Tax evasion facilitation - financial crime compliance risk

What do compliance departments need to be doing about the two new offences of failing to prevent the facilitation of tax evasion?

23 October 2017


Summary

The Criminal Finances Act 2017 (the Act) received Royal Assent on 27 April 2017. Part 3 of the Act introduced two new corporate offences in respect of the facilitation of the evasion of UK and foreign taxes, which came into force on 30 September 2017. The offences make a company criminally liable where it fails to prevent those providing services for it or on its behalf (such as employees, agents, intermediaries and vendors, referred to as associated persons) from facilitating the evasion of taxes while providing services for the company.

The extra-territorial powers granted to the UK authorities to investigate and prosecute corporates for the evasion of non-UK taxes have been contentious. However, what has received less attention is the sheer scale of the compliance challenge companies have faced, given the operational and global scope of the offences. In a short space of time, they have had to risk assess their global businesses and develop an implementation plan to manage the risks.

Many compliance professionals (particularly those working within financial crime compliance) will have had (or will still have) a role completing risk assessments to document the company’s exposure to the new offences, and also to develop plans for the "rapid" implementation of enhanced controls to address those residual risks identified. However, in many ways, this represents the less challenging part of the process. Often the devil is in the detail of implementing complex regulatory change, especially where pre-existing controls and practices in complex and global organisations require enhancement.

This article addresses some of the key compliance issues and challenges facing companies when seeking to protect themselves from the risks posed by these new offences.

The failure to prevent the facilitation of tax evasion offences 

To establish that either the UK or the foreign offence has been committed, the UK authorities must prove to the criminal standard that:

  • a person (a company or an entity) dishonestly evaded tax (wherever the taxes were due), and
  • a person associated with the company facilitated, knowingly assisted or turned a blind eye to the evasion of taxes.

The offences are strict liability and do not require the prosecution to prove that the company had any criminal intent.

The foreign offence, which will be prosecuted by the Serious Fraud Office, includes a "dual criminality" test, which means that to be liable, the alleged criminal conduct must constitute an existing offence in the jurisdiction in which the taxes are alleged to have been evaded and would be considered an equivalent dishonest tax evasion facilitation offence were the conduct to have occurred in the UK.

For both of the offences, a company will have a defence where it can prove that it put in place such procedures as were reasonable in all the circumstances to prevent its associated persons facilitating tax evasion. HMRC has published guidance designed to help companies understand the “types of processes and procedures” that could be put in place to mitigate the risk of the facilitation of tax evasion (the HMRC Guidance). In some cases, industry bodies have also produced (or are in the process of finalising) relevant sector-specific guidance.

Ownership

One of the first issues companies faced when addressing how they would prepare for the legislation was the question of "ownership", i.e. who would lead the risk assessment and ultimately "own" and have responsibility for the risk posed by associated persons facilitating tax evasion. The offences do not fit conveniently within many companies’ existing compliance and front line functions. Typically, companies have formed multi-disciplinary teams to lead on the risk assessment, including financial crime compliance, legal, tax and representatives of the business. However, following the completion of the risk assessment, a difficulty that arises is who in senior management (and underneath them) will have front line ownership and be accountable for implementing the enhanced controls required. It will also be necessary to ensure that those controls and the risk assessment are kept updated.

It is also imperative that there is a governance process for whistleblowing, escalating suspicious activity and self-reporting where a company believes it has failed to prevent the facilitation of tax evasion. In order to encourage the disclosure of wrongdoing, the HMRC Guidance says that, “timely self-reporting will be viewed as an indicator that a relevant body has reasonable procedures in place.” On 29 September 2017, HMRC published further guidance specifically on self-reporting for corporates.

The initial implementation period

The offences entered into law on 27 April 2017.  However, it was not until July 2017 that it was confirmed that the offences would come into force on 30 September 2017 (deliberately timed to coincide with the day that foreign governments, signatories to the Common Reporting Standard, were obliged to share with HMRC the details of bank account holders who appear to be UK residents). The speed at which the offences have come into force has given companies a tight timeframe to complete risk assessments.

HMRC has provided limited guidance as to what procedures it expected companies to initially put in place as of 30 September 2017. Companies have been told:

  • "Reasonable" procedures will evolve (and become more onerous) over time and should be kept under review.
  • The Government expects to see a "rapid" implementation of procedures, focusing on a company’s major risks and priorities, "with a clear timeframe and implementation plan on entry into force." However, it accepts that some procedures (including training and new IT systems) will take time to roll out.

Taken together, this was interpreted to mean that by 30 September 2017, a company seeking to avail itself of the "reasonable procedures" defence should have completed an initial risk assessment and developed a plan for "rapid" implementation of enhanced controls (including staff training) to mitigate the residual risks identified.

Risk assessment

At present, companies will be in different positions in terms of the completion of their risk assessments. Some financial institutions (for instance, those with legacy issues regarding the facilitation of tax evasion or with higher risk private wealth and trust lines of business) are likely to be at a more advanced stage. Other companies, considered to be at lower risk of facilitating the evasion of taxes (such as hedge funds or building societies), may still be carrying out (or have yet to carry out) a risk assessment.

For those companies that have yet to complete a risk assessment, the process to obtain information on the company’s inherent risks can be carried out in different ways, for instance through workshops with relevant staff or a desktop survey/questionnaire for people with relevant knowledge. However, it is essential that a company clearly documents and articulates the tax evasion facilitation risks it is exposed to through a risk assessment process. The process should identify:

  • the inherent risks created by the company’s global operations both by its customers and by its associated persons who have the opportunity and motive to facilitate tax evasion
  • the financial crime/fraud controls presently in place which directly (or indirectly) control the inherent risk and which may prevent the facilitation of tax evasion, and
  • the residual remaining risk on which enhanced controls should focus as part of the implementation of reasonable procedures.

As part of this process, staff carrying out the risk assessment should put themselves in the shoes of the company’s employees to understand how bad actors could facilitate the evasion of taxes.

Implementation plan

The implementation plan will address the residual risks identified by the risk assessment and be used to enhance (or create) reasonable prevention procedures aligned to the six principles set out in the HMRC Guidance. How "rapidly" the plan can be implemented will depend on the organisation and HMRC has acknowledged that some procedures will take longer to roll out (see above). Companies are advised to document the steps to be taken (and any delays), assigning deadlines and owners responsible for implementing action steps.

We set out below the six principles with some high-level observations on the type of enhancements that may need to be made to existing controls, policies and procedures to ensure that they are "reasonable" to prevent the facilitation of tax evasion:

1.  The risk assessment

  • The findings from risk assessments should be subject to internal challenge, since some parts of the business may not agree with how they have been rated or may have been unable, in the time provided up to 30 September 2017, to adequately respond to the risk assessment.
  • Some of the higher risk divisions within the company may need a "deeper-dive" to reach a fuller understanding of the residual risks.
  • Allocation of "ownership" to a relevant person with responsibility to update (or delegate) the risk assessment on a regular basis.

2.  Proportionality of risk-based prevention procedures

  • The controls will depend on the scale and nature of the business and the sector it operates in. All risk-based decisions on controls should be adequately documented.
  • The key issue for most companies will be to identify existing financial crime policies and controls that can be leveraged and enhanced to meet the risks of tax evasion facilitation.  

3.  Top-level commitment

  • HMRC has put an onus on management to engender a culture in which people within the business know that the facilitation of tax evasion is unacceptable and will have consequences both for the individuals and the company.
  • HMRC accepts that how this will be communicated will depend on the organisation, but it is likely to involve an email communication stating zero tolerance of assisting tax evasion and setting out escalation channels and sanctions.
  • It is not only senior management who are accountable for setting the right tone. The financial services industry guidance has noted the importance of a ‘tone from the middle’, communicated from managers to staff so that they understand how products and services could be used to evade tax and that policies are followed. HMRC itself says: “Communication should be from all levels within an organisation.”

4.  Due diligence

  • Leverage existing risk-based due diligence assessments to risk rate clients and associated persons.
  • Adopt enhanced due diligence as appropriate for higher risk clients and associated persons (such as those providing tax advisory services or selling products for tax planning). These enhancements may include standard contractual terms, Know Your Client checks, media screening, audit rights and tax compliance attestations.
  • Consider enhanced due diligence for employees depending on their role. For instance, customer relationship managers in wealth or corporate tax divisions will be subject to more stringent due diligence, such as criminal background checks, than cashiers in retail divisions.

5.  Communication (including training)

  • Tailor training, adopting a risk-based approach, both for employees and certain associated persons (or obtain comfort that they have been trained externally) to ensure that they are aware of, and can identify, tax evasion facilitation risks.
  • Employees in higher-risk parts of the company, or identified as providing higher risk services, should be subject to enhanced training including face-to-face training (in addition to desktop modules).
  • Ensure that an anti-facilitation culture driven by senior management is communicated through relevant corporate documents and policy statements.

6.  Monitoring and review of prevention procedures

  • Once controls are embedded, consider what monitoring and testing can be run to ensure controls are working appropriately.
  • Develop suitable monitoring and testing, utilising technology, to identify customer/third party risk (through, for instance, adverse media coverage) and suspicious transactions or payments that may be indicative of tax evasion facilitation risks.
  • Develop appropriate reports for escalation of suspicions of misconduct to appropriate compliance teams or management with oversight of the risk, so that timely self-reporting can be considered.

Conclusion

Companies will already have an array of financial crime controls in place which may directly or indirectly mitigate the risk of staff (or other associated persons) facilitating tax evasion. Through the risk assessment process, companies should have a good understanding of the risks and the existing controls which mitigate them, which can be leveraged and enhanced. They should also have gained an understanding of areas in which controls are deficient and need to be created to deal with specific risks.

A significant challenge posed by these offences, given their jurisdictional and operational scope, is developing a governance process to ensure that the company’s procedures have appropriate ownership across the company and, further, that the procedures can adapt as the risks posed by these offences become better known over time and as what constitutes ‘reasonable’ procedures is interpreted by HMRC and through jurisprudence in UK courts.
