Corporate Criminal Offenses: Reasonable Prevention Procedures One Year On

Published On June 10, 2019

The Corporate Criminal Offences (CCO) legislation for failing to prevent the facilitation of tax evasion has been in force since 30 September 2017. As a consequence of these measures, responsible organisations will need to be able to demonstrate that they have proportionate and reasonable procedures in place, in accordance with HMRC’s six guiding principles, where their business activities could bring them into contact with those who could be evading tax or facilitating the evasion of tax. Examples of what this looks like in practice include:

  • Conducting and documenting a CCO risk assessment;
  • Communication from senior management raising awareness with staff and other associated persons;
  • Training for staff in higher risk positions;
  • Remediation of identified control gaps (including updates to policies and procedures); and
  • Establishing an assurance programme to monitor the effectiveness of key controls.

These actions will help mitigate facilitation of tax evasion risks and enable organisations to rely on the statutory defence of ‘reasonable prevention procedures’ if required. The legal, financial and reputational consequences of a prosecution for an organisation which does not have reasonable procedures in place to prevent the facilitation of tax evasion are likely to be significant.


HMRC’s approach to tax governance has evolved in recent years with the introduction of the Senior Accounting Officer (SAO) regime; Tax strategy publication; Country by Country reporting as well as the introduction of the Corporate Criminal Offences for failing to prevent the facilitation of tax evasion, which took effect on 30 September 2017 via the Criminal Finances Act 2017 (CFA). Additionally, following consultation that concluded in 2018, HMRC is now running a pilot of their enhanced Business Risk Review (BRR) process for large businesses with a greater focus on tax governance and risk management. BRR will enable HMRC to target resources more effectively towards those it deems to be higher risk.

This article focuses on examples of what organisations have been doing to demonstrate implementation of reasonable prevention procedures, includes analysis from tax experts regarding the ongoing review of the UK tax compliance framework and discusses HMRC’s CCO ‘self-reporting’ mechanism.

The Criminal Finances Act 2017

As the CFA has now been in force for over a year, HMRC’s expectations of affected businesses continue to grow. Coupled with increased scrutiny of businesses’ tax affairs more generally, tax compliance and tax governance are currently high up on the corporate agenda.

Under the CFA, there are two predicate offences. Firstly, a tax evasion offence is required before corporate liability can be triggered. Relevant bodies (typically, but not limited to, companies and partnerships) (organisations) can be liable under CCO with respect to both UK and overseas tax (where there is a demonstrable UK connection) if an ‘associated person’ (defined broadly as employees and third parties providing services for or on behalf of the organisation) criminally facilitates the tax evasion offence (the second predicate offence).

Many organisations may feel that they do not need to take any action in response to the CCO requirements, because they are responsible and compliant. However, the issue here is the fact that this is a strict liability offence which arises as a consequence of the actions of those who are associated with the organisation and those they interact with when acting on behalf of the organisation. Organisations essentially have a responsibility to take steps to prevent such acts taking place.

The ‘Reasonable Prevention Procedures’ defence

The statutory defence of ‘reasonable prevention procedures’ is available to organisations which have in place – at the relevant time – proportionate and risk-based prevention procedures. Given CCO is wide reaching and has extra-territorial scope, organisations have had cause to carefully consider HMRC’s CCO guidance to ensure they can rely on this defence where needed.  HMRC requires organisations to show that they have taken measures to mitigate the risk in line with its six guiding principles, which are:

  1. a documented risk assessment;
  2. implementation of proportionate procedures;
  3. evidence of top-level commitment;
  4. due diligence;
  5. communication and training; and
  6. ongoing monitoring and review.

In addition to significant reputational damage, penalties which can be imposed following a conviction under CCO include unlimited fines, which are highly likely to be punitive and based on the egregiousness of the facilitation, as well as ancillary orders (such as for confiscation and prohibition from tendering for public contracts). These penalties are separate from how the predicate tax evasion and facilitation offences may be dealt with (e.g. a personal fine or term of imprisonment where appropriate).


In circumstances where it may not be possible for organisations to identify every risk and therefore capture all instances of facilitation, in terms of what would be considered “reasonable” for the purposes of the statutory defence under CCO more generally, HMRC has previously suggested that organisations should think about what a reasonable person (i.e. on a jury) would think should have been done by way of preventative steps.

Unlike HMRC or the SFO, a jury is highly unlikely to contain financial crime or tax specialists or have any prior knowledge of this legislation. Therefore, organisations should consider how they would convey to a juror that the steps taken by way of prevention procedures are reasonable in the circumstances.

What are organisations doing?

Organisations are continuing to respond to the introduction of CCO and whilst some are still in the initial stages of conducting their Risk Assessment, others have advanced to the implementation stage, rolling out enhanced controls and sustainable measures which form part of the organisation’s wider risk control framework. Below are some practical examples of what organisations have been doing in response to each of HMRC’s six guiding principles:

Risk assessment

A first step in assessing CCO risk exposure is to conduct an impact assessment with key stakeholders across the organisation. A meeting with business unit heads along with leaders of key internal functions such as Tax, Legal, Finance, HR and Compliance is an effective way to raise awareness of CCO and devise an appropriate action plan.  Typically, such a workshop should include an assessment of the key potential risk areas, categories of associated persons and resources available.

An impact assessment workshop enables organisations to carry out a documented risk assessment exercise, as required by HMRC, which should be proportionate to the business in accordance with its size, industry and complexity.  Each potential risk should be assessed in terms of likelihood and potential impact on the business. This should be combined with an analysis of existing control frameworks to identify what can be leveraged to mitigate CCO risk.

The outcome of this process will be a documented risk assessment, which should seek to inform the business as to what remedial action is required to establish its ‘reasonable prevention procedures’ defence. It is important to recognise that a risk assessment is not a “one off” exercise but something that should be reviewed periodically to tackle potential new risks (as demonstrated in R v Skansen [2018], a recent UK Bribery Act prosecution).


Implementation of relevant preventative procedures is key to successfully relying on the ‘reasonable prevention procedures’ defence. It is not enough to simply complete a risk assessment without a reasonable, measurable and proportionate plan to address the gaps in the control framework. Implementation can be very challenging, especially where there is difficulty establishing ownership and accountability of the risk areas across the business. Organisations should seek to leverage their existing control frameworks for managing other economic crime risks, such as fraud, bribery, sanctions, money laundering and also Tax risk (e.g. SAO framework). For a number of businesses, some of the identified tax evasion risks will be mitigated by these pre-existing control frameworks. It is important, however, to formalise the control framework for CCO as proof of reasonable procedures. Once this exercise has been completed, a timetable of practical steps should be agreed so that the organisation can phase in recommendations made in the risk assessment.

Top level commitment

Attendance of the General Counsel, the Head of Tax and the CFO at the impact assessment workshop is quite normal to demonstrate senior stakeholder “buy in”.  Thereafter, it is important to identify a senior individual (or a committee) within the organisation who remains responsible and accountable for CCO; this is often a role assumed by an organisation’s Compliance Function.

Due diligence

To comply with HMRC’s guidance, organisations should be able to evidence that they have undertaken appropriate due diligence of those persons who might fall into the definition of ‘associated persons’ under the CFA. A risk-based approach is recommended such that higher risk associated persons are subject to higher levels of scrutiny. For example, routine onboarding procedures may include Know Your Customer (KYC) checks and contracts with standard terms and conditions, whilst those organisations perceived to be higher risk may be subject to more rigorous checks, asked to provide written confirmation of compliance with the CFA and require advanced internal approvals.

Communication and training

To show that reasonable prevention procedures have been effectively communicated across the organisation and relevant individuals have been sufficiently trained, an internal and external communication (e.g. a blanket mailshot) with more detailed training for staff in high risk roles may be appropriate. Compliance training through classroom style workshops or via e-learn is popular with organisations.

Monitoring and control

As with all effective risk management frameworks, CCO is an evolving standard. Organisations must monitor the effectiveness of their preventative procedures and respond to both external and internal developments accordingly. For example, we are seeing Internal Audit or independent reviews from inside or outside the organisation being carried out to monitor the effectiveness of key controls.

Compliance frameworks: a tax perspective

Whilst HMRC advocate the need for businesses to proactively undertake ongoing monitoring and review as part of meeting obligations under legislation such as CCO, the impetus to do this applies to other tax governance areas too.  For example, the SAO regime will reach its ten-year anniversary this year and in the past few years has seen a steady increase in scrutiny over the main duty obligation including the first challenge to a penalty to be considered by the First Tier Tribunal in 2017 with Thathiah v HMRC. HMRC’s “SAO: What good looks like?” guidance issued in 2016 highlights the importance placed on implementing, maintaining and monitoring a risk-based testing programme and being able to evidence what has been done.

An approach of reactive testing once a deficiency has materialised only allows organisations to focus on proven failures, and does not help the organisation to prevent risks from materialising in the first instance. There has also been considerable growth in activity as testing is recognised as an integral part of a risk management framework.  Consequently, this has become an area where the market has embraced support from internal audit and compliance functions, often supplemented by external advisors where specific expertise is required.

HMRC Business Risk Reviews (BRR)

HMRC is currently running an enhanced BRR Pilot following earlier consultation with the intention that it will be rolled out to customers during 2019/20. The level of risk assigned will be determined with reference to three core areas: (i) Systems and Delivery, (ii) Governance, and (iii) Approach to Tax Compliance. Having a control framework (including documented tax risk registers, tax policies and procedures) with evidence of regular testing will all be indicators of low risk. A lower risk rating will bring benefits such as fewer interventions, a higher degree of certainty in terms of tax position meaning fewer audits, and quicker responses to clearance applications.

As a year has now passed since the implementation of the CCO rules, HMRC have highlighted that failure by the company to provide evidence that it has considered and responded to CCO requirements will be regarded as an indicator of “High Risk”.

Andy Olymbios, leader of PwC’s London regional tax reporting strategy practice says: “As the compliance and governance requirements increase for Groups, it is imperative for Groups to formalise and be able to prove that controls and processes exist and are being tested for design and operating effectiveness. This enables Groups to minimise unexpected errors but also manage penalties and reputation”.


HMRC has set up a CCO self-reporting website, calling upon representatives from organisations to proactively self-report facilitation of tax evasion.  It is suggested that as part of ongoing validation, monitoring and review “timely self-reporting will be viewed as an indicator that a relevant body has reasonable procedures in place”.  

Prompt self-reporting does not preclude an organisation from prosecution but could be taken into account when making decisions about prosecution and/or applicable penalties. HMRC may take the view that Deferred Prosecution Agreements (DPAs) may only be available to organisations who proactively self-report instances of wrongdoing.

However, there is no requirement to self-report in this way and any corporate may wish to seek legal advice prior to making any self-report. In many cases it may be more appropriate for organisations to first raise any issues with their HMRC Customer Compliance Manager or through other means rather than via a “postbox” email address.

In addition, firms operating in the regulated sector may have separate obligations including under the Proceeds of Crime Act 2002 to submit a Suspicious Activity Report (SAR).  In such circumstances the SAR must be submitted to the National Crime Agency prior to self-reporting to HMRC.

This brings about a great need for organisations to ensure that their “reasonable prevention procedures” are clearly documented, up to date and accessible so that in the event facilitation of tax evasion is identified they can submit an accurate and timely self-report to HMRC. In addition, prior to any self-report, the organisation should ensure that they seek legal advice as to the form and content of any report to the authorities.


CCO forms part of the government’s wider emphasis on tax transparency and increased focus on organisations self-governing on tax matters. The regime is designed to create an environment which makes it difficult for tax evasion to take place by targeting the controls and safeguards within a business to ensure that it is less and less likely that employees and relevant third parties can exploit weaknesses within an organisation’s tax and wider risk management control framework.

Whilst CCO has only been in force for 18 months, the legal, financial and reputational consequences for organisations not having reasonable prevention procedures in place pursuant to the CFA have been such that CCO has quickly become a key part of the financial crime prevention suite.

Following HMRC’s six guiding principles as discussed in this article will help mitigate facilitation of tax evasion risks and enable organisations to rely on the statutory defence of ‘reasonable prevention procedures’ if required.