Blogs


Suspicious minds – What’s the definition of suspicion in AML?

The AML legislation imposes a positive duty on lawyers, in certain circumstances, to report any suspicion that their client is engaged in money laundering. Given that such a duty is, on the face of it, in conflict with fundamental obligations on solicitors to act in the best interests of their clients and keep what they say confidential, one would be forgiven for thinking that the law would provide a clear definition and guidance as to the meaning of suspicion. “Suspicion” in AML is a key concept in the proceeds of crime legislation in establishing the mental element required not only to prove there has been a failure to report offence, but also to prove the commission of the substantive money laundering offences. Given the severity of the consequences of a conviction under the money laundering legislation, it is crucial that those in practice understand what suspicion means.

You may be surprised to learn that, despite its significance, “suspicion” is not defined anywhere within the proceeds of crime legislation, nor within the recommendations of the Financial Action Task Force, nor in any of the Money Laundering Directives from the European Union. Instead, it has been left for the courts to interpret and define the concept.

How have the courts interpreted “suspicion”? The courts have made clear that in criminal law, ordinary words should be given their ordinary meaning and their definition is not a question of law.

So far so good. But considering the dictionary definition of the word does not give a straightforward answer. Different dictionaries each give slightly different definitions. The word “suspicion” does not describe one state of mind. It actually covers a range of states of mind, from a mere inkling to believing something is highly probable or even true.

Which definition of “suspicion” have the courts adopted? Many judges have grappled with the question and there have been several cases over the years, many of which make interesting reading. The leading case is that of R v Da Silva, where Longmore LJ said the essential element was that “the [person that suspects] must think that there is a possibility, which is more than fanciful, that the relevant facts exist. A vague feeling of unease would not suffice. But the statute does not require the suspicion to be ‘clear’ or ‘firmly grounded and targeted on specific facts’, or based upon ‘reasonable grounds’.”

This case makes it clear that suspicion is a relatively low threshold and is subjective – while it has to be genuinely held, it doesn’t have to be reasonably held. Although the courts have declined to introduce a reasonableness test, or to set a standard for the strength of suspicion needed, the statement that it needs to be more than fanciful suggests that the suspicion does need to have some basis in fact. One of the difficulties is where the boundary lies between unease and suspicion – it’s not an easy concept to define.

Reasonable grounds for suspicion

The eagle-eyed amongst you will notice that the failure to report offence in s 330 of the Proceeds of Crime Act applies not only if a person knows or suspects, but also if a person has “reasonable grounds” for knowing or suspecting that another is engaged in money laundering. Does this mean that a person can be guilty of the failure to report offence even without any mental element, in other words that it is a strict liability offence? The recent case of R v Sally Lane & John Letts (AB & CD) [2018] UKSC 36 sheds some light on this. That case was concerned with suspicion under one of the principal offences in the Terrorism Act and asked whether the phrase “reasonable cause to suspect” in s 17(b) of the Terrorism Act 2000 has the same meaning as “reasonable suspicion” – in other words, did the Prosecution have to establish actual subjective suspicion? The Supreme Court concluded that there was no requirement for proof of actual suspicion – so long as the Prosecution could establish there were reasonable grounds to suspect, it did not also have to establish actual suspicion.

Applying this to the money laundering regime and the failure to report offence, if the Prosecution can show that the person was aware of facts which, when considered objectively, would provide reasonable grounds for knowledge or suspicion, that would be enough to establish guilt even if the person didn’t have actual knowledge. The requirement to prove what was actually known to the person, rather than what they ought to have known, shows that the offence cannot be committed by negligence alone, but recklessness rather than intention would be enough to establish the mental element.

Suspicion of What?

In the context of the reporting offences, fee earners are generally encouraged to report to the MLRO any suspicions they have, even if just a vague feeling of unease or something they can’t put their finger on, and I don’t think anyone would want to discourage that. But if you are the MLRO considering making an external report, something more concrete is needed, namely that you suspect that money laundering (or terrorist financing) is taking place. And for money laundering there must be criminal property.

In the 2008 case of R v Anwoir the court held that money laundering could be proved in two ways:

  • by showing that property derives from conduct of a specific kind and that that conduct is unlawful, or
  • by evidence of the circumstances in which the property is handled, which are such as to give rise to the irresistible inference that it can only be derived from crime.

In essence, the relevant threshold will be reached if you know or suspect that a specific type of criminal conduct, such as fraud or tax evasion, has taken place and that it has generated criminal property. This is likely to be the case if you have received information, either from the client themselves, from a third party or from a law enforcement agency, or if it has been reported in the media. Alternatively, you may not have received any information, but there may be a series of warning signs which can’t be satisfactorily explained and which, taken together, give rise to the irresistible inference that the funds must be criminal.

What are some of the warning signs?

The following are the type of things that may give rise to a suspicion that a person is engaged in money laundering:

  • Transactions which have no apparent purpose and which make no obvious economic sense
  • Transactions outside the ordinary range of services normally requested by the client
  • A client who refuses to provide information without reasonable explanation
  • A client who uses a business relationship for a single transaction or for a very short period of time
  • Routing of funds through third party accounts without reason
  • Use of offshore accounts, companies or structures in circumstances where the client’s needs do not support such arrangements
  • Attempts to launder proceeds through a cash-intensive business (as criminals often do) where the cash flows appear too large or the profit margins too high
  • Unusual settlement requests, for example where unusually large sums of cash are offered, or cash is being sent by persons who are not clients of the firm, or where the source of funds or the way in which settlement is to take place is unusual
  • Using the firm for banking services only, e.g. receipt of funds into client account, all or some of which prove not to be needed for any subsequent transaction, followed by a request by the client for onward transmission of the funds through the banking system to a third party
  • Formation of companies without any apparent commercial or other purpose
  • Property transactions – fictitious buyers, payment of deposit direct to seller, sales at undervalue

This is not a complete list and my suggestion would be to familiarise yourself with the Law Society guidance in relation to this.

In June 2019, following a consultation which began in 2018, the Law Commission published its review and recommendations in respect of the SARs regime. That report acknowledged that suspicion is a complex and knotty concept, that the test is often misunderstood and not properly applied by reporters, and that this has resulted in a high volume of poor quality SARs, many of which are made for defensive reasons rather than because of genuinely held suspicion. However, having analysed responses to the consultation, the Law Commission declined to recommend providing a statutory definition of suspicion. It did recommend that the Secretary of State be required to publish guidance on suspicion and that there be a prescribed form for the making of SARs (the format to be left to an advisory group). It stopped short of recommending raising the reporting threshold to require reporting only where there are reasonable grounds to suspect money laundering. It did, however, recommend that an Advisory Board should undertake a review as to whether to increase the threshold after carrying out further research on the quality of disclosures under the current regime.

Conclusion

In conclusion, it looks as though the current position, whilst arguably less than ideal, is set to remain for a while longer. In these circumstances, our best advice is to ensure that firstly, when considering whether you are obliged to make a report, you make a full note of the factors and the information you have considered and your reasoning in arriving at your conclusion as to whether you suspect or not, and secondly, that your grounds for suspicion and identification of the criminal property are clearly set out in any external SAR.

Get in touch

If any of our AML services can be of assistance, please get in touch with one of our helpful experts today.



The ICO has teeth, and is not afraid to use them!

So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.

Well, this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.

But are the fines in line with expectations? They certainly fall well short of the maximum possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fine accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their worldwide turnover rather than the 4% maximum permitted by the Act.

It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.

What is clear, though, is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover, this is a highly significant sum to bear for any size of firm. Would your firm be able comfortably to digest it?

For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time spent investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach-related fines?

So, in analysing the events of the past few days:

Don’t…

  • Think that the GDPR and DPA don’t apply to you? They do!
  • Think that the ICO won’t act if you have a breach? They clearly will!
  • Relax in the mistaken belief that having a set of paper policies alone is sufficient to demonstrate compliance? It’s not!
  • Forget to keep your Privacy Statement and data protection related policies and procedures under regular review and updated? The Regulation requires it!
  • Ignore the importance of regular awareness training for all staff at all levels, and of new staff inductions placing an appropriate level of emphasis on the firm’s data protection culture? It’s a vital contributor to effective breach recognition and management!
  • Be afraid of enlisting outside help? A third pair of eyes can assist objectively and save huge amounts of valuable internal time!

Do…

  • Ensure that DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.
  • Ensure that your Privacy Statement is up to date and the internal contact details are accurate.
  • Ensure that your DP policies are up to date and regularly reviewed, and the reviews documented.
  • Ensure that your IT systems are up to the task and, if appropriate, regularly penetration (“pen”) tested, with the findings acted upon.
  • Ensure that your DP team is meeting regularly, and their meetings and action plans documented.
  • Ensure that a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.
  • Ensure that your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP and that their own DP operation is compatible with your requirements.
  • Ensure that there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.

Get in touch

The ICO’s actions this week have issued a statement of intent to be ignored at our peril – how does your DP package shape up?

If you’d like more information on data protection, or would like to find out how we can help, simply get in touch with our experts today.



Ark Group Conference Panel

I attended the Ark Group Annual AML Conference in London yesterday to speak on the panel about the challenges for MLROs who are also fee earners in their firm.

The session posed questions to the audience, and we, the panel, put our two penneth in.

Joining me on the panel were Alex Ktorides from Ince Gordon Dadds and Colette Best from the SRA, and the chair was my Taskforce colleague Guy Wilkes.

The first question was about how challenging MLROs find combining their compliance obligations and fee earning roles.

Most voted very challenging (4 out of 5), which I absolutely agree it can be. Interestingly, if unsurprisingly, nobody voted it not challenging!

The main points I shared were:

Culture is key – without strong support and a culture of buying into compliance you will fail. If we fail to tackle non-compliance in firms, our compliance programmes will collapse! Colette agreed: where a firm has a person who refuses to comply, the SRA will expect the firm to deal with it and may themselves deal with that individual.

Don’t put things in your policies which you know don’t work – don’t set yourself up to fail. Check things work, and introduce controls so you know things work. Don’t leave things for the SRA to discover. Make sure people can make an assessment of risk when you ask them to; don’t say people can’t open a file without the client ID if you know that’s impossible.

Have controls so you aren’t caught out. Audit the controls. If you let fee earners open a file before client ID is completed, make sure you’ve set a deadline and that that is monitored and enforced.

Litigation needs to know too! Don’t forget to make sure your litigation teams also have AML training and appreciate the risk that onboarding a client they are happy to deal with may cause AML issues if that client also instructs the firm to carry out transactions.

Get a process in place for source of funds and source of wealth. Tell your teams they won’t spot money laundering if they think the extent of their obligations is to get a passport and utility bill; that doesn’t prevent money laundering #baddieslivesomewhere!

Get in touch

If you’d like to know more about our AML services, simply contact one of our experts today.



Price Transparency: An opportunity not to be missed!

As part of the recently launched Teal Compliance Officer Training Programme, I ran a webinar session running through all the requirements in relation to Price Transparency and the impact it is having on firms.

The first thing I would say is that the new rules create a market of opportunity on which you can take stock and look at your pricing structure, how you price and the services you offer to your clients. The stated aim of the new rules is to provide good quality information to potential and existing consumers to enable them to make the best decision for the type of service they require and within their budgets.

A lot of firms are focusing on the perceived negative impact, e.g. that it is “big brother” or that competitors will undercut their fees and poach clients. But by focusing on that, firms risk missing opportunities. The research commissioned in 2016 by the Competition & Markets Authority (“CMA”) concluded that, generally speaking, there is insufficient information available to consumers and small businesses in relation to the price, range and quality of legal services on offer. This was particularly evident in relation to the conveyancing market.

The majority of consumers looking for legal services said that if better information about price, quality and range of legal services was available online that would help them in making a decision as to which firm to approach.

Consumers also said that firms with a “digital badge” displayed on their website, would give them greater confidence about the services on offer and could in fact be the deciding factor on whether or not to use a firm.

To recap on what is required under the new rules:

I have done some of my own research looking at how firms have improved price transparency on their websites. Some firms have absolutely got it spot on; however, I have to say I am quite surprised by the number of firms who are not yet publishing transparent information, and by those whose attempts to be compliant have fallen short of what is required. The CLC and SRA have already started to undertake reviews of firms regulated by them. Whether firms want to accept the rules or not, you still have to comply.

If you are not sure how to ensure you are compliant with the new rules, or you just need a sense check, then we are here to help, for example by running pricing workshops to give you the opportunity to review and update all the services that you charge for.

The new rules are designed to stop those firms who add on “hidden” costs at the end of a transaction, leaving the client confused and uncertain as to how they are going to pay for those additional fees. Introducing transparency, with guidance on the services offered and what is and isn’t included, will assist clients in assessing what is right for them from both a personal and a financial perspective.

A lot of firms are using online calculators, and these are a great way of providing an estimate where the onus is on the client to provide the correct information. Again, if this information changes you can make it clear the fee may change accordingly. There is evidence to suggest that, particularly in conveyancing, the use of online calculators is assisting in winning business. Some firms have platforms which also automatically send the terms of business letter out, so you could arrive in the office in the morning with new clients already committed to working with you. These are fantastic examples of what you can do to be compliant under the new rules and maximise business potential. What’s not to like?

My top tips for making sure you are up to speed with price transparency include:

  • Use price transparency as an opportunity to revisit your current fee structure and prices
  • Ensure that your website contains all relevant information about the range, quality and price of your services
  • Obtain and display your digital badge
  • Communicate and provide training in price transparency to all staff
  • Remember to update relevant policies and marketing materials

Get in touch

If you’d like to know more about our website audit service, simply get in touch with one of our helpful experts today.



Time to audit data compliance?

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit data compliance?

Why do I need to complete a data compliance audit?

An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that

“The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”.

This is often referred to as the ‘accountability’ principle – completing an audit will allow an organisation to demonstrate accountability with the principles.

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may assist in mitigating against a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/GAP Analysis

If you haven’t already completed one, it’s a good idea to start with a full audit/GAP analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

  • Do you have the relevant policies and procedures?
  • Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it?
  • Do you have up to date data flow maps showing how data moves through your organisation?
  • Do you have a process for dealing with data subject requests within one month?
  • Do you have a process for dealing with data breaches and incidents?
  • Have you updated your contracts of employment and issued a privacy notice to all employees detailing how their data will be processed?
  • Do you have contracts in place with anyone who processes data on your behalf?
  • Do you have training scheduled or already completed?
  • Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your processes and controls to provide assurance that your organisation’s policies are being followed, and to identify any improvements that can be made.

For an annual audit you should consider:

  • Are your policies and procedures up to date?
  • Do they reflect any process changes which have taken place?
  • Refresh your data audit – are your data flow maps up to date?
  • Is your Data Retention Policy being followed? Ask IT to check whether you are holding data that should have been deleted.
  • Are data subject requests being responded to within one month?
  • Are data subject complaints being responded to promptly?
  • Is training up to date? Is there a good level of employee awareness?
  • Do you have contracts in place with all your data processors?

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creating policies/procedures, to carrying out an independent annual audit. This can be done as a stand-alone piece of work or as part of our DPO support service. Get in touch with our experts today.



Teal Tales: Consent for missing CDD information

We get many calls from firms who have unusual compliance queries. They are my favourite calls!

Today’s tale is a common one, and the issue it raises is a common misconception. In fact, we had 2 calls about this on the same day, with similar issues.

“We’re ready to complete, there is a third-party funder, we’ve asked for source of funds information, but it’s not forthcoming. Can I get consent?”

The answer to that question will depend on the facts of each case, and whether there is a suspicion of money laundering.

Quite often in these situations I ask the firm what they are suspicious about, and they will say that the fact the clients are refusing to provide the information is making them suspicious. And that is true.

However, consent, or a defence against money laundering will only be given if there is a suspicion of money laundering; for there to be money laundering, you need to know or suspect there is criminal property.

So, the next question I ask is what is the suspected criminal conduct, and very often the answer is, “I have no idea” or “I don’t think there is any”.

If the firm cannot detail on the Suspicious Activity Report what they think the criminal property is, and the suspected criminal conduct from which it is thought to have come, the NCA are unlikely to accept it as a valid SAR.

Having no idea won’t get you there; you won’t have the relevant suspicion.

If you can’t get consent for missing CDD information, what can you do?

Regulation 31 stipulates that you must not establish a business relationship with someone for whom you can’t complete your due diligence enquiries. So, if you’re in a position that you can’t complete your CDD enquiries because of an uncooperative client or third party, you may need to withdraw.

Many people who contact us about this are concerned about how to explain to their client without telling them they are suspicious. If you don’t already, you should consider setting out your source of funds and wealth policy at the very beginning, explaining to the client the depth you are likely to go to and then if they do not provide the information, you can point to the policy and withdraw from acting.

If you are already in receipt of funds, the situation will be a lot more difficult. You may need to press the client further for the information, and keep returning to the question: do you suspect any criminal conduct?

Get in touch

If you have compliance questions and need help, why not try our Ask Teal service. For more information, contact our experts today.


Mindful policies

This morning I was looking at a post on LinkedIn which generated a lot of comments and interest. The post is about a mobile phone policy which a content marketing business felt it needed to implement, apparently written, according to the managing director, by the younger staff, and not by management.

Now, reading the comments, it’s suggested by some that this is a clever piece of content marketing to demonstrate the business’s ability to get engagement, but whether it is or not, I’ve seen that policy before, often, in law firms.

“Failure to close the photocopier lid is a disciplinary offence.” “No more than 1 person in the kitchen at any one time.” “The toilet roll is kept in the managing partner’s office and must be returned after use.”

These examples of policies are not made up for clickbait. They are policies which were in place in the first law firm I worked in. Now we’re talking 22 years ago, but just last year someone sent me a picture of a sign on the back of a bathroom door (which clients can use) which said in red capitals – DO NOT LEAVE THIS TOILET WITHOUT CHECKING IT HAS FLUSHED PROPERLY. IF NECESSARY, FLUSH AGAIN.

I find myself reflecting on what is happening in these businesses to motivate people to write such things: what are their frustrations, concerns, worries? Worries about productivity, wasted costs, cleanliness, and, in respect of the mobile phone policy, possibly security. These are absolutely legitimate issues which need to be addressed, but I would suggest that sometimes the way these policies are written is counterproductive.

Whilst the policy or notice itself may have the desired effect (we never left the photocopier lid up, for example), what does this do for morale and culture? Now this isn’t my area, and I know people much better placed to talk about culture, but I do know about policies, and I would urge anyone writing them to think about the unintended consequences. Whenever we introduce controls, unless people properly understand the rationale, there is a risk they won’t comply – that they’ll dismiss it and will work around it.

Also consider how the policy might be interpreted. Avoid writing them when you’re frustrated! In one of the comments the MD of the company with the mobile policy was asked whether it applied to him, and he said he needed his mobile phone on the desk, and that he could “restrain himself” from getting drawn into social interaction during the day.

I recently caught a Simon Sinek (who I love!) video about how allowing our children access to mobile phones is damaging them and ultimately causing a problem for managers in the workplace, as people are addicted to them. I don’t disagree with him, but dismissing this as “they can’t restrain themselves, so I am going to threaten them with a ban” doesn’t seem to me to be the best way of tackling it.

Communication, explaining the impact, understanding why it is an issue, and arriving at a negotiated solution is going to be much better than issuing policies which can alienate people, breed resentment, and cause exactly the lack of productivity you were afraid of in the first place.

Be mindful when writing your policies: leave aside for a moment what your intention is, and put yourself in the mind of the reader. Am I saying what I mean? Will they understand why we need it to be this way? Will they feel talked down to by the language? The more engaged the reader is, the more likely they are to comply.

Get in touch

If you’d like help with your policies and procedures, simply get in touch with one of our helpful experts today.



The Data Protection Regulations Amendment 2019

Draft Regulations to create a ‘UK GDPR’ were published by the Government this week to ensure that the UK is ready for Brexit. The Data Protection Regulations Amendment 2019 introduce a large number of technical amendments to the GDPR, the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications Regulations 2003 (PECR). The Withdrawal Act makes provision for the GDPR to form part of UK domestic law from 30th March 2019 as a ‘UK GDPR’.

But what does this mean in practice?

  • The text of UK GDPR is fundamentally the same as the GDPR which came into force on 25th May 2018, but it will correct language deficiencies from the European text
  • Extra-territorial application is retained – non-UK controllers and processors that sell into the UK or monitor UK residents online will have to comply with the UK GDPR
  • In some circumstances, non-UK controllers will need to appoint a representative within the UK
  • Previous EU adequacy decisions are revoked BUT the UK will deem EEA countries, EU and EEA Institutions and Gibraltar as having adequacy decisions
  • The ICO will be responsible for standard contractual clauses to facilitate the export of personal data from the UK and will not need EU Commission approval
  • The ICO will continue to be able to authorise new binding corporate rules
  • The ICO will be responsible for any tasks previously undertaken by other EEA Supervisory Authorities for the processing of personal data of UK residents
  • PECR will be amended to align the definition of consent with the UK GDPR

UK based businesses that deal solely with UK based personal data will largely remain unaffected. But if your business deals with non-UK business partners and there is a transfer of UK personal data, then you will need to review carefully whether any of the changes will affect you (don’t worry, Team Teal can help!).

The Regulations still need to be approved by Parliament so watch this space.

Get in touch

If you need help with data protection and GDPR, get in touch with our experts today.


EU-US Privacy Shield and Brexit – What you need to know

After a turbulent few months, the Privacy Shield was re-approved by the EU Commission at the end of last year. With Brexit looming, if you are a Privacy Shield participant there are some steps you may need to take before 30th March 2019 to ensure you can continue to receive personal data from the UK.

I say ‘may need to take’ because it all depends on whether the Brexit Withdrawal Agreement is approved by the UK Parliament. If approved, there is an 18-month transitional period, so Privacy Shield commitments will not need to be updated until 31 December 2020.

However, if the Agreement is not approved, then Privacy Shield commitments will need to be updated by 30th March 2019, so it is advisable to start looking at this now.

So what do you need to do?

  • Update publicly facing privacy policies to specifically state that Privacy Shield Commitments extend to personal data received from the UK.
  • If transferring HR data then the HR Privacy Policy will also need to be updated.
  • Maintain your certification by completing an annual re-certification.

If you are a UK business that deals with a Privacy Shield certified business, then you should make sure that steps are being taken to make the relevant changes in time.

Get in touch

If you need help with this or any of the other regulatory compliance changes that are happening this year then don’t hesitate to contact us today.


Ten point plan for IDD compliance

This may appeal to those of you who, like me, are a little lost when someone talks to you about the Insurance Distribution Directive. Let’s start from the basics. The Insurance Distribution Directive (IDD) is a new European directive that has replaced the Insurance Mediation Directive (IMD). It applies to firms that conduct insurance distribution activities, and its introduction will change the way relevant firms work. The SRA recently announced the approval by the Financial Conduct Authority and the Legal Services Board of its rules to comply with the directive, reflected in the changes made to the SRA Handbook 2011 on 1 October 2018.

In summary, the Directive aims to enhance consumer protection when buying insurance, including general insurance, life insurance and insurance-based investment products (IBIPs). It also focuses on supporting competition between insurance distributors by creating a level playing field. Like the IMD, the IDD covers the authorisation, passporting arrangements and regulatory requirements for insurance and reinsurance intermediaries. However, the application of the IDD is wider, covering organisational and conduct of business requirements for insurance and reinsurance undertakings. It’s also important to mention that, in order to demonstrate that firms and employees possess appropriate knowledge to perform their duties, at least 15 hours of CPD are required.

In practical terms, ‘insurance distribution’ in the new directive is defined as the activities of advising on, proposing, or carrying out other work preparatory to the conclusion of contracts of insurance, of concluding such contracts, or of assisting in the administration and performance of such contracts, in particular in the event of a claim. That means law firms involved in personal injury, conveyancing and probate will most likely be carrying on insurance distribution activities, e.g. arranging after-the-event insurance for clients in a personal injury matter or insurance for defective title in a conveyancing matter.

Another important reference is the SRA rules, particularly the SRA Financial Services (Scope) Rules 2001 (Scope rules) and the SRA Financial Services (Conduct of Business) Rules 2001 (COB rules). The specific requirements which relate to insurance distribution activities are set out in Appendix 1 of the COB rules.

Here are 10 steps you may consider when you deal with IDD compliance:

Step 1

Notify the SRA using an FA8 form if you propose to conduct insurance distribution services. The SRA will inform the FCA on your behalf, which maintains a register of firms that includes those carrying on insurance mediation activities. Before submitting the completed form, be sure to provide some basic information: details of your firm’s insurance distribution officer; the identities of shareholders or members that have a holding in your firm that exceeds 10%, and the amounts of those holdings; the identities of persons who have close links with your firm, as per the close links definition under Article 13 point 17 of Directive 2009/138/EC; and information that those holdings or close links will not prevent the exercise of supervisory or regulatory functions. Failing to register when required to do so is likely to breach the general prohibition, which is a criminal offence under section 23 of the Financial Services and Markets Act 2000, and you may find that the contracts of insurance arranged for clients are invalid.

Step 2

When appointing an insurance distribution officer, you must make sure that they are competent and understand the terms and conditions of policies offered, the laws covering the distribution of insurance products, claims and complaints handling requirements, and how to assess a customer’s needs.

Step 3

Make sure that you do not carry on any insurance distribution activities unless you have in place a policy of qualifying professional indemnity insurance. More information about the obligations on you can be found in the SRA Indemnity Insurance Rules 2013.

Step 4

Consider Rule 3 of the COB rules, which sets out the sort of information that you must provide about you, your firm and the services you can provide when arranging insurance, e.g. informing the client that you are regulated by the Solicitors Regulation Authority for this work and the scope of your services, i.e. that you can only carry on insurance distribution activities limited to those not prohibited by the Scope Rules.

Step 5

Set out the information that you will need to give to your clients about any remuneration you receive for arranging the insurance and any fees that might be payable by the client, in accordance with Parts 8 and 9 of Appendix 1 of the COB rules.

Step 6

If you collect a fee from a client, you must disclose the exact amount of that fee (not an estimate or range). If the exact amount is not known, then the method of calculation must be provided. Any information you give to the client must be in a “durable medium” and be fair, transparent and not misleading.

Step 7

In addition to providing information about the status of your firm, you must provide your clients with information confirming: that you are an insurance intermediary, as opposed to an insurer, and that you cannot manufacture insurance products; whether you provide a personal recommendation in respect of the insurance products offered; whether you act on behalf of the client and/or the insurer (if you act for both, you will need to explain in what circumstances you can act for each party); and whether you have “10% or more” of the voting rights in an insurer (for example, as a shareholder).

Step 8

You must comply with Chapter 1 of the SRA Code of Conduct 2011 by acting “honestly, fairly and professionally in the client’s best interests”.

Step 9

Comply with the outcomes in Chapter 8 of the SRA Code of Conduct 2011 by making sure that your marketing communications addressed to clients or potential clients are fair, clear and not misleading. Marketing communications should always be clearly identifiable as such.

Step 10

Ensure you have sent the client a summary document for general insurance products in the form of an Insurance Product Information Document (IPID) before you conclude a contract. The insurer is required to draw up the IPID, which must set out the key information a client will need to make an informed decision about the product.

Get in touch

If you have any questions at all about IDD compliance, insurance generally or regulatory compliance, then get in touch with one of our experts today. An initial call is always free.
