
Compliance Culture: Communication is key!

The legal industry can be a mixture of things, both good and not so good.   People tend to focus on the things that drive them, whether it’s the bottom line of fee income, helping clients or having to make what some people may see as ruthless decisions for the success of the business. However, I also see leaders in firms who consider people as their biggest asset, whether that is their staff, suppliers or their clients, and who lead by example and deal with making decisions in an ethical way.

There will always be occasions where decision makers in a firm and managers/supervisors must deliver difficult news. It is often the case that it is not the news itself that can leave individuals disappointed or upset, but the way that news was delivered.

Throughout my career I have always tried to put myself in the shoes of the person at the receiving end of the news, good or bad, and consider how that person may be feeling. And key to that is, wherever possible, engaging in face-to-face conversations. With the technology we have around us, I do think that we sometimes use it as a barrier to avoid these difficult conversations. However, emails and instant messages can easily come across in a way that we didn’t intend, and where we have used them to “save time” they can be counterproductive, leaving us to deal with the fallout from the miscommunication. Worse still, I have seen individuals delegate the task to someone else who is clearly not equipped to handle such situations.

The key to successful communication is to have considered the best approach beforehand and considered the best interests of the recipient.   We may not always get it right, but this can be a great starting point.  We all hold the key to effective communication within our firm – have you revisited yours to make sure the key is used in the best way?

 

Get in touch

For more information about our services, simply contact one of our experts today.


Teal Compliance and Lockton Conference 2018

 

The Teal Compliance and Lockton Conference 2018 takes place on the 26th April 2018 in London.  With so much change afoot in the world of compliance, the theme for this year’s conference is ‘Navigating a year of change’.

As a team we have all been working hard to pull together an agenda which covers all the key updates and provides perspectives from industry experts on practical application of the changes to regulations – from AML to GDPR to Code of Conduct.

The agenda

The full agenda has now been released:

  • Chair’s Welcome
  • Opening Comments – Robert Bourns, Chair of the Law Society Board and former President.
  • Session 1 – Anti Money Laundering update – Amy Bell, Chair of Law Society’s AML Taskforce and Mark Heffer, AML Consultant with Teal Compliance.
  • Session 2 – The Importance of Ethics – Sarah Mumford, Interim Director of Risk, Trowers & Hamlins LLP and independent legal risk consultant
  • Session 3 – All Things Data – Emma Willis, GDPR Consultant at Teal Compliance and Edward Whittingham, Business Fraud Prevention Partnership
  • Session 4 – Cyber Risk Mitigation – Dave Williams, TrustedIA and Mark Hawksworth, Cunningham Lindsey
  • Session 5 – Managing Risk: The Insurers View – Panel: Adam Curran, Inter Hannover, Jay Bowey, Pelican, Anthony Judge, Omnyy
  • Session 6 – New Code of Conduct – Ian Johnson, The Institute of Legal Financial Management and Paul Wilkinson, Audit Compliance Ltd
  • Session 7 – Getting it Right! – Amy Bell
  • Session 8 – Technology in Compliance – Vicky Simpson, Teal Compliance, Matt Hodges-Long, CEO TrackMyRisks, Graeme Port, Head of Product at encompass Corporation
  • Closing remarks and drinks reception

In addition, the whole of the Teal Team will be available throughout the day and many of our associates will be leading speaking sessions, alongside high profile external speakers from the world of risk, compliance, insurance and regulation.

The aim

The aim of the Conference is to prepare you for the year of change and to challenge you in terms of thinking about risk and compliance.   There are firms who are taking unnecessary risks by not having sufficient “know how” or resources.  This is of course something that Team Teal can assist you with.

The speakers on the day will guide you through a series of perspectives from a risk/insurance point of view to GDPR and Cyber Crime. Panel Discussions will take place and will provide you with the opportunity to ask questions and the Team will be available after the Event to follow up on any requirements.

Get in touch

Early Bird tickets are on sale from now until the 18th March and can be found on our events page.

Alternatively, find out more about our training packages or contact our experts today.


Do we need to ‘change up’ AML Training?

 

I have been training in AML for 13 years. I love it, I love spreading the word, helping staff in law firms understand the risks they face, and what to look out for to try and identify someone trying to use them to launder money.

Sopranos, The Wire, Breaking Bad and McMafia have all played a part in raising the awareness of how the baddies launder money, but we need to make sure that the training is relevant to lawyers, and their staff.

I’ve trained countless numbers of MLROs in those 13 years. I’ve never met any who did not accept and appreciate the need to have their firm understand the anti money laundering legislation and how to apply it in their firm.

That said, I have been talking about the same methods in which the money launderers operate for most of those years: car washes, take-aways, and memorably (if you’ve been on the course you’ll remember) nail bars. All of those are still relevant, but there are new ways in which the criminals are operating and it is critical that we gain an understanding of those in order to protect our firms, the people who work for us and the wider society who are damaged by money laundering and the activities of serious and organised crime.

What about your construction clients who are using sub-contracted labour, who are in turn victims of human trafficking? What about the person who is lucky on fixed odds betting machines, who has really been pumping the machine with the proceeds of selling drugs on bicycles on street corners in your town? It’s on your doorstep, I just want to help you see it.

For that reason, I am delighted to have Mark Heffer join us at Teal Compliance. Mark is a Financial Crime Consultant, Accredited Financial Investigator and former Detective Constable. He served for over 25 years with the Devon and Cornwall Constabulary with the Serious and Organised Crime Branch and specialised in crime such as money laundering, complex fraud, human trafficking, drug trafficking, bribery and corruption.  He is an expert in all aspects of POCA, money laundering, confiscation, restraint, and SARs and has a reputation for bringing a very real world, hands on approach to his consulting work.

He supports law firms with a range of services including:

  • Expert training and investigation in all aspects of Financial Crime, Anti Money Laundering, Compliance and Fraud.

  • Bespoke investigations for Business and Private Clients – managing reputational risk

  • Assisting firms with the perils of Restraint/Production Orders

Together, we have written new AML courses, which focus on these new tactics being deployed by the baddies, and how they target not just you, but manipulate the banks, accountants and estate agents, before they get to you, the lawyers, adding layers of legitimacy which can be difficult to unravel. We’re running a webinar for MLROs on the 8th March which will focus on these tactics, and how to spot and avoid them. Visit our events page for more details.

Mark and I are also taking bookings for our brand new in-house course. It is a 90 minute course, fully incorporating the 2017 regulations and full of relevant examples of how firms are targeted. In-house training can be incredibly cost effective, with up to 100 people trained a day for £1250 plus VAT (and travel expenses).

Get in touch

If you need help with AML compliance or need compliance training, simply get in touch with one of our experts today.


The Data Protection Bill – What do I need to know?

 

The draft Data Protection Bill [HL] 2017-19 will get its second reading in the House of Commons today, Monday 5th March 2018, moving one step closer to receiving Royal Assent. In preparation for the second reading, the House of Commons issued a 60-page briefing paper which includes a summary of the Bill and the House of Lords debates[1].

In May 2018, as we all know, there will be some changes to the EU’s data protection framework – the General Data Protection Regulation (GDPR) will apply from 25th May and as it is a Regulation it does not need to be transposed into domestic law.  But prior to that, the Police and Criminal Justice Directive, also known as the Law Enforcement Directive (LED), needs to be transposed into UK law by 6 May.

GDPR

GDPR widens the scope of the previous Data Protection Directive (which was the EU legislation that underpinned the Data Protection Act 1998) to provide data subjects with greater protection for their personal data, and also extends data subject rights. The Regulation reduces the principles from 8 to 6, but introduces 8 data subject rights, some of which are a continuation of rights under previous legislation (like subject access requests), but some are new. Data controllers must be able to demonstrate compliance with all the principles (accountability) and there are new obligations for data processors.

LED

The LED will apply to both the cross-border and domestic processing of personal data for law enforcement purposes and repeals the previous 2008 Framework Decision. The Directive is designed to protect the personal data of individuals involved in criminal proceedings, whether they are witnesses, victims or suspects. In addition, it is anticipated that the LED will “facilitate a smoother exchange of information between Member States’ police and judicial authorities, thereby improving cooperation in the fight against terrorism and other serious crime in Europe.”[2]

An overview of the LED can be found here.

Council of Europe Convention on Processing Personal Data

The Council of Europe is not an EU institution and the UK will continue to be a member after Brexit.  The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No108) was the first binding instrument on data protection.  The UK ratified the Convention in August 1987 and it entered into force on 1 December 1987:

“[The Convention]…protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the trans frontier flow of personal data.”[3]

The Convention will be modernised and will reflect the same principles as GDPR.  A draft version is available online https://www.coe.int/en/web/data-protection

The Draft Bill

The draft Data Protection Bill (‘the Bill’) has a number of purposes:

  • It sets out how the UK would apply the derogations available under GDPR

  • It will bring the Law Enforcement Directive (LED) into UK law

  • It updates the laws governing personal data processing by the intelligence services

  • It aims to ensure that the UK would be able to freely exchange data with the EU post-Brexit

  • It will repeal the Data Protection Act 1998

The Bill was originally introduced into the House of Lords on 13th September 2017, but its passage has been slow due to a number of concerns around the age of consent for children to have access to information society services, immigration control and freedom of expression in journalism.

GDPR allows Member States a limited number of derogations, and following consultations in 2017, the Government confirmed it would exercise those derogations in the following areas:

  • The age of consent for children to access information society services

  • Processing criminal conviction and offence data

  • Automated individual decision-making

  • Freedom of expression in the media

  • Research

The Bill was introduced to the House of Lords on 13th September 2017 and following much debate it was introduced to the House of Commons on 18th January 2018.

The Department for Digital, Culture, Media and Sport (DCMS) factsheet provides a succinct summary of what the Bill will do –

The Bill is split into seven Parts and eighteen schedules:

  • Part 1: Bill overview and definition of key terms
  • Part 2: General data processing in line with GDPR and other general data processing in areas outside the scope of EU law
  • Part 3: LED and law enforcement processing
  • Part 4: National Security Processing through a modernised Council of Europe Convention
  • Part 5: Functions and Duties of the Information Commissioner – including requirement to publish codes of practice of data sharing, direct marketing, age appropriate design for online services likely to be accessed by children
  • Part 6: Enforcement regime and ICO Powers
  • Part 7: Various issues including regulation to be made under the Act, penalties for offences and the Act’s territorial application

The Briefing Paper also includes a summary of the House of Lords debates for those who are interested in reading more (http://researchbriefings.files.parliament.uk/documents/CBP-8214/CBP-8214.pdf), while the full debate transcripts are available on the House of Lords website.

So, for those of you using the 80 days (inc weekends and bank holidays) to prepare for GDPR what does this mean? Well, if you don’t carry out any national security or law enforcement processing then your GDPR preparations will stand you in good stead, although you may want to glance at the draft Bill and specifically the section around the Information Commissioner and Enforcement. If you do carry out national security or law enforcement processing, then you have probably already been preparing for the changes under the LED but you will need to familiarise yourself with the Parts of the Act that are relevant to you. Everyone will need to monitor the Government’s Brexit negotiations, as once we leave the EU the UK will be a ‘Third Country’ and there may be additional requirements to enable the transfer of data between the EU and member states.

Get in touch

If you need further advice, find out more about our Ask Teal service, or simply contact one of our helpful experts today.

 

 


[1] https://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-8214#fullreport

[2] European Commission, Questions and Answers – Data protection reform packages, 24 May 2017 – http://europa.eu/rapid/press-release_MEMO-17-1441_en.htm

[3] https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108


AML – the size and nature test

 

Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires that a firm which is regulated implements internal controls where appropriate to the size and nature of the firm.

These controls are:

  1. Appoint a person to be responsible for compliance with the regulations
  2. Screen relevant employees, both before the appointment is made and ongoing thereafter
  3. Establish an independent audit function

So, what should the ‘controls’ look like and what is the appropriate ‘size and nature’?

Controls

In my experience, in legal services we don’t have many controls in place. Our colleagues in other industries, such as financial services have lots. A control exists to check the efficacy of a policy and procedure. By way of an example, I am betting your firm has a confidential waste policy, “you must not put client information or confidential data in the normal waste paper bin”. You will have a procedure which says “You must put confidential waste in the bin for confidential shredding”. Very few firms however have a control which says “we will check the waste paper bins weekly to ensure that no confidential data has been put in there”.

It’s great to have policies and procedures, but we usually only find out if they are effective when something goes wrong, by which time it’s too late to avoid the damage that the policy and procedure was designed to avoid.

The Regulation 21 controls are designed to make sure you have someone who is tasked with making sure that the regulations are complied with, we have people who know how to comply with them, and that we check that they are working.

Size and Nature

Implementation of these controls depends on the size and nature of the firm. When we were drafting the guidance at the Money Laundering Task Force we grappled with how does a firm decide on the size and nature. It’s not an easy thing to define. The Legal Sector Affinity Group decided on:

Factors you may consider when determining whether it is appropriate to apply those controls include:

  • The number of staff members your practice has

  • The number of offices your practice has and where they are located (including whether your practice has overseas offices)

  • Your client demographic

  • The nature and complexity of work your practice undertakes

  • The level of visibility and control that senior management has over client matters

(taken from the draft Legal Sector Affinity Group Guidance).

Sole practitioners who do not employ any staff are not caught by this by virtue of regulation 21(6).

In practice, I think firms will have appointed their COLP as being responsible for compliance (which is arguably already their job by virtue of the SRA authorisation rules). I think firms will be obtaining references for new staff, at times carrying out more rigorous criminal records type checks, and will be thinking about testing staff understanding after training courses.

I think less straightforward is establishing whether a firm needs an independent audit function. My personal view (rather than that of the Law Society) is that a firm does not have to be very big in order to be required to do this. Take this example: a firm that has about 50 people, across 2 offices, with all the staff collecting and recording their own due diligence, and lawyers making decisions about what sorts of inquiries to make regarding the purpose and nature of the transaction. Does the MLRO know that his policies are adhered to and are effective? If, hand on heart, he would say no, an audit would give him that visibility. The mischief the control is trying to get at is to ensure that the firm knows if the Policies, Controls and Procedures they have in place are working.

So if you decide you are the size and nature to need an independent audit, who is going to do it? Do you have staff with the requisite knowledge and capacity to carry out the audit? Are they able to act independently? I think that resourcing alone would be a struggle for many of the smaller firms, and indeed a fair few of the larger firms, who might have an audit function, but without the necessary experience in AML.

An audit should include review of the policies and procedures, interviewing staff and reviewing files and accounts processes to ensure that the policies and procedures are deployed correctly.

Help

With that in mind, we have put together a package of support for firms who can’t resource their audit internally. We can:

  • Review existing policies and procedures, including firm and matter risk assessments

  • Carry out on site review of systems, policies and procedures

  • Interview staff members to test understanding

  • Provide feedback of observations and recommendations for improvement

In addition we can help

  • Rectify policies and procedures

  • Develop controls to ensure constant visibility as to compliance

  • Provide tailored in-house training to all staff members to embed learning

  • Provide ongoing support and monitoring

Get in touch

If you are still unsure how the AML size and nature test applies to your firm, get in touch with one of our experts today.


What are your compliance goals?

 

At the start of 2018 most of us will have sat down and set personal new year resolutions. There are two questions I would ask:

  1. How many of those resolutions are you maintaining?

  2. Out of those resolutions, were any of them business focused?

Whether you are the decision maker in the firm or an employee it is always good to have goals to focus on.  Compliance underpins both the individual and firm wide goals, without it you are almost certainly not going to succeed.

At the very least whilst you may think you are succeeding without compliance, it will only take one complaint that leads to a negligence action or a rogue fee earner that will bring the walls tumbling down.  The foundation of any law firm is Compliance – how good would it be to achieve all your goals and sleep at night without the worry of “what if”?

Even in the most compliant firms partners will still at one time or another have that feeling of something going wrong, usually in the middle of the night.  At Teal we are here to make sure that those 3.00am wake up calls are few and far between.

Prevention is better than cure and sometimes the not knowing how to deal with something is far worse than the issue itself.

If you were building a house or a block of flats, you would not do so without the appropriate planning permission or foundations. Building a block of flats on the same foundations as a single or double storey house is a risk that we can all see.

You may not be able to see the risks in your own firm, which is where Teal can assist.  We know what to look for, how to deal with the warning signs and put systems in place.  We will set goals for you which we know you will be able to achieve.

Compliance is not about setting people up to fail, it’s about being realistic in training your staff, so they know what to look out for and question.  It’s about being preventative and having the knowledge of what is truly happening in your firm.  Not turning a blind eye because that fee earner bills a higher amount.  It’s about the culture and fit of the employees within your firm.  It’s your integrity, ethics and your reputation.

So, if we were to look at your compliance goals – what would they be?

Get in touch

We can help you achieve your compliance goals through a range of services we have to offer. Simply get in touch with one of our experts today to find out more.


What’s a DPO and does my business need one?

 

A ‘DPO’, or Data Protection Officer is the person in a business who has been appointed to deal with all data privacy related matters.  Under the current Data Protection Act there are no mandatory requirements to appoint a DPO, although some businesses that process a high volume of data may have someone in that role already.

There has been a lot of confusion over the last few months about whether the implementation of GDPR [1] (on 25th May 2018) or the introduction of the Data Protection Bill 2017 means that businesses do now have to appoint a DPO.  The answer to that question is, no, not all businesses need to appoint a DPO BUT that doesn’t necessarily mean that it’s not in your business’ best interest to have someone who is solely responsible for data privacy matters.

GDPR

The GDPR requirements are set out in Article 37: –

“The controller and the processor shall designate a data protection officer in any case where:

  1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

  3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”

GDPR also points out that it is ‘entirely reasonable’ to share a DPO with other organisations.  The role could also be performed by a current employee alongside their existing duties.

The Data Protection Bill

The Data Protection Bill [2] will introduce GDPR into UK legislation, only necessary because of Brexit (GDPR is a Regulation so applies to all member states without the need for domestic legislation).  The Bill will cover GDPR which applies to ‘general processing’, but also the Law Enforcement Directive [3] which must be transposed into domestic law by 6th May 2018.  Finally, the Bill also covers processing for National Security, currently not covered by either GDPR or the Law Enforcement Directive.

Under the Bill, the GDPR requirements around DPOs will stand and the only addition is in Part 4, chapter 3 which relates to law enforcement processing:

“-s69(1) The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.”[4]

Best Practice

Whilst you may not be under a mandatory requirement to appoint a DPO, it is considered best practice to appoint someone to be responsible for data privacy matters. With GDPR, the Data Protection Bill and then proposed changes in respect of E-Privacy, the importance of data privacy and protection is not going to diminish any time soon. After all, it’s not a case of simply ticking a box that says you are compliant with the legislation. The concept of privacy by design is now a requirement of GDPR, and teamed with the requirements to demonstrate ongoing accountability, it’s important to have a data protection ‘champion’ within your business to ensure that privacy, data protection and data subjects’ rights remain in the forefront of everyone’s minds.

Get in touch

For more information about data protection compliance, simply get in touch with one of our experts today.


[1] General Data Protection Regulation (GDPR), Regulation (EU) 2016/679

[2] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf

[3] DIRECTIVE (EU) 2016/680

[4] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf, Part 4, Chapter 3, Section 69(1)


Know your clients to avoid AML penalties

I was recently at an event speaking about AML legislation. As my attentive audience sat eagerly taking notes, one delegate raised her hand to ask about client verification, and the how’s of doing it correctly. Silence struck the room quite quickly as the realisation hit all the delegates – this was something they needed to consider and manage effectively to avoid AML penalties. It sounds straightforward, but get it wrong or miss something and the penalties to your business can be steep.

The easiest, cost-effective option by which to verify your clients is E-verification. Nowadays, E-verification is a viable option used by many corporate firms that are looking to streamline an already complex process, and can be used as a tool to verify identification provided. Having said that, it’s important to remember that additional, non-electronic checks may need to be conducted, simply to prove that the person in front of you is who they say they are!

Using E-verification is becoming increasingly important, especially as the new regulations stipulate domestic PEP checks are required. The market is bombarded with variations of what is available, some offering standard checks and others offering basic packages with add-ons depending on your firm’s risk appetite. To be sure you’ve covered it all, when choosing an AML provider, follow the tips below to enable you to choose the best provider.

An address verification service:

Verify the address that has been provided to you and confirm this is current

Document validation check:

Validate the passport or driving licence and confirm this is a Government issued document and not a fraudulent copy.

Mortality check:

Confirm the person exists and is not deceased, as you may be dealing with someone who is an impersonator adopting a different identity.

Politically exposed screening:

Any match, be it a domestic or an international PEP, associated persons or family, requires an enhanced due diligence check to be carried out, along with the assessment of any risks involved with appropriate internal MLRO approval.

Sanctions screening:

Check your match is an exact match by comparing the photograph provided (where available) to identity documents and that dates of birth are consistent.

Negative news check:

Are there any CCJ’s registered or is your client linked to any fraud or bribery allegations or convictions?

Bank details validation/verification check:

Where bank details have been provided, check these are legitimate as any errors may cause further delay in rectifying issues with the bank later.

When running e-verification checks it would be good practice to ask your provider to confirm that:

  • Searches do not affect the credit rating of the individual/corporate rating;
  • There is an audit trail of all searches run; and
  • The storage of such data is compliant with the General Data Protection Regulation (“GDPR”)

As I have said, E-verification does not, on its own, fulfil the requirements of client due diligence. You should also consider:

What is the intended business relationship:

Don’t be afraid to confirm with the client the details of the work you are proposing to do for them and whether this is a one-off transaction or an ongoing business relationship.

Are source of funds consistent with the business:

Is a UK or an international bank used to process the transaction and where is the money due to come from?

Additional requirements

Consider any requirements for lenders to see physical identity documents to combat identity fraud.

Get in touch

To find out more about the AML services we have to offer, contact one of our experts today.


GDPR – ICO fee changes from 1st April 2018

 

As we are all aware, the GDPR implementation deadline of 25th May 2018 is fast approaching….. in fact it’s just over 15 weeks away.  But were you also aware that the requirements for data controllers to register with the ICO, and the fees for registration are changing on 1st April 2018?

Under the current rules, organisations that process personal information are required to register (notify) with the ICO as data controllers.  The notification includes explaining what personal data they collect and what they do with it.  At the point of notification, the data controller is required to pay a fee, currently £35 per year for organisations with less than 249 employees, and £500 for all other organisations.

After 25th May 2018 there will no longer be a requirement to notify the ICO in the same way. Under GDPR, data controllers are to be accountable by maintaining records and conducting assessments of processing activities.

However, there is a provision under the Digital Economy Act that means there is still a legal requirement for data controllers to pay the ICO a data protection fee.  As with the notification fee now, the data protection fee will be used to fund the ICO’s data protection work as all money received in fines is passed directly back to the Treasury.

The Digital Economy Act paves the way for a new funding system.  The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data.  The size of the fee will still be based on an organisation’s size and turnover, but will also consider the amount of personal data being processed.

The final fee structure will go live on 1st April 2018 but is likely to be a three-tier system:

  • Tier 1: annual fee of up to £55 applied to small and medium firms that do not process large volumes of data;

  • Tier 2: annual fee of up to £80 applied to small and medium firms that process large volumes of data;

  • Tier 3: annual fee of up to £1000 for large businesses;

  • And a direct marketing top-up fee of £20 for organisations that carry out electronic marketing activities as part of their business.

If your renewal is due prior to 1st April, then you will simply renew under the old system and the new structure will not affect you until your following renewal.

‘new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.’

Get in touch

For more information about Data Protection Compliance and the GDPR, get in touch with our experts today.


Top 4 AML things you need to tackle in 2018

The wicked, the criminals, are continuously innovating, and creating new ways to make money out of crime. They are also money laundering, on an epic scale. The scale of money laundering in the UK is thought to be £90bn a year.

2017 was a year of change in AML and financial crime, with the long-awaited Money Laundering, Terrorist Financing, Transfer of Funds (Information on the Payer) Regulations 2017 (MLR), and the Criminal Finances Act. There was plenty to think about and do. But it doesn’t stop there. The wicked don’t, so we can’t. Here are 4 things you will need to tackle in 2018.

1. Final Guidance

The Legal Sector Affinity Group have prepared guidance for firms on MLR 2017, which is currently in draft form on the Law Society’s website. The guidance has been submitted to HM Treasury, and is currently going through the approval process. It is hoped the guidance will be finalised within the next couple of months. Once the final guidance is released, firms will need to take steps to finalise their policies and procedures.

2. Independent Audit Function

Regulation 21 MLR requires that a firm, where appropriate to the size and nature of its business, establish an independent audit function to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures. Firms will need to consider how to resource this, whether they can do that internally or externally, and consider the scope. Many firms already include CDD in their file review process, but audit may be much wider, reviewing accounts and risk assessment processes.

3. Implementation of the Criminal Finances Act (CFA)

2017 saw the introduction of the CFA, and the Corporate Offence of Failing to Prevent the Criminal Facilitation of Tax Evasion. Firms also need to be aware of the provisions around the extension to the Moratorium Period (r10), the new Information Sharing Powers (r11) and Further Information Orders (r12) which came into force on the 31st October 2017. Policies and procedures for dealing with these may need to be introduced, and staff training delivered, particularly in relation to the Information Sharing Powers, and how to respond should someone seek to share information about a client with them.

4. Amending Directive to 4MLD

On the 15th December the amending directive to the fourth Money Laundering Directive was agreed. This revision of the 4MLD aims to:

  • increase transparency on who really owns companies and trusts by establishing beneficial ownership registers;
  • prevent risks associated with the use of virtual currencies for terrorist financing and limit the use of pre-paid cards;
  • improve the safeguards for financial transactions to and from high-risk third countries;
  • enhance the access of Financial Intelligence Units to information, including centralised bank account registers.

Member states will have 18 months to implement these changes, so firms may need to make further changes to their policies and procedures soon.

It is clear we are a long way off from “Business as Usual” in AML, with a lot of change still to navigate and embed.

Get in touch

For more information about our AML services, simply get in touch with our experts today.
