Skip to main content

Revisiting the Corporate Criminal Offences legislation

Gary Gardner and Andy Briggs review the Corporate Criminal Offences legislation and the resulting compliance risks and unlimited fines that many businesses are unknowingly exposing themselves to.

The Criminal Finances Act 2017 introduced new Corporate Criminal Offences (CCO) for the failure to prevent the facilitation of tax evasion. This legislation introduced a legal obligation from 30 September 2017 for businesses to have Reasonable Prevention Procedures (RPPs) in place to prevent its associated persons from facilitating tax evasion.

However, while many large groups have engaged in regular dialogue with HM Revenue & Customs (HMRC) in this area, and are fully compliant, an Ipsos MORI report dated December 2018 suggested that at that point, only 25% of companies were aware of the Criminal Finances Act 2017, with this figure increasing for large businesses (those with more than 250 employees)[1]. With unlimited fines for failure to comply with the legislation, many businesses (particularly smaller taxpayers) are likely to be unknowingly exposing themselves to significant risks in this area.

A group’s approach to the CCO legislation will be a key area of focus in any due diligence reviews as well as being one of the indicators of HMRC’s Business Risk Review + approach.


Only 25% of companies were aware of the Criminal Finances Act 2017, according to Ipsos MORI

Overview of the legislation

The rules introduced by the Criminal Finances Act 2017 apply to all companies and partnerships and apply to both domestic and foreign tax evasion across all taxes and duties. There are three stages that apply to the offences, all of which must occur for an offence to arise:

  • Stage one: an incidence of criminal tax evasion by a taxpayer (either an individual or a legal entity) under existing law.
  • Stage two: the criminal facilitation of the tax evasion by an associated person of the company or Partnership (someone who performs services for or on behalf of the company or Partnership) acting in that capacity. This must be a deliberate and dishonest action by the individual.
  • Stage three: The company or Partnership failed to prevent the facilitation of tax evasion by not putting in place reasonable procedures to prevent the act of tax evasion.

While the rules apply to both UK domestic and foreign tax evasion, the foreign offence is narrower in scope, as it requires the foreign company or Partnership concerned to have some form of UK presence.

HMRC activity

HMRC have actively enforced the CCO, and as of 27 May 2021, had 14 live investigations, and another 14 live cases under review. They have also rejected another 40 cases after review. The investigations and potential cases cover 10 different business sectors, and a range of business sizes.

It is important to note that the offences are based on strict liability. Therefore, a taxpayer can commit an offence under the legislation even if it had no knowledge of the associated person’s facilitation activities or the underlying tax evasion Once an offence is committed the company’s sole or only defence is to be able to demonstrate that it had reasonable and proportionate prevention procedures in place, despite the failure to prevent the facilitation.

If a company fails to prevent the facilitation of tax evasion by an associated person, it will have committed an offence. If it cannot demonstrate that it had reasonable and proportionate procedures in place it will be convicted and will face the following sanctions:

  • Unlimited fines
  • Ancillary orders against the company
  • Confiscation orders/serious crime prevention orders
  • Loss of licences/opportunity to bid for public contracts
  • Reputational damage.

While there have been no convictions to date under the CCO legislation, the above statistics indicate that the CCO is high on HMRC’s agenda, and as such should be taken seriously by taxpayers. Tackling tax evasion is a key priority of the UK Government, and with the strict liability and unlimited fines, the CCO represents a powerful tool in HMRC’s armoury for enforcement.

Next steps

With HMRC heavily focused on enforcement of the CCO, it is advisable for companies to take action to ensure compliance with the legislation. Most businesses can expect HMRC to ask if a risk assessment has been undertaken and documented and what prevention procedures have been put in place and documented.

It should be noted that for the UK offence, HMRC will investigate and work with the Crown Prosecution Service (CPS) to secure a conviction. For the foreign offence the Serious Fraud Office (SFO) will investigate with a view to securing a conviction.

It is important to note that an investigation by either HMRC or the SFO is a criminal investigation and not a civil tax enquiry and consequently is much more intrusive and can involve dawn raids and court orders for information to be provided at very short notice

HMRC’s procedure involves selecting staff to interview regarding CCO. The questions asked are likely to include what awareness the staff member has of CCO, their awareness of the company’s policies, risk assessment and preventative procedures in response to the CCO legislation, and also to see if staff members understand the characteristics of tax evasion.

With HMRC heavily focused on enforcement of the CCO, it is advisable for companies to take action to ensure compliance with the legislation.

The Government guidance on CCO[2] identifies six guiding principles to inform the actions necessary to take to ensure compliance:

  1. Risk assessment – the company or Partnership should assess the nature and extent of its exposure to the risk of an offence. This should be documented and kept under review.
  2. Proportionality of risk-based prevention procedures – the level of procedures required to mitigate the risks identified will depend on the nature of the risks, as well as their complexity and size. The procedures should not be overly burdensome for the organisation, but the rules do require reasonable action to be taken.
  3. Top level commitment – the top-level management should demonstrate their commitment to compliance with the legislation and should build a culture of commitment within the organisation.
  4. Due diligence – all parties who perform services for or on behalf of the organisation should be subject to appropriate due diligence processes to mitigate risk.
  5. Communication (including training) – the policies and procedures put in place should be communicated throughout the organisation, with training used to educate staff (and other associated persons) of the requirements.
  6. Monitoring and review – the organisation should monitor and review the policies and procedures periodically to identify necessary changes.

As a first step, taxpayers should familiarise themselves with the CCO rules, and undertake a firm-wide risk assessment, which will inform the organisation of the risks of criminal facilitation occurring. Following the risk assessment, any additional procedures identified should be implemented, and all staff provided with training.

How we can help

As tax advisors, we have experienced team members who can help clients understand the CCO rules and the obligations that these give them. We can also assist in developing and implementing a plan of action to address this, such as:

  • advising on how to approach and undertake a risk assessment
  • preparing or reviewing policies and communications
  • training of staff
  • reviewing the effectiveness of internal controls
  • reviewing existing CCO responses and recommendations for improvement
  • Providing ongoing support, including subsequent risk assessments

If you would like to learn more or discuss how this could potentially impact your business, please contact a member of our team whose details are listed on this page.

[1] Evaluation of corporate behaviour change in response to the corporate criminal offences (December 2018)


Check the impact of the Spring Budget Statement with our Tax Calculator Visit our Spring Budget Hub