Eric Brotten (eric.brotten@optum.com) is Director of International Compliance Programs at Optum in Eden Prairie, Minnesota, USA.
We are well into 2018, and many of us are starting to plan for an annual compliance risk assessment. However, if your company does business in the UK, you may have two new potential areas of compliance risk. With your Finance, Accounting, and Tax colleagues, you will need to confirm the establishment of programs to support compliance with the UK’s Criminal Finance Act (CFA) and the Reporting on Payment Practices and Performance Regulations (RPPPRs). Both made their way into the regulatory landscape in April 2017. If you’re lucky, your colleagues will know what you’re talking about and have an adequate program in place. For those of us not so lucky, there are some immediate practical steps that can be taken.
UK CFA compliance
The CFA received Royal Assent on April 27, 2017, and became effective on September 30, 2017. The CFA creates a corporate criminal offence aimed at companies that fail to prevent the facilitation of tax evasion in the UK or any other jurisdiction. In other words, a company is criminally liable for failing to prevent the facilitation of tax evasion committed by associated persons such as employees, vendors, agents, service providers, etc. Consequences of non-compliance include unlimited fines, public record of conviction, criminal prosecution, disclosure, and inability to trade (ineligible for public contracts).
As a corporate offence, the CFA provides a statutory defense if, at the time of the offence, the company had reasonable prevention procedures in place to prevent associated persons from committing the tax evasion facilitation offence. The UK government, through Her Majesty’s Revenue & Customs (HMRC) office, issued guidance in September 2017 stating that prevention measures should follow six principles: proportionality of risk-based prevention procedures, top-level commitment, risk assessment, due diligence, communication (including training), and monitoring and review.
Using HMRC guidance, there are several steps you can take immediately to start down the compliance path if a formal compliance program is absent at your company.
Proportionality of risk-based prevention procedures
What industry is your company in? Where does your company do business outside the UK? Do you have a branch office or an actual incorporated body? Answering these basic questions will help you determine the scope of the compliance program your company will need. For example, a mid-size car parts manufacturer operating in the UK and EU may only have an overall low/medium risk, whereas a global full-service banking, finance, and investment services firm may be an overall high risk. Depending on your situation, some basic new company and/or employee policies may be adequate. Others may choose to update their vendor contracts to include specific compliance statements. At the far end of the spectrum, your company may need software to monitor transactions.
Top-level commitment
Regardless of proportionality, you can immediately work with your communications team and senior management to send a communication or email to all staff indicating the importance of compliance and the steps your company is taking to comply with the CFA. In operation, if you do distribute an email communication, you will want to ensure distribution is for all UK staff (i.e., England, Scotland, Wales, and Northern Ireland).
Risk assessment
You should already have a risk matrix tool to conduct your annual compliance risk assessment. In that sense, here you can simply expand your matrix to include some of the HMRC recommended risk categories as identified in anti-corruption guidance, such as country, sectoral, and transactional. For country risks, you could use any of the readily available country corruption indices in a “high,” “medium,” “low” fashion. A similar approach could be used for sectoral and transactional risks, thereby creating a matrix like the one in table 1.
Country risk (scale of 1-3) | Sectoral risk (scale of 1-3) | Transactional risk (scale of 1-3) | Impact (scale of 1-3) | CFA risk rating (((Country + Sectoral + Transactional)/3) x Impact) |
---|---|---|---|---|
1 | 2 | 1 | 1 | 1.333333333 |
Due diligence
Here you need to recognize that the different moving parts of your company may require more or fewer compliance procedures and oversight depending on the identified risk; those differences should be documented, and the actions taken against them explained. For example, if you have a partner in the Cayman Islands that supplies accounting software, you may request a higher level of background checks on the supplier’s staff than on your internal payroll administration staff.
Communication (including training)
In addition to the aforementioned email from senior management to staff, you may find your company is suited to make an external declaration of steps taken by publishing a transparency statement or incorporating a compliance statement into existing tax transparency statements and published policies. Additionally, although future years may warrant a formal staff training module, we are already one year into compliance, and numerous white papers are readily available from various law firms and consultancies with high-level concepts that can act as a foundation for creating a basic staff training module. Training should be targeted based on your company’s risk level, but a good starting point is identifying and training staff in Finance, Accounting, Tax, Payroll, Invoicing/Payments, and advisory (legal, financial, life, etc.) roles.
Monitoring and review
Again assuming your company already conducts an annual compliance risk assessment, the CFA simply becomes another category to include in that risk assessment. You may even include the CFA as a specific risk assessment interview question: “Do you know of any new motives, opportunities, or means by which the company or company employees have or could facilitate tax evasion?” And, as you would with other topics, CFA program compliance artifacts, policies, and procedures should be reviewed at some ongoing interval to confirm alignment and relevancy to current business practices.
Lastly, when in doubt, many companies also hire consultancies to assess compliance gaps and recommend adequate implementation measures.