Does your business have robust cyber security?

Ransomware attacks are a lucrative market that has netted cyber thieves an estimated £19 million in the last two years, according to Google research. I am sure the real figure is much larger.

Cyber-security company Malwarebytes researched more than 1000 businesses in the US, UK, France, Germany, Australia and Singapore, and found that UK businesses are the worst at dealing with ransomware, with almost 20% believing they had no chance of preventing a malware attack.

In April 2017, the UK’s Department for Culture, Media and Sport, published the Cyber Security Breaches Survey 2017. It revealed that only 37% of businesses had segregated wireless networks, or any rules around the encryption of personal data and a mere third (33%) had a formal policy that covers cyber security risks. Just 32% documented such risks in business continuity plans, internal audits or risk registers and only 29% have made specific board members responsible for cyber security.

Scary stuff and it’s not going to go away given how lucrative cyber theft can be with an estimated loss of £1,570 to an “average” business and around £20,000 loss to larger companies – not something to be ignored especially in the current difficult UK economic climate.

Not only this, but imagine the risk to a business’s reputation if its system is hacked and its client database is stolen, especially when new and more stringent protections are due next May when the EU’s General Data Protection Regulation (GDPR) comes into force.

The elements of a robust cyber security set-up

According to the April Government survey the most common types of breaches are related to staff receiving fraudulent emails (in 72% of cases where firms identified a breach or attack). The next most common related to viruses, spyware and malware (33%), people impersonating the organisation in emails or online (27%) and ransomware (17%).

So, the potential weak spots are therefore people, technology vulnerabilities and processes.

People: lack of communication between teams and lack of training can make a business vulnerable. Reduce risk by making sure everyone is cyber security aware, can identify suspicious communications and is regularly updated on the latest scams. Every employee should know how to check the email address of a sender to confirm it is really the same person as named in the sender box. Employers should limit employee access to only those parts of the system and databases relevant to their work and install secure authentication procedures before they can access sensitive data. Ideally data should be encrypted, particularly if using cloud-based storage.

Technology vulnerabilities:  remember the recent WannaCry ransomware attack that decimated UK hospitals still using the Windows XP system? Keeping systems up to date and rigorously installing patches as soon as possible is a must. Open-access Wi-Fi is also foolish, even though many hospitality businesses offer access as a service to customers.  If you do, make sure it is password protected and change the passwords regularly. Also ensure servers are protected by a firewall, usually one in a dedicated computer that doesn’t have any data stored in it so that sniffer ware can’t see data in the computer and can’t access the protected servers.

Processes: security contracted out to third party providers, such as website hosts, can introduce a dangerous complacency, in assuming that security is being taken care of. Make sure you check regularly that updates are carried out promptly and if the company offers remote 24-hour monitoring and backup it is worth paying for.

While it may not be possible to make a business 100% cyber-secure, there is a lot that can be done to minimise the risks.

Many SMEs will benefit from the delayed timetable changes to Making Tax Digital

Proposed changes to the roll-out of the UK Government’s plans for businesses to keep digital records and report quarterly online are expected to be approved this month but at least they will be rolled out rather than introduced immediately.

I have previously expressed concern about the impact of quarterly reporting by SMEs, especially as most only see their accountant once a year when they report annual accounts as required under current legislation.

The timetable and other changes mean that from April 2019 only businesses with a turnover above the VAT threshold (currently £85,000) will have to keep digital records and only for reporting their VAT under the new scheme, called Making Tax Digital (MTD).

It will also mean that businesses will not be asked to keep digital records or update HMRC quarterly for other taxes until at least 2020.

The Government has made it clear that it wants to test the new system thoroughly before rolling it out making it even possible that the deadline may slip further.

HMRC is expected to start a small-scale pilot of MTD for VAT by the end of this year, then widen the scope into a larger pilot starting Spring 2018.

The Government has also announced that MTD will be available on a voluntary basis for the smallest businesses, and for other taxes.

This means that businesses and landlords with a turnover below the VAT threshold will be able to choose when to move to the new digital system. They will also be given at least two years to adapt to the changes before being asked to keep digital records for other taxes.

The changes are expected to be approved during passage of the Finance Bill 2017, expected to take place this month, September 2017.

The changes have been welcomed by business groups, particularly by the FSB (Federation of Small Businesses) whose chairman Mike Cherry said it was a very positive decision and a welcome relief to the smallest businesses that were “already facing a hugely challenging economic climate”.

The main elements of director duties

Being a company director carries with it many responsibilities, some laid down by the company’s articles of association, others requiring compliance with various laws and in particular understanding their duty of care and how to avoid breaching the Company Director Disqualification Act 1986.

Directors have a responsibility to guide a company, not only in its compliance with company law but also in the best interests of its ability to operate profitably, and to be mindful of the company’s obligations not only to shareholders but to its employees and suppliers as creditors, as well as its customers and the general public.

They must put the interests of the company before their own and be mindful of the company’s financial position at all times.  While the Company Secretary might carry out the administration and compliance with statutory and regulatory requirements the directors are responsible for all decisions and actions by everyone on behalf of the company and therefore should oversee their activity.

Directors also have specific obligations where a company becomes insolvent. Under the Insolvency Act 1986 (IA 86), they must act to minimise further potential loss to creditors.

They must therefore be careful not to continue to trade in a manner that causes further detriment to creditors, nor to prefer themselves or other parties by paying specific creditors, selling assets under value, or knowingly trading fraudulently.

Continuing to trade is a decision that should be taken by the board of directors with a note made of any dissent. The decision to continue to trade and the reasons why the directors believe this is in the best interests of creditors (not the company) should be recorded in the minutes.

Director duties are covered by a wide variety of laws and regulations

Individually and collectively directors have a duty of care to both employees and members of the public such as compliance with Health and Safety regulations and should be aware of their liabilities under the Corporate Manslaughter and Corporate Homicide Act 2007. This includes actions by their employees.

They must also ensure that the company complies with the Companies Act 2006 and other legislation relating to Employment, Competition, Bribery, the Supply and Sale of Goods, Data Protection and a ton of industry-specific legislation.

In a wider sense, a company’s board of directors should determine and oversee the company’s strategic objectives and policies and monitor progress towards achieving them.

They have responsibility for appointing senior management and ensuring accounts are up to date and that they are aware of the financial position. They must also account for the company’s activities to relevant parties, including shareholders, and can be held to account by the press, Parliament and public bodies.

You can download a free, comprehensive guide to directors’ duties from our knowledge bank


HMRC is dialling up the pressure to collect overdue tax

Many of our new clients are contacting us after a visit from HMRC (HM Revenue and Customs) who are becoming much more proactive with businesses whose payments are overdue.

Non-payment and ignoring letters from HMRC in the past often meant they would leave you alone but this is no longer the case. They now have real time information about the payment of PAYE as well as knowing from the returns how much VAT and corporation tax is due. This information is making it easier for HMRC to track late payments. Whether a failure to pay on time or file returns on time HMRC are geared up for dialling up the pressure.

Despite an inability to pay, HMRC is supportive of those who contact them early and is still approving Time to Pay arrangements, but ignore them and expect a reaction.

In addition to letters and phone calls HMRC are increasingly using enforcement officers to visit the business’ premises to collect payment or seize goods.  Their schedule of fees is:

  • Notice fee of £75;
  • Visit fee to take control of goods £235 plus 7.5% of the tax owed that is over £1,500;
  • Non-payment removal fee of £110 plus another 7.5% of the tax owed that is over £1,500;
  • Interest may also be charged on the amount due.
  • Example: tax owed of £60k, fees of £4,700.

The visit normally results in significantly increased costs, with officers demanding fees of up to £2,000 for the visit or 7% of the amount owed in relation to an enforcement notice.

Despite a phone call from the collection officer fixing a week’s notice before visiting, a new client had just received a visit in respect of VAT arrears of £60,000. The client wasn’t able to pay so the enforcement officer distrained (seized) assets but didn’t remove them, saying they would return a week later. The following day the director paid the bill, which now included an additional £4,700 in fees. Having paid, they contacted K2 to say they couldn’t now pay other bills; fortunately we were able to help.

Had the company known more about the collection process, they could have saved themselves £4,700 in fees.

HMRC powers and its collection options

When a business has reached this point, it has invariably failed to respond to a number of approaches from HMRC, starting from ignoring initial letters warning that payment is due.

The process from there on most likely will result in either a visit by an enforcement officer or a Winding Up Petition. It may also result in a demand for a security bond. While security bonds are rare for trading companies they are becoming increasingly common with new companies that have been started up following the insolvency of a company run by the same directors.

Enforcement visits are carried out by field agents who have the right to issue enforcement notices (also called distraint warrants) to seize assets for sale at auction. They don’t have to actually remove the goods when they visit but the notice has the effect of transferring control from the company to the enforcement officer such that they cannot be removed without committing pound breach, a criminal act which has been covered by other blogs.

As an alternative or a final stage after goods have been removed, HMRC tends to apply to the courts for a Winding Up Petition.

Businesses should keep track of cash flow and their ability to pay PAYE, VAT and corporation tax liabilities on time. Persistent late payment of these indicates that a business is in financial difficulties, but in most instances any late payment is a one-off. If not, then a time to pay arrangement with HMRC won’t solve the underlying problem and in such instances advice from turnaround or insolvency professionals most likely will be necessary.

In the hope that the problem is simply a one-off, the message is clear: respond to HMRC communications sooner rather than later. The problem will not go away and can only get worse the longer it is left.

HMRC’s collection processes were further strengthened in November 2015, by the introduction of the power to recover debt directly from cash held in bank and building society accounts in addition to existing powers to seize and sell assets.

In addition, HMRC has been increasingly outsourcing collection to private debt collection companies to recover overdue income tax payments and to claw back overpaid tax credits.

In March 2017 CityAM reported that HMRC’s spending on the use of these agencies had increased by 92% to £24 million in 2016. Since private companies can also charge debtors this will only add to the overall bill for those targeted.


New regulations – improving or gold-plating Fintech compliance?

From January 2018, new rules and regulations are being introduced covering businesses that provide services to clients linked to ‘financial instruments’ and the venues where those instruments are traded.

The Markets in Financial Instruments Directive II (MiFID II) is an EU directive transposed into the home law of all single-market members. MiFID II imposes new rules designed to “give customers more protection and force greater transparency across everything from fixed income to swaps”, according to the Financial Times. The paper describes it as “the biggest regulatory shake-up of European financial markets in a decade” – and a much-delayed reaction to the 2008 financial crisis.

MiFID II’s goals are to achieve a shift in trading towards more structured marketplaces, to improve execution, encourage orderly trading within markets and provide consumers with lower and more explicit costs of trading and investing.

Not only will MiFID II have an impact on firms’ data storage resources to support this new, deeper reporting but the same will also have implications for the security of that storage.

MiFID II significantly updates current FCA (Financial Conduct Authority) sourcebooks on such activities as the secure recording and archiving of telephone calls with consumers, extending the records of conversations covered to include anyone involved in the chain of a trade, including financial advisers, both human and robotic.

MiFID II stipulates a minimum period of data retention – albeit potentially at cross-purposes to its sister directive, GDPR. MiFID II will affect everyone engaged in the dealing and processing of financial instruments from finance business and their operating models, systems and data to data, people and processes in companies classified as “investment firms” according to Thomson Reuters. The definition of these entities is deliberately wide and vague.

Fintech companies – especially those regulated in an EU home market – are struggling to comply with the new regulations in time for the deadline. Fintech firms big and small are inundated by the scope of change driven by the directive; the immoveable implementation date and the lack of specific detail and guidance on what has to be done and how, at a national and EU-level.

It does not help that some specific regulations remain under a rolling pattern of consultation and discussion. The UK’s FCA has frequently chosen to ‘gold plate’ EU directives in order to promote the UK as a stable and well-regulated location for financial services, adding to the regulatory burden of firms in the UK compared to their counterparts in the rest of the EU.

However, the FCA has published some guidance on its website and a PDF guide to help businesses through what parts of the regulations are relevant to them.  Fintech firms may also sign up for email updates from the FCA.

Fintech for SMEs

Fintech is a topic much discussed in business publications, often in hyperbolic terms, but very few can define it precisely.

Initially, Fintech, short for financial technology, was the word for the technology used in the plumbing as the back-end of established consumer and trade financial institutions.

However, according to the online financial dictionary Investopedia, Fintech now denotes a range of technological innovations in the financial sector, including in financial literacy and education, retail banking, investment and crypto-currencies like bitcoin.

This wider definition more accurately describes the range of possibilities for SMEs to use financial services and engage with the financial sector especially as some Fintech services, we would argue, are revolutionary and open up services that were previously only available to large companies.

Part of the problem lies with the mainstream banks, lenders and most of the traditional suppliers of financial services including factoring, invoice discounting, fund raising and advice, who have remained deeply conservative in the way they do things and the way they charge for their services. Many have not benefited from the technology revolution, or if they have they haven’t passed on that benefit to SMEs.

How can SMEs benefit from Fintech?

SMEs can benefit from significantly reduced costs by bypassing traditional ways of using financial services, and in many instances by bypassing the traditional suppliers.

Fintech has done much to disrupt traditional models, for example, peer to peer lending via firms like Ratesetter and Zopa and equity crowdfunding via CrowdCube or Seedrs has grown. These online platforms now provide alternative sources of lending and investment to SMEs who no longer need to use their bank or finance brokers to fund their business.

Entrepreneurs can, via an online platform, pitch directly to the world for loans or investment in their companies and ideas. While they may still have to produce a sound business model and show that there is a market for their idea, online models can speed up the funding process dramatically.

Another benefit of Fintech has been mobile payment and currency conversion as innovative methods of swiftly and economically transferring funds across geographical borders. Online and cross border payments are undergoing a secondary Fintech revolution with Blockchain technology and crypto currencies like Bitcoin and Ethereum gaining traction.

Blockchain, as an open, distributed ledger system that records transactions between two parties efficiently in a verifiable and permanent way, is likely to fundamentally change the way we do business and offers opportunities that none of us have yet considered.

Payment systems, such as GoCardless, PayPal and Stripe, alleviate the cost and bureaucracy of invoicing and collecting payment, removing the need for debit cards, credit cards and expensive merchant service accounts. This is of benefit both to consumers buying online and to businesses selling goods or services to consumers and to other businesses.

Other areas where Fintech offers fast and efficient services are in monitoring, tracking and managing accounts and financial transactions. Mobile technology provides users with information in their hand to provide accurate information and allows entrepreneurs to make timely decisions.

Finally, for those who have the skills and knowledge, the opportunities for developing ever more innovative and useful Fintech ideas and converting them into a viable business are only going to increase.

Business failure can be a self-fulfilling prophecy

It is often also a predictable inevitability.

The financial website Investopedia defines irrational exuberance as unsustainable investor enthusiasm that drives asset prices up to levels that aren’t supported by fundamentals.

Eventually, this becomes an unsustainable “bubble” as in the so-called “tulipmania” in the Netherlands during the 1630s, the dot com bubble of the late 1990s and more recently the collapse of many lending organisations through artificially high property prices that resulted in the 2008 Credit Crunch.

The result? Business collapse, often with repercussions well beyond those at the centre of the crisis.

Over-confidence among SME business owners may lead to failure, albeit anyone leading a company must have some self-belief and confidence to make a success of a business.  Taking risks should be based on a calculated strategy underpinned by a consideration of the risks versus the prospects of success.

But the opposite may also apply and equally lead to a business failure. Lack of confidence in a strategy and a reluctance to take risks may result in a business playing safe and stagnating. This can be due to managers not really believing their strategy will work and thereby anticipating failure in a way that reinforces their expectation. This is often the case when managers play it safe.

This may be exacerbated if the company is led by a CEO who is cautious and conservative, and who does not encourage new ideas.

It is common in businesses that have a blame culture where any new initiatives are suppressed.

But that is not how successful entrepreneurs, like the late Steve Jobs, create successful, growing companies.  Jobs was famous for ignoring preconceptions about what can and cannot be done.

What other influences increase the likelihood of business failure being a self-fulfilling prophecy?

Short term thinking can affect a business, not only when it leads to pressure from investors for profits and dividends at the expense of investment and growth.  It can mean that the CEO or business owner is distracted from thinking strategically for the longer term.

Caution over investing can become counter-productive especially when the general business and economic climate is pessimistic and businesses sit on money that could be invested. Over time this reduces productivity by not replacing old plant and equipment or hardware and software to the point where they are costing excessive time and money to maintain or use.

Failure to keep up to date with the latest innovations can lead to a business losing ground against its competitors and eventually losing customers and orders.

It takes a combination of courage and caution, wisdom and daring to keep a business growing and moving forward – and the help of a mentor or adviser to add perspective and help avoid a predictable inevitability.

What kinds of unreasonable demands should prompt SMEs to decline contracts?

The natural inclination of most SMEs is likely to be to accept almost all new orders from clients and customers, but there are times when this can be counter-productive.

A study by Hitachi Capital published in early summer revealed that almost half of SMEs had turned down work due to “unreasonable demands”, rather than because they felt unable to deliver the work.

The main reasons cited were contracts that were priced too cheaply, unfair payment terms or with unreasonable and unrealistic requirements on such things as completion dates.

The findings support research carried out two years ago by the FSB (Federation of Small Businesses) that found that half (52%) of small firms had been stung by unfair contract terms with suppliers, costing nearly £4 billion in the previous three years.

But it takes considerable courage and clear thinking for a SME to walk away from potential new work, especially in an uncertain economic climate like the current one.

What to consider when making a decision to decline contracts

Companies need to preserve their reputations and their ethics and therefore this should also be taken into account when assessing the merits of a new order.

If the potential new client is trying to impose an unrealistic time constraint on completing the order, accepting the work and then being unable to deliver could rebound in damaging its reputation with existing clients. It can also be expensive if penalties are imposed by the client.

There may also be ethical considerations that are part of a business’ identity that could be compromised by the demands of a new client.  If, for example it is a local prepared food manufacturer that sources ingredients through the Fairtrade scheme, pressure from a potential new customer for an unreasonably low price could force it to source cheaper ingredients that would compromise its ability to support Fairtrade.  This would not only compromise the SME’s own ethics but potentially its reputation with existing customers.

The practical considerations include costs involved and capacity to deliver.

SMEs should set prices at a level that is viable, both in terms of purchasing raw materials and covering manufacturing costs at a level that ensures a reasonable profit.  It makes no sense to accept an order that would compromise this.  This would apply also to unreasonably lengthy payment terms leaving the business to carry the costs of fulfilling an order for some time before being paid.

Ideally, when approached by a new customer, a business should issue a contract stating the terms and conditions it expects to be met if it is to accept the order. It could include the requirement for a deposit, say 30%, to be paid at the start of the agreement, perhaps if appropriate an interim payment and another on the date of completion.

Credit risk should also be taken into account as few SMEs can afford to lose money due to customers going bust or simply not paying, leaving the SME to incur the huge financial and time costs involved when chasing payment from determined non-payers.

While inevitably the potential customer may try to negotiate to modify terms, if they prove obdurate then it would be better to walk away.

Another issue that could affect costs and ultimately whether a business decides to pursue a new order is the often lengthy and complicated process, including many pages of form-filling and supporting evidence that is often involved in tendering for public sector contracts.

Again, a careful analysis of the costs involved in the bidding process, the time involved and the attention demanded of staff away from what they would otherwise be doing will give some idea of whether it is worth pursuing.

Ultimately a lot of this is about bullying and the bottom line is that no SME should allow itself to be bullied into complying with unreasonable demands.

Does your SME need a Company Secretary?

While a public company is legally required to have a Company Secretary, since April 2008, private Limited Companies are not.

However, if the private company’s articles of association state that it should have one, this clause should be removed from the articles or the company is legally required to have an appointed Company Secretary at all times.

There may still be advantages for a SME to appoint someone specific to the role that is carried out by a Company Secretary, given the duties involved.

What does a Company Secretary do?

The Company Secretary is usually appointed by the directors and the person in the role is responsible for the company’s efficient administration particularly in ensuring compliance with statutory and regulatory requirements.

He or she must also ensure that decisions of the board of directors are implemented.

While in a private company the Company Secretary is not required to have specific qualifications, unlike in a public company, it makes sense for a person appointed to the role to have a thorough knowledge of their duties and if possible to gain chartered status with the Institute of Chartered Secretaries and Administrators (ICSA).

Alternatively, some SMEs use a suitably qualified outside specialist, such as their accountant, to take care of Company Secretary duties.

Historically the Company Secretary was responsible for producing accounts, dealing with finance, insurance, personnel and legal matters but most of these functions are now outsourced with the role becoming one of administering the board of directors, maintaining board and shareholder minutes and registers, and ensuring the company complies with regulatory requirements such as filing annual returns and changes to the registers.

Why do we recommend SMEs appoint a Company Secretary?

Most SMEs can’t afford a dedicated Company Secretary but they still are required to comply with all manner of regulations and all too often the directors have too much on their plate to deal with boring administrative functions. As a result, when something goes wrong it is normally because something basic wasn’t done but the consequences can be catastrophic, for example failure to renew insurance or check fire extinguishers are maintained with inspections up to date. Even though most compliance related functions are now outsourced, those doing them need monitoring and the documentation needs maintaining.

We advocate that one person should be responsible for overseeing all the non-operational aspects of a business and that producing accounts, dealing with finance, insurance, HR, health & safety and legal matters all come under the Company Secretarial remit for a SME.

The Company Secretary can be the chief executive, an independent director or professional adviser or a responsible member of staff, but whoever it is needs to be organised, sufficiently experienced and have the time to do the job.

It need not be onerous as most of the functions can be outsourced. It can also be combined with other functions but the real benefit in having one person nominated as Company Secretary is that they are clearly responsible for all the non-operational activities and can report on these matters to the board.

The costs to a business of dispute resolution

In an ideal world, most SME business owners would like to think that their business is so efficient and well-run and with such consistently good relationships with customers and suppliers that there is no likelihood of any dispute arising.

In reality, with the best will in the world given that people can be volatile or even unreasonable it is wiser to be prepared for the possibility that a situation may arise that results in a dispute that has to be resolved.

If it happens the associated costs may be so great that the result could be business failure.

By costs, we are not only referring to money, though if in the worst case the dispute ends up in court the financial costs of lawyers and court fees can be high, and more so where a court ruling goes against the business, resulting in costs being awarded against it, including the other side’s lawyers’ fees.

Add to that the worry and stress, and the time taken in trying to resolve the issue and preparing for court. Dealing with disputes is both distracting and takes focus away from the business itself, quite apart from uncertainty of the outcome.  There is also the risk that litigation can spiral out of control. These are also costs.

Whether the dispute is small enough to be referred to the small claims court or something larger the outcome may be damage to relationships with suppliers or customers.

Too often small disputes spiral out of control with disastrous consequences for some but for many it is an unwelcome and uneconomic distraction.

Alternative forms of dispute resolution

There are two main routes that a business could follow rather than trying to settle things in court.

One is to appoint a neutral third party, acceptable to both sides. This person would help them both clarify the issues under dispute and negotiate a mutually acceptable solution. Once agreement has been reached the parties would draw up and sign a binding agreement.  This process is called mediation and is considerably less costly than dispute resolution in a formal court setting. It depends heavily on the skills and expertise of the mediator and the willingness to arrive at a consensus.

A slightly costlier route, but still less costly than a court case, is the process of arbitration. Again, this depends on a mutually acceptable neutral person whose judgement will be accepted as being impartial. Normally the disputing sides will be required to sign an agreement stating that the arbitrator’s decision is binding on them. The arbitrator will then examine the evidence, hear both sides’ arguments and then impose a settlement.

Either of these two alternatives must surely be preferable to ending up in the adversarial situation that exists in a court of law, not only for saving costs (both financial and otherwise) but ultimately in saving a business from the risk of failure.

Given the cost saving it may be worth reviewing the relevant clauses in contracts to make an alternative dispute resolution option binding instead of the standard terms used in most agreements that refer to court as the default resolution procedure.