Company card policy: How to write one that actually works

Most company card policies start out with good intentions. But in practice, a vague policy can lead to more rejected claims because employees are left guessing at what's allowed, whilst your finance team chases breaches instead of preventing them. It also means tax liability. Under the CWG2 guide, card spend that fails the "wholly and exclusively for business purposes" test becomes a taxable benefit in kind, reportable on a P11D form with Class 1A National Insurance contributions for your company.

All the more reason to look into your current card policy and make sure it’s as good as it can be.

The trouble is, even a well-intentioned policy can drift. The document ends up in a shared drive, and its enforcement depends on whoever reviews it that week. Before long, what the policy says and what actually happens are two different things.

This guide covers the sections your policy needs, the UK regulatory requirements behind them, and how to build enforcement into the spending process itself rather than layering it on after the fact. It's based on UK tax and employment guidance available at the time of writing and is not legal or tax advice. Consult a qualified adviser for decisions specific to your company.

Where company card policies go wrong

Most company card policies fail because of three main reasons: the rules are too vague to follow, the controls are too rigid to work, or the enforcement varies from one manager to the next. A Capture Expense analysis of over 371,000 expense claims between 2024 and 2025 found that 78% of rejected claims stemmed from vague or incomplete information.

Rigid controls make it worse. Layered sign-offs and limited card access push employees toward workarounds, especially if they need fast approvals. In practice, those workarounds can undermine audit trails and make spend harder to monitor.

When enforcement depends on human judgement, different managers can apply the same rules differently. In this case, the Institute of Chartered Accountants in England and Wales (ICAEW) highlights the card fraud risk. Inconsistent enforcement creates a specific vulnerability to senior override.

These problems share a root cause. The policy was written as a rules document, but nobody built the rules into the systems people use every day. The result is a false choice that most finance teams know well. Either you become the bottleneck, or you give people autonomy and lose visibility over how they spend.

What your company card policy should cover

A company card policy (sometimes called a corporate card policy or company credit card policy) should cover seven sections, from eligibility and spending limits through to personal use rules and consequences for misuse. A well-structured version removes most grey areas before they reach your inbox. If you've ever had to make a judgement call on whether a team dinner counts as entertainment or a staff function, you know how much time those ambiguities cost.

Here's the full list:

• Eligibility criteria and cardholder agreements

• Approved and prohibited expense categories

• Spending limits by role and transaction type

• Receipt and VAT documentation requirements

• Approval workflows and escalation thresholds

• Personal use prohibition and tax consequences

• Consequences for misuse and card return procedures

Each of these sections solves a specific grey area that costs your team time. Here's what to include and why.

Who is eligible for a company card?

Without clear criteria, card requests turn into ad hoc negotiations and nobody knows who's meant to have one. It helps to define eligibility by role, seniority, or function rather than by informal request. Specify which employment types qualify (permanent employees, fixed-term contractors, and agency workers) and note that contractors and agency workers require separate legal review under HMRC employment status rules. Every cardholder should sign a cardholder acknowledgement before receiving their card.

Approved and prohibited expense categories

The clearer you are about what employees can and cannot spend on, the fewer grey-area claims you'll need to chase. An explicit positive list ("business travel, accommodation, client entertainment, office supplies") paired with an explicit negative list ("personal purchases, gambling, and cash withdrawals") removes the judgement calls that lead to rejected claims and wasted time.

For UK tax purposes, remember that entertainment rules differ from the rules for staff functions. Your expense policy should make these distinctions explicit so employees aren't surprised when claims are handled differently.

Spending limits

How strict should your limits be? Too tight and employees might have to work around the policy. Too loose and you're reviewing every other transaction at month-end. You'll want to set limits at three levels: per transaction, daily, and monthly. Tier these by role. A junior employee's stationery budget is different from a senior manager's client entertainment allowance, so their per-transaction limits and approval requirements should reflect that difference.

Receipt and documentation requirements

At quarter-end, your finance team shouldn't be sorting through a folder of card terminal slips trying to piece together which transactions qualify for VAT reclaim. That's the situation a weak documentation policy creates. A credit card slip alone is not sufficient evidence for VAT reclaim. VAT Notice 701/48 covers corporate purchasing cards and how VAT is accounted for when they are used to buy goods and services.

Ideally, you would require employees to submit full VAT receipts, showing the supplier's VAT number, VAT amount, and date, within five working days of the statement date. A brief business purpose statement alongside the receipt protects you during HMRC enquiries and makes card reconciliation faster for your team.

Rules your policy needs to enforce

The sections above tell employees what they can spend on and how to document it. These next three are where most policies get tested, because they cover the questions nobody wants to answer twice: who signs off, what counts as personal use, and what happens when someone breaks the rules.

Approval workflows

Every approval step you add slows spending down. Every step you remove reduces visibility. The challenge is finding the level where your finance team trusts the process and your employees don't feel like every coffee order needs a signature.

Define who approves what, at which thresholds, and in what sequence. A common structure is for line managers to approve up to a set amount, with finance reviewing anything above that threshold after the line manager has already signed off.

If your programme includes both corporate-liability cards (where the company pays the issuer directly) and individual-liability cards (where the employee pays and claims reimbursement), your policy should state which model applies. The liability model affects how personal use is treated and who carries the tax exposure, so your P11D reporting provisions need to reflect the distinction.

Personal use rules

Someone on your team will eventually tap the wrong card at a petrol station. How your policy handles that moment matters more than you'd expect.

Personal use of a company card is a taxable benefit in kind under HMRC rules, which is why this is one section where precise language pays off. You're required to report any personal expenditure on a P11D form, and the employee will be liable for income tax on the benefit's value. Your company will also incur Class 1A National Insurance contributions.

According to the Low Incomes Tax Reform Group (LITRG), the taxable benefit is the amount paid by the employer for any goods or services bought on the card, unless those are purely for business purposes. Including a clear repayment timeline gives both sides clarity from the outset.

Consequences for misuse, card security, and return

Nobody enjoys writing this section, but the first time you need it and it isn't there, you'll wish you had. Your policy should set out a graduated framework. A written warning and mandatory repayment for a first minor breach. Card suspension and formal disciplinary proceedings for repeated breaches (and be exact on the number of breaches). Immediate cancellation with referral to authorities for fraud.

If your policy includes a salary deduction clause for recovering unauthorised spend, you'll need to comply with the Employment Rights Act, which requires either a specific clause in the employment contract or prior written consent from the employee. The cardholder agreement signed at card issuance is a practical place to obtain this consent.

The same section should require employees to report lost or stolen cards immediately and return their card upon resignation, extended leave, or role change.

How to enforce your policy without chasing receipts

If your current enforcement process involves your finance team sending reminder emails that get ignored, you already know the problem. The most effective approach to enforcement is building the rules from your policy directly into your payment system. Compliance becomes the default rather than something someone has to chase.

Card-level controls prevent violations before they happen. You configure the card itself with spend limits, merchant category restrictions, and geographic controls. If your policy prohibits gambling, the card declines the transaction, with no human intervention and no awkward conversation.

Automated receipt enforcement transfers the chase from your finance team to the system. Instead of your finance team chasing employees for missing receipts, the system does it. One approach is to automatically block spending for repeat offenders until outstanding receipts are submitted. This means the conversation about compliance happens between the employee and their card, not between the employee and their finance controller.

For example, Silverfin, a 200-person financial reporting platform, needed spend controls that could scale with a growing team without adding back-office headcount. According to Tom Libbrecht, VP Finance at Silverfin:

Based on Spendesk data, customers using automated receipt enforcement achieve up to 98% receipt collection rates.

That's the difference between chasing receipts at month-end and not thinking about them at all.

Pre-approval workflows embedded in the spending process mean approval happens before the money leaves. You configure sequential workflows so that spend under a certain threshold is approved by the line manager alone, and your finance team only sees requests that exceed a higher threshold.

Keeping your policy current

Assign a named owner and build version control into the document. Even a strong policy will drift out of alignment if nobody is responsible for maintaining it.

One specific review trigger is already on the calendar. From April 2027, mandatory payrolling of most benefits in kind will largely replace the current P11D process, although P11Ds will still be required for certain benefits such as employment-related loans and accommodation. If your policy references P11D reporting, it will need updating.

Your card programme also generates personal data, so your policy should include a data protection section. Reference your staff privacy notice, confirm Article 6 as your lawful basis under UK GDPR, and state a minimum six-year retention period to satisfy HMRC record-keeping requirements.

Writing a policy your newest employee can follow

The test of a company card policy isn't whether your finance team can explain the rules. It's whether your newest employee can make their first company purchase and get it right without asking anyone a question. That means the document defines the rules clearly, your spending systems enforce them automatically, and your review cycle keeps them aligned with how your company actually operates.

If you're building or revising your company card policy and want to see how automated card controls, receipt enforcement, and approval workflows work in practice, Spendesk offers a guided demo aligned with the policy sections covered in this guide.

Frequently asked questions about company card policies

What is the difference between a corporate card and a company credit card?

"Corporate card" is a broad term covering any card issued by a company for business spending, including charge, prepaid, and virtual cards. "Company credit card" specifically refers to a revolving credit facility where balances can be carried month to month. The distinction matters for your policy because the liability model and spending controls differ between the two.

Can employees use a company card for personal expenses?

No. Personal use of a company card creates a taxable benefit in kind under HMRC rules. Your policy should prohibit personal use explicitly and define a repayment process for any accidental personal transactions, including the timeline for repayment.

How do you set spending limits on a company card?

Set limits at three levels: per transaction, daily, and monthly. Tier them by role or seniority. Spend management platforms let you configure these limits at the individual card level and enforce them automatically at the point of transaction, which means your policy rules become spending rules rather than guidelines people can overlook.

How long do you need to keep company card records?

Under HMRC's general record-keeping rules, you should retain card transaction records for a minimum of six years from the end of the accounting period. This covers both tax compliance and potential audit requirements.