

‘TIS THE SEASON FOR CREDIT CARD DATA THEFT


Author: Lucas Zaichkowsky, Enterprise Defense Architect, Resolution1 Security

Synopsis: Financial criminals dance with glee as the shopping season approaches. If your organization accepts a high volume of credit cards during the shopping madness, or is a payment gateway, you would be taking a huge risk by not being on high alert for an attack in progress. This article explains how targeted attacks unfold, how to detect them while they are still in progress, and how to respond before major damage occurs.

With Christmas around the corner, the shopping frenzy will begin as consumers find good deals and retailers increase their sales revenues, but they’re not the only ones that benefit from the shopping craze. Financial criminals are well aware that this is the best time of the year to steal credit cards and maximize their own earnings. Now is the most critical time for retailers and online businesses to be vigilant. I’ll explain how and why advanced targeted attacks work.


Although news stories on large scale data breaches often focus on malware and how the attackers got in, what goes on behind the scenes is much more elaborate. There’s much that can be learned by studying the full attack lifecycle to identify an intrusion in progress and put a stop to it. Although there are well-established phases of an attack in the data forensics and incident response world, I’m going to focus on a simplified version with three: initial infiltration, lateral movement, and data exfiltration.

Initial infiltration is the point of entry where an attacker gains unauthorized access to your network. Most legacy security investments attempt to prevent any and all systems from being compromised. Although this may have worked 15 years ago when self-replicating viruses and worms were all the rage, those days are gone. Time has proven that preventative defenses amount to barriers with limitations. Additionally, organizations can only secure what’s under their administrative control which makes things tough in an age of BYOD, remote workers, contractors, third party service providers, and connections to trusted partners. Initial infiltration can be anything from a backdoor delivered by spear phishing to a web application exploit to compromised user credentials.

Lateral movement is what an attacker does once they’ve accomplished initial infiltration. If security today is failing miserably, this is the stage where it’s happening. Attackers perform reconnaissance inside the network. They steal passwords for users, administrators, and service accounts. They create their own accounts. They access the network using VPN or another normal mode of access to blend in. They plant various backdoors on dozens or hundreds of systems to ensure persistent access. They snake their way to the data they’re after. Even in the most secure environments using two-factor authentication and tightly limited access, attackers will find overlooked paths, systems they can pivot from, and even modify network device configurations if they have to.

Meanwhile, companies secure and monitor the servers housing sensitive data. They tend to forget that regular workstations and non-critical servers are a paradise for hackers to work from while avoiding detection. The data attackers are after is reachable by means other than compromising specific servers: data always flows to and from those servers, and every flow has an access mechanism. Advanced attackers excel at uncovering and exploiting access to those data flows. Sometimes they plant specialized software for RAM scraping, network sniffing, and keystroke recording. Other times, they modify production code to make copies of the data as it passes through. Sometimes they can simply connect to a server using stolen credentials and send the right commands to retrieve data.

Data exfiltration is what the attacker does to transport data from the point it’s being stolen from to a location outside the corporate environment. They’ll often move stolen data inside the network to a seemingly random system used as a staging ground, then upload it from there to a server on the internet. This goes undetected by obfuscating or encrypting the data, then blending in with normal web traffic. If the attacker made it this far unnoticed, there’s a good chance they’ll continue to steal data unnoticed until you either get lucky and self-discover the compromise or until they start selling the stolen card data on the black market. Statistically, you’ve got about a 1 in 3 chance of self-discovering at best.

How to detect targeted attacks in progress and respond before major damage occurs

Kill chain, intelligence, and analytics are officially in fashion, hot on the heels of Advanced Persistent Threats (APTs). Bonus points if they’re in the cloud with the Internet of Things. Here’s how organizations can proactively hunt for attacks on their networks.

Kill chain analysis and attacking the kill chain are a part of intelligence-driven defense, popularized by the smart people at Lockheed Martin. The kill chain is based on the core premise that attacks follow a lifecycle or sequence of progressive steps committed by the threat actor during an intrusion. By cataloging and studying the tactics, techniques, and procedures of threat actors, you can effectively prioritize preventative defenses and detect an attack in progress. After all, attackers are human and predictable. They’ll reuse hacking tools and repeat what’s worked for them in the past. Even personal habits such as naming conventions tend to get repeated.

In the case of targeted financial crimes, initial entry is usually accomplished by exploiting a web application or compromising the credentials of a vendor that has access into your environment. Knowing that, you can focus system hardening and access control on those two points of entry, and add monitoring that watches for suspicious activity coming from those sources should they become compromised.

Timely information on recent threats, cybercrime syndicates and industry resources provides up-to-date intelligence on APTs and the actors behind them. Open source intelligence resources list hacking tools commonly encountered during the lifecycle of an attack, such as specific families of RATs and credential stealers. Poison Ivy, Gh0st RAT, Windows Credential Editor and pwdump are just a few tools still commonly used. Samples of other tools, such as RAM scrapers, are available from places like KernelMode.info and Contagio. Once gathered, incident responders can analyze all these nasty binaries in a lab environment to identify key observable traits: what they look like in memory, network traffic patterns, endpoint changes, and logged activity.

Next, take the data and transform it into indicators of compromise, documented using standards like CybOX, YARA, or OpenIOC. Monitor as many endpoints as possible, network traffic, logfiles, and application data for matches against your indicators.

Follow the kill chain model by gathering intelligence on the attackers’ methodology, such as targeting domain controllers and servers where many users authenticate in order to harvest credentials en masse. Attackers like to use scheduled tasks to execute commands against remote systems. They use well known staging directories like the Windows help folder and the root of Recycler. As you better understand the attacker methodology, you can perform the same steps in your lab environment, document indicators, then monitor everywhere possible.

During the process, you may identify places to harden your system and network configurations to slow an attacker down and frustrate them. You can set up tripwires to detect attempted hacking activity that aligns with their methodology. One good trick is to have emails sent to administrators whenever their admin accounts are used. Route those notices somewhere the account itself cannot read or delete them, otherwise an attacker holding the credentials can simply suppress the warning.
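The tripwires described in the last few paragraphs, as an added example that is not code from the article or from Resolution1: a small scanner that runs simplified Windows Security events through three checks the text names, scheduled tasks used to run commands against remote systems (event 4698), writes into the Windows help folder or the root of Recycler (event 4663), and any logon by a privileged account (event 4624). The event field names, the ADMIN_ACCOUNTS set and the SAMPLE_EVENTS are assumptions constructed for illustration; a real deployment would feed it from a log collector and route the admin-logon alert to mail.

```python
"""Kill-chain tripwires over Windows Security events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Staging locations named in the article: the Windows help folder, and files
# dropped directly in the root of Recycler (normal recycle-bin content lives
# one level down in a per-user SID folder). Both local-drive and admin-share
# (\\host\C$) spellings are matched, since attackers often write via the share.
STAGING_DIRS = [
    re.compile(r"^(?:[a-z]:|\\\\[^\\]+\\[a-z]\$)\\windows\\help\\", re.I),
    re.compile(r"^(?:[a-z]:|\\\\[^\\]+\\[a-z]\$)\\recycler\\[^\\]+$", re.I),
]

# Assumed list of privileged accounts; in practice derive it from group membership.
ADMIN_ACCOUNTS = {r"CORP\da-jsmith", r"CORP\svc-backup"}

# A task that runs "cmd /c ..." or whose program sits on a UNC path is the
# article's "scheduled tasks to execute commands against remote systems".
REMOTE_EXEC = re.compile(r"^\\\\|\bcmd(?:\.exe)?\s+/c\b", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_event(ev: dict) -> list[Alert]:
    """Return the alerts a single event raises (possibly none)."""
    eid = ev["event_id"]
    if eid == 4698:  # scheduled task created
        cmd = ev.get("task_command", "")
        if REMOTE_EXEC.search(cmd):
            return [Alert("remote_scheduled_task", ev["host"], cmd)]
    elif eid == 4663:  # file system object accessed
        path = ev.get("object_name", "")
        if any(p.search(path) for p in STAGING_DIRS):
            return [Alert("staging_dir_write", ev["host"], path)]
    elif eid == 4624:  # successful logon
        acct = f"{ev.get('domain', '')}\\{ev.get('account', '')}"
        if acct in ADMIN_ACCOUNTS:
            return [Alert("admin_account_logon", ev["host"],
                          f"{acct} from {ev.get('src_ip', '?')}")]
    return []


def scan(events: list[dict]) -> list[Alert]:
    """Run every event through the tripwires, preserving log order."""
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events (not real log data; field names are assumed).
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "WS-0142", "domain": "CORP", "account": "svc-backup",
     "task_command": r"cmd.exe /c \\FS-01\C$\Windows\Help\svchost.exe"},
    {"event_id": 4663, "host": "FS-01", "object_name": r"C:\Windows\Help\out.zip"},
    # Ordinary recycle-bin content sits under a SID folder and must not alert.
    {"event_id": 4663, "host": "FS-01", "object_name": r"C:\RECYCLER\S-1-5-21-1\Dc3.txt"},
    {"event_id": 4663, "host": "FS-01", "object_name": r"C:\RECYCLER\data.rar"},
    {"event_id": 4624, "host": "DC-01", "domain": "CORP", "account": "da-jsmith",
     "src_ip": "10.20.3.55"},
    {"event_id": 4624, "host": "WS-0099", "domain": "CORP", "account": "jdoe",
     "src_ip": "10.20.3.12"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule:24} {alert.host:8} {alert.detail}")
```

The admin-logon rule fires on every use of the account, which is the point: the administrator receiving the notice is the one who knows whether it was them. The two file-path rules are deliberately narrow (a specific folder, or a file directly in the Recycler root) so that normal activity in those trees does not drown the signal.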

Authoring indicators and putting them to good use may seem like a lot of work, but it puts you in a position where you’re able to detect a real world attack while it’s still in progress. This provides the ability to contain, scope, and remediate before major damage is done.

Analytics, on the other hand, means mining datasets, pivoting, and correlating to identify patterns and outliers. By searching for outliers (frequency analysis, in other words), you can find unknowns that might not belong. Creative thinking is very important for performing analytics. Marketing teams have been doing it for years to study consumers. Security practitioners need to do the same, but in their own context.

One of the most effective ways to identify compromise is to perform analytics with the goal of identifying persistence mechanisms (backdoors). Pull back autoruns from every system and sort by frequency of occurrence from least to most, then focus on the uncommon entries in your environment. In fact, if you’ve got limited time to look for compromise, I’d recommend doing this before developing and chasing down indicators of compromise. There will be a lot of noise the first time, but it’s worth the energy. You’ll create a baseline useful for making autoruns frequency analysis a less painful regular activity, effectively focusing only on what’s changed since the prior search.

If you don’t have an enterprise tool to do autoruns frequency analysis, you can still squeak by with a hack job involving Sysinternals Autoruns, Trend Micro HijackThis, or Mandiant Redline. Execute those tools remotely against systems, piping the results out to text files, then merge and mine them with the help of a decent programmer or DBA. Be careful to protect the privileged account you use to connect to systems remotely: an attacker who captures it on a compromised workstation gains exactly the fleet-wide access you are hunting for.
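The merge-and-mine step from the two paragraphs above, as an added example that is not code from the article, from Sysinternals or from any vendor tool. It assumes one CSV per host as produced by `autorunsc -c` (the column set varies by Autoruns version; only the three columns used here are assumed), counts on how many hosts each entry appears, lists the least common entries first, and diffs against a baseline from a previous run. The SAMPLE_HOST_CSV data is constructed and deliberately tiny; collecting the real files from remote systems is left to whatever remote-execution mechanism you already use.

```python
"""Autoruns frequency analysis across hosts, least common first (added example)."""
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, str]  # (entry location, entry name, image path), lower-cased

# Per-user profile paths differ on every host; fold them together so one
# OneDrive autorun does not look like a different entry on each machine.
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)


def entry_key(row: dict) -> Key:
    # Lower-case so case differences between hosts do not split one entry in
    # two; keep the location so a familiar binary registered from an unusual
    # place (the article's staging directories, say) still stands out.
    path = USER_PROFILE.sub(r"c:\\users\\*\\", row["Image Path"].strip().lower())
    return (row["Entry Location"].strip().lower(), row["Entry"].strip().lower(), path)


def parse_autoruns_csv(text: str) -> Set[Key]:
    return {entry_key(r) for r in csv.DictReader(io.StringIO(text))}


def frequency_table(per_host: Dict[str, str]) -> List[Tuple[Key, List[str]]]:
    """Every distinct entry with the hosts carrying it, least common first
    (ties broken by key so repeated runs produce stable output)."""
    hosts_for: Dict[Key, Set[str]] = defaultdict(set)
    for host, text in per_host.items():
        for key in parse_autoruns_csv(text):
            hosts_for[key].add(host)
    return sorted(((k, sorted(h)) for k, h in hosts_for.items()),
                  key=lambda kh: (len(kh[1]), kh[0]))


def rare_entries(per_host: Dict[str, str], max_hosts: int = 1) -> List[Tuple[Key, List[str]]]:
    """Entries present on at most max_hosts machines: the first things to look at."""
    return [(k, h) for k, h in frequency_table(per_host) if len(h) <= max_hosts]


def new_since_baseline(per_host: Dict[str, str], baseline: Set[Key]) -> List[Key]:
    """Entries absent from a previous run's key set, so a repeat hunt only
    has to look at what changed."""
    current = {k for k, _ in frequency_table(per_host)}
    return sorted(current - baseline)


# Constructed sample data, trimmed to the three columns this script reads.
_HEADER = "Entry Location,Entry,Image Path\n"
_COMMON = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,c:\windows\system32\securityhealthsystray.exe" "\n"
    r"HKLM\System\CurrentControlSet\Services,Spooler,c:\windows\system32\spoolsv.exe" "\n"
)
_SUSPECT = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,wupdmgr,c:\windows\help\wupdmgr.exe" "\n"


def _onedrive_row(user: str) -> str:
    return rf"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,c:\users\{user}\appdata\local\microsoft\onedrive\onedrive.exe" "\n"


SAMPLE_HOST_CSV = {
    "WS-01": _HEADER + _COMMON + _onedrive_row("jdoe"),
    "WS-02": _HEADER + _COMMON,
    "WS-03": _HEADER + _COMMON + _onedrive_row("asmith") + _SUSPECT,
}

if __name__ == "__main__":
    for key, hosts in frequency_table(SAMPLE_HOST_CSV):
        print(f"{len(hosts):4}  {key[1]:16} {key[2]}  ({', '.join(hosts)})")
```

On a fleet of thousands, raise `max_hosts` to a small fraction of the population rather than 1; a backdoor planted on "dozens or hundreds of systems", as the article puts it, is still rare relative to the whole. Persist the key set from each run and pass it as `baseline` next time so the second hunt is the short list the article promises.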

Whether you’re a retailer, online business or enterprise this holiday season, increase your proactive scans and hunts for suspicious activities. Happy holidays and good luck in your quest to find an attack in progress!


Is cash now redundant in western society?


By Daumantas Dvilinskas, CEO and Co-Founder of TransferGo

Research from UK Finance has shown that cash accounted for less than a quarter of all payments in 2019, suggesting that as a method of payment it was already in decline before the pandemic struck. Negative attitudes towards cash have evidently been compounded by COVID-19, with growing fears that physical currency could be a vehicle for virus transmission. In turn, this has caused a shift in consumer behaviour, with those stuck at home turning to digital as the only way to spend, send and save money.

But if the usage and popularity of cash was already in decline, what factors were driving this? Primarily, it has been a shift in consumer behaviour towards online shopping, and the increasing speed and convenience offered to end users by contactless payments and new services in the fintech market. An example of the latter is digital money transfer services, which facilitate the flow of money across borders without the added fees and hidden exchange rates that traditional cash-based businesses charge.

But what impact will this behavioural shift have on our society, and what does this mean for the finance industry?

The finance industry’s response

With the pandemic bringing country-wide lockdowns, consumers were forced to turn to digital as trips to banks and post offices to make deposits or collect banknotes became inaccessible. Fintechs, who are digital by default, were particularly well placed to support customers by allowing them to send and spend funds by facilitating online transactions through digital payment services.

Additionally, digital lending firms, who were able to move fast in response to the surge in loan applications as a result of redundancies and businesses shutting down, were much more nimble than physical branches and traditional financial institutions. And the demographic of users has widened too, with digital lending platforms seeing not just tech savvy users, but older users in their 40s and 50s turning to their services.

Prior to the pandemic many people, for reasons such as lack of trust, being technophobes or just being creatures of habit, were hesitant to use digital finance services over cash. We expect to see a continued reversal of that as consumers get used to the ease and accessibility that fintechs have brought to the sector.

The remittance sector has already proved that cash would not reign supreme

This issue of cash vs digital is especially prevalent amongst the migrant worker community. Migrants are often relied upon by their families for income support, and in some cases are the sole source of income. For example, in 2019 remittances amounted to $554bn according to the World Bank, beating all other forms of cross-border financial flows to poor countries.

Alongside the lockdown, we also had to deal with the issue of closed borders, which prevented migrants arriving home with actual cash. Combined with the closure of most retail finance operations, this basically eliminated the options for sending physical cash. Workers therefore needed to find other ways of ensuring their hard earned money could get to those that needed it at home. Digital finance bridged the gap.

Through the benefits of digital, providers can offer guaranteed and fair exchange rates, ensuring that migrants, who may be undergoing financial difficulties, are not stung by hidden remittance fees. They can also provide consistent and accessible support, for example by offering in-country agents who understand local discourse and issues and can help find appropriate solutions. What’s more, these services can offer a seamless customer experience, increased service reliability and, perhaps most importantly, security. For example, TransferGo recently announced a partnership with end-to-end ID verification companies SumSub and Veriff, which ultimately means that migrants are able to have their identity verified quickly and reliably, preventing fraudulent activity without causing a delay to registering for and using the service.

Was this a result of the pandemic or is cash truly on its last legs?

COVID has undoubtedly caused a huge shift in consumer propensity to use cash. Findings suggest over half of consumers had used digital transfers to give money to friends and family at least once during the first month of lockdown, with 20% doing so more than twice.  When you consider that cross border payments are expected to hit $240 billion by 2024 due to an increasingly global and interconnected economy and TransferGo experienced a 63% growth in transactions in April compared to the same time last year, the future is seemingly evident.

The convenience, speed, improved customer experience and security offered to consumers through digital payments will be difficult to surrender – especially as people become accustomed to new ways of working and living.

At the current pace of technological innovation, I can’t help but feel that this is the irreversible direction of travel. It is incumbent on those of us at the sharp edge of innovation in the industry to ensure it remains secure and fit for purpose as the world continues to change around us.


FRC’s audit enforcement – more remedial action for auditors?


By Andrew Howell and Georgina Jones.

With recent accounting scandals such as Wirecard, we’re seeing a continuing focus on the role of auditors in detecting fraud and on the importance of confidence in the audit process for corporate reporting.

The Financial Reporting Council (FRC), principal regulator of the profession (and accountants in business), recently published its Annual Enforcement Review 2020. It analyses its enforcement actions and outcomes across the past 12 months, identifying key themes and issues, and sets itself performance objectives for the year ahead.

One of the notable themes coming out of the Review is the FRC’s greater focus on the use of remedial action and non-financial sanctions as a means of driving audit quality within audit firms. It seems to us a sensible development.

Despite being criticised for not being tough enough on audit firms (total fines have come down this year, although the trend of fines in individual cases is on the rise), the FRC has focused on measures aimed at achieving lasting improvements in audit quality. Heavy fines, while inevitable in the more serious cases, mark public censure but do not in themselves change practices, and ultimately can reduce a firm’s resources to invest in audit quality. Audit cases dealt with by the FRC are rarely about intentional conduct by auditors. Far more often, they relate to errors of judgement, points missed in audit work, or inadequate processes. Non-financial sanctions can be a much more direct mechanism to promote investment of time and resource into audit improvement across a firm.

FRC’s enforcement powers

The FRC became the “competent authority” for audit in the UK under the Statutory Auditors and Third Country Auditors Regulations 2016 (SATCAR), which came into force following the EU Audit Regulation and Directive. SATCAR requires that the UK has effective systems of investigations and sanctions to “detect, correct and prevent inadequate execution of statutory audit” – which led to the implementation of the Audit Enforcement Procedure (AEP).

Under the AEP, a statutory auditor and/or statutory audit firm may be liable to enforcement action where there has been a breach of the Relevant Requirements of SATCAR 2016, the EU Audit Regulation or the Companies Act 2006. This creates a very low hurdle for regulatory sanction. Any breach of any auditing standard can be sanctioned, however trivial, although the FRC has increasingly been willing to handle the more minor cases through constructive engagement.

The FRC has a wide remit of sanctions at its disposal, which can be imposed singly or in combination. Possible sanctions include permanent or temporary prohibitions on the auditor performing statutory audits or signing audit opinions; exclusion of the auditor as a member of a recognised supervisory body; financial sanctions; declarations that the statutory audit report did not satisfy the relevant requirements; requiring the auditor or firm to cease or abstain from certain conduct; and ordering a waiver or repayment of client fees.

While the FRC may have a greater remit for enforcement action under the AEP than the former Accountancy Scheme, its purpose in imposing sanctions is not to punish, but to protect the public and the whole public interest. The public is after all better served by higher quality audits which lead to higher investor confidence in the company’s financial statements.

Financial sanctions will continue to have an important role in the FRC’s enforcement strategy, particularly with regard to the deterrence of future breaches; however, the use of non-financial sanctions continues to increase significantly. Non-financial sanctions are used at all stages of the enforcement process, whether as part of the early resolution of cases via the Constructive Engagement process, in settlement, or following the conclusion of a Tribunal hearing.

Constructive Engagement and remedial action

Constructive Engagement is a process introduced by the AEP for resolving cases where the audit quality concerns can be addressed without full enforcement action. The FRC’s guidance provides that it will be suitable for cases where there has been a minor, technical breach, and there is no real concern about harm to the public or a loss of confidence in the audit process.

Constructive Engagement is a more flexible process, aimed at ensuring that the breach is rectified quickly, and not repeated. It may take any form including written advice, warning letters, discussions or correspondence with the auditor and/or audit firm. Unless the FRC is satisfied that the conduct leading to the breach has already been sufficiently addressed to prevent the risk of recurrence, the outcome of constructive engagement will usually be for the firm to carry out remedial actions (if a breach is identified).

The remedial actions imposed in each case are bespoke to the particular circumstances of the breach, and will often involve amendments to a firm’s audit procedures and/or training and guidance across the firm. Remedial actions are often firm wide rather than limited to the particular audit process, or team, in order to reduce the risk of recurrence of the conduct that led to the breach.

The FRC dealt with 33 cases in Constructive Engagement over the past year, an increase of 73% compared to 2019.

Remedial actions were imposed in 27 of those cases, and were predominantly focused on ways audit firms could improve audit procedures and technical knowledge in problematic areas. For example, firms were required to implement measures such as requiring audit teams to consult the firm’s technical team on particular issues, and to:

  • require enhanced work to be carried out by specialists such as tax and actuarial specialists;
  • implement better procedures for communication between audit teams and specialists;
  • implement additional audit procedures and training on complex areas;
  • implement guidance for improving the level of documentation on the rationale for conclusions reached.

A recurring problem with FRC investigations is that they take too long. Constructive Engagement provides the FRC with the flexibility to resolve cases more quickly: the average time taken to conclude a matter through Constructive Engagements is eight months, compared to an average of 48 months for the FRC to conclude a case through to a hearing before the Tribunal. The firm can then implement the remedial actions imposed more swiftly, while the FRC can direct its resources to cases involving more serious breaches which warrant full investigation. We expect the trend towards Constructive Engagement to continue in the coming year.

Investigations resulting in sanctions

Over the past year, the FRC imposed sanctions in nine audit cases: 11 financial sanctions, as compared to 27 non-financial sanctions. All but one of the cases resulting in sanctions in the past year were the result of settlements.

The total amount of financial sanctions on audit firms alone (pre-discount) was £15.9 million. Financial sanctions were also imposed against six audit partners, totalling £0.7 million (pre-discount). Where financial sanctions were imposed, 30-35% reductions were applied for early admissions and settlement.

The use of non-financial sanctions is clearly a key part of the FRC’s enforcement strategy. Measures imposed over the last year included increased use of reprimands and severe reprimands, requirements for firms to undertake firm wide training, requirements for firms to produce written reports to the FRC on quality performance reviews, requiring firms to implement an ethics board, and increasing the monitoring and support of regional offices.

If firms carry out enough remedial work prior to the conclusion of the matter, further non-financial sanctions may not be required.

The FRC reminds firms in this Review that a further way to reduce any financial sanction imposed is to provide an “exceptional” level of cooperation with the FRC’s investigation, for example by self-reporting.

The year ahead

The FRC remains in a state of flux. Following Sir John Kingman’s review in December 2018 and the Brydon and CMA Reviews in 2019, a number of recommendations have been made to the government for the overhaul of the audit profession which, if adopted, will have a significant impact on the regulation of audit in the UK. The FRC itself is due to be renamed the Audit, Reporting and Governance Authority (ARGA). There has been little progress on the legislative front, however, with no shortage of other recent demands on parliamentary time.

The FRC has been recruiting heavily, notably to increase its ability to monitor audit work, which will then feed into more cases for Enforcement. It has also conducted a review of the AEP, and a consultation on proposed amendments to the procedure is expected later this year. It will be interesting to see what changes are proposed to its enforcement strategy. Beyond that, we may see significant upheaval in audit regulation once we return to normal business.


How to prepare for the Off-Payroll legislation


By Dave Chaplin, CEO of IR35 compliance solution IR35 Shield

We now know for certain that the Off-Payroll legislation will take effect from April 2021. Whether you’re a client, an agency or a contractor, it is vital that you take steps now to mitigate the damaging impact and costs of the new rules so that all parties can continue to enjoy the mutual benefits of flexible working. Dave Chaplin is CEO of IR35 compliance solution IR35 Shield and author of IR35 & Off-Payroll Explained, and here he explains how best to prepare.

Preparing for the reform – hiring firms

The Off-Payroll legislation requires hiring firms to determine whether thousands of contractors can continue to operate as they have for decades. The new rules require hirers to conduct an IR35 status assessment of contractors and inherit a degree of tax risk depending on whether they have taken reasonable care in reaching their conclusion. However, the impact of the Off-Payroll legislation for hiring firms stretches far beyond this.

Hirers will, under these new tax rules, be required to pay the employment taxes due on the earnings of ‘inside IR35’ contractors because agencies simply won’t have the financial resources to cover these extra taxes. When you consider that roughly 80% of the additional tax now due from an ‘inside IR35’ engagement under the Off-Payroll legislation is composed of employment taxes, this is a significant cost to bear.

Inability or failure to offer contracts on an outside IR35 basis also threatens:

  • Contractors increasing their rates to counter their own tax loss
  • Employment rights claims from contractors deemed ‘employed for tax purposes’
  • Struggles to attract talent as contractors look elsewhere for outside IR35 contracts

Firms are also required by the legislation to demonstrate ‘reasonable care’ in reaching the conclusions in their status assessments, which is actually the easiest of the challenges to overcome.

Establish your firm’s IR35 risk

The first step is to acknowledge that Off-Payroll compliance will create an ongoing administrative overhead which your firm will have to plan for, whether status assessments are outsourced or conducted in-house.

The second step is to establish your firm’s IR35 risk by assessing your contingent workers.

The significant compliance challenge posed by the Off-Payroll legislation has necessitated innovation by way of automation. Firms tasked with assessing status and maintaining compliance for vast numbers of engagements need solutions that provide immediate assessments and assistance with the more trivial tasks.

When considering online solutions, bear in mind:

  1. Are the Status Determination Statements (SDS) detailed and comprehensive?
  2. Does the solution continue to monitor ‘outside IR35’ engagements throughout the contract for added protection?
  3. Is the service insurance-backed?
  4. Does the provider have demonstrable expertise in IR35 and employment status case law?
  5. Are the solution’s assessments demonstrably consistent with historical IR35 tribunal outcomes?
  6. Can assessments be instantly turned around?
  7. Can the solution provide real-time tax calculations to enable hirers and agencies to understand their impact?
  8. Does the solution make evidence gathering easier?

It is important to establish the credentials of any provider. Almost overnight, a new market for IR35 expertise has sprung up, populated by many unqualified providers without the essential pedigree of legal expertise required.

The importance of enlisting a quality compliance solution or service provider can’t be overstated. Remember, to gain access to the best contracting talent, you will need to engage contractors on an outside IR35 basis. It’s imperative that any chosen provider doesn’t present a risk to your organisation.

Create contracts and working arrangements that mitigate IR35 risk

Once you have established the greatest risk factors threatening the outside IR35 status of your contractors, these need to be addressed in the contracts and working arrangements. Mitigating these risks reduces the chances of contractors withdrawing from a proposed contract over IR35 status while further minimising your risk of tax liability.

The working arrangements must reflect the written contract and reality. Past tribunal cases have exposed sham contracts, the unrealistic clauses in which are often referred to as ‘window dressing’. If an engagement is firmly caught by IR35 and the proposed contractual amendments aren’t realistic in practice, you will have to accept that the position can’t be rectified.

Insure yourself

At this stage, you will have addressed the assessment status, helping to fulfil the ‘reasonable care’ requirement while mitigating your tax liability risk if HMRC investigates. However, for stronger protection, make sure the provider you work with can offer access to insurance policies for ‘outside IR35’ determinations.

Watertight IR35 compliance practices won’t necessarily deter HMRC from fishing via an investigation, so taking out appropriate insurance will ensure that any investigation costs and liabilities required to defend an investigation by HMRC are covered.

Ongoing monitoring

Ongoing monitoring and evidence gathering throughout the engagement are other crucial compliance processes. With the Off-Payroll legislation effectively dictating that IR35 status assessments be conducted prior to the beginning of the contract, parties must take measures to ensure that the working arrangement continues to reflect the original status determination.

Preparing for the reform – agencies

The preparation required by recruitment agencies is two-tiered. On one hand, as the intermediary, agencies will be expected to contribute to the IR35 compliance process and help negotiate compliant outside IR35 assignments. On the other, agencies will need to identify and implement processes to calculate, pay and report taxes for contractors deemed caught by the legislation.

Though hiring firms are ultimately tasked with assessing the IR35 status of their contractors, they will rely on recruitment agencies to help develop a solution. The input of agencies into this process is especially important, given most engagements consist of two contracts, both of which the agency is involved in – the upper-level contract between the hirer and agency and the lower-level contract between the agency and contractor.

Assist in addressing IR35 risk

Though it is ultimately the hiring firm that decides the IR35 compliance processes to be applied, they may be open to recommendations. The hirer will generally have no prior experience of IR35 and will be relying heavily on the agency to help complete any negotiations. Though they wouldn’t be considered IR35 experts by any means, most recruiters will have handled requests from contractors to make IR35-friendly alterations to arrangements in the past, and so will have some degree of understanding.

All parties stand the best chance of securing a legitimately ‘outside IR35’ arrangement where there is cooperation and clarity throughout the supply chain, and where hirer, agency and contractor are all involved.

Protect yourself with insurance

Though the hirer is responsible for determining the contractor’s IR35 status, agencies face the primary tax liability risk in the event that HMRC challenges an assessment – that is unless the hiring firm has failed to take ‘reasonable care’ when conducting the status assessment. In the public sector, fears over tax liability risk left many agencies reluctant to engage contractors outside of IR35.

However, this is an unhelpful approach which benefits no one. In any case, agencies needn’t be concerned provided they have assisted in ensuring that the necessary measures have been taken to accurately assess IR35. Agencies can gain another layer of protection by securing tax investigation insurance, which provides the expertise and costs necessary to mount a strong defence in the event of an HMRC investigation.

Agencies suffer disproportionately from the Off-Payroll legislation and the issue of administrative costs is probably the most difficult to tackle fairly, which makes it all the more important that agencies play their part in negotiating legitimate outside IR35 arrangements.

Renegotiate margins to accommodate employment taxes

Finally, agencies will also have to consider the cost of employment taxes on fees paid to ‘inside IR35’ contractors and work out with the hiring firm how these are going to be accommodated. This is another liability which really shouldn’t rest with the agency. Being the party that deemed the contractor ‘employed for tax purposes’, the hirer is for all intents and purposes the ‘deemed employer’.

Nonetheless, the legislation dictates that the agency is ultimately liable. As a reminder, employment taxes consist of employer’s NICs (13.8%) and the Apprenticeship Levy (0.5%). This sum is due on top of the contract fee. This is a rather unreasonable cost for a recruitment agency to pay and will therefore need to be sourced elsewhere.

With the rate the agency charges being fixed, one option is to reduce the pay rate being quoted to the contractor. Hirers will need to understand that by offering a lower pay rate than before, they are unlikely to be able to attract the same calibre of worker.

The alternative is to increase the rate charged to the hirer so that they at least contribute towards this cost. This could prove awkward, and you will no doubt encounter hiring firms that are reluctant to pay more for what they see as the same resource.

Ultimately, hirers that wish to hire contractors and treat them like employees will need to accept the accompanying additional cost burden.

Preparing for the reform – contractors

Although contractors have few statutory responsibilities when it comes to the Off-Payroll legislation, choosing to take preparatory steps will impact on whether you can continue operating on an outside IR35 basis beyond April 2021. There is no tax risk for the contractor under the new rules, provided they haven’t committed fraudulent activity, but to secure an outside IR35 engagement you must play an active role in the compliance process.

The immediate threat that the Off-Payroll legislation imposes on hirers and agencies is the chance of being investigated by HMRC, and possible tax liability risk. As the public sector reforms have shown, this can prove very effective in seeing parties taking non-compliant, evasive action by conducting and facilitating blanket status assessments, so all contractors are deemed ‘inside IR35’ by default.

As a contractor, it’s your job to help prevent this, and there are plenty of reasons for the hirer and agency to fulfil their compliance requirements. The first of these is the fact that taking ‘reasonable care’ is the necessary requirement for hiring firms to rid themselves of any tax risk. In an Off-Payroll context, this essentially means taking care to ensure that you have arrived at a correct status determination. Contractors need to make everyone realise that. The message is clear – start talking to hirers now.
