
Day: 2 February 2020

Don’t forget to pay your ICO fee!

The UK Information Commissioner’s Office (ICO) has recently launched a campaign to send reminders to all UK registered companies to ensure that they comply with their legal obligation to pay an annual data protection fee, where this applies. This is the start of an extensive project by the ICO to ensure that the fee is paid by everyone who needs to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt – this fee replaces the old annual registration fee. If you are an organisation holding personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it’s likely that you’ll need to pay the fee. The ICO maintain a public register of those registered, so your clients will be able to check whether you take your data protection obligations seriously.

The amount of the data protection fee depends on a company’s size and annual turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60 (you can reduce the cost by £5 if you sign up by direct debit). As it’s a statutory fee, no VAT is payable on the fee. The ICO provides a useful self-assessment tool which will calculate how much you need to pay (see self-assessment) – and is definitely worth using to ensure that you are paying the correct amount. In terms of exceptions, charities pay £40 regardless of size or turnover and public authorities only need to go by staff numbers. There are a number of exemptions; you don’t need to pay a fee if you are processing personal data only for one or more of the following purposes: staff administration; judicial functions; maintaining a public register; accounts and records; not-for-profit purposes; advertising, marketing and PR; personal, family or household affairs; and processing personal information without an automated system such as a computer.

Since introduction of the latest data protection fee in May 2018, over half a million organisations have registered with the ICO to pay it. However, between 1 July and 30 September 2019 the ICO issued 340 monetary penalties to organisations who haven’t paid the fee. You are breaking the law if, as a controller, you process personal data or are responsible for the processing of personal data, for any of the non-exempt purposes and you have either not paid a fee or not paid the correct fee. In addition to a fine, the ICO names the majority of those failing to pay. This clearly has reputational implications for your business.

The very fact that GDPR exists at all suggests that data protection is being taken more seriously than before. Although fines tend to be the ICO’s last resort, the data protection fee is going to be vital to the ICO if it’s to function properly: whilst money received from fines is passed to the Government, the data protection fee is used by the ICO to fund its data protection work. Clearly, if organisations ignore the requirement to pay en masse, this could drive the ICO to flex its muscles by making an example of some of them.

If your fee is a renewal you should receive a payment reminder from the ICO – but don’t rely solely on this and ensure you diarise the payment date as a key date, so you don’t end up with a fine which could easily have been avoided. If you don’t pay when you need to, you’ll receive a notice of intent from the ICO 14 days after expiry. You’ll then have 21 days to pay or make representations as to why you think you don’t need to. If you still don’t pay or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to the maximum penalty of £4,350 (150% of the top tier fee) – so it’s clearly important that you pay the correct fee, if due, and on time.

The benefits of Electronic Verification

The world of electronic verification is an ever-evolving industry, with some providers supporting features like facial recognition, authentication of documents, direct access bank account information, and PEP and Sanctions screening.

Electronic verification should provide you with a level of certainty that the individual is who they say they are and, for corporate entities, that a legal entity exists and has an active company status.

Electronic identification can be used either as part of a wider process or, where appropriate, as the only source of identification. Before using any provider, you may want to consider the following:

The information supplied by the data provider is considered sufficiently extensive, reliable, and accurate.

The provider allows users to capture and store the information they have used to verify an identity.

There are several benefits achieved by using electronic identification and verification (EV):

Improved Customer Experience

Using EV can assist in streamlining your current verification process. It can lead to enhancing the overall client experience making it easier for the client to submit identity documents securely in a matter of minutes ready for teams to receive and review.

Quicker Onboarding of Clients

Faster access to transmitted documents can reduce the time it takes to conduct Customer Due Diligence (CDD) and onboard the client. Adopting this approach may also help you carry out a risk assessment quickly to decide whether you would like to act for the client. It may even form part of your decision-making process when assessing any risks during the course of the instruction.

Document Verification

Most current providers allow you to verify documents. If you are interested in this feature, just remember that your provider is verifying the authenticity of the issued document using the machine-readable zone (MRZ code). It is important to remember that a document verification check is not verifying the identity of the person; it is verifying the document.

Identity Verification

If you are a firm looking to verify the identity of a person, some providers offer a different feature which includes biometric data and facial recognition. Here the client is usually asked to take a live photo of themselves using an app, and identity documents are uploaded. The picture and identity documents are compared by the system and everything, including the results, is transmitted electronically to the firm as a pass/fail. The system is verifying the identity of the individual, which can help firms address issues where obtaining a correctly certified identity is a concern.

Clear Audit Trail

UK/EU providers are usually GDPR compliant, offering you a secure place to save all searches for a period of time, and helping you demonstrate a clear audit trail. Remember to check that your terms and data protection statements specify the use of authorised third parties to process personal data.

Increased Accuracy

Automating your CDD process can make a manual task easier to manage and give increased accuracy. Politically exposed persons and sanctioned designated individuals/entities are automatically highlighted as risks. In addition, automating your take-on process by using digital technology to compare documents can improve quality and eliminate human error when comparing documents using the untrained eye.

Teal Compliance can help you shortlist a provider that is right for your business. For more details get in touch at hello@tealcompliance.com or give us a call on 03339874320.

Buying properties with funds from China

Well, the NCA certainly put the cat amongst the pigeons recently at The Law Society’s Anti Money Laundering Conference.

This is something I’ve been talking to clients about for about 5 years. In that time there have been some misunderstandings, both on the part of practitioners and law enforcement.

The issue surrounds the foreign exchange controls on money leaving China. Individuals in China are generally prohibited from removing more than $50,000 from China a year (“Notice of the State Administration of Foreign Exchange for Further Improving the Management of Personal Settlement and Sale of Foreign Exchange”) and they are further prohibited from using the funds to purchase property.

If there are exceptional circumstances where a Chinese citizen needs to transfer funds in excess of the annual USD 50,000 limit, e.g. due to permanent emigration and the need to buy a house, they are required to do so through an authorised bank where additional documentation would need to be submitted.

You will, no doubt, be aware that in the UK we don’t have foreign exchange controls.

Some have assumed that because of that, the funds cannot meet the test of criminal property, that test being that the funds are the proceeds of an offence in a foreign jurisdiction, an offence which is also an offence in the UK.

However, there is a school of thought, and I agree with it, that the funds could become the proceeds of crime due to fraud, which is certainly an offence in both jurisdictions. When money is transferred the remitter may need to make a declaration about the provenance of the funds and the purpose of the transfer.

If the remitter lies in that declaration (about the ownership or future use of the funds) then a fraud may be committed and the funds tainted.

There are some ways in which funds can be moved without breaching the controls. For example, we understand that if the money is moved to Hong Kong first, it is unlikely to trigger the exchange controls.

I come across firms quite frequently who are grappling with this issue, and whilst every case will depend on the facts, what is clear is that it is critical to identify how the funds have left China as early as possible, because if a SAR is needed the NCA may well take the full 7 working days to process it.