This time last year, GDPR dominated the compliance agenda for 2018. Like many promised cliff edges, the data protection ravine many feared business would collapse into didn’t quite materialise. While some websites are still blocking users from the EU due to alleged ‘GDPR’ issues, the shift to a new data protection regime seemed to go not too badly. This isn’t because GDPR isn’t being taken seriously, quite the opposite. The promise of eye-watering fines and enforcement action spurred a multi-industry push to get GDPR compliance right.
For that reason, GDPR stays in the lead of our top compliance trends for 2019.
1. Moving from GDPR compliance to best practice
As GDPR day on 25 May 2018 approached, businesses big and small rushed to get their privacy notices updated and flooded all of our inboxes asking us to accept their new terms of re-give consent. Most of this was pointless and unnecessary, not to mention greatly annoying to us all. Plus it exposed a rather gaping failure to grasp the six conditions for processing data under GDPR and the myth that consent is always the best or strongest condition.
GDPR, of course, is about much more than privacy policies. Conducting data audits and implementing privacy by design are equally important internal procedures required under GDPR. Not to mention the requirement to undertake a data protection impact assessment for high-risk processing activities, and have this approved by the ICO before commencing. With less than 50% of businesses considering themselves to be fully GDPR compliant; the need for basic data protection procedures is still a key compliance issue moving into 2019. But for the half of companies who have been working hard on their GDPR compliance plans, the new year should herald a shift from fundamental compliance to best practice.
In the last year, a quarter of businesses changed vendors in response to GDPR and nearly a third said they factor GDPR compliance into who they work with. These numbers will only grow in the second and third years of GDPR, so marking your company out from the crowd by going above and beyond when it comes to protecting personal data should very much remain on the compliance agenda in the new year. Further, in 2018 VinciWorks recorded over 100,000 GDPR course completions, showing just how seriously businesses have taken the EU-wide regulation.
2. More tax evasion crackdowns
Tax evasion is a topic that’s little off the news headlines, but one less frequently considered on the compliance front. While the Criminal Finances Act has been in force since 2017, only a few months ago did we see the first use of an Unexplained Wealth Order against the wife of an Azerbaijani state official convicted of fraud and embezzlement.
The Criminal Finances Act is mainly focussed on the failure to prevent the facilitation of tax evasion and requires many businesses to implement reasonable procedures to do this, similar to the adequate procedures required under the Bribery Act. But the topic of tax evasion compliance is broader than just the Criminal Finances Act.
A new EU directive (DAC6) requires EU intermediaries, including banks, accounting firms, law firms, corporate service providers and others to disclose cross-border arrangements with the national tax authority. While the data does not have to be reported until mid-2020, disclosure is required for all reportable arrangements on or after 25 June 2018. The new rules are designed to help EU tax authorities crack down on tax avoidance and evasion, and have access to a broader range of information about potentially shady tax evasion schemes. Unlike the existing DOTAS regime in the UK, not all of the hallmarks of what makes a reportable cross-border arrangement under DAC6 feature a main tax benefit test.
The international nature of tax evasion and avoidance is also the focus of an OECD crackdown on ‘golden passports.’ Programmes in 21 countries, including EU members Malta and Cyprus, which allow citizenship to be purchased, have been flagged as potentially being “misused to misrepresent an individual’s jurisdiction(s) of tax residence.”
Malta, one of the most popular destinations for a golden passport, has sold EU citizenship to more than 700 people since 2014, most of them from Russia, China and the Middle East. Overall, the EU has gained 6,000 new citizens from golden passports, which can cost anywhere from $150,000 (Saint Kitts and Nevis) to $12m (Austria). The OECD guidance recommends increased due diligence measures for those who have obtained citizenship or residency through one of these schemes, and it may require enhanced AML procedures and a focus on people with those countries’ citizenships to ensure compliance.
3. Cryptocurrencies and the Fifth Money Laundering Directive
If you don’t understand it yet, 2019 is the year to get to grips with cryptocurrency. Knowing your Bitcoins from your blockchains will soon be required by EU regulations. The Fifth Money Laundering Directive (5AMLD) must be implemented into national law by 10 January 2020, so there’s only one year to make sure your company understands cryptocurrency, not to mention complying with the new regulations.
The Fifth Directive provides a legal definition of cryptocurrency, along with designating them and the exchanges and wallet providers as obliged entities, subject to the same AML procedures as other financial institutions. This will require them to conduct due diligence and submit suspicious activity reports where required. At the same time, it is important for institutions not to be biased against cryptocurrency use and automatically flag it as a risk. Due to their nature, cryptocurrencies can actually be more transparent than traditional currency transactions or other financial instruments. Ensuring all staff, in particular risk and due diligence departments, understand the cryptocurrency world is another thing to tick off in 2019.
4. International Sanctions and Iran
In November 2018 the US pulled out of the Iran Deal and sanctions snapped back in place. The CFO of Huawei was arrested in Canada awaiting extradition to the US on charges of violating Iran sanctions. The Trump Administration is expected to squeeze the Islamic Republic even further.
FinCEN has warned that Iran is laundering nearly $4bn of Bitcoin every year in order to evade sanctions. It warned that institutions must review blockchain ledgers for any activity that could have originated in Iran.
Learn more: VinciWorks’ online sanctions training
The breadth of businesses legally required to implement UK sanctions law has vastly expanded in recent years to cover a great deal more than financial services or law firms. Under The European Union (Amendments of Information Provisions) Regulations 2017, it is a criminal offence for businesses in the following industries to fail to report a suspicion of a sanctions breach:
- External accountants
- Law firms and sole practitioners
- Tax advisers
- Trust or company service providers
- Dealers in precious metals and stones
- Estate agents
If there is reasonable cause to suspect someone is subject to an asset freeze or has committed a sanctions offence and that knowledge or suspicion is not reported to the Office of Financial Sanctions Implementation, staff could face imprisonment of up to 12 months and/ or a £5,000 fine. Sanctions compliance is only set to grow in complexity in 2019 as geopolitical relations fragment.
With the UK setting up its own post-Brexit sanctions regime, there will be another set of international sanctions to comply with. To make matters more complicated, the US withdrawal from the Iran Deal and the EU’s decision to stick with it could leave Britain between a rock and hard place as it figures out its own independent sanctions regime.
5. Sexual harassment and whistleblowing
The wave of sexual harassment scandals unleashed by the #MeToo movement shows no sign of abating. In some jurisdictions, this has even led to legislative action such as the Stop Sexual Harassment in NYC Act and doubtless more places to follow.
Harassment and bullying don’t occur because people don’t know any better. People know what’s inappropriate and what’s not. They know what is considered harassment and what’s not. Predators and bullies choose to ignore it because they can, and because they think they can get away with it. We want that to stop. For as long as abusers have somewhere to hide, for as long as people are more comfortable with silence than with transparency, sexual harassment will continue as unchecked as ever.
Putting in place effective sexual harassment training should be very high on the compliance agenda for 2019, but more than that, investigating how effective the procedures that enable people to report harassment must also be reviewed. Training can only tackle harassment embedded in a workplace culture when combined with effective reporting and whistleblowing procedures. The failure or unwillingness to address how people can report harassment and have those reports taken seriously will ensure any additional training or compliance measures won’t go very far. Make sure in 2019 your harassment efforts consider how people can report and assess the effectiveness of those measures. In addition to effective sexual harassment training, businesses should consider implementing whistleblowing portals to ensure staff can easily report inappropriate behaviour anonymously.
6. SRA Handbook reforms
In April 2019 the Solicitor’s Regulation Authority’s (SRA) changes to the SRA Handbook are set to be enforced. Some of the key changes include:
- Price Transparency Rules to cover more services
- Revised Accounts Rules
- Changes to the Insurance Distribution Directive to strengthen client protection
- The Handbook has been reduced from 400 pages to just 67 pages to make it more concise and easier to understand.
VinciWorks recently hosted a webinar covering the upcoming changes to the Handbook. We will also be releasing a new course covering all the reforms. To get notified when the course is ready, complete this short form.