FRC and regulatory intervention
Although (for now) the FRC and the RPBs cannot create civil liabilities for accountancy and audit firms (unlike the FCA, which can impose remediation and redress schemes on the firms it regulates), regulatory intervention is time consuming and costly to deal with, and carries a significant adverse reputational impact.
For the largest firms auditing or working for public interest entities, the FRC is the biggest regulatory threat. The introduction of its Audit Enforcement Procedure has arguably lowered the threshold for investigation from "misconduct" (behaviour that falls significantly short of expected standards) to a "breach of relevant requirements" (which arguably brings any breach of standards within its remit). The FRC also now has enhanced investigation powers: it can compel any person to provide it with information, and it can carry out on-site inspections of a firm's audit work on just two days' notice.
Add to this the FRC's ongoing sanctions review and its apparently growing appetite for larger fines, and the regulatory risk for accountants grows in impact, even if it remains a low-frequency risk.
Tax avoidance legislation
Whilst by no means restricted to accountants, this year has seen the corporate offences in the Criminal Finances Act 2017 come into force on 30 September 2017. The Act introduces a new corporate criminal offence of failing to prevent the criminal facilitation of tax evasion. The aim of the offence is to require firms to put in place reasonable procedures to prevent persons providing services on their behalf from dishonestly or deliberately facilitating tax evasion.
The offence is one of strict liability, but a firm has a complete defence if it had reasonable prevention procedures in place, or if it can show that it was not reasonable to expect it to have such procedures. It seems unlikely that an accountancy firm will be able to show that it was not reasonable to have prevention procedures in place. It will therefore be essential to give proper consideration to identifying and implementing reasonable prevention procedures, with reference to HMRC's six guiding principles in its guidance and the Chartered Institute of Taxation's introductory note.
In addition to this new criminal offence, the Finance (No. 2) Act 2017 is likely soon to give HMRC the power to impose penalties on any "enabler" of abusive tax arrangements that are defeated in court or at the tribunal. Penalties will no longer be limited to the taxpayer but may also be imposed on anyone responsible for designing, marketing or otherwise facilitating entry into the abusive arrangement. Accountants involved in clients entering such arrangements are very likely to be caught as enablers, and so face HMRC penalties.
Over the last few years, solicitors' firms have found themselves targets of "Friday afternoon fraud". As they have improved their risk management processes, fraudsters have increasingly turned to accountants, especially those handling payroll or bookkeeping for their clients.
These frauds are often perpetrated by compromising the email account of a client or supplier and sending the professional what appears to be a legitimate instruction (say, to change the bank details used for payroll, or to make a payment to a client's supplier). Because the instruction comes from the genuine account, it cannot be identified as fraudulent from the email alone. The risk to the professional is that they could be liable for allowing the fraud to occur if proper procedures are not in place, such as confirming any change of payment details by telephone, using a number already held on file rather than one quoted in the instruction, before the change is acted upon.
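The out-of-band check described above, as an added example that is not part of the original article and is not RPC's own code: a minimal maker/checker workflow in which a bank-detail change received by email is held until a second member of staff confirms it by telephone, and the confirmation only counts if it was made to the contact number already on file (never to a number supplied in the instruction). The payee, staff names and telephone numbers are constructed sample data.

```python
"""Out-of-band verification of payment-detail changes (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _digits(number: str) -> str:
    """Normalise a telephone number so '020 7946 0001' and '02079460001' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


@dataclass
class PayeeRecord:
    name: str
    sort_code: str
    account: str
    # Captured at onboarding from an independent source; never updated from an email.
    phone_on_file: str


@dataclass
class ChangeRequest:
    payee: str
    new_sort_code: str
    new_account: str
    sender: str                    # mailbox the instruction arrived from (may be compromised)
    number_in_email: Optional[str]  # any "call me on ..." number quoted in the instruction
    logged_by: str                 # staff member who logged the request (the maker)
    verified_by: Optional[str] = None  # staff member who confirmed it (the checker)


class PaymentDetailsLedger:
    """Holds bank-detail changes until a second person confirms them by callback."""

    def __init__(self, payees: List[PayeeRecord]) -> None:
        self.payees: Dict[str, PayeeRecord] = {p.name: p for p in payees}
        self.pending: Dict[str, ChangeRequest] = {}
        self.audit: List[Tuple[str, ...]] = []  # simple audit trail of every decision

    def request_change(self, req: ChangeRequest) -> None:
        """Record the instruction but apply nothing: an email alone never changes details."""
        if req.payee not in self.payees:
            raise KeyError(f"unknown payee: {req.payee}")
        self.pending[req.payee] = req
        self.audit.append(("held", req.payee, req.sender, req.logged_by))

    def verify_by_callback(self, payee: str, checker: str, number_dialled: str) -> Tuple[bool, str]:
        """Accept the confirmation only from a different person, on the number on file."""
        req = self.pending.get(payee)
        if req is None:
            return False, "no pending change"
        if checker == req.logged_by:
            return False, "checker must differ from the person who logged the request"
        if _digits(number_dialled) != _digits(self.payees[payee].phone_on_file):
            # A number quoted in the fraudulent email leads straight back to the fraudster.
            if req.number_in_email and _digits(number_dialled) == _digits(req.number_in_email):
                why = "number came from the instruction itself"
            else:
                why = "number not on file"
            self.audit.append(("verification_rejected", payee, checker, why))
            return False, why
        req.verified_by = checker
        self.audit.append(("verified", payee, checker, number_dialled))
        return True, "confirmed with number on file"

    def apply_change(self, payee: str) -> bool:
        """Apply the new details only once a callback verification is recorded."""
        req = self.pending.get(payee)
        if req is None or req.verified_by is None:
            self.audit.append(("apply_refused", payee))
            return False
        rec = self.payees[payee]
        rec.sort_code, rec.account = req.new_sort_code, req.new_account
        del self.pending[payee]
        self.audit.append(("applied", payee, req.logged_by, req.verified_by))
        return True


def demo() -> PaymentDetailsLedger:
    """Walk through a suspicious 'please update our bank details' instruction."""
    ledger = PaymentDetailsLedger([
        PayeeRecord("Acme Supplies Ltd", "40-00-00", "12345678", "020 7946 0001"),
    ])
    # Constructed instruction from the (genuine but compromised) supplier mailbox.
    ledger.request_change(ChangeRequest(
        payee="Acme Supplies Ltd", new_sort_code="60-00-00", new_account="87654321",
        sender="accounts@acme-supplies.example", number_in_email="07700 900123",
        logged_by="alice",
    ))
    ledger.apply_change("Acme Supplies Ltd")                             # refused: unverified
    ledger.verify_by_callback("Acme Supplies Ltd", "bob", "07700 900123")  # refused: number from email
    ledger.verify_by_callback("Acme Supplies Ltd", "bob", "020 7946 0001")  # accepted
    ledger.apply_change("Acme Supplies Ltd")                             # applied
    return ledger


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The important design point is where the telephone number comes from: the ledger compares the number dialled against the record captured at onboarding, so a fraudster who controls the mailbox cannot redirect the callback to themselves by quoting a "new" number in the instruction. Requiring the checker to be a different person from whoever logged the request closes the other common gap, a single busy staff member "verifying" their own entry on a Friday afternoon.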
Separately, internal cyber security remains an extremely high priority for most accountancy firms. The recent hack of Deloitte's IT system demonstrates that even the most sophisticated firms remain at risk of cyber-attack. For firms holding highly sensitive financial information on behalf of their clients, the potential consequences can be very serious indeed.
Related to cyber security, the General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The GDPR imposes significant new obligations on firms to develop clear policies and procedures to protect personal data. It also sets more stringent requirements for responding to data breaches, including compulsory notification to the Information Commissioner's Office within 72 hours of the firm becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. What is more, breaches of the GDPR can attract fines of up to the higher of EUR 20 million or 4% of a firm's annual worldwide turnover.
There are many steps organisations need to take to ensure compliance and to protect their data, brand and reputation. These range from reviewing privacy notices and policies regularly, and reviewing the systems used to record consent so that there is an effective audit trail, to embedding privacy into any new process or product before it is deployed. Ensuring compliance with the GDPR will therefore be at the top of many firms' risk management priorities in the coming months.
Robert Morris is a solicitor and partner at professional services firm RPC and a member of RPC's Professional and Financial Risks Group. He specialises in dealing with claims against and regulatory matters involving accountants, auditors and other financial professionals.