This September 30 represents the first anniversary of the new Corporate Criminal Offences (CCO): failure to prevent the criminal facilitation of tax evasion. It is a timely reminder to tech companies to consider corporate governance and compliance risk issues, as the tech sector’s rapid growth, as reflected in rising revenue and profit figures for large multinational tech companies, has led to greater public scrutiny of the industry.
Nabeel Osman, , Barrister and Senior Manager in the Regulatory and Commercial Disputes team, PwC
It is estimated by the National Audit Office that tax evasion costs the UK economy over £4.4 billion a year. An overlooked risk can potentially expose businesses to serious consequences, as violations of CCOs could attract criminal sanctions including unlimited fines, alongside significant reputational damage.
It is therefore imperative that in response to emerging legislative and regulatory reform, organisations identify and respond to potential risks in a timely and proportionate fashion, including adopting a zero tolerance approach to both tax evasion and its facilitation.
Corporate Criminal Offence: What it Means for the Tech Sector
What makes the Corporate Criminal Offence especially challenging for tech firms is that while two new offences were introduced via the Criminal Finances Act 2017 (CFA) a year ago, there is no positive reporting requirement, although HMRC has published guidance setting out how companies should respond.
In essence, organisations falling into the CFA’s definition of a ‘Relevant Body’ (typically any incorporated company or partnership) can now be held liable where one of their associated persons (any person or company providing services for or on their behalf) facilitates a tax evasion offence. Foreign corporates may also be prosecuted for failing to prevent UK tax evasion offences, as well as companies which evade foreign tax where there is a UK nexus to the tax evasion. This is crucial for tech firms which have business connections across several countries.
Where tech companies can show that they have had regard to the six guiding principles set out in HMRC’s guidance – (1) risk assessment; (2) proportionality of procedures; (3) top level commitment; (4) due diligence; (5) communication and training; and (6) monitoring and review – they should be able to rely on the statutory defence of ‘reasonable prevention procedures,’ irrespective of whether those procedures successfully prevented the tax evasion offence in question.
What your Business Should be Doing
The requirement for procedures to be proportionate to the underlying risk faced by an organisation is non-prescriptive and the CFA provides no definition of ‘reasonable’. This ambiguity can make it difficult for tech companies to quantify what compliance with this legislation looks like and has caused some to stumble at the first hurdle.
Content from our partners
Aside from HMRC’s guidance, there is currently no industry specific guidelines for the technology sector, so each company operating in the industry must assess both the thematic risks inherent in the sector as well as the specific risks posed by its own business, before focusing on what steps can be taken to ensure a proportionate response.
Kate Langley, Solicitor and Manager in the Regulatory and Commercial Disputes team, PwC
Industry bodies in the financial services sector have published guidance which may in part be helpful to tech firms in providing examples of the highest standards of compliance, where applicable. Existing compliance programmes within technology sector, such as those relating to Anti-Bribery and Corruption, Anti-Money Laundering, Cyber Security, Data Protection, Sanctions and Modern Slavery may be leveraged in the process of assessing the risk of tax evasion offences being facilitated by an associated person.
Documented Risk Assessment
As a precursor to ensuring proportionality, completing a risk assessment with specific focus on the CCOs is vital. HMRC guidance requires that business heads ‘sit at the desk’ of their employees, agents and those providing services for or on their behalf and ask whether they have a motive, the opportunity and the means to criminally facilitate tax evasion offences. While companies may feel that existing controls and procedures are adequate for other purposes, without preparation of a facilitation of tax evasion risk assessment document, HMRC have made it clear that the statutory defence will not be available.
Therefore, the CCO risk assessment should be unique to the organisation. It must record and monitor relevant risks and identify where there might be CCO specific gaps in existing control frameworks which can be enhanced (it is not always necessary to develop new standalone policies).
Implementation, Communication and Review
Where gaps are identified during the risk assessment process, prevention procedures implemented to counter these gaps should be proportionate to the type of risk in issue. While excessively burdensome procedures can be avoided, formal policies should be adopted and maintained. This may take the form of updates to contractual clauses and relevant policy documentation; top-level communications; and CCO specific staff communication (e.g. workshops, e-Learns etc.).
It should also be noted that the risk faced under the CCO legislation is not static. Tech companies must develop ongoing corporate governance and ownership over their reasonable prevention procedures. This should include proportionate review and update of risk assessment documentation, reassessment where there is a material change in business activity or jurisdictional exposure and, where necessary, annual training requirements.
Although not from the technology sector, the importance of effective and demonstrable implementation was highlighted in R v Skansen Interiors Limited (April 2018) when a jury considered, for the first time, a UK Bribery Act 2010 (UKBA) ‘adequate procedures’ defence (based on the same six guiding principles as the CCO ‘reasonable procedures’). What might particularly be of relevance to many tech firms is that, as an SME, the defendant company argued that its low-risk local client base meant limited anti-bribery and corruption efforts were sufficient for the purposes of relying on the UKBA statutory defence. The jury rejected this argument, and while it is not possible to ascertain their reasons for doing so, it is notable that the prosecution referred to the statutory UKBA guidance, especially with respect to insufficient training and communication.
As one can see from the increased spending and activity within HMRC’s investigations team, there is a greater regulatory movement against tax evasion. Tech companies need to take reasonable steps to ensure they have reasonable prevention procedures in place.
