Regulatory Compliance


ePrivacy Regulation Update – What’s the latest?

For some time now, the EU Commission has been planning an update to the current ePrivacy Directive (which was implemented in the UK through the Privacy and Electronic Communications Regulations, or PECR for short). The ePrivacy Regulation will replace the current rules on issues like the use of cookies and electronic marketing. It was originally meant to be implemented alongside GDPR, but the final text was not ready in time. So, what’s the latest update?

After significant delays in moving towards a final text for the Regulation, the EU Commission issued an update on 12 June 2018 following policy debates on 8th June and it would appear that further changes have been proposed.

Cookies

Currently, websites display cookie banners informing visitors that the website uses cookies for the purposes of data analytics; if you don’t want cookies dropped on your device, the only option is to stop using the website. The EU Commission had already indicated that under the new rules, browser providers should design functionality to allow individuals to give specific consent for cookies (in fact a small number of organisations have already made this change on their websites). Following the debate, the options for cookies now include banning the use of cookie walls (on the basis that it is disproportionate for public authorities to make access to their websites conditional on accepting cookies) or changing the recitals to clarify the requirements around consent.

B2B Marketing

Currently, a large proportion of B2B marketing is carried out on a soft opt-in basis. This is where the email address has been obtained through the sale (or negotiation for the sale) of a product or service, the individual was told that their email address would be used for unrequested marketing and was given the chance to opt out at the time of collection, the marketing relates to similar products and services, and each email gives the recipient the chance to opt out. The draft Regulation indicates that the EU Commission may seek to bring B2B marketing in line with the requirements for B2C marketing, meaning that the current soft opt-in option will be reversed so that communications can only be sent where the individual has given prior consent.

The updated draft text also allows member states to set a time limit under which organisations may contact individuals for direct marketing purposes. The DMA is continuing to argue against these changes which could cause significant issues for businesses.

Timeline

It is now anticipated that the Regulations will be passed towards the end of 2018 or Spring of 2019 with one year for implementation.

What actions can I take now?

It’s important to document what marketing your business undertakes, your legal basis for the processing and how you obtain contact details.  If you don’t rely on consent, then you may want to start to consider what implications the Regulations will have on your business if they are passed in the current format.

Start to talk to your website provider about the options around cookies now BUT don’t make any major changes until the Regulations are finalised.

Watch this space!  With 3-6 months to go before the Regulation is passed it’s inevitable that further amendments will be made.

Get in touch

If you need any help in the meantime with regulatory compliance, then feel free to get in touch.  An initial chat with one of our associates is always free.



Revised Lexcel Standard: Be prepared!

The Lexcel Legal Practice Quality Mark has been revised and expanded. Lexcel accredited practices will be assessed against the revised standard from 1st November, which means there is plenty for you to be working on. The Law Society Lexcel website gives you more information.

Broadly, these changes align the standard with recent new and revised legislative requirements in relation to data protection and financial crime.

The SRA Code of Conduct 2011 mandatory outcome 7.5 applies whether or not you are Lexcel accredited… ‘you comply with legislation applicable to your business, including anti-money laundering and data protection legislation’.

1. Start planning

There is a lot here to risk assess, develop, train, implement and test before your next Lexcel assessment … and of course to communicate to clients, as appropriate, and to your staff.

With regard to data protection, look at all the Lexcel requirements and you will soon realise that data protection touches all areas of the Standard.

2. Risk assess

You will need to look at the wider picture to assess and manage the risk of breaches and other offences.  A thorough review will include your compliance plan, risk register, policies and procedures, record keeping, monitoring and training.  Are you, for example, maintaining appropriate records of data processing activities, information asset registers, money laundering risk assessments and records?  Remember it is important to keep records of your decision making to evidence compliance and to have robust breach reporting procedures.  You need to understand your vulnerabilities and risks and address these accordingly.

3. Develop documentation

For all these new requirements, off-the-shelf template policies or procedures may be helpful but are not always likely to be sufficient, as every practice is different. One size does not fit all. Examine the profile of your own practice and undertake thorough risk assessments and gap analyses. Bespoke policies and procedures in plain language and applicable to your business are best practice, and likely to be more robust and easily understood by everyone.

4. Train, implement and test

Ensure your policies and procedures are effective. Undertake audits and spot checks.

Be prepared for assessors (and potentially other bodies) to review your central documentation, follow the audit trails, check your matter files and interview staff for evidence that they understand the responsibilities relevant to their role and have received appropriate training. Importantly too, are your staff able to identify potential breaches or compliance failures, and do they know how to go about reporting them?

A wealth of information and guidance is available on the ICO, Law Society and SRA websites.  As always, Teal blogs are a great resource for practical guidance.

Make sure you check out the Cyber Essentials scheme which, for Lexcel accreditation, firms are now encouraged to achieve.

Take a deep breath, consider your risks, raise awareness in your business, and start your reviews and preparation now.

Get in touch

Most of all, don’t lose sleep! To find out more about our risk management services, simply contact one of our experts today to chat about how we can help.



Claims Management Regulator to become FCA from April 2019

The FCA has recently launched consultation CP15/18, which sets out its proposed regulatory structure for Claims Management Companies (CMCs). The announcement also confirmed that jurisdiction for complaints would move from the LeO to the Financial Ombudsman Service (FOS), although one wonders how they will cope with an increased number of complaints when they are already a stretched service.

The Consultation proposes extensive regulation for CMCs, including some of the current CMR rules, but also introducing new rules and making all parts of the current FCA handbook applicable as well.

The FCA will regulate 6 activities by introducing 7 new permissions (1 permission for lead generation activities and 6 sectoral permissions covering the activities of advising a claimant, investigating a claim and representing a claimant).  Scotland will also be included in the proposed regulatory regime and claims made under s75 of the Consumer Credit Act 1974 are also within scope.

So, what are the main proposals?

  • Before a CMC agrees a contract with a customer they will be required to give a short summary document containing an illustration or estimate of the fees charged, an overview of the services the CMC will provide, and the tasks the customer will need to do themselves.  Where a statutory ombudsman scheme exists, the summary must confirm that the customer does not need to use a CMC to pursue the claim and may present the claim themselves for free.

  • CMCs must offer a mandatory 14-day cooling-off period, and this must be detailed in the initial documentation.

  • Where the customer has been introduced by a third-party, the customer must be given information about any fees the CMC has paid to that third-party.

  • CMCs will be required to provide regular claim updates to the customer, even where there has been no progress.  Specifically, where the CMC knows the likely value of a claim then an estimated fee update should be provided.

  • The CMR Client Specific Rule 10 will be carried over to the new rules, requiring CMCs to investigate whether there are other ways the customer can make their claim.

  • CMR Client Specific Rule 14 will also be carried over with a slight amendment – CMCs will need to take reasonable steps to ensure that the customer understands the contract they are agreeing to (including vulnerable customers).

  • CMCs will need to provide customers with a clear explanation of fees and charges whenever a payment is requested.  There will need to be appropriate policies and procedures for dealing with customers in arrears, including specific policies for vulnerable customers.

  • ‘No win no fee’ type adverts will have to include details on the fees which will be charged or how fees are calculated and whether there is a statutory free scheme available to the customer.  All calls to customers will need to be recorded and kept for a minimum of 12 months (even those that result in no further contact with the customer).  CMCs will need to keep a record of electronic communications as well.  The financial promotion rules in PERG 8 will apply.

  • CMCs who purchase leads from third parties must carry out due diligence to determine whether the lead generator is authorised and has appropriate systems and processes in place to ensure compliance with data protection, privacy and electronic communications legislation.

Other FCA rules which will apply –

  • The Senior Managers and Certification Regimes that currently apply to all banks, building societies, credit unions and the largest investment firms will be extended to all regulated firms, including CMCs.

  • The Individual Conduct Rules, the basic standards of behaviour that people working in financial services are expected to meet, will apply to almost all staff in firms and are not limited to those individuals who are subject to the Senior Managers and Certification Regimes.

  • PRIN, COND, SYSC, DISP, GEN and the standards on how firms treat whistleblowers will all apply.

  • CASS will apply to firms who handle client money.

  • CMCs will be subject to the prudential resources requirement and specific wind down procedures.

  • The usual FCA enforcement procedures in EG and DEPP will apply equally to CMCs.

The FCA will create a new handbook section called the ‘Claims Management: Conduct of Business Sourcebook’ to sit alongside the existing sections.

Further consultations are expected later in the year, but this document is a clear indication a lot of preparation will be needed over the next 10 months to ensure CMCs are up to speed with the requirements.

Any firms with an existing CMR authorisation in April 2019 will be issued with a temporary FCA permission and a landing slot to submit an application for full authorisation.  There is no news yet on what the application process will look like.

The consultation is open until 3rd August and can be reviewed.

Get in touch

If you think your firm could be affected by the new rules or if you have any further regulatory questions, contact our experts today.



Bribery Act: Do you have ‘adequate procedures’?


The importance of understanding and complying with the ‘adequate procedures’ requirement in the Bribery Act was highlighted by the conviction of London-based Skansen Interiors Limited in March 2018. It is the first time a UK jury has had to consider what “adequate procedures” should be for the purpose of a defence to the corporate offence of ‘failing to prevent bribery’ under the UK Bribery Act 2010.

The CPS brought proceedings against Skansen (now dormant) and its senior executive Stephen Banks, Managing Director at the time. The prosecution claimed Mr Banks had bribed a project manager at a property company to secure a £6 million refurbishment contract. Mr Banks pleaded guilty to three offences, and Graham Deakin, a former project manager at the property company, pleaded guilty to two offences. A date for sentencing is yet to be published by Southwark Crown Court.

The company was successfully prosecuted, despite having self-reported to the National Crime Agency. The jury found that the company did not have adequate procedures in place to prevent bribery, having heard evidence that Skansen:

  • did not have a policy specifically directed to preventing offences under the Bribery Act;

  • lacked a dedicated compliance officer; and

  • had no evidence of staff training or confirmation that employees had read and understood the company’s existing policy.

Under the Bribery Act 2010, a full legal defence is available where a company has implemented ‘adequate procedures’ prior to an offence. Adherence to the six principles listed below highlights the importance of having these procedures in place to ensure that, as a firm, you encourage an anti-bribery and corruption culture:

  1. Proportionality – policies and procedures must be in place and be proportionate to the size, nature and complexity of the business activities;

  2. Top-level commitment – top management should show visible support for the company’s compliance policies and activities;

  3. Risk assessment – periodic assessments should be undertaken including internal and external risks;

  4. Due diligence – a risk-based approach should be taken before engaging with a third party to represent your company e.g. agents, consultants, joint ventures;

  5. Communication – policies and procedures should be communicated firmwide;

  6. Monitoring and review – monitor your anti-corruption policies and review these regularly for risks and the effectiveness of your procedures.

Get in touch

Teal compliance can help you achieve the above objectives and guide you through what is required. We work closely with our clients to ensure they meet their obligatory regulatory compliance and AML requirements.  Contact our experts today.



Know your clients to avoid AML penalties

I was recently at an event speaking about AML legislation. As my attentive audience sat eagerly taking notes, one delegate raised her hand to ask about client verification and the practicalities of doing it correctly. Silence struck the room quite quickly as the realisation hit all the delegates: this was something they needed to consider and manage effectively to avoid AML penalties. It sounds straightforward, but get it wrong or miss something and the penalties to your business can be steep.

The easiest and most cost-effective option for verifying your clients is e-verification. Nowadays, e-verification is a viable option used by many corporate firms that are looking to streamline an already complex process, and can be used as a tool to verify the identification provided. Having said that, it’s important to remember that additional, non-electronic checks may need to be conducted, simply to prove that the person in front of you is who they say they are!

Using e-verification is becoming increasingly important, especially as the new regulations stipulate that domestic PEP checks are required. The market is bombarded with variations of what is available, some offering standard checks and others offering basic packages with add-ons depending on your firm’s risk appetite. To be sure you’ve covered it all when choosing an AML provider, follow the tips below to help you choose the best provider.

An address verification service:

Verify the address that has been provided to you and confirm that it is current.

Document validation check:

Validate the passport or driving licence and confirm this is a Government issued document and not a fraudulent copy.

Mortality check:

Confirm the person exists and is not deceased, as you may be dealing with someone who is an impersonator adopting a different identity.

Politically exposed screening:

Any match, be it a domestic or an international PEP, associated persons or family, requires an enhanced due diligence check to be carried out, along with the assessment of any risks involved with appropriate internal MLRO approval.

Sanctions screening:

Check that your match is an exact match by comparing the photograph provided (where available) to identity documents and confirming that dates of birth are consistent.

Negative news check:

Are there any CCJs registered, or is your client linked to any fraud or bribery allegations or convictions?

Bank details validation/verification check:

Where bank details have been provided, check these are legitimate as any errors may cause further delay in rectifying issues with the bank later.

When running e-verification checks, it would be good practice to ask your provider to confirm that:

  • searches do not affect the credit rating of the individual or corporate;
  • there is an audit trail of all searches run; and
  • the storage of such data is compliant with the General Data Protection Regulation (“GDPR”).

As I have said, e-verification does not, on its own, fulfil the requirements of client due diligence. You should also consider:

What is the intended business relationship:

Don’t be afraid to confirm with the client the details of the work you are proposing to do for them and whether this is a one-off transaction or an ongoing business relationship.

Is the source of funds consistent with the business:

Is a UK or an international bank used to process the transaction and where is the money due to come from?

Additional requirements

Consider any requirements for lenders to see physical identity documents to combat identity fraud.

Get in touch

To find out more about the AML services we have to offer, contact one of our experts today.



Where to start with the Money Laundering Regulations 2017


Writing a blog about becoming compliant with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 is tricky. So much of what you will need to do will depend on the individual risk factors your firm faces. However, here are some things you should think about doing now.

1. Risk Assessment

You need to complete a risk assessment of your firm. I would look at the following areas, and establish the risk of your firm being targeted for money laundering:

  • Who your clients are
  • Where your clients, or their funds are coming from
  • The services you are providing to your clients
  • How you provide services to your clients
  • Size and nature of your business

2. Policy review and amends

Once you have arrived at your risk assessment, you should review your policy. At the very least, make sure you amend references to the 2007 regulations. It is likely that if you had assessed a client profile as needing enhanced due diligence, it still will. However, do review regulation 33 to see whether any changes are needed. You may find that you do not have to change the requirement to apply enhanced due diligence, although the process is very likely to change.

3. CDD Process

There are a number of practical changes you are likely to need to make to your CDD process:

  • You will need to expand the list of information you obtain regarding a corporate client to include information about its constitution, possibly from a review of the articles of association. This could add considerable time to the process.
  • You will need to consider the impact of the change in the definition of beneficial owners in relation to trusts, which is now much wider.
  • Where the client is owned by a beneficial owner, you will also have to take reasonable measures to verify the identity of the beneficial owner so that you are satisfied you know who the beneficial owner is. Previously, verification was only required on a risk-sensitive basis.
  • Review your process to identify whether your client is a politically exposed person. Under the 2017 regulations a PEP includes domestic PEPs, and the definition has changed to include the governing bodies of political parties and the boards of international organisations (think FIFA etc.). You will need to ensure that a PEP is treated as such until 12 months after they have left post.

4. Internal Controls

The first job is to decide whether your firm is of the size and nature where the controls detailed in regulation 21 should apply. You will have considered this as part of your risk assessment. I think the risk from the type of work you do, and the visibility you have of the client and their source of funds, will be factors you should consider. If you feel you are of the relevant size and nature, you will need to:

  • Appoint a member of senior management to be responsible for compliance with the regulations
  • Carry out screening of employees when they join the firm and on an ongoing basis, as to their skills and knowledge to carry out their functions effectively, and their conduct and integrity. You may already be doing this for some employees, such as conveyancers under the CQS requirements
  • Establish an independent audit function. Provided that this function can assess the effectiveness of the policies, controls and procedures in place, make recommendations for improvements, and have those improvements implemented, it does not appear that it needs to be an external function.

5. Operational Issues

a. Training

All relevant people will need to be trained on AML/CTF and the Data Protection aspect of the Regulations. Given the changes, you may need to look at training sooner rather than later.


b. Record Keeping and Data Protection

  • You need to make sure you keep the records you obtain for AML for 5 years from the end of the business relationship
  • After that time, you will need to destroy them unless you are required to keep them by law, for court proceedings, or if the client consents. You will need to obtain this consent from the client
  • You will also need to provide the client with the data protection information prescribed by the regulations


c. Dealing with Bank Queries on Pooled Client Accounts

Under the 2007 regulations, banks could treat the PCA as a low-risk product, as long as the firm produced, upon request, information about the identity of the persons on whose behalf monies were held.

The new Regulations say instead that a bank may apply SDD provided that:

  • The holder of the bank account presents a low degree of risk, and
  • Information on the identity of the persons on whose behalf monies are held in the PCA is available on request.

In my experience, very few firms have the relevant permission from the client to be able to share this information. You will need to ensure that you have explained to the client that if the bank requests information about who you hold funds for, you will be required to provide that information, and that you have the client’s consent to do so.

Clearly there will be a lot of work to do over the coming months.

Get in touch

At Teal Compliance, we make complying easy with a range of AML services. To access support for your firm, simply get in touch with us today.
