The new CCO: how to protect your organisation - KPMG United Kingdom
Share with your friends

The new corporate criminal offence: how to protect your organisation

The new CCO: how to protect your organisation

Find out how to actively protect your organisation from prosecution under this legislation.


Also on


Tax evasion has long been a criminal offence, as has someone helping make that evasion happen. However, the Criminal Finances Act 2017 goes one step further, creating a criminal offence when a company does not stop its representatives from helping the taxpayer evade tax.

The consequences are far reaching. Assume that someone connected with your business is evading tax. Now assume that someone you are responsible for has helped them do it. Once both these things happen, then your company is accountable under criminal law. That means an unlimited fine, significant reputational damage and regulatory interest – all seriously damaging your ability to do business.

If you think this doesn’t apply to your company, think again. Every sector and every business should be concerned with this. Some sectors may be more at risk than others. But all are affected. 

For example, consider any company that makes or sells goods or services. One of your buyers might ask for an invoice that enables them to claim what is clearly a private expense as a business deductible. Or a supplier might want payment to a bank account in a tax haven. If someone in your organisation goes along with either of these scenarios, then the company could be guilty of a criminal offence.

Defensive action

The only way to protect your business is to create a defence: to take reasonable steps to prevent your agents from committing the criminal act. 

How to approach this? The first barrier to cross is a mental one: to understand that this is a business conduct issue, not a tax issue. It’s about setting a standard and telling all your associates that you expect them to keep to that standard and behave in an appropriate way. That’s why the defence project is best led by those who have tackled other financial crime, legal, compliance or business conduct projects.

The first practical step is to conduct a risk assessment. This requires getting the right people and the right commitment, the budget, a project manager and a senior sponsor. It also requires deciding early on what methods to use and how much detail to go into. For example, a big bank will need a number of different risk assessments, while an equity house with a few dozen partners and employees will more likely only need one.

The assessment needs to consider all the inherent risks. Once these are mapped, review controls. Many companies think they can do these two exercises together. But that’s a mistake. You need to ignore your controls and think about what would happen if you didn’t have them. Then think about what controls you have that would stop the egregious behaviour. Are you sure they would stop it? Or would they only stop people who are complying with your controls? 

All this should be done in a proportionate way. This is not about boiling the ocean – it’s about having procedures that are appropriate to the risks involved, not worrying about theoretical small risks. 

To create and maintain a proper defence, senior and middle management need to actively buy in to the principle behind the new rules, setting the right tone and being consistently supportive. Other requirements include carrying out due diligence; communicating and training throughout the organisation; and monitoring and reviewing your procedures regularly. 

Above all, remember it is important this is done properly and is maintained. In any future HMRC investigation, they will not be asking what your defence measures are today; they will be asking about several years ago. That’s why you will need a documented trail of a plan and project which was followed through – and even improved over time.

And if HMRC does come calling, there’s unlikely to be any prior warning. You will suddenly be in the midst of a criminal investigation and will need to account for the steps you took perhaps years before. There will be no chance to remediate.

If that sounds scary, well, it should. But if you mount a proper defence you have nothing to fear. There’s no time to lose: start planning now.


For further information please contact Chris Davidson or Peter Honeywell.

Connect with us


Want to do business with KPMG?


Request for proposal