At the end of the transitionary period, the EU did not give the UK “equivalent” status in financial services. Although both sets of regulations are presently harmonised, the EU can withdraw the current equivalence arrangements at 30 days’ notice without the UK being able to contest the decision. The UK now has to negotiate individual EU nations’ regulations, which magnifies the compliance challenge of knowing and applying the rules.
The EU has not yet given the UK’s data protection regime an adequate or equivalent status even though it is entirely based on the EU GDPR. Transmission of personal data from the EEA to the UK is not considered a transfer to a third country for a period of six months, as long as the UK does not change its data protection laws during this period.
The UK is likely to diverge from the EU very soon with regard to trade and financial sanctions, where it has already made provision in its Sanctions and Money Laundering Act 2018 to set its own list of sanctioned individuals, businesses and entities. HM Treasury introduced these lists in December 2020, and firms will need to screen their customers and suppliers against these lists.
As the UK’s vaccination program continues its progress and the Covid-19 virus weakens its effect on the country, the restrictions associated with it will start to ease. As this happens it is likely that many businesses will need to reassess their disrupted operating models and look forward to a new normal.
It is likely that many businesses will have seen a change in employee expectations on working practices, possibly forever. Many will want to return to the office whilst others will have balanced working from home with family life, happy that they can save money on travel and other expenses.
Many technology companies will inevitably move to a full remote working model but for financial services, the outcome is likely to be more fluid. Most likely, a significantly larger portion of the workforce will want to work remotely for part of their working time, with many wanting the option to split time between office and home.
Firms will therefore need to look again at their compliance risks, as they did in March 2020 but this time on a longer-term basis. Remote oversight is likely to form an important component of risk management, including the management of compliance risks such as conduct risk, which will be a significant challenge.
The issues are many and varied, including the management of front office staff and ensuring that documentation is properly maintained and disposed of, trades are carried out in a timely manner and client access via telephone is maintained where necessary. In addition, the prevention of market abuse, inappropriate advice and lack of adherence to sales procedures will all put increased pressure on compliance departments to embed appropriate processes and procedures across the flexible working structure.
Money laundering – 6AMLD
The Sixth Money Laundering Directive (6AMLD) was transposed into national laws in December 2020 and is set to come into effect in June 2021. The UK has opted out of complying directly with 6AMLD, as the Government takes the view that existing legislation is already largely compliant and in many cases the UK goes much further.
The main changes are:
- A list of 22 offences will reflect the changing nature of money laundering and include new offences such as cybercrime, insider trading and environmental crime.
- Criminal liability will now be extended beyond those who actually commit the crime, so that aiding and abetting, attempting and inciting money laundering are also crimes. This will make it easier for financial authorities to go after those who act as accomplices in money laundering schemes.
- Extension of criminal liability to legal persons. Previously, only individuals could be convicted of committing financial crimes; this has now been extended to include companies or partnerships. Also, if the FCA can show a lack of supervision within a firm which results in money laundering, then senior managers can be liable for any penalties.
- Maximum imprisonment for money laundering offences increases from 1 to 4 years. Additionally, any sentence may be supplemented with sanctions and fines (up to €5 million), including the complete shut-down of a business.
- EU member states are now required to cooperate with one another in the prosecution of money laundering crimes.
Whilst 6AMLD has not been formally incorporated into UK AML legislation, it is important that all regulated entities that operate in Europe ensure they are fully compliant.
The FCA has had the treatment of vulnerable customers as a priority for over a year and has been urging firms to ensure that vulnerable customers are treated fairly and consistently, demanding that fair treatment be embedded in their culture, policies and processes.
With the economic outlook still looking downbeat for many going into 2021, it is vital that firms remain vigilant to signs of vulnerability and ensure their response, policies and practices do not lead to further detriment or harm for vulnerable customers.
In its 2020/2021 business plan, the FCA reinforced its commitment to fighting financial crime and intends to keep up the pressure of enforcement action where necessary, especially in the areas of internal and external fraud. Preventing fraud is more difficult when individuals are not able to directly interact with fellow workers, and real-time monitoring for fraud activity is much more onerous. The FCA will be closely monitoring how firms operate their anti-fraud controls in the future. Compliance officers need to ensure staff are adequately trained and educated on the subject of fraud awareness and apply this knowledge and understanding in their day-to-day work.
There will be a continued focus on a major change in the ways in which data is collected from firms and subsequently analysed. The FCA and PRA have published data-led strategies which use new intelligence to identify harm and rectify it more quickly. The ways in which the regulators use data are likely to change as well and will be reflected in greater supervisory activity. It is thought that a deeper understanding of consumer behaviours will lead to a closer focus on how firms achieve satisfactory consumer outcomes.
Firms will need to build added protection for the rights of individuals whose data they are processing. This includes Data Protection Impact Assessments (DPIA) where there is a perceived risk to individuals’ personal data.
The FCA is focusing on the longer-term resilience of businesses and has already made firms aware of how it expects them to demonstrate their resilience. The FCA has asked firms to identify key business services and then put in place measures to show how these would perform in stressed conditions. Firms need to identify impact tolerances and demonstrate the points of greatest tolerable stress.
Following on from the FCA’s consultation paper, its final proposals will be published sometime this year. Firms need to start preparing very soon by identifying important business services and assessing the associated impact tolerances. Additionally, firms need to produce and implement internal and external communications to accompany disrupted services, plus demonstrations as to how these plans will be able to operate in practice.
If you need any help and advice with these or any compliance, regulatory or risk management issues please get in contact with Dan, Simon or one of the team.