Company Card Policy Best Practices: A Complete Guide for Finance Teams

Why Company Card Policies Matter in 2026

A company credit or debit card is one of the most powerful tools a business can give employees — and one of the riskiest without proper guardrails. Company card policies define who can use business cards, for what purposes, and under what spending limits. They protect the business from unauthorized expenditures, simplify bookkeeping, and ensure full compliance with local tax authorities.

According to the Association of Certified Fraud Examiners, expense reimbursement fraud costs organisations a median of £26,000 per incident. A clear, well-enforced company card policy dramatically reduces this exposure. Without a written policy, employees may assume any business-related purchase is automatically permissible — leading to overspending, misuse, or honest mistakes that become costly to untangle at tax time. This guide walks you through what a strong policy should contain, how to implement it, and the best practices leading finance teams use in 2026.

What Is a Company Card Policy?

A company card policy is a formal document that governs the issuance and use of corporate credit cards, charge cards, or prepaid business debit cards. It creates a contractual framework between the employer and the cardholder, defining rights and obligations on both sides. It typically covers: eligibility criteria for cardholders, individual spending limits per transaction and per period, permitted and prohibited expense categories, receipt and documentation requirements, approval and review processes, and consequences for policy violations.

A well-drafted policy also protects employees: it eliminates ambiguity about what is reimbursable, reduces the risk of inadvertent policy breaches, and provides a clear escalation path when unusual situations arise. Finance teams benefit from reduced back-and-forth at month-end, cleaner audit trails, and faster reconciliation cycles.

Key Elements of a Strong Company Card Policy

1. Cardholder Eligibility

Not every employee needs a corporate card. Define clearly which roles are eligible — typically department heads, frequent business travellers, procurement officers, and senior managers. Cards should be issued based on documented business need, not seniority, and approval must come from the employee's direct manager plus the finance department. Keep an active register of all issued cards, including cardholder name, issue date, spending tier, and any restrictions. Review this register quarterly and revoke cards when roles change or employees leave.

2. Spending Limits

Set both per-transaction and monthly limits appropriate to each role and responsibility level. Typical tiers for a mid-size UK business might look like this:

  • Field sales representatives and junior staff: £200 per transaction, £1,500 per month
  • Department managers and team leads: £500 per transaction, £3,000 per month
  • Senior managers and directors: £1,500 per transaction, £7,500 per month
  • Executive team: £3,000 per transaction, reviewed and approved annually by the board

Out-of-limit purchases require explicit pre-approval with a written business justification. Review limits annually — what worked three years ago may not reflect today's business operations or inflationary pressures. Out-of-country purchases may warrant a separate international spending limit or require prior notification to the card issuer to prevent fraud blocks.

3. Permitted and Prohibited Expenses

Permitted expenses typically include: business travel (flights, rail, hotels within per-diem limits), client entertainment within approved thresholds, office supplies up to a defined single-purchase value, software subscriptions directly tied to the employee's role, professional membership fees, and approved conference or training fees. For client entertainment, require documentation of the business purpose and attendees.

Prohibited expenses include: personal groceries or household purchases, alcohol outside of approved client meals, cash advances, gambling and lottery purchases, personal streaming or subscription services, gifts not tied to an approved gift policy, and any purchase for a family member or third party not associated with the business. Make this list specific and exhaustive — vague language like "non-business purposes" creates ambiguity that employees will interpret differently and auditors will question.

4. Receipt Requirements and Documentation Standards

Every company card transaction must be matched with a valid receipt or invoice within five business days of the transaction date. Acceptable documentation includes: itemised digital receipts showing items purchased, quantities, and VAT breakdown; e-invoices meeting HMRC requirements; VAT invoices for purchases over £250; and bank statements for recurring subscription charges where no per-use receipt is generated. For meals and entertainment, document the business purpose and names of attendees.

Lost receipts are not a blanket excuse. Require a written statutory declaration or manager-signed explanation form. More than two lost-receipt incidents in a rolling 12-month period should trigger a formal review of the cardholder's documentation habits. Tools like Bill.Dock automate receipt capture — employees photograph receipts immediately after purchase via mobile app, the system matches them to card transactions automatically, and managers receive real-time alerts for exceptions. This eliminates costly end-of-month scrambles and reduces the audit risk substantially.

5. Expense Codes, Cost Centres, and VAT Allocation

Require employees to assign each transaction an appropriate cost centre, departmental budget code, and VAT treatment. For UK businesses, correctly identifying input VAT on business expenses is essential for accurate VAT returns — mistakes here can lead to claw-back demands from HMRC. For EU-based businesses operating under VAT OSS or with cross-border supply chains, the rules are more complex and should be specified explicitly for common purchase types. Automating this coding step through expense management software reduces the burden and improves consistency across the organisation.

6. Approval and Review Process

A two-step review process is the industry standard: first-line approval by the cardholder's direct manager (who confirms business purpose and reasonableness), followed by a finance team review (checking coding accuracy, limit compliance, and documentation completeness). For high-value transactions above a defined threshold, explicit pre-approval should be required rather than retroactive sign-off — this creates a stronger control and a clearer audit trail.

7. Cardholder Responsibilities and Card Security

Each cardholder must sign an acknowledgment confirming they have read and agree to the policy. Key responsibilities: keep the card secure, never share it, use it only for business purchases, report loss or theft immediately, submit all expenses with documentation by the deadline, and stay informed about policy updates. The card remains company property at all times.

8. Consequences for Policy Violations

Set out a proportionate escalation path: a formal written warning for a first-time minor violation, card suspension for significant unauthorised purchases, card revocation and salary deduction for confirmed personal charges, and disciplinary action up to termination for intentional fraud or repeated serious violations. Criminal fraud should lead to police referral and civil recovery.

Common Company Card Policy Mistakes

Even well-intentioned policies fail when they contain these common flaws:

  • No periodic review: A policy written in 2019 does not account for remote work, SaaS subscription proliferation, or current fraud patterns. Commit to annual reviews with finance, HR, and legal sign-off on changes.
  • Overly complex approval chains: If obtaining pre-approval for a £150 conference ticket takes five business days and four signatures, employees route around the system. Streamline to a maximum of two approvers, with time-bound escalation if approval is not received within 48 hours.
  • Vague receipt rules: "Keep receipts" is insufficient guidance. Specify the acceptable file formats, the submission deadline (days, not weeks), the retention period (seven years to cover HMRC requirements), and the exact digital storage location.
  • One-size-fits-all spending limits: A £500 per month limit is appropriate for junior staff making occasional purchases but paralyses a department manager who runs monthly team events. Tiered limits matching role and responsibility solve this without compromising control.
  • No digital audit trail: Paper-based approval chains are slow, prone to loss, and opaque to auditors. Modern expense management platforms create an immutable digital record of every transaction, approval, and exception.

Implementing the Policy: A Step-by-Step Approach

  1. Draft collaboratively: Involve HR (employment law compliance, disciplinary procedures), legal (liability clauses, data protection), and finance (practical spending limits, coding requirements). Each team catches blind spots the others miss.
  2. Get executive sign-off: Board or CFO approval lends the policy genuine authority and signals company-wide commitment. Without senior sponsorship, finance teams struggle to enforce it against resistant managers.
  3. Communicate clearly: Roll out with a training session, not just an email. Walk through real scenarios: what counts as a valid receipt, what to do when a purchase is close to the limit, how to handle a client dinner where the receipt is unclear. Employees who understand the rationale comply far more readily.
  4. Automate enforcement where possible: Use expense management software to enforce spend limits at the card level (so the transaction declines if it exceeds the limit), automatically flag out-of-policy submissions before they reach a manager's inbox, and route approvals digitally with time stamps and audit logs.
  5. Audit regularly: Run quarterly spot-checks on a random sample of transactions across all card tiers. Share aggregate findings — not individual names — in a finance newsletter to maintain awareness and deter complacency.

Frequently Asked Questions

Who is responsible for paying a company card bill?

The company is responsible for the card statement and all charges on it. However, if an employee makes an unauthorised personal charge — intentionally or inadvertently — the company can reclaim that amount via salary deduction (requiring prior written agreement in the employment contract) or through a formal written repayment plan. The policy should specify the recovery mechanism, including applicable interest for unresolved amounts.

Can an employee refuse to use a company card?

Generally yes — employees cannot be compelled to hold or use a company card if they have a reasonable objection. However, for roles where frequent business purchases are an inherent job function, a refusal without good reason may be addressed through normal performance management channels, particularly if it creates an administrative burden on the business. Check employment law in your jurisdiction before making card use a contractual requirement.

How long should company card receipts be kept?

HMRC requires business expense records to be retained for a minimum of six years from the end of the tax year to which they relate. EU tax jurisdictions typically mandate five to ten years depending on the country. For a simple, consistent rule across all jurisdictions, a seven-year retention period for all expense documentation is a safe and widely adopted default.

What happens if a company card is lost or stolen?

The cardholder must immediately contact the card issuer to freeze or cancel the card, then notify the finance department and their direct manager in writing. The policy should include the card issuer's 24-hour emergency number prominently. Most major issuers provide zero-liability protection for fraudulent transactions reported promptly — prompt reporting is therefore both a policy requirement and in the employee's own interest. A replacement card should be issued only after the incident is logged and, for suspicious circumstances, a brief internal investigation is completed.

How can technology reduce company card policy violations?

Modern expense management platforms address violations at two levels. Prevention: spend limits are programmed at the card level so out-of-policy transactions are declined automatically; merchant category codes can block entire purchase categories (for example, no cash advances or no luxury retail). Detection: real-time alerts notify managers immediately when a transaction is flagged; AI-powered anomaly detection identifies suspicious patterns across cardholder populations. Tools like Bill.Dock combine both layers, reducing the compliance burden on finance teams while maintaining the full audit readiness demanded by modern tax authorities and corporate governance standards.

Conclusion

A company card policy is not a bureaucratic formality — it is a foundational financial control that protects the business from fraud, supports employees in making correct decisions every time they swipe, and keeps the books clean for annual audits and tax filings. Investing a day to draft, review, and deploy a rigorous policy pays dividends in reduced fraud exposure, faster month-end closes, and more confident audit responses for years to come.

If you are ready to move beyond a policy document and enforce spending rules automatically at the card level, tools like Bill.Dock help finance teams build automated card controls, seamless receipt capture, and digital approval workflows into a single platform — turning your policy from a document on a shared drive into a live system that enforces itself every time an employee makes a purchase.
