Alastair Lauder, Head of Transformation, P2 FinCrime

With ISA season in full swing, the word on the street is that HMRC is planning a review of ISA processes and controls to monitor and reduce the opportunity for fraudulent activity. ISA investors are only allowed to open one of each type of ISA – either a cash ISA or a stocks and shares ISA – in the same tax year and the allowance is £20,000 for each type.

But HMRC is concerned a high number of customers aren’t following this rule. Some customers might have multiple ISAs at multiple providers, but as the individual allowance is £20k per different type of ISA, if they hold more than their allowance, they are guilty of fraud, intentionally or not.

ISA audit planned for the coming months

Worried about the level of ISA rule infringement, apparently HMRC is planning an ISA audit in the coming months, hoping to spot flaws and evidence of transgressions. Aware of this, many banks are scurrying around, trying to identify their risks so they can self-disclose and plan how to close the control gaps. So if you are a bank or an ISA provider, what steps do you need to take to help investigate and fix the gaps before HMRC comes knocking?

1. Sort their own house out: it’s important to have implemented processes and controls designed to identify and manage ISAs. For example, account opening verification and an internal reconciliation on the number of customer accounts are important steps. Establishing customers’ individual tax status is also important information to retain.
2. Evidence: ability to demonstrate to HMRC that controls are working by supplying evidence either through ongoing monitoring and quality assurance (QA) or robust management information (MI). So what could be used as evidence? QA testing and results. Conduct ad hoc ISA reviews to support QA testing. Collate MI packs and committee meeting minutes to demonstrate discussions and challenges. Provide documented processes and have a control library in place.
3. One ISA account per customer: banks and ISA providers need to go through ISA accounts with a fine toothcomb and make sure only one account for any one individual has been opened. This could be enforced through internal reconciliation and reporting controls and logging customers’ tax status. A customer verification process could also help establish and demonstrate this.
4. Ensure customers stay below the ceiling: banks and ISA providers need to ensure customers only invest the requisite money into one cash ISA and one stocks and shares ISA per provider per year. This could be enforced through internal account balances and reconciliations, MI reporting and customer verification.
5. Up to date data: ISA providers need to ensure all records are up to date in preparation for a sample request from HMRC. Using QA testing on records would help you do this. This could be enforced through training and testing staff knowledge and understanding on records management requirements and processes, this could be further demonstrated through additional QA reviews.

For banks it might seem just another regulatory hoop to jump through. But it’s important that bodies like HMRC or the FCA are consistent in their approach to reducing fraudulent activity, whether that relates to money laundering, investment scams, phishing – or ISA fraud. So, for banks, wealth managers and other ISA providers, they just need to ensure they have their ISA house in order and do it quickly.

To speak to P2 FinCrime about preparing for a HMRC ISA fraud review, please email me at alastair.lauder@p2consulting.com or call +44 (0) 7425 160 549.