongoing corporate governance and ownership over their reasonable prevention procedures. This should include proportionate review and update of risk assessment documentation, reassessment where there is a material change in business activity or jurisdictional exposure and, where necessary, annual training requirements.

Although not from the technology sector, the importance of effective and demonstrable implementation was highlighted in R v Skansen Interiors Limited (April 2018) when a jury considered, for the first time, a UK Bribery Act 2010 (UKBA) ‘adequate procedures’ defence (based on the same six guiding principles as the CCO ‘reasonable procedures’). What might particularly be of relevance to many tech firms is that, as an SME, the defendant company argued that its low-risk local client base meant limited anti-bribery and corruption efforts were sufficient for the purposes of relying on the UKBA statutory defence. The jury rejected this argument, and while it is not possible to ascertain their reasons for doing so, it is notable that the prosecution referred to the statutory UKBA guidance, especially with respect to insufficient training and communication.

As one can see from the increased spending and activity within HMRC’s investigations team, there is a greater regulatory movement against tax evasion. Tech companies need to take reasonable steps to ensure they have reasonable prevention procedures in place.
