Tax Relief for Ransomware Payments

[Lambs]

Dear All,

I have asked HMRC 3 times now what is their official policy on the deductibility of ransomware payments and had no response. I am no lawyer, but I believe that these are payments that could be termed as being made in response to blackmail or extortion. And yet they are rife, and to all intents and purposes a common (albeit highly undesirable) business expense.

Any thoughts? Do people think they are allowable / should be allowable?

Kind regards,

Lambs

[pawncob]

HMRC don't like crime, so they disallow any expenses relating thereto. BIM43180

A deduction for a payment induced by blackmail or extortion may be denied where, for example:

ransom is paid by an employer to obtain the release of a kidnapped employee,
payments are made by businesses to buy off threats to damage their premises or to poison food, medicine etc.
However, subject to the disallowance of payments which are incidental to the payment of the blackmail itself (see BIM43101), other expenses arising out of blackmail may be allowable. For example, normal principles will usually apply to the extra cost of:...........................etc

Note the "MAY BE". There's always hope.

[Lambs]

Hi P,

Thanks for the reply, and I am familiar with the BIM. I see the later paragraphs from the BIM suggesting deductibility as maybe the cost of recovering backups to replace damaged data in this context, rather than any payment actually made to the pirates / buccaneers themselves. I am asking because I think that the natural assumption by many businesses - perfectly understandable - is that it would be allowable for tax purposes. And they would be aghast to find out later on (if at all). And actually it might affect their decision if they were to factor in the effective additional cost of the loss of relief.

I also think that given its prevalence, it should NOT be disallowed. This is not The Sweeney £50k or fingers in the mail. It's hitting thousands of small businesses up and down the land. Of course, I realise why HMRC is being cagey. But they are going to have to bite the bullet at some point.

Regards

Lambs

[SteLacca]

If you look at the general principals of tax, what is relievable for one person is chargeable on another, and so HMRC get their pound of flesh eventually.

However, the proceeds of crime are rarely taxed, and so why would HMRC allow a deduction for those paying?

[someone]

And actually it might affect their decision if they were to factor in the effective additional cost of the loss of relief.

HMRC might say "mission accomplished" (although in that case they should be making the situation clear)

[bd6759]

s55 ITTOIA 2005 is quite clear that the cost cannot be deducted.

[Lambs]

Very many thanks for your various contributions.

St, I believe that while your argument has some merit, it is not a principle per se. Given that a payment may be made to a wide range of persons - in business or otherwise - who are not taxable in the UK (charities, councils, overseas entities, etc.) it is really only the fact that profits tax is so pervasive that the observation has some attraction. Of course, the principal criterion is that an expense is incurred wholly and exclusively for the purposes of the trade, etc., save for capital and other exclusions as specified. HMRC may not "like" the idea that a tax-deductible expense doesn't end up getting taxed as income in someone else's hands, but that is not what the law requires.

I do appreciate that there is some justification or a form of logic behind disallowing expenses incurred that might encourage crime to be committed, but I would distinguish between where a business (for example) contemplates paying a bribe or similar to win more business, and a business being locked out of its computer records save for a payment of £500. In the former case, the business has some control and is participating of its own volition, whereas in the second case, a perfectly legitimate business may face extinction through no fault of its own.

I should also make 2 further points:

(1) If memory serves, there used to be a special regime for Northern Ireland, at a time when (and in a place where) protection / ransom was endemic. in other words, when it became a common or garden expense, it was allowed.

(2) Businesses are being forced to use computers by the government. They are not just time-saving devices or potentially advantageous but they are now mandatory, for companies and for employers. And soon for all businesses whose turnovers exceed the VAT threshold, etc. I accept that agents could take on the burden but making that a necessity rather than a choice would be to divorce what I would call an underlying principle, being that a taxpayer is responsible for his or her own affairs, from the pro quo that a taxpayer should be empowered to manage his or her own tax affairs. (And yes, I do appreciate* you will struggle to find that in ITTOIA!). To put it another way, would it really be conscionable for HMRC to deny tax relief if businesses were locked out of their mandated MTD software and had to pay a ransomware demand to get back in?

As tax specialists, we can argue the finer points and that is fine and meet. It is our profession and we are the "experts". But we are also advocates for our clients, and arguably for businesses and taxpayers generally (for if we are not, then who is?). I can guess how things would play out if you told one of your "Average Joe" clients that they couldn't get tax relief on a ransomware payment to retrieve vital business documents and I am pretty sure you could too. I would argue that sometimes the omnibus test has its merits, and this is one of those times.

Regards all,

Lambs

*It has lately dawned on me that not only are we all practising hypocrites, but if I have gotten to the end of the day without spotting my offence, it's more likely to be because I was too dozy to notice than because it didn't happen. At least today's is captured in black and white, for posterity.

[Lambs]

...what, you mean there could be more than one a day? Daaaaaang....