More and More Compliance

Like many professional practices we have spent much of the last few months dealing with various new compliance challenges. Our view is that we are compliant in the various regimes but thought it best to share with you what we have done and what we are still to do.
Part of the work under GDPR (not the sole challenge) is to ensure that suppliers and, where necessary, third parties are GDPR compliant. If they are not, we have tough decisions to make. Sadly, only one body has failed to confirm that it is GDPR compliant – read down to find out who it is.

Reasonable care – HMRC won’t answer the phone

A report indicates that HMRC failed to answer 4,000,000 calls from taxpayers. Their record for call handling has been very poor for years and continues to be so. It is also worrying that HMRC still seems prone to provide incomplete or incorrect answers to some callers. Ironically, HMRC would not put up with such poor compliance from taxpayers, which we think is a bad show – the benchmark should be the same for both HMRC and taxpayers. Indeed, given HMRC’s role in reasonable care, arguably it should be significantly higher.
Please remember that one of the ways to show that you have taken reasonable care is to take advice from HMRC on the call line – yes, the same one that they don’t answer for 4,000,000 callers and the one where the courts have decided that HMRC has no liability if they get the answer wrong.
If you do call HMRC and are lucky enough to get through, please ask for the CCELL reference for the call – this makes the call record easier to track down if HMRC disputes any advice was given at a later date (or indeed, what the advice was). Ask HMRC for a copy of their file note – some will give it whilst others refuse. In any event: –

  1. Write down what you are going to ask them beforehand, along with any supplementary questions; and
  2. Write down their replies; and
  3. Write down any names that you are given by HMRC (it is usually first names only, which they would not accept from a taxpayer); and
  4. Stay on the line until you are satisfied you have all the information you need and have read the technical notes back to HMRC for their agreement; and
  5. Keep your record, dated and timed, somewhere safe – and somewhere you can find it in four years’ time!

Remember, taking advice from an adviser that you believe knows what he or she is doing also counts as “reasonable care”. As for Artificial Intelligence, there are no guidelines on using that for tax queries so for the time being I suggest it is avoided. Please remember that the pensions and CEST routines on HMRC’s website have been found to be at best unreliable.

EU VAT Modernisation – the vassal state option

An EU project has been ongoing to modernise VAT. Remarkably the UK has remained involved despite Brexit. Indeed, HMRC is claimed to be a driver to help stamp out fraud costing an estimated £56bn a year across the EU.
And even more remarkably, HMRC tells us that the modernised VAT system will be implemented across EU member states, and the UK whether it is in or out of the EU, from 1 January 2021. Yes, be clear, the UK’s intention is to take its lead on VAT from the EU irrespective of what our politicians are telling us. That would also indicate that the European Court of Justice would remain the highest court for VAT following Brexit. I bet you didn’t read that in the Daily Mail!
My personal view is that this is just common sense. The EU will, hopefully, remain our largest trading partner and having a parallel VAT system is far more sensible than divergent VAT systems. It is just a pity the UK won’t be able to directly influence the development of VAT once we leave the EU – this seems to commit us to VAT rules agreed by the EU27 (the dreaded “vassal state” option).

GDPR – New engagement letters

Yes, I’m sick of it and it has cost us a fortune in time as well as cash costs, just like you.
We are GDPR compliant. We have amended our client management system to include a record to prove that we are compliant.
However, because the standard draft professional engagement letters were updated and published by the accounting and tax bodies just a few weeks ago, we will be reissuing all of our engagement letters. I know that this will be as much of an annoyance for you as it is for us, but our hands are tied.
We will also amend our rates effective from 1 July 2018. This will involve dropping some fee bands which are rarely used, and also involve our first increase in some hourly rates since 2006. No, that is not a typo. Our costs have increased by over 25% since then and we can hold our rates no longer. I’m afraid the latest set of compliance costs was the straw that broke the camel’s back.


We are compliant and will be ready to go on 1 April 2019.
We are Xero partners and will use the package for all of our VAT clients, both UK and overseas. We chose this route for a number of reasons, but the key one was that we know MTD will follow for personal tax and corporate tax, so we will also be ready for those changes (no double dip of compliance costs in this respect for us!).

Trust and Service Company Providers (“TCSP”)

Through the Chartered Institute of Taxation, we have been registered for the TCSP legislation. We have also amended our accounting software so that we can maintain, and provide when we receive an enquiry, a list of our clients for whom we provide these services.
However, given the loose wording of the measure, we have made enquiries of the CIOT as to whether TCSP clients include: –

  • clients where we act as UK VAT Agent. We think this is likely to be the case
  • clients where we act as tax representative. We think that this is likely to be the case
  • clients where we are a 64-8 agent with HMRC – we do not believe that this will be the case as the principal address for the client will be the client’s address
  • clients where we are the representative within the Tribunal. We think not as, despite Tribunal correspondence being addressed to us.

We have also enquired whether someone undertaking such roles, but who is not UK based, can be registered under TCSP in the UK. At present it seems not, almost certainly because they cannot pass the “fit and proper” test within the legislation, based on what has been published so far. If we are correct in this, it would seem to prevent, for example, agents in other countries, including other EU member states, from taking any of these roles.
We suggest you check with your service provider what they are doing in this respect.

DBS checks on owners and senior staff

As a body supervised for money laundering purposes (in our case by the Chartered Institute of Taxation), we are now required to carry out standard DBS checks on all owners and senior staff.
For once we have no quibbles as we have already carried out enhanced DBS checks on ALL staff in accordance with our vulnerable customers policy.

Anti-Money Laundering (“AML”) Record Keeping

We have adopted a new software package to carry out our AML identification checks. We have checked that it is GDPR compliant. The new package includes a record keeping element, but we have also amended our new practice management software to provide a record. The intention for the future is to maintain the records solely within the client management software (which we have checked is GDPR compliant).

Personal and Corporation Tax Software

We have adopted new personal tax software which can be used via the cloud. We have confirmed that it is GDPR compliant.
We understand that along with our new accounting software, we will be MTD compliant for personal and corporation tax.

Windows 10 via Office 365

We now operate on this Windows package across all machines used within the company. We are assured that it is GDPR compliant and is secure.
However, we are looking to implement further security measures in the coming months. Because we cannot share passwords under GDPR (a nonsense in my view), I can assure you that your data will be secure when we use this software and strictly any files created should be saved on our practice management software (we are slowly migrating from Dropbox which is in itself GDPR compliant). However, forgotten passwords look like they may be an issue given that they are now required to be changed regularly!


We have tried on several occasions, both directly and through our professional body, to establish whether HMRC is GDPR compliant. We have not received a reply.
Given that they have difficulty in updating addresses across their various records, we have had to take the view that HMRC is neither exempt from GDPR nor compliant.
This does create issues for professional advisers, in particular in responding, say, to HMRC information notices. You must respond within a fixed time frame or the taxpayer gets a penalty. We recommend that advisers seek agreement from their clients to respond to HMRC whether or not HMRC is GDPR compliant. It is possible that advisers are covered in any event (there is a test they can follow on the ICO website which will help determine this).
However, we do not recommend that this is left to chance as I’m afraid that this is one of those damned if you do and damned if you don’t situations.

A second professional body seeking to extend its remit

We are supervised by the Chartered Institute of Taxation. However, a second professional body has sought to extend its remit to our activities, which demands the right to see client records. At present we are trying to resist this approach as we believe that it could represent unauthorised access to personal data, contrary to GDPR.
However, the approach is forceful, and we are seeking the advice of the ICO before making a decision. Just to be clear, we refuse to be bullied by a professional body, much as we refuse to be bullied by HMRC. If it is right to provide the information to that body, then we will do so. But not until we are satisfied that the privacy of our clients has been protected.
In the meantime, we have been advised to include the possibility of that second body having access to client records in our new engagement letters.
Naturally, if we are to provide such access our own compliance costs will increase.

Newsletter sign up

We have had an above average sign up to the GDPR compliant opt-in newsletter. Thank you if you have signed up.
However, if you do not receive the newsletter by email (we do not publish all newsletters on our LinkedIn and Facebook pages) please sign up (it is on the right-hand side of all of our pages). You will also find our privacy policy published on the website. It is quite simple, as it has been for many years now – we only use the information to send out the newsletter – no other marketing.

Steve Botham