
Compliance Agenda

Overview of Compliance
Lukasz Bohdan - Director of Assurance

Money Laundering and Sanctions


Briget Midwinter – Chief Cashier

Tax Compliance
Sally McKinlay – Head of Tax
How can we solve an issue
like compliance?

Finance Conference
Lukasz Bohdan
Director of Assurance

24 November 2021
Outline

1. Do we really have an issue and need to do something about it?

2. How can we tackle it: suggested approach and principles to guide the work

3. We need to work together and prioritise what needs to be done

4. Emerging list of priorities

5. Next steps
What’s the issue we are trying to address?
We don’t truly understand the extent of the problem as our reporting and
assurance arrangements are underdeveloped but based on what we do
know…

• In some, although important (!) areas the University* is not compliant with
the law (e.g. GDPR, H&S) and its own policies and does not follow current
good practice (e.g. counter-fraud, whistleblowing), consequently:

• We are sitting on a number of risks which expose the University to a range of
significant/unpalatable consequences (see next slide)

* Here the University means the Group, i.e. including subsidiary companies
So what if we do nothing? Some consequences…
• Regulatory intervention (e.g. ICO, CMA)
• Financial losses (regulatory fines, compensation, loss of grant funding)
• Not able to meet funders’ requirements
• Uninsurable risk and/or higher insurance premiums
• Reputational damage
• Major Incident
• Management time and costs of investigations, disciplinary processes etc.
• Corporate and personal liability
• Impact on recruitment and retention
What are we going to do about this? Develop a
prioritised programme of work, mindful of other
competing demands
Some suggested principles to guide this work

• Risk-based approach – focus on mitigating the greatest risks first, but mindful of the need to:
– work in partnership and distribute the necessary work between the centre v. divisions/departments/faculties
– consider other workload impacts on divisions and departments and timetable work accordingly
– start with the areas where there is support for action

• Doing it with you, not to you – engaging with divisions, departments, faculties and services. Where possible, use the existing fora for engagement

• Make best use of resources – look at end-to-end processes and respective roles of central functions, divisions, departments/faculties

• Don't let the perfect be the enemy of the good – informed by good practice, but pragmatic, proportionate solutions that fit Oxford’s context

• Subsidiarity – issues tackled at the lowest possible level

• Minimum standards – balance between consistency and local discretion


We need to work together and prioritise…

Registrar’s SLT agreed the following criteria

• Known high risk (on the University Risk Register or Principal Committees’/Divisional Risk
Registers and/or identified through internal audit/other assurance work) – e.g. GDPR

• Divisional/departmental priority / support to tackle – e.g. GDPR, CoI, Export Controls

• Divisional/departmental capacity to tackle – i.e. absolute headroom and picking the right
time so this work fits around other things already going on
Risk, Compliance and Assurance areas in need of development – with University-wide impact

Area | Priority | Impact on departments / divisions
International Collaboration, Security and Export Controls | M-H | L
Research funders’ conditions | H | H
Fraud, Anti-Bribery, Money Laundering, Whistleblowing | H | L
Health and Safety | H | H
Conflicts of Interest | M | L-M
GDPR | H | M-H
Research with people | ? | ?
Fundraising/donations | ? | ?
Global mobility – tax etc. | ? | ?
Cyber security | H | L-M
Business continuity (enabler) | M | M
Risk management (enabler) | H | L


So where do we focus first…

• Core compliance: fraud, anti-bribery, Conflicts of Interest

• Data protection: actions in response to audit findings and priorities agreed with Divisions

• Health and Safety: implementation of H&S Review recommendations


Roles and Responsibilities – all tiers part of a
seamless, networked whole..

• Central functions/services (e.g. Safety Office, Compliance) centres of excellence: strategy;
framework; policies; facilitate prioritisation; templates, guidance, step-by-step protocols;
support with low-frequency, high complexity cases; supporting central governance
(Committees); develop materials. Capability building and professional networks.
Commission, deploy and operate IT systems/tools. Making sure right information is on the
website/SharePoint etc. Then flow through:

• Divisions: leadership, support, conduit between the centre and departments/faculties.
Division-specific centres of excellence. Assurance over departmental/faculty activities.
Manage the complete picture of demand coming from ‘the centre’

• Departments/Faculties: local leadership: setting expectations; dealing with case work (low
complexity, high volume); investigations etc.
Next steps
• Further engagement with Divisions, HAFs, DAs and local champions to fine-tune the approach and agree timing and
priorities

• Pilot/implement the approach:

Tackle one issue a term (e.g. aspects of GDPR; export controls): first, the ‘centre’ develops the framework, tools, templates,
training etc. Next, take advice and test/pilot with a small group of departmental/faculty reps. Then, the following term,
we ask departments/faculties/services to tackle the issue (with the Divisions acting as a conduit, supporting the work).
Enabled by:
– Engagement with HAFs, local champions and senior academics (e.g. via Divisional Registrars and Divisional GPCs)
– Upskilling people on the ground: professional networks; training; coaching etc.
– Termly ‘push’ with supporting materials (e.g. template emails, case studies etc.)
– Better processes and systems
Q&A

1. Do you agree with the diagnostic and the need for change?

2. Do you have any comments on the approach?


Participation

•https://www.sli.do/

•Use #821058 to take part when asked to do so


Money Laundering

Definition of Money Laundering:


– “Exchanging money or assets that were obtained criminally, for money or other
assets that are ‘clean’. The clean money or assets don’t have an obvious link with
any criminal activity. Money Laundering also includes money that’s used to fund
terrorism, however it is obtained.”
Legislation:
– Proceeds of Crime Act 2002 (amended by Serious Organised Crime and Police Act
2005)
– Terrorism Act 2000 (amended by Anti-Terrorism Crime and Security Act 2001, and
Terrorism Act 2006)
– Money Laundering Regulations 2017
– Criminal Finances Act 2017
Which sectors/businesses
might be considered high
risk for Money Laundering?

What to look out for…

• Large cash payments


• Complex company structures/shell companies
• Having paid up front, student then withdraws and asks for a
refund, possibly to a different account
• Overpayment received, then a refund requested
• Unexpected cash payments direct to the bank
• Payments to/from ‘high risk’ countries
• Children/relatives of PEPs or sanctioned individuals
• Lack of supporting documentation/due diligence
• Payments from seemingly unrelated 3rd parties
Risk mitigation measures

• Reject cash for student/course fees/invoices etc.


• Only accept payment by electronic means (e.g. bank to
bank transfer, or credit card etc.), a method with a
transparent and readily identifiable audit trail
• Always verify source and evidence of the origins of funds
• Apply Enhanced Due Diligence when funds originate from
(unknown) third parties, or through shell companies etc.
• Extreme care when dealing with refund requests
Sanctions
Which countries should
we be concerned about in
relation to sanctions?

Sanctioned countries

BROAD SANCTIONS
• North Korea – banks will not facilitate any payments (directly or indirectly) to/from
• Iran – have to seek permission from the bank prior to making or receiving a payment. Unlikely to be approved.
NARROW SANCTIONS
• Other countries – Seek advice before making or receiving a payment: Cuba, Syria, Crimea, Venezuela, Sudan
• Care needed: Russia, Afghanistan, Myanmar, Belarus (and others)
Due diligence
“Due diligence is the investigation or exercise of care that a
reasonable business or person is normally expected to take
before entering into an agreement or contract with another
party”
Should be undertaken when accepting
•Donations
•Research
•Student/Course Fees
•Taking on new customers/suppliers (KYC)
See AML web page https://finance.admin.ox.ac.uk/anti-money-laundering-guidance
University responsibilities

• Customer/supplier ID procedures (KYC) – due diligence


• Reporting suspicious activity
• Policies/procedures in place
• Maintain suitable transaction records
• Effective internal controls in place
• Appropriate training for staff
• Awareness – spreading the word
Where we are now

• Money Laundering Guidance available on web


– https://finance.admin.ox.ac.uk/anti-money-laundering-guidance
• Due diligence on donations/research sponsors
• RCA Network
• Reacting to Barclays’ requests for information
• Students - Financial Declaration form
• PWC Internal Audit
•Questions?
Finance Conference 2021
Tax compliance talk
24 November 2021
The Brief

“Update on emerging risks including an overview of the approach
being taken by the University to manage compliance issues, and a
focus on tax compliance, money laundering and sanctions.”
The Tax agenda
•Tax strategy
•Tax fraud – Criminal Finances Act
•The University tax compliance list
•VAT compliance
•Imports/Exports
•Global Mobility
The Tax Strategy
Tax Strategy – been through Finance Committee and GPC – annual process
https://finance.admin.ox.ac.uk/files/taxstrategy2021pdf

The Tax Strategy has four core objectives:

(1) To comply with mandatory tax, compliance and reporting requirements;

(2) To manage the tax risks and opportunities arising from routine operations;

(3) To support furtherance of the University’s charitable objectives.

(4) To communicate and coordinate with HMRC, where appropriate


The Tax Fraud – Criminal Finances Act

Tax Fraud Policy – approved by GPC


https://finance.admin.ox.ac.uk/criminal-finances-act-2017#collapse2172066

Self-assurance questionnaire – please be aware

Training video
https://finance.admin.ox.ac.uk/criminal-finances-act-old#tab-1165416
The University’s central compliance list

•VAT returns – VAT group and single registrations


•Corporation Tax returns – 33 annual returns (inc LLPs and JVs)
•SDLT returns (land acquisitions)
•International payrolls (currently 8 soon to be 11)
•UK payroll – Charlie Morgan and his team
VAT compliance – an opportunity

•Robust financial systems – changes put through Oracle


•Legislation changes and case law develops
•HMRC rulings – opportunities

For example:
-Definition of medical substances used for medical research
-Software used for medical research
Imports/Exports – big issue

Imports increased to £24m per annum


Exports increased to £9.2m per annum

Freight agents struggling with the volume


Many errors being processed by agents
Practical guidance
A Brief Recap

• International working refers to University staff who conduct their
work – for all or part of the time – overseas, including: fieldwork and
research, working remotely, sabbaticals, etc.
• It is important the University (and its staff) are compliant with laws
and regulations in the overseas location. This includes, but is not
limited to:
• Immigration
• Tax
• Social security
• Employment Law
• Pensions
• Insurance
University Policy

• The University has had a policy in place to manage International
Working requests since March 2021
• The fundamental aim of the policy is to ensure departments with
overseas staff are fully compliant across our key risk areas
• Approval is required from the Head of Department or Head of
Division before the arrangement goes ahead
• There is a 90-day threshold; minimal action is required below this
threshold for practicality reasons, but departments should still be
wary of the potential risks
• The policy criteria consider different scenarios and some common
tax and social security exemptions (such as the ‘183 day rule’)
New Shadow Payrolls
Where an overseas tax and/or social security obligation exists, often
the University will be required to register a ‘shadow payroll’ in that
country to facilitate contributions. The payroll does not deliver any net
pay to the employee.
Questions?
