Blogs

Two front doors. One with a correct number and one with a made up number

Preventing a repeat of Dreamvar

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance /

Dreamvar – more than a year on …….. so, what has changed?

It’s likely most conveyancers will shudder when they hear the name Dreamvar. It’s the case that changed the liabilities and responsibilities of lawyers and conveyancers when dealing with residential property transactions. But in practice, what has actually changed since this case?

Firstly, a brief background for those unfamiliar with the details of the case. The case involved the liability of solicitors in cases of identity fraud. A fraudster posed as the seller of a property in London worth about £1million and succeeded in selling the property to an innocent buyer, Dreamvar. Once the property was sold the fraudster seller and the purchase monies disappeared. Dreamvar went on to sue his solicitor, for negligence (in contract and tort) and for breach of trust. He also sued the fraudster seller’s solicitor in negligence, for breach of warranty and breach of trust.

The High Court ruled that only Dreamvar’s solicitor could be liable and dismissed all claims against the fraudster’s solicitors. This seemed a little harsh given the solicitors acting for the fraudster had not taken sufficient steps to verify their client’s identity as required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

The case therefore eventually made its way to the Court of Appeal. The Judge ruled the solicitors representing the fraudulent property vendor should share responsibility along with those representing the duped buyer of any losses. The Court of Appeal ordered both firms involved to make financial contributions.

However, it wasn’t just the solicitors involved that were in the firing line, the Law Society was also criticised. The case discussed the Law Society’s Code for Completion by Post (“The Code”) and argued that its processes did not consider the prospect that a sale is not genuine.

The Law Society agreed that their Conveyancing Protocol (“The Protocol”) and The Code needed updating and confirmed they intended to take the courts comments into account when making the amendments. And true to their word, the Law Society updated The Code and The Protocol this year.

The Law Society have made it clear that there are no changes in substance to the Code. Their revisions to the Code aim to make it clearer that the seller’s solicitor only gives undertakings where there is a genuine sale, thereby providing better protection for purchasers.

Similarly, with The Protocol the Law Society confirmed the number of steps have been reduced, however the obligations under the Protocol remain the same. They have made some procedural changes that you should be aware of, especially if are acting for the seller. In particular, the Protocol now states that Solicitors in CQS firms who are acting for the seller must

Obtain instructions for dealing with remittance of gross/net sale proceeds and details provided by the seller of UK bank account for remittance of proceeds. Obtain evidence that the bank account is properly constituted as an account conducted by the seller for a period of at least 12 months. Confirm that remittance will be made to that account only.

This means the solicitor must, if they are a CQS firm, request details of the bank account for the sale proceeds and they must also obtain evidence that the account belongs to the seller, showing that they have had and been using the account for at least 12 months.

This is a great way to ensure the purchase funds are going to the correct person! Only last month a woman named Sarah Broadbelt was jailed for 20 months for fraud and possessing a false identity document, after she sold a property for £75,000 back in 2015, without the real owner knowing. This case shows the lengths criminals are willing to go in order to commit this type of crime. Broadbelt went as far as changing her name by deed poll to that of the property owner’s so that she could apply for a passport and open bank accounts! That is real dedication!

Had the new Protocol and Code been in place (and been followed) it would have been far more difficult for Broadbelt to pose as the real owner of the property given that she, as the seller, would have been required to provide at least 12 months bank statements to show that not only was the bank account in her name, but it had also been in use by her for those 12 months.

So, what should you be doing now?

If you haven’t already, review The Protocol and The Code and ensure you have the right policies and procedures in place to enable your staff to follow them – do your firm and staff know about the need for further details about the seller’s bank account?

Don’t forget to communicate the changes to the relevant staff – there’s no point in updating policies and procedures if no one is told they have changed (they don’t have a crystal ball!)

Even if you are not CQS Accredited, it is good practice to follow The Protocol and The Code, it is not only there to protect your client and your firm but you as their solicitor/conveyancer too!

Get in touch

If you’d like to know more about the services we have to offer, get in touch with one of our experts today.

Preventing a repeat of Dreamvar Read More »

Woman's hands typing on laptop

Conflict checking – Are law firms getting it right?

Blogs, Legal Compliance, Regulatory Compliance /

Having worked in several different law firms over the past 10 years, it has been interesting to see how each firm has dealt with conflict checking differently.

Many medium to large law firms have teams running conflict checks for the firm. From my experience however in many of these firms the individuals running these conflict searches are simply looking for a match in data. But…. are they given enough training on the legal concepts surrounding conflicts of interest to really know what to look out for and to identify conflicts and potential conflicts.

Most smaller firms don’t have the resources to have a dedicated team to deal with conflict checking and it is therefore the responsibility of the fee earner to conduct a conflict check themselves. However, as a fee earner, is this “non-chargeable time” spent actually checking all the relevant parties? In some cases I fear not!

When I first started my legal career I worked as a paralegal dealing with debt recovery matters. I worked for a smaller firm so responsibility for conducting conflict checks was on me, which, having never been given any real training, proved quite difficult. Because of the lack of training I ended up opening a file and suing one of our client’s subsidiaries … whoops!

It is important to remember however that a conflict check is only as good as the data stored in a firm’s case management system. Firms need to make sure they have enough controls in place to ensure they are capturing the correct data for a conflict check to be properly carried out and have any value.

It then comes down to how a potential conflict of interest is dealt with. When I was buying my first property, I was informed by the estate agent that the Seller had instructed the same solicitor as me, but that this was “fine” because the Seller’s solicitor was based in a different office. Thinking back to this now with the legal experience I have, it is clear that, this was a conflict of interest and more should have been done by my Solicitor to make me aware of the possible implications and risks (rather than leaving it to the estate agent to tell me). I can’t really complain, they did a great job, however I do wonder what safeguards they actually had in place.

In November 2018, Sleigh Son & Booth solicitors were fined £2k and ordered to pay £20k in costs for acting where a conflict of interest breach may have arisen. The firm had acted for both vendor and purchaser in 9 conveyancing transactions where they had failed to advise either the vendor or purchaser that it was acting for the other and in 8 conveyancing transactions without obtaining either clients’ consent to do so. . The worst part was they had controls and protocols in place, they were just simply breached or forgotten.

This begs the question, should law firms be thinking more about what happens if they get it wrong?

Here are a few points I think Law Firms should consider when looking at conflict checking;

1. Training – Make sure your employees receive the training they require for their role and level of experience in respect of conflicts of interest and that they are aware of any internal systems, policies and procedures. It is always worth doing refresher training, as things do change!

2. Related Parties – Make sure all the relevant parties have been checked (You wouldn’t want to go suing one of your client’s subsidiaries!)

3. Data – It is important that all client and matter related parties are added to the case management system so they can be picked up in future conflict checks.

4. Potential conflict of interest? – Make sure you deal with any actual or potential conflict of interests appropriately. Do you require client consent, information barriers or do you simply have to decline to act? Remember the consequences if you get it wrong!

Get in touch

If you’d like to know more about our services, simply get in touch with one of our experts today.

Conflict checking – Are law firms getting it right? Read More »

Money notes piled up with the face of a man on the notes peering through

Suspicious minds – What’s the definition of suspicion in AML?

Blogs /

The AML legislation imposes a positive duty on lawyers, in certain circumstances, to report any suspicion that their client is engaged in money laundering. Given that such a duty is, on the face of it, in conflict with fundamental obligations on solicitors to act in the best interests of their clients and keep what they say confidential, one would be forgiven for thinking that the law would provide a clear definition and guidance as to the meaning of suspicion. “Suspicion” in AML is a key concept in the proceeds of crime legislation in establishing the mental element required not only to prove there has been a failure to report offence, but also to prove the commission of the substantive money laundering offences. Given the severity of the consequences of a conviction under the money laundering legislation, it is crucial that those in practice understand what suspicion means.

You may be surprised to learn that, despite its significance, “suspicion” is not defined anywhere within the proceeds of crime legislation, nor within the recommendations of the Financial Action Task Force, not in any of the Money Laundering Directives from the European Union. Instead, it has been left for the courts to interpret and define the concept.

How have the courts interpreted “suspicion”? The courts have made clear that in criminal law, ordinary words should be given their ordinary meaning and their definition is not a question of law.

So far so good. But considering the dictionary definition of the word does not give a straightforward answer. Different dictionaries each give slightly different definitions. The word “suspicion” does not describe one state of mind. It actually covers a range of states of mind ranging from a mere inkling to believing something is highly probable or even true.

Which definition of “suspicion” has the courts adopted? Many judges have grappled with the question and there have been several cases over the years, many of which make interesting reading. The leading case is that of R v Da Silva where Longmore LJ said the essential element was that “the [person that suspects] must think that there is a possibility, which is more than fanciful, that the relevant facts exist. A vague feeling of unease would not suffice. But the statute does not require the suspicion to be “clear” or “firmly grounded and targeted on specific facts”, or based upon “reasonable grounds”.

This case makes it clear that suspicion is a relatively low threshold and is subjective – while it has to be genuinely held, it doesn’t have to be reasonably held. Although the courts have declined to introduce a reasonableness test, or set a standard for the strength of suspicion needed, the statement that it needs to be more than fanciful suggests that the suspicion does need to have some basis in fact. One of the difficulties is what is the boundary between unease and suspicion – it’s not an easy concept to define.

Reasonable grounds for Suspicion

The eagle eyed amongst you will notice that the failure to report offence in S 330 of the Proceeds of Crime Act applies not only if a person knows or suspects, but if a person has “reasonable grounds” for knowing or suspecting that another is engaged in money laundering. Does this mean that a person can be guilty of the failure to report offence even without any mental element, in other words that it is a strict liability offence? The recent case of R v Sally Lane & John Letts (AB & CD) [2018] UKSC 36 sheds some light on this. This case was concerned with the suspicion of one of the principal offences under the Terrorism Act and asked the question of whether the phrase “reasonable cause to suspect” in s17(b) of the Terrorism Act 2000 has the same meaning as “reasonable suspicion” – in other words did the Prosecution have to establish actual subjective suspicion. The Supreme Court concluded that there was no requirement for proof of actual suspicion – so as long as the Prosecution could establish there were reasonable grounds to suspect, it did not also have to establish actual suspicion. Applying this to the money laundering regime and the failure to report offence if the Prosecution can show that the person was aware of facts which, when considered objectively, would provide reasonable grounds for knowledge or suspicion, that would be enough to establish guilt even if the person didn’t have actual knowledge. The requirement to prove what was actually known to the person rather than what they ought to have known shows that the offence cannot be committed by negligence alone, but recklessness rather than intention would be enough to establish the mental element.

Suspicion of What?

In the context of the reporting offences, fee earners are generally encouraged to report to the MLRO any suspicions they have, even if just a vague feeling of unease or something they can’t put their finger on, and I don’t think anyone would want to discourage that. But if you are the MLRO considering making an external report, something more concrete is needed, namely that you suspect that money laundering (or terrorist financing) is taking place. And for money laundering there must be criminal property.

In the 2008 case of R v Anwoir the court held that money laundering could be proved in two ways:

by showing that property derives from conduct of a specific kind and that that conduct is unlawful, orby evidence of the circumstances in which the property is handled, which are such as to give rise to the irresistible inference that it can only be derived from crime.

In essence the relevant threshold will be reached if either you know or suspect a specific type of criminal conduct has taken place such as fraud or tax evasion and that it has generated criminal property. This is likely to be the case if you have received information, either from the client themselves, or a third party, or a law enforcement agency, or if it has been reported in the media. Alternatively, you may not have received any information but if there are a series of warning signs which can’t be satisfactorily explained and taken together give the irresistible inference that the funds must be criminal.

What are some of the warning signs?

The following are the type of things that may give rise to a suspicion that a person is engaged in money laundering:

  • Transactions which have no apparent purpose and which make no obvious economic sense
  • Transactions outside the ordinary range of services normally requested by the client
  • A client who refuses to provide information without reasonable explanation
  • A client who uses a business relationship for a single transaction or for a very short period of time
  • Routing of funds through third party accounts without reason
  • Use of offshore accounts, companies or structures in circumstances where the client’s needs do not support such economic requirements
  • Attempts to launder proceeds through a cash intensive business (as criminals often do) where the cash-flows appear too large or the profit margins too high
  • Unusual settlement requests, for example where unusually large sums of cash are offered or cash is being sent by persons who are not clients of the firm or where the source of funds or the way in which settlement is to take place is unusual
  • Using the firm for banking services only, e.g. receipts of funds into client account, all or some of which prove not to be needed for any subsequent transaction, followed by a request by the client for onward transmission of the funds through the banking system to a third party
  • Formation of companies without any apparent commercial or other purpose
  • Property Transactions – fictitious buyers, payment of deposit direct to seller, sales at undervalue

This is not a complete list and my suggestion would be to familiarise yourself with the Law Society guidance in relation to this.

In June 2019, following a consultation which began in 2018, the Law Commission published its review and recommendations in respect of the SARs regime. That report acknowledged that suspicion is a complex and knotty concept, that the test is often misunderstood and not properly applied by reports, and that this has resulted in high volume poor quality SRAs, many of which are made for defensive reasons rather than because of genuinely held suspicion. However, having analysed responses to the Consultation, the Law Commission declined to recommend providing a statutory definition of suspicion. It did recommend that the Secretary of State be required to publish guidance on suspicion and that there be a prescribed form for the making of SARs (the format to be left to an advisory group). It stopped short of recommending the raising of the reporting threshold to require reporting only where there are reasonable grounds to suspect money laundering. It did however recommend that an Advisory Board should undertake a review as to whether to increase the threshold after carrying out further research on the quality of disclosures under the current regime.

Conclusion

In conclusion, it looks as though the current position, whilst arguably less than ideal, is set to remain for a while longer. In these circumstances, our best advice is to ensure that firstly, when considering whether you are obliged to make a report, you make a full note of the factors and the information you have considered and your reasoning in arriving at your conclusion as to whether you suspect or not, and secondly, that your grounds for suspicion and identification of the criminal property are clearly set out in any external SAR.

Get in touch

If any of our AML services can be of assistance, please get in touch with one of our helpful experts today.

Suspicious minds – What’s the definition of suspicion in AML? Read More »

Woman looking at screen in office, contemplating

The ICO has teeth, and is not afraid to use them!

Blogs, Data Protection, Legal Compliance /

So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.

Well this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.

But are the fines in line with expectations? They certainly fall well short of the maximum possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fine fines accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their world-wide turnover rather than the 4% maximum permitted by the Act.

It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.

What is clear though is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover this is a highly significant sum to bear for any size of firm. Would your firm be able comfortably to digest it?

For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time expenditure in investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining of staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach related fines?

So, in analysing the events of the past few days: –

Don’t…

  • Think that the GDPR and DPA don’t apply to you? They Do!
  • Think that the ICO won’t act if you have a breach? They clearly will!
  • Relax in the mistaken belief that to have a set of paper policies alone is sufficient to demonstrate compliance? It’s not!
  • Forget to keep your Statement and Data Protection related policies and procedures under regular review and updated? The Regulation requires it!
  • Ignore the importance of regular awareness training for all staff at all levels and for new staff inductions to place an appropriate level of emphasis on the firm’s data protection culture? It’s a vital contributor to effective breach recognition and management!
  • Afraid of enlisting outside help? A third pair of eyes can assist objectively and save huge amounts of valuable internal time!

Do…

  • Ensure that DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.
  • Ensure that your Privacy Statement is up to date and the internal contact details are accurate.
  • Ensure that your DP policies are up to date and regularly reviewed, and the reviews documented.
  • Ensure that your IT systems are up to the task and, if appropriate regularly “pen” tested and the findings acted upon.
  • Ensure that your DP team is meeting regularly, and their meetings and action plans documented.
  • Ensure that a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.
  • Ensure that your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP and that their own DP operation is compatible with your requirements.
  • Ensure that there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.

Get in touch

The ICO’s actions this week have issued a statement of intent to be ignored at our peril – how does your DP package shape up?

If you’d like more information on data protection, or would like to find out how we can help, simply get in touch with our experts today.

The ICO has teeth, and is not afraid to use them! Read More »

Someone speaking at a conference with a room full of delegates

Ark Group Conference Panel

Anti-Money Laundering, Blogs, Legal Compliance /

I attended the Ark Group Annual AML Conference in London yesterday to speak on the panel about the challenges for MLROs who are also fee earners in their firm.

The session posed questions to the audience, and we, the panel, put our two penneth in.

Joining me on the panel was Alex Ktorides from Ince Gordon Dadds, Colette Best from the SRA and the chair was my Taskforce colleague Guy Wilkes

The first question was about how challenging MLROs find combining their compliance obligations and fee earning roles.

Most voted very challenging, (4 out of 5), which I absolutely agree it can be. Interestingly, if unsurprisingly, nobody voted it not challenging!

The main points I shared were:

Culture is key – without strong support and a culture of buying into Compliance you will fail. If we fail to tackle non compliance in firms, our compliance programmes will collapse! Colette agreed, where a firm has a person who refuses to comply, they will expect a firm to deal with it and may themselves deal with that individual.

Don’t put things in your policies which you know don’t work – don’t set yourself up to fail. Check things work, introduce controls so you know things work. Don’t leave things for the SRA to discover. Make sure people can make an assessment of risk when you ask them to, don’t say people can’t open a file without the client ID if you know that’s impossible.

Have controls so you aren’t caught out. Audit the controls. If you let fee earners open a file before client ID is completed, make sure you’ve set a deadline and that that is monitored and enforced.

Litigation need to know too! Don’t forget to make sure your litigation teams also have AML training and appreciate the risk that on boarding a client they are happy to deal with may cause AML issues if they also instruct the firm to carry out transactions.

Get a process in place for source of funds and source of wealth. Tell your teams they won’t spot money laundering if they think the extent of their obligations is to get a passport and utility bill, that’s doesn’t prevent money laundering #baddieslivesomewhere!

Get in touch

If you’d like to know more about our AML services, simply contact one of our experts today.

Ark Group Conference Panel Read More »

keyboard with the pound sigh key under a magnifying glass

Price Transparency: An opportunity not to be missed!

Blogs, Legal Compliance, Regulatory Compliance /

As part of the recently launched Teal Compliance Officer Training Programme, I ran a webinar session running through all the requirements in relation to Price Transparency and the impact it is having on firms.

The first thing I would say is that the new rules create a market of opportunity on which you can take stock and look at your pricing structure, how you price and the services you offer to your clients. The stated aim of the new rules is to provide good quality information to potential and existing consumers to enable them to make the best decision for the type of service they require and within their budgets.

A lot of firms are focusing on the perceived negative impact, e.g. that it is “big brother” or that other competitors will undercut their fees and poach clients. But by focusing on that firms risk missing opportunities. The research which was commissioned in 2016 by the Competition & Market’s Authority (“CMA”) concluded that generally speaking there is insufficient information available to consumers and small business, in relation to the price, range and quality of legal services on offer. This was particularly evident in relation to the conveyancing market.

The majority of consumers looking for legal services said that if better information about price, quality and range of legal services was available online that would help them in making a decision as to which firm to approach.

Consumers also said that firms with a “digital badge” displayed on their website, would give them greater confidence about the services on offer and could in fact be the deciding factor on whether or not to use a firm.

To recap on what is required under the new rules:

I have done some of my own research looking at how firms have improved price transparency on their websites. Some firms have absolutely got it spot on, however I have to say I am quite surprised by the number of firms who are not yet publishing transparent information and those whose attempts to be compliant have fallen short of what is required. The CLC and SRA have already started to undertake reviews of firms regulated by them. Whether firms want to accept the rules or not, you still have to comply.

If you are not sure how to ensure you are compliant with the new rules, or you just need a sense check then we are here to help, for example by running pricing workshops to give you the opportunity review and update all the services that you charge for.

The new rules are designed to stop those firms who add on the “hidden” costs at the end of a transaction, leaving the client confused, and uncertain as to how they are going to pay for those additional fees. Introducing transparency, guidance on services offered, what is and isn’t included will assist clients in assessing what is right for them from both a personal and financial perspective.

A lot of firms are using online calculators, and these are a great way of providing an estimate where the onus is on the client to provide the correct information. Again, if this information changes you can make it clear the fee may change accordingly. There is evidence to suggest that, particularly in conveyancing, the use of online calculators is assisting in winning business. Some firms have platforms which also automatically send the terms of business letter out, so you could arrive in the office in the morning with new clients already committed to working with you. These are fantastic examples of what you can do to be compliant under the new rules and maximise business potential. What’s not to like?

My top tips for making sure you are up to speed with price transparency include:

  • Use price transparency as an opportunity to revisit your current fee structure and prices
  • Ensure that your website contains all relevant information about the range, quality and price of your services
  • Obtain and display your digital badge
  • Communicate and provide training in price transparency to all staff
  • Remember to update relevant policies and marketing materials

Get in touch

If you’d like to know more about our website audit service, simply get in touch with one of our helpful experts today.

Price Transparency: An opportunity not to be missed! Read More »

Two screens on a desk containing data spreadsheets

Time to audit data compliance?

Audit, Blogs, Data Protection /

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit data compliance?

Why do I need to complete a data compliance audit?

An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that

“The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”.

This is often referred to as the ‘accountability’ principle – completing and audit will allow an organisation to demonstrate accountability with the principles.

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may assist in mitigating against a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/GAP Analysis

If you haven’t already completed one, its a good idea to start with a full audit/GAP Analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

  • Do you have the relevant policies and procedures?
  • Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it?
  • Do you have up to date data flow maps showing how data moves through your organisation?
  • Do you have a process for dealing with data subject requests within one month?
  • Do you have a process for dealing with data breaches and incidents?
  • Have you updated your contracts of employments and issued a privacy notice to all employees detailing how their data will be processed?
  • Do you have contracts in place with anyone who processes data on your behalf?
  • Do you have training scheduled or already completed?
  • Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your process and controls to provide assurance that your organisations policies are being followed and to identify any improvements that can be made.

For an annual audit you should consider:

  • Are your policies and procedures up to date?
  • Do they reflect any process changes which have taken place?
  • Refresh your data audit – are your data flow maps up to date?
  • Is your Data Retention Policy being followed – ask IT to check whether you are holding data that should have been deleted?
  • Are data subject requests being responded to within one month?
  • Are data subject complaints being responded to promptly?
  • Is training up to date?Is there a good level of employee awareness?
  • Do you have contracts in place with all your data processors?

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creation of policies/procedures to carrying out an independent annual audit. This can be done as a stand alone piece of work or as part of our DPO support service. Get in touch with our experts today.

Time to audit data compliance? Read More »

Lettered cubes spelling out the word "Consent"

Teal Tales: Consent for missing CDD information

Anti-Money Laundering, Blogs, Legal Compliance /

We get many calls from firms who have unusual compliance queries. They are my favourite calls!

Today’s tale is a common one, and the issue it raises is a common misconception. In fact, we had 2 calls about this on the same day, with similar issues.

“We’re ready to complete, there is a third-party funder, we’ve asked for source of funds information, but it’s not forthcoming. Can I get consent?”

The answer to that question will depend on the facts of each case, and whether there is a suspicion of money laundering.

Quite often in these situations I ask the firm what they are suspicious about, they will say, the fact the clients are refusing to provide the information is making me suspicious. And that is true.

However, consent, or a defence against money laundering will only be given if there is a suspicion of money laundering; for there to be money laundering, you need to know or suspect there is criminal property.

So, the next question I ask is what is the suspected criminal conduct, and very often the answer is, “I have no idea” or “I don’t think there is any”.

If the firm can not detail on the Suspicious Activity Report what they think the criminal property is, and the suspected criminal conduct from which it is thought to have come from, the NCA are unlikely to accept it as a valid SAR.

Having no idea won’t get you there, you won’t have the relevant suspicion.

If you can’t get consent for missing CDD information, what can you do?

Regulation 31 stipulates that you must not establish a business relationship with someone for whom you can’t complete your due diligence enquiries. So, if you’re in a position that you can’t complete your CDD enquiries because of an uncooperative client or third party, you may need to withdraw.

Many people who contact us about this are concerned about how to explain to their client without telling them they are suspicious. If you don’t already, you should consider setting out your source of funds and wealth policy at the very beginning, explaining to the client the depth you are likely to go to and then if they do not provide the information, you can point to the policy and withdraw from acting.

If you are already in receipt of funds, the situation will be a lot more difficult, you may need to press the client further for the information, and keep returning to the question, do you suspect any criminal conduct.

Get in touch

If you have compliance questions and need help, why not try our Ask Teal service. For more information, contact our experts today.

Teal Tales: Consent for missing CDD information Read More »

Mindful policies

Blogs, Legal Compliance, Risk Management /

This morning I was looking at a post on LinkedIn which generated a lot of comments and interest. The post is about a mobile phone policy which a content marketing business felt it needed to implement, apparently written, according to the managing director, by the younger staff, and not by management.

Now, reading the comments, it’s suggested by some that this is a clever piece of content marketing to demonstrate the businesses ability to get engagement, but whether it is or not, I’ve seen that policy before, often, in law firms.

“Failure to close the photocopier lid is a disciplinary offence.” “No more than 1 person in the kitchen at any one time.” “The toilet roll is kept in the managing partners office and must be returned after use.”

These examples of policies are not made up for clickbait. They are policies which were in place in the first law firm I worked in. Now we’re talking 22 years ago, but just last year someone sent me a picture of a sign on the back of a bathroom door (which clients can use) which said in red capitals – DO NOT LEAVE THIS TOILET WITHOUT CHECKING IT HAS FLUSHED PROPERLY. IF NECESSARY, FLUSH AGAIN.

I find myself reflecting on what is happening in these businesses to motivate people to write such things, what are their frustrations, concerns, worries? Worries about productivity, wasted costs, cleanliness, and in respect of the mobile phone policy, possibly security. These are absolutely legitimate issues which need to be addressed, but I would suggest that sometimes the ways these policies are written is counterproductive.

Whilst the policy or notice itself may have the desired effect – we never left the photocopier lid up for example, what does this do for morale, and culture. Now this isn’t my area, I know people much better placed to talk about culture, but I do know about policies, and I would urge anyone writing them to think about the unintended consequences. Whenever we introduce controls, unless people properly understand the rationale, there is a risk they won’t comply. That they’ll dismiss it and will work around it.

Also consider how the policy might be interpreted. Avoid writing them when you’re frustrated! In one of the comments the MD of the company with the mobile policy was asked did it apply to him, and he said, he needed his mobile phone on the desk, and he could “restrain himself” from getting drawn into social interaction during the day.

I recently caught a Simon Sinek (who I love!) video about allowing our children access to mobile phones is damaging them and ultimately causing a problem for managers in the work place as people are addicted to them. I don’t disagree with him, but dismissing this as – they can’t restrain themselves, so I am going to threaten them with a ban – doesn’t seem to me to be the best way of tackling this.

Communication, explaining the impact, understanding why it is an issue, and arriving at a negotiated solution is going to be much better than issuing policies which can alienate people, breed resentment, and cause exactly the lack of productivity you were afraid of in the first place.

Be mindful when writing your policies, leave aside for a moment what your intention is, and put your self in the mind of the reader. Am I saying what I mean, will they understand why we need it to be this way, will they feel talked down to by the language? The more engaged the reader is, the more likely they are to comply.

Get in touch

If you’d like help with your policies and procedures, simply get in touch with one of our helpful experts today.

Mindful policies Read More »

Stack of paperwork with 2 stamps on top. One marked "Regulations" and one marked "Rules"

The Data Protection Regulations Amendment 2019

Blogs, Data Protection, Regulatory Compliance /

Draft Regulations to create a ‘UK GDPR’ were published by the Government this week to ensure that the UK is ready for Brexit. The Data Protection Regulations Amendment 2019 introduce a large number of technical amendments to the GDPR, Data Protection Act 2018 (DPA18) and the Privacy Electronic Communications Regulations 2003 (PECR). The Withdrawal Act makes provision for the GDPR to form part of UK domestic law from 30th March 2019 as a ‘UK GDPR’.

But what does this mean in practice?

  • The text of UK GDPR is fundamentally the same as the GDPR which came into force on 25th May 2018, but it will correct language deficiencies from the European text
  • Extra-territorial application is retained – non-UK controllers and processors that sell into the UK or monitor UK residents online will have to comply with the UK GDPR
  • In some circumstances, non-UK controllers will need to appoint a representative within the UK
  • Previous EU adequacy decisions are revoked BUT the UK will deem EEA countries, EU and EEA Institutions and Gibraltar as having adequacy decisions
  • The ICO will be responsible for standard contractual clauses to facilitate the export of personal data from the UK and will not need EU Commission approval
  • The ICO will continue to be able to authorise new binding corporate rules
  • The ICO will be responsible for any tasks previously undertaken by other EEA Supervisory Authorities for processing of personal data or UK residents
  • PECR will be amended to align the definition of consent with the UK GDPR

UK based businesses that deal solely with UK based personal data will largely remain unaffected. But, if your business deal with non UK business partners and there is a transfer of UK personal data then you will need to review carefully whether any of the changes will affect you (don’t worry Team Teal can help!).

The Regulations still need to be approved by Parliament so watch this space.

Get in touch

If you need help with data protection and GDPR, get in touch with our experts today.

The Data Protection Regulations Amendment 2019 Read More »