Skip to main content
Corporate report

Progress against report recommendations

Published 15 July 2026

Introduction

HMRC commissioned His Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS) to produce a report on our defences against insider risk. The fieldwork took place in January and February 2024.

We are grateful for their work and have acted on it: this page details how we have substantially completed 20 of the 22 recommendations, and the work underway on a pragmatic and proportionate response to the remaining 2.

Recommendations and progress

1. Nominate a member of HMRC’s Executive Committee to be the lead for counter-corruption across HMRC

Make sure that there is a cohesive governance arrangement for all aspects of HMRC’s counter-corruption activities.

Progress: complete

Chief Digital and Information Officer appointed as Insider Threat Lead providing visible senior ownership of the insider risk, security and counter-corruption portfolio. Chief People Officer appointed as the ExCom Senior Sponsor for Insider Threat-strengthening alignment with people risk, employment and recruitment controls, and conduct related activity.

Insider Risk Mitigation Team and Insider Risk Management Service set up to coordinate all activity.

Security and Resilience Oversight Board set up to provide strategic oversight and challenge, and an escalation route to ExCom with regular reporting into HMRC ExCom, and oversight of Permanent Secretary.

Sir Craig Mackey appointed as HMRC Board Security Non-Executive Director. Sir Craig worked as a senior police officer for more than 16 years with five years as a Chief Constable and seven years as Metropolitan Police Deputy Commissioner. In 2019 to 2020, he completed an independent review of Serious and Organised Crime for the government.

Three-year Counter Internal Fraud strategy launched April 2025 — endorsed by the Public Sector Fraud Authority. Annual action plan will track continuous improvement.

HMRC has appointed an independent expert advisor with decades of experience at the most senior levels, including within the security services, to support governance.

2. HMRC should put in place a formal written scheme of delegation for all decision making under the Revenue and Customs (Complaints and Misconduct) Regulations 2010

Progress: complete

Acting on legal advice advising against the creation of a Scheme of Delegation HMRC has introduced a Regulations Decisions Framework in February 2026 to address the intent of the recommendation (The regulations were updated in 2025 and are now applied differently).

3. Change the decision-making process in criminal and relevant misconduct investigations under the Revenue and Customs (Complaints and Misconduct) Regulations 2010

These changes should involve: 

  • giving a more prominent role to Internal Investigations officers who are trained in administering the Revenue and Customs (Complaints and Misconduct) Regulations 2010, and providing Expert Advisory Service officers with the requisite training
  • making sure that in all misconduct and criminal investigation, decision makers are always advised by officers who have been trained on these Regulations
  • making sure there is a greater recognition of any criminality involved, and that due weight is attached to the seriousness of the matter
  • securing compliance with all the regulatory requirements including (but not limited to) always recording misconduct matters properly and referring certain cases to the Independent Office of Police Conduct (IOPC)

Progress: substantially complete

HMRC has ensured there are clearer handovers between Internal Investigations, which leads on criminal cases, and its Employment Advice Service, which handles misconduct cases, which are dealt with under civil law.

Internal Investigations now see any case that involve fraud or criminality — this means it is for criminal justice experts to determine whether they should step in. As well as better, and definitive guidance, a data capture processes make it easier for the teams to share material.

Decision-makers in the most serious misconduct and criminal investigations are advised by officers trained in the Revenue and Customs (Complaints and Misconduct) Regulations 2010. An Internal Investigations investigator will be appointed to the most serious cases.

Introduced new training for decision makers on misconduct investigations. If suspected criminality emerges during a conduct investigation, it will be referred to Internal Investigation.

Processes for misconduct cases have been updated to ensure they are properly recorded and that all mandatory referrals to the IOPC take place in line with legislative and procedural requirements. These have been tightened and more clearly defined.

Further actions:

  • by August 2026 we will finalise and approve the end-to-end process review action plan
  • by August 2026 we will have fully strengthened the end-to-end case triage process to ensure all potentially criminal cases are captured at the earliest point

4. Create and implement a process to produce an effective counter-corruption strategic threat assessment and an associated control strategy

The process should:

  • allow for a more comprehensive assessment, including consideration of misconduct-related matters not referred to or investigated by Internal Investigations
  • lead to the production of a control strategy (or similar document) that specifies the counter-corruption prevention, intelligence and enforcement activities that HMRC should carry out

Progress: complete

HMRC now considers more diverse insider risk data sources, including consideration of misconduct issues that have not been referred to, or investigated by, Internal Investigations.

Prevention controls and activities to reduce insider risk are set out in HMRC’s new internal counter-fraud strategy.

5. Strengthen its counter-corruption governance structure to improve the investigation and prevention of corruption

Progress: complete

New digital reporting tool is now completed by decision-makers when misconduct/gross misconduct cases are closed.

This provides HMRC’s Internal Investigations, Insider Risk, Vetting and System Audit Data Analysis teams with closure reports — making it easier to share HR information where there is a legitimate interest, quickly request additional material where needed, and allows simpler reporting to governance boards.

The tool also supports trend analysis of misconduct and insider activity so hotspot areas can quickly be targeted. The Insider Risk team has access to high-level case data collected by HR so they can identify trends.

6. Develop a programme of internal communications

This is to:

  • inform officers of corruption risks and how to report concern
  • make sure it publicises internally the outcomes of gross misconduct cases and cases where officers have been convicted of corruption-related offences

Progress: complete

All HMRC staff will undertake mandatory Cabinet Office Counter-Fraud, Bribery and Corruption (CFBC) learning. This will be delivered over the next 12 months, followed by targeted risk-based annual refresher training.

All new starters will continue to be required to complete full CFBC learning as part of their induction.

All colleagues in high-risk roles (where the nature of the work, level of access, or degree of influence creates an increased exposure to insider threat, and where misuse of authority, access or information could cause significant harm) will receive in-depth annual refreshers.

Communications framework developed to ensure HMRC communicate insider risk in a way that is consistent, lawful and can act as a deterrent.

Delivery of an ongoing internal campaign is underway. This includes regular awareness activity across HMRC (such as Fraud Awareness Week), supported by targeted communications to audiences or business areas identified as potential hotspots.

Senior managers will land localised communications in specific teams or groups, as per recommendations from the International Public Sector Fraud Forum.

Successful outcomes now being publicised — for example, the prosecution and sentencing of a former HMRC employee — through an all-staff intranet message.

7. Resources

Make sure that there are sufficient:

  • resources employed in investigative and intelligence teams to cope with current and future demand
  • dedicated intelligence analytical resources to support internal counter corruption investigations
  • dedicated prevention officers in Internal Investigations to engage on a wide range of prevention activities

Progress: complete

110 staff are now in post as of 1 June 2026 and this will increase to 125. At the time of the report the team was funded for 114 roles and 93 were in post.

The team are supported by additional specialists across security, HR, data and criminal justice, including the 5,000-strong Fraud Investigation Service.

Better ways of working (including new processes and use of digital systems) have enabled Internal Investigations to complete more investigations — 281 in 2024 to 2025 compared to 148 in 2021 to 2022. The team can move from threat awareness to arrest within 24 hours.

There are now 12 people working full-time on insider risk intelligence. This team was being set up at the time of the report and HMRC shared its recruitment plans with the inspectorate.

Prevention responsibilities are assessed through HMRC’s wider Insider Threat governance, coordinated within HMRC Security. Resource levels will be kept under constant review and are felt to be sufficient.

8. Commission a training needs analysis for all departments that have a counter-corruption role

This is to make sure that:

  • it identifies and understands the training requirements for officers who play an integral role in corruption prevention and investigation
  • it determines the nature, frequency and number of courses required to meet changes in the organisation, and uses this to support the case for funding this training
  • continuous professional development is focused on the most relevant training for the different roles in corruption prevention and investigation
  • training to officers in covert roles is given to them without risking operational security

HMRC should repeat the training needs analysis annually as part of its business planning cycle.

Progress: complete

A new Training Needs Analysis (TNA) has been completed and will be reviewed annually.

All Internal Investigations insider risk and intelligence staff are trained to Level 4 of the Government Counter Fraud Profession and are trained as authorised officers under the Police And Criminal Evidence Act.

A dedicated training SharePoint has been developed for colleagues identified as integral to insider risk work and will be reviewed annually. Completion rates will be measured and reported to ExCom bi-annually.

9. Make sure that training for all officers involved in investigations, including those under the Revenue and Customs (Complaints and Misconduct) Regulations 2010 is comprehensive

Make sure that training covers:

  • the aspects of the Revenue and Customs (Complaints and Misconduct) Regulations 2010 that are the most relevant to the decision-managers role
  • recognising criminal matters that may arise in conduct matters
  • how best to proceed without prejudice to a potential criminal prosecution
  • the relevant disclosure obligations under Criminal Procedure and Investigations Act 1996 (CPIA) 

Progress: complete

All training and supporting materials for decision-makers and other relevant officers refreshed in February 2026. The new material covers all of the points raised by the inspectorate.

10. Carry out a major overhaul of its vetting arrangements and make improvements

Improvements should include:

  • putting in place a complete designated HMRC post list with assigned vetting requirements for all roles
  • introducing an enhanced vetting scheme specific to HMRC (working in parallel to BPSS and NSV vetting) that includes (but isn’t limited to) checks of the Internal Fraud Register, the Barred and Advisory Lists and HMRC’s internal intelligence (Centaur) and case management systems:
    • making sure that, other than in the exceptional circumstances described in the Personal Security policy, the vetting process is complete before applicants for permanent jobs and agency workers take up their posts
    • it should also monitor the number of ‘working at risk’ assessments regularly
  • storing HMRC officers’ vetting details on an HMRC networked system with a back-up system — vetting systems should allow for lawful and appropriate sharing of data between HR, HMRC Vetting and Internal Investigations

Progress: partially complete

Designated post list will be introduced by 31 March 2027.

Enhanced vetting options being scoped with implementation expected by 31/03/2027. Scoping will establish additional checks including Barred and Advisory lists, Centaur and case management systems.

Vetting processes are now completed before agency and permanent workers take up post, unless there are exceptional circumstances. Between 1 January 2025 and 1 January 2026, 4,705 were issued.

HMRC has introduced a proportionate ‘working at risk’ process for a very small number of business-critical roles. This includes controls to mitigate any potential risk. This applied to 17 individuals as of 26 January 2026.

Work on the storage of vetting details on networked systems was completed in March 2026. While current arrangements do not permit lawful data sharing (beyond clearance status) between HR, HMRC Vetting and Internal Investigations, work is continuing to assess whether a suitable legal framework can be put in place to support this.

11. Update the Personnel Security policy

Updates to include:

  • routine reviews for officers with Basic Personnel Security Screening
  • re-vetting of officers following a criminal conviction or where there has been a disciplinary finding of misconduct or gross misconduct
  • reviewed vetting of officers as part of annual management reviews to identify and address any changes in circumstances that may present a corruption risk
  • re-vetting of officers when they change roles to one that requires a higher level of vetting
  • mandating that HMRC verifies, and stores on its systems, the vetting checks of all agency workers by recruitment agencies

Progress: substantially complete

HMRC’s Personnel Security policy has been fully updated to confirm that managers must consider the risk of insider threat as part of routine reviews (at least annually) and the requirement to report concerns. It includes:

  • re-vetting of officers following a criminal conviction or where there has been a disciplinary finding of misconduct or gross misconduct
  • reviewing the vetting of officers as part of annual management reviews where changes in circumstances may present an insider risk
  • re-vetting officers when they change roles to one that requires a higher level of vetting
  • Verification of checks on all agency workers, which are then stored on HMRC systems

Further action: routine reviews for officers with Basic Personnel Security Screening is being established with HMRC currently considering the legal framework for implementation.

12. Carry out a data comparison exercise, in which it compares its personnel data with Police National Database records

Progress: partially complete

HMRC is examining how it can access and use Police National Database records for this purpose. It aims to run a pilot later in 2026 to inform decision making regarding the proportionality and necessity of a wider exercise.

13. Should update its gifts and hospitality policy to prevent misinterpretation

The policy should:

  • make clear that officers should record gifts and hospitality on a central register and that a central team should check those entries for compliance and consistency
  • specify the type of gifts that officers can accept and what should notify to managers
  • include instruction on how officers should record gifts and hospitality and offers of gifts and hospitality

Progress: complete

This is already part of the Government Counter Fraud Functional Standards. HMRC Security reviewed compliance within the department in May 2025 and found the policy and process to be robust. Two minor recommendations were made and accepted.

14. Should develop and implement a single business interests’ policy (including voluntary activities)

The policy should specify:

  • the types of business interests that are likely to be compatible and incompatible with working for HMRC
  • the application and approval process, including the factors that officers, their line management and anyone else who is part of the approval process, should be consider
  • the monitoring and review process

Officers should record all applications and subsequent decision-making on compatibility on a central register. The application, approval and review processes should be managed centrally. The information should be available to Internal Investigations for investigative and intelligence purposes.

Progress: substantially complete

Single business interests’ policy is incorporated within HMRC’s wider Conflict of Interest policy. This sets out:

  • compatible and incompatible business interests
  • application and approval process
  • monitoring and review process

Declarations will be stored centrally from Q3 2026 to 2027 on a central repository, with process oversight from HR Policy. It will have a reporting capability so HMRC can understand and analyse patterns and trends.

Individual declarations will be available to Internal Investigations as required.

All data will be available to RIS analysts to inform HMRC’s risk profile, meeting the intent of the recommendation.

Further action: by December 2026 we will have implemented a central register and annual declaration.

15. Develop and implement a notifiable associations policy

The policy should specify which categories of people are notifiable and the nature of the association that would be needed to make them notifiable.

In line with the College of Policing professional standards counter corruption (prevention) authorised professional practice, the policy should include:

  • how to report the notifiable association
  • the review process
  • the scope for restrictions to be placed on the relationship
  • a requirement to notify changes in the relationship
  • recording methods

Notifications should be reported, recorded and assessed centrally.   Cases of significant risk should be managed through appropriate management action or a service confidence policy.

HMRC should consider whether Internal Investigations should manage the policy and process. This should make sure that the relevant intelligence is managed appropriately and accessible for future investigative or intelligence purposes.

Progress: substantially complete

A notifiable associations policy has been being incorporated into HMRC’s Conflict of Interest policy (as per HMI 14) and developed in line with the HMI recommendations. It sets out reporting, review process, scope for restrictions, requirement to notify changes and recording.

Complex issues will be escalated to HR for specialist advice who will triage and involve Internal Investigations and Security where required.

Conflict of Interest work (HMI 14) now includes a pilot for a central data hub which intelligence analysts can access. Internal Investigations are able to request details of declarations (along with other HR data) as required.

Further action: by December 2026 we will have implemented a central register and annual declaration.

16. Ensure that the policy in respect of drugs and substance misuse includes a ‘with cause’ drugs testing regime

  • explain that using drugs in the workplace or private life is prohibited
  • include an explanation of ‘with cause’ drug testing and the rights and obligations of officers who are tested

Progress: complete

HMRC has established controls to address drug and alcohol misuse, including clear conduct standards.

It already has arrangements in place to carry out drug testing in specific circumstances where this is justified by the nature of the role and associated risks; for example, in safety-critical or security-sensitive contexts.

HMI’s recommendations are more appropriate for a police force rather than a predominantly customer service/office-based organisation. HMRC’s targeted approach is consistent with many large employers.

The system should consider adopting some or all of the categories of corruption-related intelligence defined in the College of Policing counter corruption (intelligence) authorised professional practice, adapting any as appropriate.

Progress: complete

Internal Investigations’ categorisation system broadly aligns with College of Policing authorised professional practice although these do not all meet HMRC and government requirements.

The system is updated in real time, reviewed monthly, and refined as new risks or case types emerge.

18. Make sure Internal Investigations has exclusive access to a secure intelligence and case management system

The system should record and manage its intelligence and investigations appropriately in line with College of Policing intelligence management authorised professional practice.

Progress: complete

HMRC has adopted a secure intelligence, workflow and case management system used extensively across policing and law enforcement. This will manage and record intelligence and investigations in line with College of Policing professional practice.

19. Prioritise and manage intelligence

Make sure:

  • corruption-related intelligence is formally prioritised
  • it introduces a ‘tasking process’ to manage intelligence and direct activity

Progress: complete

Internal Investigations has robust systems for prioritising insider risk related intelligence, supported by daily triage and an auditable tasking process.

Case managers assess each intelligence item for credibility, relevance and urgency, develop strategies, assign actions, and review progress through daily, weekly and monthly processes, including an Intelligence Triage meeting which feeds into its oversight group.

20. By 28 February 2026, HMRC should give Internal Investigations officers access to all HMRC IT systems, including Public Department records

Progress: complete

A limited number of Internal Investigations officers will receive case by case access to all relevant HMRC IT systems, including those documenting employees’ tax affairs where appropriate secured access is necessary.

21. Review how it handles internal reports of wrongdoing

There should be a single policy that distinguishes between making a report of wrongdoing and making a protected disclosure under the Public Interest Disclosure Act 1998.

The policy should ensure that:

  • there is an appropriate process to effectively record information from those reports (in accordance with The Revenue and Customs (Complaints and Misconduct) Regulations 2010 and the Public Interest Disclosure Act 1998)
  • officers who handle reports of wrongdoing and protected disclosures are suitably trained in how to:
    • handle intelligence
    • identify and record crime or conduct matters appropriately
    • deal with protected disclosures

Progress: complete

Single updated policy agreed in February 2026. This sets out how information should be recorded in line with legislation, with training underway.

22. Develop a process for lawful business monitoring and investigations

Develop a process to make sure:

  • Internal Investigations has direct access to all HMRC systems for lawful business monitoring purposes
  • it makes better use of lawful business monitoring to proactively develop corruption intelligence and enhance investigations

Progress: substantially complete

Internal Investigations has access to all HMRC systems necessary for lawful business monitoring and can proactively develop intelligence.

Further action: further enhancements are planned that will give Internal Investigations access to new IT tools to further support intelligence.