Several Brexit-related issues arise for the compliance agenda. We highlight a number in this issue, but there are other important matters too.
Risk Update January 2021
Anti-Money Laundering (AML) and Financial Sanctions (Jan 21)
Firms which fall within the changed, wider definition of ‘tax advisers’ need to notify the Solicitors Regulation Authority (SRA) before 10 January 2021 if they have not already done so. A link to the SRA Tax Adviser Guidance, which contains details of the process, can be found on www.legalrisk.co.uk/News.
Under regulation 3 of the Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019, the definition of a ‘third country’ is a country outside the UK, as opposed to the previous definition of one outside the EEA. So, for example, the provision of nominee directors or shareholders for a European client or the formation of companies in Europe would be relevant to enhanced due diligence under regulation 33 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
The SRA continues to inspect firms, and in some cases this has led to referral for formal investigation.
A number of themes emerge from their inspection of policies, controls and procedures, staff interviews and file review. These include the requirement (where applicable) for independent audit, screening, firmwide risk assessments (including evidence of the process by which they were produced), matter risk assessments, and treatment of Politically Exposed Persons (PEPs) and other higher risk clients and matters. File reviews have identified issues such as inadequate customer due diligence, insufficient investigation into source of funds (including their origin) and source of wealth.
Independent audit has been raised as an action item even with a provincial practice with fewer than ten partners. In many cases training, even from well-known online providers, has not fulfilled key statutory requirements. The quality of training is important because customer due diligence and ongoing monitoring cannot be the function of the risk and compliance team alone: the role of client-facing staff is critical.
We have audited many leading UK and US based firms and advised on responses to SRA action. We also provide training for compliance teams as well as fee earners and support staff.
Revised guidance from the Legal Sector Affinity Group (LSAG) is expected imminently and it is anticipated that it will be published in advance of obtaining HM Treasury approval. We will provide a link to it on our website when it is available.
Given the partial overlap in issues raised, firms will also want to consider the integration of their AML processes with DAC6/Mandatory Disclosure Regime (MDR) compliance (as to which see further below).
In the United States, the Corporate Transparency Act provides for a new US federal reporting requirement for beneficial owners of companies formed or operating in the USA (with several exceptions).
The UK is no longer implementing EU sanctions. All sanctions regimes will now be implemented through UK regulations.
Professional indemnity insurance and ‘silent cyber’ (Jan 21)
‘Silent cyber’ cover is the provision of cover for cyber risks in insurance policies which neither expressly include nor exclude such cover. Cover under the SRA Minimum Terms and Conditions (MTC) for client claims arising from cyber risks is an illustration of this and may extend cover to missing time limits or otherwise being unable to provide proper service due to a ransomware attack, statutory claims under the Data Protection Act 2018 or GDPR, and ‘Friday afternoon frauds’ where firms have been duped into sending client money to criminals.
Following concerns raised by the Prudential Regulation Authority and a Supervisory Statement in July 2017, insurers were expected to reduce their unintended exposure to cyber risks. We are aware of moves by insurers to restrict the MTC cover which could adversely impact on law firms.
DAC6/Mandatory Disclosure Rules (MDR) (Jan 21)
An unexpected consequence of Brexit was the change to the reporting requirements under the International Tax Enforcement (Disclosable Arrangements) Regulations 2020. Reporting of cross-border tax arrangements to HMRC will still be required but only for arrangements which meet hallmark D, being arrangements which have the effect of undermining reporting requirements under agreements for the automatic exchange of information, and arrangements which obscure beneficial ownership or involve the use of offshore entities and structures with no real substance.
Firms with European offices will still need to address reporting obligations there and, given the wider European obligations, may wish to make a European office the focus of their reporting compliance. Systems will be required to pick up any work done in European offices on UK matters, as this may trigger a European reporting requirement where none would arise in the UK.
New legislation will be introduced and it is expected to follow the OECD Model Mandatory Disclosure Rules for CRS Avoidance Arrangements and Opaque Offshore Structures closely.
Data Protection (Jan 21)
The new UK GDPR now applies. The UK has, on a transitional basis, deemed the EU and EEA EFTA States to be adequate to allow for data flows from the UK.
Transfers from the EU to the UK can continue for up to six months under the provisions of the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”), subject to certain provisions.
Privacy notices, terms and possibly other documents will need review, though amendments may not be substantial. UK legislation will no longer count as a ‘legal obligation’ for purposes of data processing in the EU, and likewise EU legislation will no longer count as such in the UK.
Firms will need to consider whether they need to appoint an EU representative if they do not have an establishment there and are offering services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.
Meanwhile, reliance on Standard Contractual Clauses (SCCs) as a basis for international transfers remains a live issue following the decision in Schrems II (see our September 2020 Risk Update and link on www.legalrisk.co.uk/News) and the European Commission’s consultation on the revised SCCs (see www.legalrisk.co.uk/News). These are under review by the Information Commissioner’s Office.
Firms will need to review their arrangements for transfer of data to third countries, and note that following Schrems II the European Data Protection Board recommended that firms conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere.
Questions have been raised as to whether it is in practice possible to rely on SCCs for transferring data to the USA because of the provisions of Section 702 of the Foreign Intelligence Surveillance Act (FISA 702 – “Procedures for targeting certain persons outside the United States other than United States persons”) and Executive Order 12333 (“United States intelligence activities”), but there are reasons to suggest that this may not be a problem in practice so far as law firms are concerned.
Data protection legislation, cases and guidance can be found on www.legalrisk.co.uk/Data.