UK: HMRC brings first prosecution for corporate criminal offence of failure to prevent facilitation of tax evasion

Are your prevention procedures still reasonable in light of this landmark prosecution and the introduction of the new corporate criminal offence of failure to prevent fraud?

Why should I read this?

In a landmark development, HMRC has brought its first prosecution against a UK company, accountancy firm Bennett Verby Limited, for failure to prevent facilitation of UK tax evasion under the Criminal Finances Act 2017 (CFA 2017). CFA 2017 introduced two corporate criminal offences (the CFA 2017 offences) for failure to prevent the facilitation of either UK or overseas tax evasion.

This prosecution is the first under the CFA 2017 offences since the offences were introduced in September 2017. The development is consistent with HMRC’s increasing focus on the CFA 2017 offences – as at 31 December 2024, HMRC had 11 live investigations in relation to the CFA 2017 offences, with a further 28 live opportunities under review – which forms part of the UK government’s continuing efforts to “close the tax gap”.

The new prosecution is a stark reminder of HMRC’s powers under CFA 2017 and it brings into sharp focus the importance of entities having reasonable prevention procedures in place in relation to potential tax evasion facilitation by associated persons, as such procedures constitute a defence to prosecution under the CFA 2017 offences.

The prosecution is timely, given that section 199 of the Economic Crime and Corporate Transparency Act 2023 will introduce, from 1 September 2025, a new corporate criminal offence of failure to prevent fraud (the FTP fraud offence). As with the CFA 2017 offences, it is a defence under the FTP fraud offence if the relevant corporate organisation had reasonable prevention procedures in place at the time the fraud offence was committed.

From a tax perspective, it is notable that a “fraud offence” for the purposes of the FTP fraud offence includes the common law offence of cheating the public revenue, which includes dishonest acts or omissions that are intended to prejudice HMRC.

What should I do?

The maximum penalty on criminal conviction for the CFA 2017 offences and the FTP fraud offence is a potentially unlimited fine. Other possible consequences of the offences include exclusion from participation in public procurement processes, notification obligations, confiscation or serious crime prevention orders, regulatory proceedings, satellite litigation and reputational damage. CFA 2017 compliance is routinely considered as part of HMRC’s Business Risk Review+ process applied to larger taxpayers.

In light of HMRC’s increasing focus on the CFA 2017 offences, and the introduction of the FTP fraud offence, corporate entities should be reviewing their prevention procedures. The primary reason for the introduction of the CFA 2017 offences was to encourage the adoption of reasonable prevention procedures by corporates and therefore, through corporates “self-policing” the actions of their associated persons, reduce occurrences of tax evasion. The same policy reason (i.e. reducing instances of fraud) applies to the FTP fraud offence. This first prosecution under the CFA 2017 indicates that the “failure to prevent” offences are being taken seriously, and that criminal enforcement can take place.

Even those firms that undertook a robust initial risk assessment in response to the introduction of the CFA 2017 offences, and implemented recommended prevention procedures, should be ensuring their procedures are up to date, given that most businesses will have changed (potentially substantially) in the period since the introduction of the CFA 2017 offences and the principles of reasonable prevention procedures require periodic monitoring of those procedures and regular updates to reflect any changes to the business and associated risk.

We regularly assist clients with their CFA 2017 compliance, including by:

advising on how a corporate may fall within the scope of the CFA 2017 offences;
auditing current prevention procedures and recommending proportionate improvements;
undertaking or updating risk assessments; and
assisting with the implementation or updating of reasonable prevention procedures – including the delivery of CFA 2017 training.

Existing CFA 2017 reasonable prevention processes will not extend to the wide range of factual scenarios in which the new FTP fraud offence may be committed. This is because of the wider scope of the fraud and related offences relevant to the new offence and the different business units it is likely to affect within most organisations. However, it may be possible for in scope businesses to incorporate some of the reasonable prevention procedures required in relation to the FTP fraud offence into their existing CFA 2017 procedures (and their prevention procedures in relation to the related corporate criminal offence under the Bribery Act 2010 of failure to prevent bribery), thereby reducing the disruption and cost to the business of addressing the new offence. The starting point for this is to carry out a risk assessment to identify the areas of overlap where there are risks of associated persons committing offences, and where policies and procedures will then need adapting.

HMRC has published guidance setting out procedures that relevant bodies may decide to put in place to seek to prevent associates from committing fraud offences relevant to the FTP fraud offence. The framework implemented by relevant organisations should be informed by the following six principles, which are intended to be flexible and outcome-focussed (and mirror those recommended for the CFA 2017 offences and the failure to prevent bribery offence):

top level commitment;
risk assessment;
proportionate risk-based prevention procedures;
due diligence;
communication (including training); and
monitoring and review.

What else do I need to know about the CFA 2017 offences and the FTP fraud offence?

Despite the similarities between the CFA 2017 offences and the FTP fraud offence (both being “failure to prevent” offences), there are some differences. Notably, the FTP fraud offence applies only to “large organisations”, which broadly means organisations which meet two or more of the following conditions in the financial year immediately preceding the year of the fraud offence: turnover of more than £36 million; balance sheet total of more than £18 million; and more than 250 employees. These criteria apply differently to corporate groups and subsidiaries. In contrast, the CFA 2017 offences contain no such restriction and may be committed by a corporate entity or partnership of any size.

Although these strict size criteria apply to the new FTP fraud offence, it is likely that many smaller organisations that are not within their strict scope will wish to put reasonable procedures in place in any case, due to contractual requirements of counterparties or the possibility of being acquired in the future and then falling within the scope of the offence.

For further information regarding the CFA 2017 offences and the FTP fraud offence, including a discussion of the similarities and differences between the offences, please see our previous briefing: The new corporate offence of failure to prevent fraud vs the corporate criminal offences under the Criminal Finances Act 2017.

Register now for your free, tailored, daily legal newsfeed service.

UK: HMRC brings first prosecution for corporate criminal offence of failure to prevent facilitation of tax evasion

Filed under

Topics

Organisations

Laws

Popular articles from this firm

Better late than never…Welcome clarity from the UK Supreme Court on JCT termination provisions *

Updata: Your quarterly privacy & cybersecurity update *

Global Sustainability & ESG Insights - December 2025 and January 2026 *

Commercially Connected Shorts - 11 February 2026 *

Global payment matters - January 2026 *

Professional development

Related practical resources PRO

Related research hubs

HM Revenue and Customs (UK)

United Kingdom

White Collar Crime

Tax