Financial Institutions and the Failure to Prevent Facilitation of Tax Evasion Offences: Key Implementation Steps
The new offences of "failure to prevent the facilitation of tax evasion" under the Criminal Finances Act 2017 (CFA) take effect on 30 September 2017. In readiness, HMRC has published its finalised Guidance on "reasonable prevention procedures." The new offences pose particular challenges for the financial services sector. Although firms will not be expected to have completed all aspects of implementation by 30 September, firms must move quickly to complete initial steps including risk assessments and implementation plans. In this Briefing we consider key implementation actions, and which of these should be prioritised.
Scope of Liability and Relevance to Financial Institutions
We addressed the scope of the new offences in our separate Client Briefing (click here). To recap, the new offences will make relevant organisations criminally liable if they fail to prevent the facilitation of tax evasion by their employees and other "associated persons" (Associates). While the CFA does not impose a mandatory requirement for policies and procedures, putting these in place is recommended on the basis that doing so will provide a defence. The extent of the procedures that are appropriate will vary widely depending on firms' risk profiles. Many financial institutions – firms which provide simple products such as consumer loans, general insurance and other non-investment products – may face comparatively low risks since their products may be less attractive to clients seeking to evade taxes. There is greater potential exposure for firms such as wealth and asset managers, as well as investment banks and other firms who manufacture bespoke investment or other financial products.
Liability for Associates in a Financial Services Context
An important issue is the liability for Associates' conduct. Sales of financial products are often intermediated by distributors, advisers or brokers. Firms who interface directly with investors or end-clients – such as financial advisers or wealth managers – face potential liability where, for example, customer-facing staff become aware that clients are seeking to use particular investment structures or vehicles in order to evade tax but nevertheless provide the service or product to the client. For firms who manufacture products and sell them through a chain of intermediaries, knowing involvement by the intermediary in tax evasion by the underlying client or investor could result in liability for the product manufacturer. However, this will depend on the nature of the intermediary relationship. In many distribution chains, there may be sufficiently arms-length relationships between independent product providers and distributors which mean that one party is unlikely to be an "Associate" of the other. However, the position may be different for agency models or where the relationship involves a degree of control.
As explained in our earlier Client Briefing (click here), the CFA has extra-territorial effect. Organisations based outside the UK may choose to implement procedures where their business models expose them to material UK risk (for example, where they deal with UK taxpayers), potentially badging any programme under a broader global tax compliance banner. UK firms' procedures should address the risk of overseas tax evasion where relevant.
Key Immediate Priority Steps
The Government has made clear that organisations' procedures may become more sophisticated over time, and there is a recognition that some procedures (such as training programmes and new IT systems) will take time to roll-out. Whilst this pragmatic approach provides some comfort, there are various minimum steps that should be prioritised, in particular:
- demonstrating a clear commitment to compliance by setting measures in train, including an implementation plan;
- securing top-level commitment and initial communication plan; and
- commencing a Risk Assessment.
Given that the CFA does not impose a mandatory requirement for policies to be put in place, the fact that such steps are not taken by 30 September will not in itself give rise to any criminal liability. However, firms are likely to want to have taken these steps prior to 30 September as a defensive measure. The FCA is also likely to expect that firms it regulates address these matters, and firms will remain subject to existing counter-financial crime obligations under the FCA Rules. We expand below on these immediate priorities and other implementation measures for financial institutions, in light of HMRC's Guidance.
The Government's Six Principles – Implementation by Financial Institutions
HMRC's Guidance follows six general principles. Financial services is, unsurprisingly, flagged by HMRC as a higher risk sector. 1. Risk Assessment Assessing the firm's tax-specific risks should be an immediate priority. Any risk assessment should cover off areas such as:
- product/service risk (i.e., the risk inherent in the type of product or service or the specifics of any investment structures offered, the way in which investor returns are calculated or paid and the tax implications);
- client risk (i.e., risks posed by the type of client, its investment objectives and the rationale for the client's purchase of the product or service);
- jurisdictional risks – considering where the client is located and any jurisdictions used for (i) the domicile of investment vehicles, or (ii) the holding of assets or cash including via third party custodians; and
- Associate risks – firms will want to develop a picture as to which intermediaries, consultants, product manufacturers or other third parties may constitute Associates. Firms should form a view based on the nature of the legal relationship between the firm and the relevant third party. The Guidance refers to an employee, agent or other person who performs services for or on behalf of the firm. Firms will also want to consider the practical risk of the relevant Associate engaging in conduct that could facilitate tax evasion.
Assessing risks is, of course, a feature of day-to-day life in a financial institution. Firms should be able to draw on their usual methodology for assessing other types of risks for their tax-specific risk assessment, and may want to consider the FCA's Financial Crime Guide, AML related guidance such as the Joint European Supervisory Authorities (ESAs) guidelines and the UK JMLSG Guidance. 2. Proportionality of Risk-Based Prevention Procedures A set of procedures should be designed and practical implementation steps proposed based on the outcome of the risk assessment. The Guidance makes clear that there is no need to put in place "excessively burdensome procedures" to eliminate all risk, but something "more than mere lip-service" is called for. When assessing the proportionality of any procedure the Guidance suggests firms take into account the "opportunity" available to facilitate tax evasion, what "motives" such as reward or recognition may be present, and the "means" - i.e., how easy would it be? Firms should consider the following:
- Policies: whether a specific tax policy is to be developed, or whether to combine this with AML or other counter-financial crime procedures. For higher risk firms, it may be appropriate to have a specific policy document.
- Integration with existing controls. Any new procedures will need to fit alongside or within other processes/controls that firms have in place. For example, wealth managers may wish to build tax-related questions into client on-boarding documentation that is already used to comply with suitability requirements under the FCA's Conduct of Business Rules. More generally firms will want to consider alignment with AML procedures.
- Guides for Front Office staff: Specific guidelines might be developed for client-facing staff on the questions that should be put to customers to assess tax compliance or specific "red flags" that should trigger internal escalation.
- Customer Agreements: From a legal perspective (as well as a compliance perspective) firms would also advised to check the language of customer agreements to consider whether existing representations and warranties are adequate or whether new tax compliance language should be implemented.
- Reporting: what processes should be in place to escalate suspicions that tax evasion is being committed or facilitated. Given that tax evasion is a predicate offence for the purposes of the Proceeds of Crime Act 2002, it would be logical to integrate this with other SAR reporting procedures. A suspicion of tax evasion may trigger a requirement to report to the National Crime Agency.
- Transaction specific mitigation measures. Firms should consider to what extent they will obtain, and place reliance on, third party tax opinions on transactions and ensure that any such requirements are built in to policies and transaction approval processes, to the extent that this is not already the case.
- Project Plan: Any procedural design should be accompanied by an implementation plan which sets out clear steps against a timeline for roll-out.
3. Top Level Commitment
HMRC has been clear that this is an area of priority from a timing perspective ahead of the 30 September deadline. The FCA's expectations on senior management as to financial crime risk are also relevant. Firms should address the following:
- Leadership Awareness: Ensure that senior management are fully briefed on the new offences, and what the firm's plans are for compliance, ahead of 30 September.
- Senior Management Responsibility: Firms should consider assigning responsibility for implementation and ongoing compliance to an individual at senior level.
- Internal communications: Depending on their readiness more generally, firms should consider preparing a communication from the company's leadership / senior management to be sent out to all or higher risk staff prior to 30 September. However, if procedures / policies remain under development it may be more effective to do this at a later date.
4. Due Diligence
Subject to the overall risk, due diligence procedures should be applied to Associates or other third parties who have been identified as relevant during the Risk Assessment. Firms may consider:
- Use of Existing Procedures: Firms are likely to have existing due diligence procedures, which cover reputational and financial issues. These procedures might not require significant adaptation – but firms should consider them through a tax-specific lens.
- Specific Assurance: Firms may want to enquire as to what their Associates are doing to comply with the CFA. Firms could ask for a summary of the procedures that have been put in place and any specific risk assessment that is relevant to business done with or through the firm.
- Agreements with Intermediaries: firms may want to build contractual provisions into agreements with intermediaries or other third parties particularly where they are higher risk. Provisions may include additional representations and warranties as well as reporting, audit or other rights to enable ongoing monitoring to be done.
5. Communication and Training
Firms should ensure that there is appropriate communication and training internally and externally where this is justified by the risks. In addition to any internal communications, we would expect this to involve:
- External communications: consider whether any external communication is appropriate – for example, whether any communication to intermediaries or other Associates is needed either prior to or after the 30 September date, depending on the state of readiness of underlying procedures.
- Training: identify higher risk employees and calibrate training content appropriately. Whilst the law does not require the firms' staff to become tax experts, front office staff dealing with products that are wrapped for tax purposes should be expected to have a working knowledge of relevant tax regimes, and staff dealing with customers from foreign jurisdictions might be trained on local tax regimes as relevant. In many higher risk firms, such knowledge and awareness may well be held already. Beyond this, a basic level of training as to the CFA offences and the risks posed by non-compliance might be built in to broader compliance training given as part of staff induction and periodically.
- Associates: Depending on the nature of any Associates' own internal compliance programmes, firms may decide to offer or require training by Associates
6. Monitoring and Review
Firms will want to consider what ongoing measures will be put in place to monitor compliance and review the effectiveness of due diligence and other procedures. Whilst monitoring itself may be for the future, firms should consider building appropriate monitoring rights into contractual documentation with customers or Associates to enable future monitoring, as well as mechanisms for reporting of potential breaches. Financial institutions' broader compliance monitoring programmes and internal audit functions can be expanded as necessary to address tax matters specifically.