Shazia Zamir

The benefits of Electronic Verification

The world of electronic verification is an ever-evolving industry, with some providers supporting features like facial recognition, authentication of documents, direct access to bank account information, and PEP and Sanctions screening.

Electronic verification should provide you with a level of certainty that the individual is who they say they are and, for corporate entities, that a legal entity exists and has an active company status.

Electronic identification can be used either as part of a wider process or, where appropriate, as the only source of identification. Before using any provider, you may want to consider the following:

  • The information supplied by the data provider is considered sufficiently extensive, reliable, and accurate.

  • The provider allows users to capture and store the information they have used to verify an identity.

There are several benefits achieved by using electronic identification and verification (EV):

Improved Customer Experience

Using EV can assist in streamlining your current verification process. It can enhance the overall client experience by making it easier for the client to submit identity documents securely in a matter of minutes, ready for teams to receive and review.

Quicker Onboarding of Clients

Faster access to transmitted documents can reduce the time it takes to conduct Customer Due Diligence (CDD) and onboard the client. Adopting this approach may also help you carry out a risk assessment quickly to decide whether you would like to act for the client. It may even form part of your decision-making process when assessing any risks during the course of the instruction.

Document Verification

Most current providers allow you to verify documents. If you are interested in this feature, just remember that your provider is verifying the authenticity of the issued document using the machine-readable zone (MRZ code). It is important to remember that a document verification check is not verifying the identity of the person; it is verifying the document.

Identity Verification

If you are a firm looking to verify the identity of a person, some providers offer a different feature which includes biometric data and facial recognition. Here the client is usually asked to take a live photo of themselves using an app, and identity documents are uploaded. The picture and identity documents are compared by the system, and everything, including the results, is transmitted electronically to the firm as a pass/fail. The system is verifying the identity of the individual, which can help firms address issues where obtaining a correctly certified identity is a concern.

Clear Audit Trail

UK/EU providers are usually GDPR compliant, offering you a secure place to save all searches for a period of time, and helping you demonstrate a clear audit trail. Remember to check that your terms and data protection statements specify the use of authorised third parties to process personal data.

Increased Accuracy

Automating your CDD process can make a manual task easier to manage and give increased accuracy. Politically exposed persons and sanctioned designated individuals/entities are automatically highlighted as risks. In addition, automating your take-on process by using digital technology to compare documents can improve quality and eliminate human error when comparing documents using the untrained eye.

Teal Compliance can help you shortlist a provider that is right for your business. For more details get in touch at hello@tealcompliance.com or give us a call on 03339874320.

Ten point plan for IDD compliance

This blog may appeal to those of you who, like me, are a little lost when someone talks to you about the Insurance Distribution Directive. Let’s start from the basics. The Insurance Distribution Directive (IDD) is a new European directive that has replaced the Insurance Mediation Directive (IMD). It applies to firms who conduct insurance distribution activities, and its introduction will change the way relevant firms work. The SRA recently announced the approval by the Financial Conduct Authority and the Legal Services Board of its rules to comply with the directive, reflected in the changes made to the SRA Handbook 2011 on 1 October 2018.

In summary, the Directive aims to enhance consumer protection when buying insurance – including general insurance, life insurance and insurance-based investment products (IBIPs). It also focuses on supporting competition between insurance distributors by creating a level playing field. Like the IMD, the IDD covers the authorisation, passporting arrangements and regulatory requirements for insurance and reinsurance intermediaries. However, the application of the IDD is wider, covering organisational and conduct of business requirements for insurance and reinsurance undertakings. It’s also important to mention that, in order to demonstrate that firms and employees possess appropriate knowledge to perform their duties, at least 15 hours of CPD are required.

In practical terms, ‘insurance distribution’ has been defined in the new directive as the activities of advising on, proposing, or carrying out other work preparatory to the conclusion of contracts of insurance, of concluding such contracts, or of assisting in the administration and performance of such contracts, in particular in the event of a claim. That means law firms involved in personal injury, conveyancing and probate will most likely be carrying on insurance distribution activities, e.g. arranging for clients’ after-the-event insurance in a personal injury matter or insurance for defective title in a conveyancing matter.

Another important reference is the SRA rules, particularly the SRA Financial Services (Scope) Rules 2001 (Scope rules) and the SRA Financial Services (Conduct of Business) Rules 2001 (COB rules). The specific requirements which relate to insurance distribution activities are set out in Appendix 1 of the COB rules.

Here are 10 steps you may consider when you deal with insurance distribution:

Step 1 – Notify the SRA using a FA8 form if you propose to conduct insurance distribution services. The SRA will, on your behalf, inform the FCA, which maintains a register of firms that includes those carrying on insurance mediation activities. Before submitting the completed form, be sure to provide some basic information, such as: details of your firm’s insurance distribution officer; the identities of shareholders or members that have a holding in your firm that exceeds 10%, and the amounts of those holdings; the identities of persons who have close links with your firm, as per the close links definition under Article 13 point 17 of Directive 2009/138/EC; and information that those holdings or close links will not prevent you exercising your supervisory or regulatory functions. Failing to register when required to do so is likely to breach the general prohibition, which is a criminal offence under section 23 of the Financial Services and Markets Act 2000, and you may find that the contracts of insurance arranged for clients are invalid.

Step 2 – When appointing an insurance distribution officer, you must make sure that they are competent and understand the terms and conditions of policies offered, laws covering the distribution of insurance products, claims and complaints handling requirements, and how to assess a customer’s needs.

Step 3 – Make sure that you do not carry on any insurance distribution activities unless you have in place a policy of qualifying professional indemnity insurance. More information about the obligations on you can be found in the SRA Indemnity Insurance Rules 2013.

Step 4 – Consider Rule 3 of the COB rules setting out the sort of information that you must provide about you, your firm and the services you can provide when arranging insurance e.g. inform the client you are regulated by the Solicitors Regulation Authority for this work and the scope of your services, i.e. that you can only carry on insurance distribution activities limited to those not prohibited by your Scope Rules.

Step 5 – Set out information that you will need to give to your clients about any remuneration you receive for arranging the insurance and any fees that might be payable by the client in accordance with Parts 8 and 9 of Appendix 1 of the COB rules.

Step 6 – If you collect a fee from a client, you must disclose the exact amount of that fee (not an estimate or range). If the exact amount is not known, then the method of calculation must be provided. Any information you give to the client must be in a “durable medium” being fair, transparent and not misleading.

Step 7 – In addition to providing information about the status of your firm, you must provide your clients with information confirming: that you are an insurance intermediary, as opposed to an insurer, and that you cannot manufacture insurance products; whether you provide a personal recommendation in respect of the insurance products offered; and whether you act on behalf of the client and/or the insurer. If you act for both, you will need to explain in what circumstances you can act for each party, and if you have “10% or more” of the voting rights in an insurer (for example, as a shareholder).

Step 8 – You must comply with Chapter 1 of the SRA Code of Conduct 2011, acting “honestly, fairly and professionally in the client’s best interests”.

Step 9 – Comply with outcomes in Chapter 8 of the SRA Code of Conduct 2011 by making sure that your marketing communications, addressed to clients or potential clients are fair, clear and not misleading. Marketing communications should always be clearly identifiable as such.

Step 10 – Ensure you have sent the client a summary document for general insurance products in the form of an Insurance Product Information Document (IPID) before you conclude a contract. The insurer is required to draw up the IPID and must set out the key information a client will need to make an informed decision about the product.

If you have any questions at all about the IDD or insurance generally then get in touch at hello@tealcompliance.com. An initial call is always free.

GDPR: Some practical tips for barristers


I recently presented at a GDPR and Cybercrime training session for a wonderful group of Fee Earners, who are members of a Barristers Chambers. During training I was asked some very interesting questions and as a group these issues were openly discussed. I was so impressed with the healthy discussions, I thought I would share some of the scenarios and the suggested solutions.

Scenario one

Article 5(1)(f) of the GDPR requires that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

Very often barristers will take a bundle to Court containing evidence, case management paperwork (e.g. application forms and directions), statements, expert reports and documents relating to a case. Unless the court has specifically directed otherwise, a bundle will normally be contained in one A4 size ring binder or lever arch file limited to no more than 350 sheets of A4 paper.

The file is usually transported by hand by Counsel to the hearing. Quite often Counsel will travel by train and the file is usually kept in a bag and needs to be placed in the luggage compartment quite a way from the reserved seat they have been allocated, especially on a busy train. How can Counsel protect that bag and the contents in this situation?

There are various options you may want to consider:

  • If there is no option but to take a court bundle in a paper file (which will inevitably contain personal data), book a seat with extra leg room; these seats are allocated directly next to the luggage compartments. That way the bag is in your view all the time.

  • Ensure the bag is lockable – should the worst happen, and it is stolen, you are protecting the contents as far as you can.

  • Consider taking an electronic copy of the bundle, perhaps on an encrypted USB stick which is password protected for access.

Scenario two

Article 5(1)(a) of the GDPR requires that personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to individuals”

Privacy notices describe all the privacy information that you make available or provide to individuals when you collect information about them. They help with building confidence with individuals in what you are doing with their personal information. Privacy notices should include:

  • who you are;

  • what you are going to do with their information; and

  • who it will be shared with.

Very often a barrister will have their own ICO number, however, they rarely have a website on which to publish a privacy policy. In practice if they do receive a Subject Access Request from an individual exercising their rights, this will normally be coordinated through Chambers.

The question was asked whether the privacy notice of the chambers could be updated to publish all individual barrister ICO numbers, provide individuals with details of the processing and how to request a SAR and how the Chambers will deal with it?

I have to say this is a very practical approach given most Barristers use Chambers for their administrative duties. Provided you have covered the points listed above and detailed any data sharing activity you may conduct, practically this may be a useful way of managing data privacy and ensuring obligatory time limits are met.

Scenario three

The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

One of the ways you can demonstrate compliance is to record your assessment of risks in relation to data security and your processes to mitigate that risk. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

Often Barristers are asked to take on college or sixth form students looking to work in the legal field for work experience. The question posed was whether the same obligations imposed on employees are applicable to someone who is onsite for work experience.

Whether the individual is a work experience student, a casual member of staff, an employed Clerk or a Barrister, there should be no distinction. The obligation to ensure they have understood the importance of keeping data subject information safe/confidential and what to do if a data breach has occurred applies to everyone.

Ensure you have carried out adequate due diligence on the work experience student, and consider a confidentiality agreement. Allocate enough time during induction for the student to digest and understand your data privacy policies and procedures and most of all don’t forget to mention in the privacy notice that data is shared with work experience students.

Bribery Act: do you have ‘adequate procedures’?


Understanding and complying with ‘adequate procedures’ as detailed in the Bribery Act legislation was highlighted in the recent conviction of London-based Skansen Interiors Limited in March 2018. It is the first time a UK jury has had to consider what “adequate procedures” should be for the purpose of a defence to the corporate offence of ‘failing to prevent bribery’ under the UK Bribery Act 2010.

The CPS brought proceedings against Skansen (now dormant) and its senior executive Stephen Banks, Managing Director at the time. The prosecution claimed Mr Banks had bribed a project manager at a property company to secure a £6 million refurbishment contract. Mr Banks pleaded guilty to three offences and Graham Deakin, a former project manager at the property company, pleaded guilty to two offences. A date for sentencing is yet to be published by Southwark Crown Court.

The company was successfully prosecuted, despite having self-reported to the National Crime Agency. The jury found that the company did not have adequate procedures in place to prevent bribery. They heard evidence that Skansen:

  • did not have a policy specifically directed to preventing offences under the Bribery Act;

  • lacked a dedicated compliance officer; and

  • had no evidence of staff training or confirmation showing employees had read and understood the company’s existing policy.

Under the Bribery Act 2010 a full legal defence can be found where a company has implemented ‘adequate procedures’ prior to an offence. Adherence to the six principles listed below highlights the importance of having these procedures in place to ensure that, as a firm, you encourage an anti-bribery and corruption culture:

  1. Proportionality – policies and procedures must be in place and be proportionate to the size, nature and complexity of the business activities;

  2. Top-level commitment – top management should show visible support for the company’s compliance policies and activities;

  3. Risk assessment – periodic assessments should be undertaken including internal and external risks;

  4. Due diligence – a risk-based approach should be taken before engaging with a third party to represent your company e.g. agents, consultants, joint ventures;

  5. Communication – policies and procedures should be communicated firmwide;

  6. Monitoring and review – monitor your anti-corruption policies and review these regularly for risks and the effectiveness of your procedures.

TEAL compliance can help you achieve the above objectives and guide you through what is required. We work closely with our clients to ensure they meet their obligatory requirements. Contact us today for a free initial chat on 0333 987 4320 or email us at hello@tealcompliance.com.

Know your clients to avoid penalties


I was recently at an event speaking about anti-money laundering legislation. As my attentive audience sat eagerly taking notes, one delegate raised her hand to ask about client verification, and the hows of doing it correctly. Silence struck the room quite quickly as the realisation hit all the delegates – this was something they needed to consider and manage effectively. It sounds straightforward, but get it wrong or miss something and the penalties to your business can be steep.

The easiest, cost-effective option by which to verify your clients is E-verification. Nowadays E-verification is a viable option used by many corporate firms that are looking to streamline an already complex process, and can be used as a tool to verify identification provided. Having said that, it’s important to remember that additional, non-electronic checks may need to be conducted, simply to prove that the person in front of you is who they say they are!

Using E-verification is becoming increasingly important, especially as the new regulations stipulate domestic PEP checks are required. The market is bombarded with variations of what is available, some offering standard checks and others offering basic packages with add-ons depending on your firm’s risk appetite. To be sure you’ve covered it all when choosing an AML provider, follow the tips below to enable you to choose the best provider.

An address verification service:

Verify the address that has been provided to you and confirm this is current.

Document validation check:

Validate the passport or driving licence and confirm this is a Government issued document and not a fraudulent copy.

Mortality check:

Confirm the person exists and is not deceased, as you may be dealing with someone who is an impersonator adopting a different identity.

Politically exposed screening:

Any match, be it a domestic or an international PEP, associated persons or family, requires an enhanced due diligence check to be carried out, along with the assessment of any risks involved with appropriate internal MLRO approval.

Sanctions screening:

Check your match is an exact match by comparing the photograph provided (where available) to identity documents and that dates of birth are consistent.

Negative news check:

Are there any CCJs registered or is your client linked to any fraud or bribery allegations or convictions?

Bank details validation/verification check:

Where bank details have been provided, check these are legitimate as any errors may cause further delay in rectifying issues with the bank later.

When running e-verification checks it would be good practice to ask your provider to confirm that:

  • searches do not affect the credit rating of the individual/corporate rating;

  • there is an audit trail of all searches run; and

  • the storage of such data is compliant with the General Data Protection Regulation (“GDPR”).

As I have said, E-verification does not, on its own, fulfil the requirements of client due diligence. You should also consider:

What is the intended business relationship:

Don’t be afraid to confirm with the client the details of the work you are proposing to do for them and whether this is a one-off transaction or an ongoing business relationship.

Is the source of funds consistent with the business:

Is a UK or an international bank used to process the transaction and where is the money due to come from?

Additional requirements:

Consider any requirements for lenders to see physical identity documents to combat identity fraud.