HMRC Security Demand (Notice of Requirement): A UK director's guide

An HMRC security demand is a formal Notice of Requirement to give Security — a statutory notice issued by HMRC's Securities Team (within Individual and Small Business Compliance) requiring the named taxpayer to deposit cash or provide an approved bank guarantee as security against future tax liabilities. The NOR specifies the amount required, the deadline for payment, and the consequences of failure to comply.

Three things distinguish a NOR from other HMRC enforcement actions. First, it relates to future liabilities (or current arrears combined with anticipated future liabilities), not a quantified past debt. Second, compliance can require a substantial up-front cash payment or bank guarantee — typically tens of thousands of pounds, sometimes more — rather than ongoing payment obligations. Third, non-compliance carries direct criminal liability under the relevant provisions, with potential fines per taxable supply made without the security in place.

NORs are typically served on both the company and individual directors at their home addresses. The directors named on the NOR become personally liable for the security — the corporate veil does not protect them in the way it does in standard creditor-company relationships. This personal exposure is one of the principal commercial concerns where NOR risk is in play.

VAT security: paragraph 4(2)(a) of Schedule 11 VATA 1994

The principal VAT security power is paragraph 4(2)(a) of Schedule 11 to the Value Added Tax Act 1994. The provision empowers the Commissioners, where they think it necessary for the protection of the revenue, to require a taxable person — as a condition of supplying or being supplied with goods or services under a taxable supply — to give security or further security for the payment of any VAT that is or may become due.

The threshold is HMRC's assessment that security is "necessary for the protection of the revenue" — a relatively low and discretionary standard. Once the threshold is satisfied, HMRC can require security as a condition of continuing to make or receive taxable supplies. The taxable person can be the company; HMRC's practice is to also serve the directors personally where joint and several liability is asserted.

PAYE and NIC security: the post-2012 regime

HMRC has had power to require PAYE and NIC security since 6 April 2012, introduced by amendments derived from Finance Act 2011 and supported by amendments to the Income Tax (Pay As You Earn) Regulations 2003 and the Social Security (Contributions) Regulations 2001. The reasons for issuance and the calculation methodology are similar to the VAT regime, although the precise statutory mechanics differ.

The PAYE/NIC regime was a deliberate alignment: HMRC's perception was that the existing VAT-only security power left a gap, with directors of phoenix companies often facing VAT NORs while continuing to default on PAYE/NIC. The post-2012 regime closed that gap. PAYE and NIC security demands now operate substantively in parallel to the VAT regime, although VAT security remains the most common in practice.

Other taxes covered

Beyond VAT, PAYE, and NIC, HMRC has security powers in respect of certain other taxes: Landfill Tax, Aggregates Levy, Insurance Premium Tax, Climate Change Levy, and Machine Games Duty. The exposure pattern in these specialist taxes is similar to VAT but the populations affected are smaller. Corporation Tax is not currently within the security regime.

History of non-compliance

The most common trigger is a track record of non-compliance:

• ›Repeated late filing of VAT returns or PAYE submissions (RTI).
• ›Repeated late payment or non-payment of VAT, PAYE, or NIC.
• ›Defaulted Time to Pay arrangements.
• ›Multiple unpaid balances accruing in successive periods.
• ›Business operating in a sector with elevated default rates and the specific business showing default patterns.

HMRC's analysis is based on its internal compliance scoring and risk assessment models. Companies that have engaged actively with HMRC — even where arrears exist — are typically lower-risk than companies that have not engaged. Failed TTPs are a particular risk factor: HMRC's perception is that the company committed to a payment plan and did not deliver, so future compliance cannot be assumed.

Phoenix company scenarios

Phoenix scenarios are the second principal trigger. Where the directors of a previously failed company set up a new company in the same or similar trade — particularly where the new company acquired assets out of administration, pre-pack administration, or liquidation — HMRC's standard expectation is that a security demand is likely. The rationale is that the directors who were responsible for the previous default may continue patterns of behaviour in the new vehicle.

Pre-pack administration is the highest-risk transaction structure for triggering a NOR. The visible continuity of business (same trade, sometimes same premises, same directors) combined with the visible discharge of historic HMRC debt produces close HMRC scrutiny. Practitioners involved in pre-pack transactions where the purchaser is connected to the seller should treat NOR risk as a near-certainty and plan accordingly.

Risk-based assessment

HMRC also issues NORs based on broader risk assessment without a specific default trigger — for instance, where directors have been involved in multiple failed companies, where there is evidence of director disqualification undertakings, or where the company operates in a sector with elevated risk profile. These NORs are less common than default-triggered or phoenix-triggered ones but follow the same statutory framework.

HMRC is not required to give advance warning before issuing a NOR. Where HMRC believes a warning would increase the risk that liabilities will not be paid (for example, by triggering rapid asset disposal), the NOR can be served without prior notice.

Personal service on directors

NORs are typically served on the directors personally as well as the company — with the directors named jointly and severally liable for the security amount. The personal service generally takes place at the directors' home addresses; this is deliberate, both to ensure receipt and to convey the personal-exposure dimension.

Where multiple directors are named, each is jointly and severally liable for the full security amount. Directors' contribution rights between themselves are private commercial matters; HMRC's right to recover the full amount from any one director is unaffected by inter-director arrangements.

Section 72(11) VATA 1994

Section 72(11) of the Value Added Tax Act 1994 makes it a criminal offence for a taxable person (or a body corporate or any officer of it) to make or receive a taxable supply after a NOR has been served without providing the required security. The offence carries fines up to £5,000 per taxable supply (each invoice typically counting as a separate offence under section 37 of the Criminal Justice Act 1991, which sets the maximum standard scale fine on summary conviction). Fines escalate quickly because each transaction is a separate offence.

The leading recent authority is Pugsley v R — a magistrates' court prosecution of a director and his company for failing to comply with a VAT NOR. The case confirmed that the offence is one of strict liability in respect of the conduct (continuing to make taxable supplies without security) rather than requiring proof of dishonest intent. Defences are available but are technical and procedural rather than substantive defences to the conduct itself.

PAYE and NIC criminal exposure

Equivalent criminal liability exists for PAYE and NIC under the post-2012 regime — with directors potentially facing both summary fines and (in the most serious cases involving deliberate non-compliance) wider criminal exposure. The statutory mechanics differ from the VAT s.72(11) framework but the practical exposure is comparable: continuing to operate PAYE without complying with a NOR can produce criminal prosecution.

Personal director exposure — not just corporate exposure — is the standard pattern. Officers "knowingly concerned" in the company's failure to comply can be charged personally. For directors, the consequences extend beyond the immediate fine: a criminal conviction has commercial and reputational consequences, and may engage director-disqualification proceedings under the Company Directors Disqualification Act 1986.

HMRC's policy on prosecution pending review or appeal

Critically: HMRC's policy is not to prosecute under section 72(11) (or the PAYE/NIC equivalents) where a properly-formulated request for independent review or appeal has been made within the 30-day window. This policy protection is the principal procedural defence against criminal exposure during the review/appeal period.

The protection requires precise compliance: the request must be made within 30 days of the NOR; it must clearly engage the review or appeal mechanism (not a general request to reconsider); and it must be addressed to the correct HMRC team. Pugsley v R is salutary on this point — the defendant's communication that he "would like to put forward a case for the consideration of reviewing the decision" was held by the High Court not to constitute a clear request for an independent review, with the result that the company continued operating without security and was prosecuted.

Practical implication: communications during the 30-day window must be precise. "I am hereby requesting an independent review of the decision to issue the NOR pursuant to section 83 VATA 1994 [or analogous provision]" is the kind of phrasing that engages the review mechanism; ambiguous or hedged language is not. Professional input on the wording is materially important during the window.

30-day independent review

The first procedural protection is to request an independent review by HMRC. The request must be made within 30 days of the NOR. The review is conducted by an HMRC officer not previously involved in the decision; their decision is typically issued within 45 days of the request being received.

Independent review can succeed where: HMRC's risk assessment is unreasonable on the available evidence; the calculation is incorrect; specific officers should not properly be targets of the NOR (where, for example, a director was not connected to the previous default); or there is procedural defect in the NOR. The review is the cheaper procedural route — typically free of court fees, although professional input is usually advisable.

First-tier Tribunal appeal

Appeals to the First-tier Tribunal (Tax Chamber) can be made within 30 days of the NOR (or 30 days of an unsuccessful independent review decision). The Tribunal's jurisdiction is to determine whether HMRC's decision was unreasonable in the public-law sense — not to substitute its own view on whether security is appropriate. Successful appeals therefore typically require evidence of: HMRC error of law, factual mistake, or unreasonable exercise of discretion.

Tribunal appeals are technically demanding. Success rates depend heavily on the underlying facts and the quality of evidence. Where the underlying business has a substantial compliance failure pattern, appeals on the merits typically fail; where there are specific procedural or calculation errors, appeals can succeed in part — reducing the security amount, removing specific directors from personal liability, or directing recalculation.

Time to pay the security itself

Where the underlying NOR cannot be successfully challenged but the amount is unaffordable in a single payment, HMRC can in some circumstances agree time to pay the security itself — typically over a short period (3–6 months). Requests should be made before the original deadline, in writing, supported by financial information demonstrating that the company can pay the security with structure but not as a single payment. Time to pay the security is at HMRC's discretion and is not always granted.

Negotiating reduction or release

HMRC will sometimes agree to reduce or release a NOR where the underlying compliance position improves materially. Strong compliance (full and timely VAT/PAYE returns and payments, clean RTI, prompt response to HMRC correspondence) over the security holding period strengthens any subsequent application for early release. Where a NOR was based on phoenix risk, demonstrated compliance over 6–12 months can support release of the security earlier than the standard hold period.

Sometimes the NOR is the trigger that makes formal procedure the correct commercial response. The pattern arises when:

• ›The company is balance-sheet insolvent or cash-flow insolvent at the time the NOR is served, and the NOR amount is unaffordable alongside trading obligations.
• ›The underlying compliance position is genuinely unsustainable and the security would simply delay an inevitable failure.
• ›The directors face material personal exposure that is better addressed through structured insolvency procedure than through continued trading.
• ›The phoenix scenario that triggered the NOR is itself indicative of underlying instability that a security demand will not cure.

In these scenarios, administration, a Company Voluntary Arrangement, or Creditors' Voluntary Liquidation may be the right procedural response. Each has different implications for the NOR — administration's moratorium under Schedule B1 IA 1986 typically pauses the NOR enforcement; CVA can incorporate the NOR into the proposal; CVL transfers the NOR-derived liability to the liquidation context where it is treated as part of the broader unsecured creditor framework.

The choice of procedure depends on the underlying solvency position, the asset base, the trading viability, the realistic prospects of compliance with the NOR, and the directors' personal exposure profile. This is a fact-specific assessment requiring practitioner input.

HMRC's standard hold periods:

• ›VAT security — 12 months for businesses on monthly returns; 24 months for businesses on quarterly returns.
• ›PAYE/NIC security — 24 months.
• ›Other taxes (Landfill Tax, Aggregates Levy, Insurance Premium Tax, Climate Change Levy) — 24 months.
• ›Machine Games Duty — HMRC may release earlier if it concludes there is no longer a risk of non-payment.

During the hold period, the security can be drawn down by HMRC to meet any tax liabilities that fall due and are not paid. Where the security is fully drawn down, HMRC can issue a fresh NOR for further security. At the end of the hold period, where the security has not been used (the company has met all liabilities on time), it is returned to the company — although the time taken to process the return can be substantial in practice.

If you have received a Notice of Requirement to give Security or are anticipating one based on enforcement history or a phoenix scenario, the first step is a conversation with a licensed practitioner. The conversation will assess whether the NOR is properly issued and properly calculated, whether the 30-day review or appeal route can succeed, whether time to pay the security is realistic, and whether formal procedure is the right response. Decisions are typically required within days. There is no charge for the initial consultation and no obligation arising from it. Confidentiality is absolute.

At IQ Insolvency, every NOR engagement is led by a licensed insolvency practitioner from the first conversation. The IP works with specialist tax counsel where the appeal proceeds to First-tier Tribunal. No call centres. No handoffs. One licensed practitioner, start to finish.

Related reading