Thursday, 2 January 2020

You Have 9... No, wait, 8 Days To Comply With The Changes To The Money Laundering Regs

Not only do the recent changes to the Money Laundering Regulations widen the range of firms who have to comply, but there are also changes to the requirements for customer due diligence, risk assessments, policies, controls, procedures and training for firms already in scope. You have until 10 January 2020 to comply with most of the changes. I've summarised most changes here. Let me know if you need assistance.

Changes to Scope of the MLRs
The range of firms covered by the MLRs now includes letting agents, art market participants, cryptoasset (e.g. virtual currency) exchange providers and custodian wallet providers.

The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. 

Law enforcement authorities and the Gambling Commission can obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.

Changes to due diligence requirements

When you adopt new products, business practices (including new delivery mechanisms) or technology you must take appropriate measures in preparation for, and during, that process to assess - and if necessary mitigate - any money laundering or terrorist financing risks that the change may cause.

If your firm is a parent, you must establish and maintain throughout your group all the various policies, controls and procedures for the purposes of preventing money laundering and terrorist financing - including for data protection and sharing information and including policies on the sharing of information about customers, customer accounts and transactions.

You must take appropriate measures - and keep records to prove - that you train your employees and agents whose work is relevant to your AML compliance or the identification or mitigation of the risk, prevention or detection of money laundering and terrorist financing. The training must be in the law relating to money laundering and terrorist financing, and related data protection requirements; as well as how to recognise and deal with suspicious transactions and other activities or situations which may be related to money laundering or terrorist financing.

The triggers for applying customer due diligence measures now include:
  • at appropriate times for existing customers, on a risk based approach; 
  • when you become aware that the circumstances of an existing customer relevant to your risk assessment for that customer have changed;
  • when you have a legal duty to contact an existing customer for the purpose of reviewing any information which is relevant to your risk assessment and relates to the beneficial ownership of the customer, including information which enables you to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer; 
  • when you have to contact an existing customer to fulfil a duty under the International Tax Compliance Regulations 2015.
The obligation to understand the ownership and control structure of a customer applies whether the customer is a body corporate or other legal person, trust, company, foundation or similar legal arrangement.

Where you've exhausted all possible means of identifying the beneficial owner of the body corporate and either you haven't succeeded or you aren't satisfied that the individual identified is in fact the beneficial owner, you must keep written records of all the actions you've taken to identify the beneficial owner and take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, as well as all the actions you've taken and any difficulties you encountered in doing so.

Before establishing a business relationship with a customer, you must collect proof of registration or an excerpt of the relevant company or partnership registry (as the case may be) and report to the relevant registrar any discrepancy between information relating to the beneficial ownership of the customer that you collect from the register and information that otherwise becomes available to you in the course of carrying out your duties under the MLRs.

There are new triggers for carrying out 'enhanced' customer due diligence measures, as well as a specified (non-exhaustive) list of measures.

The thresholds for applying customer due diligence in the context of e-money are significantly reduced.

There are new restrictions on acquiring anonymous prepaid card transactions.

Law enforcement authorities and the Gambling Commission can now obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.


Friday, 27 December 2019

UK Firms: Why Not Simply Process EEA Residents' Personal Data In the EEA?

It's time for UK businesses to get creative in dealing with Brexit and all its uncertainties. As I've explained here, the processing of personal data relating to EEA residents is a particular problem. The UK is 13th on the list of countries that will be waiting for the European Commission to declare the UK personal data regime to be 'adequate' to transfer that data as of right (as happens now).

So, rather than bring personal data into the UK from the EEA, you could - as many already have - simply incorporate an entity within the EEA to hold the data and determine the means and purposes of processing there. That EEA entity could do the processing itself within the EEA or outsource that to an EEA-based processor with the right experience and expertise. Ireland, for example, is the top AI hub in the EU and it can be a simple matter to transfer existing English law contracts to a new entity there, particularly as Irish law is so similar.  

Only the aggregated results would need to come in to the UK.


Open Finance: The FCA's Call For Input

The FCA has called for suggestions by 17 March 2020 as to how it can support more open access to customers’ financial data. A few thoughts here, with an article to follow in the coming weeks...

The major stumbling blocks, as ever, are genuine customer problems/demand and supplier appetite, which tend to be focused quite narrowly; and who gets access to the data and for what purpose. 

One suspects that the Nirvana of a single consumer 'dashboard for everything' remains a long way off. We’ve seen broad-based initiatives before, like the UK government’s ‘midata’ programme from 2011. Key challenges remain customer identity and authentication on a broad scale, as opposed to channels more closely aligned with specific customer activities. In July 2019 the Government Digital Service and the Department for Digital, Culture, Media & Sport were still calling for evidence of how the Government can support improvements in identity verification and the development (and secure use) of digital identities generally. 

Yet there have been genuine advances around more defined customer activities. The FCA itself cites the second payment services directive and related standards designed to open up the payments market, for instance. These were partly a response to strong demand for new, unregulated services that were already providing access to current account data and enabling the remote initiation of bank transfers. Those competing to provide these services were encountering a distinct lack of co-operation from the current account providers (mainly banks). Specific regulation was forthcoming and has duly helped account information and payment initiation services proliferate and scale. But regulation did not itself catalyse either the demand or the services themselves. 

At any rate, it will be interesting to see whether the FCA receives evidence of other existing but nascent 'open finance' type services whose growth is genuinely stymied by issues that can be resolved by regulation. Whether such use-cases are sufficiently distributed across the range of day-to-day activities in which customers are engaged to constitute generally 'open finance' will be interesting to discover but of secondary importance. 

Of course, the elephant in the room is who will have access to all the data and for what purpose. In this respect, it would be particularly interesting to know when the FCA and PRA will begin to actually audit the use of artificial intelligence by financial services providers, rather than merely survey the industry on a self-disclosure basis. If they're true to form, we'll see a few major train wrecks first...

Are You Caught In The Wider Net Of The New Money Laundering Regs?

As a late Christmas present, the UK government issued the long-awaited amendments to the money laundering regulations ("MLRs") that must take effect by 10 January 2020. The changes impose customer due diligence and transaction monitoring obligations on letting agents, art market participants, cryptoasset (e.g. virtual currency) exchange providers and custodian wallet providers. The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. I've summarised some of the key aspects below, but there is no substitute for getting advice on your specific circumstances. Let me know if you need assistance.

Whether your activities fit the various definitions may not be easy to decipher. Crypto-currency exchange and wallet providers have been in discussion with the authorities for many years, and the impact there is reasonably clear. The definition of "letting agent" and the impact on the property market, however, deserve a blog of their own. The impact on the art market is also difficult to address...

Art Market Participants

Recent allegations reveal that a complex web of people and international locations are often involved in art fraud. Not only does this type of fraud itself produce dirty money, but high prices, inconsistent record-keeping, subjective valuations, questionable authenticity and anonymity also create a fertile environment for laundering cash generated by other crimes. Digital technology and encrypted communications have made it increasingly hard to detect and prove fraud and money laundering after the fact. Prosecution of art fraud across national borders has been difficult.

Prior to MLD5, "high value dealers" fell within the scope of the AML regime, and these were defined as:
"a firm or sole trader who by way of business trades in goods (including an auctioneer dealing in goods), when the trader makes or receives, in respect of any transaction, a payment or payments in cash of at least 10,000 euros in total, whether the transaction is executed in a single operation or in several operations which appear to be linked."
The MLRs have now been amended to also apply to an “art market participant”, meaning a firm or sole practitioner who either: 
(i) by way of business trades in, or acts as an intermediary in the sale or purchase of, works of art and the value of the transaction, or a series of linked transactions, amounts to 10,000 euros or more; or 
(ii) is the operator of a freeport when it, or any other firm or sole practitioner, by way of business stores works of art in the freeport and the value of the works of art so stored for a person, or a series of linked persons, amounts to 10,000 euros or more;
A “work of art” means anything which appears in a long list in section 21 of the Value Added Tax Act 1994.

A “freeport” means a warehouse or storage facility within an area designated by the Treasury as a special area for customs purposes pursuant to section 100A(1) of the Customs and Excise Management Act 1979 (designation of free zones).

What Does Compliance Involve?

Those caught by the MLRs must at least apply certain "customer due diligence measures", including verifying the identity of the customer (subject to certain thresholds or triggers) and the ultimate beneficial owners of the money and assets involved:
  • before establishing a business relationship; 
  • if they suspect money laundering or terrorist financing; 
  • if they carry out a funds transfer of more than 1,000 euros; or
  • if they doubt the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification. 

Additional requirements apply in some cases. For instance, art market participants must also apply customer due diligence measures consistent with how that role is defined:
  • in relation to any trade in a work of art when the firm or sole practitioner carries out, or acts in respect of, any such transaction, or series of linked transactions, whose value amounts to 10,000 euros or more; 
  • in relation to the storage of a work of art when it is the operator of a freeport and the value of the works of art so stored for a person, or series of linked persons, amounts to 10,000 euros or more.

You must also understand the nature of your customer’s business and its ownership and control structure. If you can’t complete that due diligence, or enhanced due diligence where it is appropriate to make further checks, then you must cease dealing with the customer and file a suspicious activity report (SAR) with the National Crime Agency (NCA).

You will also need to monitor transactions with your customers for suspicious activity, which must also be reported to the NCA.

The Proceeds of Crime Act makes all forms of money laundering a criminal offence, and creates other offences such as failing to report a suspicion of money laundering and “tipping off” a suspected money launderer, which apply to staff and your nominated money laundering reporting officer (MLRO).

The Fraud Act 2006 also sets out offences committed by false representation, failing to disclose information and abuse of position.

The Data Protection Act 2018 and the EU General Data Protection Regulation require you to take appropriate security measures against the loss, destruction or damage of personal data. You also remain responsible when you pass data to a third-party for processing or to countries that do not have adequate data protection regimes.

The MLRs require a risk-based approach to compliance. It’s not enough that you comply, because you must be able to demonstrate that you comply, if challenged. That means written policies and procedures; good records of obligations performed, training, compliance monitoring; and taking steps to remedy gaps or failings identified. Your written AML policy should show that you and your staff are aware of the requirements and how you go about meeting them. You should also have a set of detailed, written AML procedures that show exactly how you and your staff will satisfy the commitments in your AML policy.

Again, while I've summarised some of the key aspects of AML compliance here, there is no substitute for getting advice on your specific circumstances. Let me know if you need assistance.

Anonymity In Central Bank Digital Currency Systems

The European Central Bank has been wrestling with the issue of how to allow a certain degree of privacy in electronic payments using digital cash issued by central banks ("central bank digital currency" or "CBDC"), while complying with anti-money laundering and counter-terrorist financing (AML) requirements. 

Eurozone central banks believe they have now established a proof of concept for anonymity in CBDCs based on a simplified payment system using distributed ledger technology (DLT). This proof of concept allows users some degree of privacy for lower-value transactions, while still ensuring that higher-value transactions are subject to mandatory AML checks. Each user's identity and transaction history cannot be seen by the central bank or by intermediaries other than the one chosen by the user. Automated enforcement of limits triggers additional checks by an AML authority. 

While the ECB believes that the proof of concept will be instrumental in assessing how CBDCs could work in practice, it says the prospect of central bank initiatives should not discourage or crowd out market-led solutions...

Tuesday, 3 December 2019

Recent Adventures In Artificial Intelligence

My most recent Dublin trip was timed to take in the SCL event on bias in artificial intelligence, the second in a series following the SCL's Overview of AI in September.

This time Dr Suzanne Little of the School of Computing at Dublin City University explained the types of challenges that introduce bias.

Three further events are planned for Dublin in 2020, drilling into how we should assess the performance of AI, whether transparency is possible without explainability and the thorny issues relating to liability when AIs are wrong.

Assessing Performance 

While giving us some insights into bias, Suzanne Little also explained that 'confidence' in AI is quite different to 'accuracy'. The measurement of accuracy/error and confidence intervals is explained here, for example.

Transparency

The UK's Alan Turing Institute and the Information Commissioner are consulting on best practice for how to explain decisions made with AI, with a view to ensuring a legal person remains responsible and accountable for what an AI decides.  This is aimed at senior management, as well as compliance teams.

This issue is particularly important given that we often don't know that we are exposed to decisions made by artificial intelligence.

Liability

How to determine who should be liable when artificial intelligence goes wrong is also the subject of a recent report published by the European Commission.  


Friday, 11 October 2019

What Does Gov.uk Say You Need To Do Now To Prepare for Brexit?

Wow, I just plugged the data about my own professional service business into the UK Government's "Get Ready for Brexit Check" and set out below is what I got... 

As you read it, remember that free trade deals do not cover the export/import of services to anywhere near the extent that the UK trades in services under the principle of free movement of services as an EU member state. So, any form of Brexit effectively means "No Deal" for services.

All I can say is that I'm very relieved that I did my Brexit-proofing last year!

...

Based on your answers, we know:
  • You own or operate a business or organisation
  • You work in professional, legal and business services
  • Your business sells goods or services in the UK
  • Your business provides services in the EU
  • You do not employ EU citizens
  • You exchange personal data with EU organisations
  • You process personal data from the EU
  • You use websites or services hosted in the EU
  • You provide digital services to the EU
  • You use or rely on intellectual property protection
  • You use or rely on IP copyright protection
  • You do not receive EU or UK government funding
  • You do not sell products or services to the public sector
  • You are a British national
  • You live in the UK
  • You are employed in the UK
  • You plan to travel to Ireland

Your business or organisation

Check if you need to change your conformity assessment or conformity marking to sell your CE marked goods in the UK or EU
In most cases you can continue using the CE marking in the EU and UK (although in some cases you may need to transfer your certificate of conformity to an EU conformity assessment body) - but if your good requires UKCA marking and you have not used it, then it will not be valid for sale in the UK.
Do it as soon as possible

Get legal advice if your business is merging with an EU company
If you do not follow the rules, you may be investigated by the Competition and Markets Authority (CMA) and the European Commission.
Do it as soon as possible

Check if you need to appoint a representative in the EU, and label your goods with your EU importer's details
If you do not meet the requirements, you may not be able to export goods to the EU.
Do it as soon as possible

Check if your employees need a visa or work permit and meet any requirements for their profession to work in the country they’re going to
You or your employees may not be able to enter or work in some countries.
Do it as soon as possible

Check if you need to change how you do accounting and reporting
You may breach reporting requirements in EEA countries if you do not make any changes you need to.
Do it as soon as possible

Check how to label food if you're selling it in the UK or EU
You may not be able to sell goods in the EU if they're labelled incorrectly.
Do it as soon as possible

Check if you need to pay a tariff on goods you import from the EU
Your goods will be held at customs if you do not pay the correct tariff.
It takes more than 4 weeks

Sign up to search for contracts to sell goods or services to the UK public sector
You won't receive notifications of new UK public sector contract opportunities.
Do it as soon as possible

Check if you need to change your contracts to broadcast licenced content outside the UK
You may not be able to broadcast outside the UK if you do not get extra copyright permissions.
Do it as soon as possible

Check if you need permission to sell someone's intellectual property in the EEA, if you've already sold it in the UK
You may not be able to export your intellectual property protected products from the UK to the EEA without the right permission.
Do it as soon as possible


Exchange your UK Driver Certificate of Professional Competence (CPC) for an EU Driver CPC
You will not be able to drive a lorry, bus or coach for an EU operator if you do not have an EU Driver CPC.
Read the guidance: Driving in the EU after Brexit
Do it as soon as possible

Check how to get approval to sell vehicles and vehicle parts in the UK and the EU
You will not be able to sell vehicles or vehicle parts in the UK and the EU if they are not approved correctly.
It takes more than 4 weeks

Check what steps you need to take in order to import goods from the EU
If you do not get your business ready, you may not be able to import goods into the UK from EU countries.
Do it as soon as possible

Disclose your designs before 31 October if you want unregistered protection in the UK and EU
If you do not do this before 31 October, you’ll only have protection where you first showed your design, either the UK or the EU.
Do it as soon as possible

Check what you need to do if you're a lawyer with an EU or EEA qualification to still work or provide legal services in the UK
You may not be able to continue working or providing legal services in the UK if you do not prepare.
Do it as soon as possible

Check what you need to do if you own a UK legal services business
You may not be able to continue providing legal services in the same way if you do not get your business ready.
Do it as soon as possible

Check what you need to do if you're a lawyer with a UK qualification to still work or provide legal services in the EU
You may not be able to continue working or providing legal services in the EU if you do not prepare.
Do it as soon as possible

Check which carbon pricing policies you need to comply with before and after exit day
You may not comply correctly with emissions reporting and carbon pricing regulations, which could lead to a fine.
Up to one week

Check if your employees need to make social security contributions in the UK as well as in the EU, EEA or Switzerland
Your employees may not be entitled to healthcare or benefits in the country they work in.
Do it as soon as possible

You may not need to do all these actions ahead of the 31 October deadline. The action you may need to take may change subject to negotiations and your own circumstances.