What Is a Corporate Criminal Offence (CCO) Policy?

A Corporate Criminal Offence (CCO) policy sets out how your organisation prevents the facilitation of tax evasion under the Criminal Finances Act 2017. This guide explains what one is, why it matters, and how to create one with practical examples.

· Neil Cameron · Compliance · 8 min read

Key Takeaways

  • A Corporate Criminal Offence (CCO) policy sets out how your organisation prevents the facilitation of tax evasion, as required by the Criminal Finances Act 2017.
  • Your company can be held criminally liable if an associated person facilitates tax evasion, even if senior management had no knowledge of it. The only defence is proving you had “reasonable prevention procedures” in place.
  • The Act applies to all UK businesses regardless of size. There is no exemption for startups, though HMRC expects your response to be proportionate to your risk.
  • A well-structured CCO policy covers commitment, scope, risk assessment, prevention procedures (aligned to HMRC’s six principles), reporting, and consequences.
  • Beyond the legal risk, a documented CCO policy increasingly shows up in due diligence and security questionnaires, so it doubles as a commercial asset.

What is a Corporate Criminal Offence (CCO) Policy?

A Corporate Criminal Offence (CCO) policy is a formal document that sets out how your organisation prevents the facilitation of tax evasion. It exists because of the Criminal Finances Act 2017, which introduced two corporate criminal offences in the UK: one covering the facilitation of UK tax evasion, and another covering the facilitation of foreign tax evasion.

Here is the critical part: under this legislation, your company can be held criminally liable if a person acting on its behalf facilitates tax evasion, even if senior management had no knowledge of it. The only defence available is proving that you had “reasonable prevention procedures” in place. A CCO policy is the foundation of those procedures.

In plain terms, a CCO policy is your organisation’s written commitment to preventing anyone associated with your business (employees, contractors, agents, partners) from helping someone else evade tax. It outlines the controls, responsibilities, and processes you have in place to make sure that does not happen.

Why does a CCO policy matter?

If your company does not have a CCO policy and someone associated with your business facilitates tax evasion, your organisation faces criminal prosecution. There is no “we didn’t know” defence. The only defence is demonstrating that you had reasonable procedures in place to prevent it.

This is not a theoretical risk. HMRC has been clear that it expects organisations of all sizes to assess their risk and put proportionate measures in place. The penalties for a conviction include unlimited fines, and the reputational damage can be significant.

Beyond the legal risk, a CCO policy increasingly comes up during due diligence. If you are selling to enterprise customers or going through security and compliance reviews, expect questions about your approach to preventing the facilitation of tax evasion. It is one of those policies that rarely gets attention until someone asks for it, and then you need it immediately.

What does a CCO policy typically include?

A well-structured CCO policy covers several key areas:

1. Statement of commitment

A clear declaration from senior leadership that the organisation has zero tolerance for the facilitation of tax evasion. This sets the tone from the top and signals that compliance is taken seriously at every level.

2. Scope

The policy should define who it applies to. This goes beyond employees. It covers contractors, agents, intermediaries, suppliers, and any other “associated person” as defined under the Criminal Finances Act 2017.

3. Risk assessment

A description of how your organisation identifies and evaluates its exposure to the risk of facilitating tax evasion. This should be proportionate to the size and nature of your business. A 20-person SaaS company has a different risk profile than a multinational with hundreds of third-party agents.

4. Prevention procedures

The specific controls you have in place. These typically align with the six guiding principles published by HMRC:

  • Risk assessment: Identifying where the risks lie
  • Proportionality of procedures: Matching your controls to the level of risk
  • Top-level commitment: Senior leadership engagement and accountability
  • Due diligence: Vetting associated persons for tax evasion risk
  • Communication and training: Making sure people know what is expected of them
  • Monitoring and review: Regularly checking that your procedures work and updating them when needed

5. Reporting and whistleblowing

A clear process for anyone to report concerns about potential tax evasion facilitation without fear of retaliation. This should specify who to report to, how reports are handled, and what protections exist for whistleblowers.

6. Consequences

What happens if someone breaches the policy. This typically includes disciplinary action up to and including termination, as well as a note that criminal conduct will be reported to the relevant authorities.

Examples of tax evasion facilitation

To make this concrete, here are some scenarios a CCO policy is designed to prevent:

Example 1: A contractor helping a client hide income. An accounting firm’s contractor knowingly helps a client structure payments to avoid declaring taxable income. The firm had no knowledge of this, but because the contractor is an “associated person,” the firm is liable unless it can show reasonable prevention procedures were in place.

Example 2: An employee turning a blind eye. A sales team member at a software company suspects that a reseller partner is under-reporting revenue to reduce their tax liability. The employee does not report the concern because the partnership is commercially valuable. If the reseller is indeed evading tax and the employee’s inaction amounts to facilitation, the software company could face prosecution.

Example 3: A payment intermediary operating offshore. A company uses a third-party payment agent in another jurisdiction. That agent structures payments in a way that helps the end client evade foreign taxes. Under the second CCO offence (facilitation of foreign tax evasion), the UK company can be held criminally liable.

In each of these cases, the company’s defence rests entirely on whether it had reasonable procedures (including a CCO policy) in place and was actively enforcing them.

Who needs a CCO policy?

Technically, the Criminal Finances Act 2017 applies to all businesses operating in the UK, regardless of size. There is no exemption for startups or small companies.

In practice, HMRC expects your response to be proportionate. A seed-stage startup with five employees and no third-party agents has a lower risk profile than a large professional services firm. But “lower risk” does not mean “no risk,” and having a documented policy, even a straightforward one, is far better than having nothing.

If you are going through SOC 2 preparation, responding to security questionnaires from enterprise buyers, or building out your compliance documentation for the first time, adding a CCO policy to your set is a smart move. It is one of those documents that takes a few hours to create but can save you from a serious legal exposure.

How to create a CCO policy

You do not need to hire a law firm to produce a CCO policy, though legal review is always a good idea for the final version. Here is a practical approach:

  1. Conduct a risk assessment. Map out who your associated persons are (employees, contractors, agents, resellers) and where the risk of tax evasion facilitation could arise.
  2. Draft the policy. Cover the key sections outlined above: commitment, scope, risk assessment, prevention procedures, reporting, and consequences.
  3. Align with HMRC’s six principles. Make sure your prevention procedures address each of the six guiding principles. This is what HMRC will look at if your procedures are ever tested.
  4. Communicate it. A policy sitting in a Google Drive folder that nobody has read offers no protection. Make sure your team knows the policy exists, understands their responsibilities, and knows how to report concerns.
  5. Review it regularly. Your risk profile changes as your business grows. Review the policy at least annually, and update it when you add new partners, enter new markets, or change your business model.

CCO policies in security questionnaires

If you regularly respond to security questionnaires or vendor assessments, you will likely encounter questions about your approach to preventing financial crime, including tax evasion facilitation. Having a documented CCO policy gives you a clear, referenceable answer.

This is where your compliance documentation works together. Your CCO policy sits alongside your anti-bribery policy, your code of conduct, and your broader compliance framework. When a prospective customer asks “what procedures do you have in place to prevent financial crime,” you can point to specific documents, specific controls, and specific training rather than giving a vague answer. It is the same reason small teams can handle security questionnaires without a dedicated compliance department: when your policies are structured and accessible, the answers are already written.

This is one of the reasons we built ResponseHub. When your policies and records live in one place, AI can draft accurate, cited answers to security questionnaires in minutes rather than days, and keeping a well-organised security questionnaire knowledge base means your CCO policy is ready the moment a buyer asks about it.

The bottom line

A CCO policy is not optional window dressing. It is a legal requirement in substance, if not in name: the Criminal Finances Act 2017 requires reasonable prevention procedures, and a documented policy is the clearest way to demonstrate you have them.

For growing SaaS companies, it is also a commercial asset. It shows enterprise buyers that you take compliance seriously, it gives your team clear guidance on what is expected, and it protects your organisation from criminal liability that could arise from the actions of a single associated person.

Get it written, get it communicated, and get it reviewed regularly. It is one of those policies where the cost of not having it far exceeds the effort of putting it in place.
