In 2019, with changes to US foreign policy, Brexit uncertainty and the implementation of new laws, such as PSD2, there was a lot to contend with in the world of compliance. In the background, while compliance legislation continued to advance and become stricter in order to protect consumers, high-profile cases were appearing in the public eye, with companies like Facebook being fined $5 billion for violating consumer rights.
In 2020, we expect that, in line with this progressive legislation, companies will be more proactive in their approach to compliance and move away from the ‘tick box’ approach that once was. Workloads will increase and the regulators will be focussing on outcomes rather than processes. Expectations of compliance in its entirety will become stricter and regulators will increase both the number and quality of checks carried out.
The main trends to look out for this year are as follows:
According to Reuters, EU banks paid over $16 billion in fines between 2012 and 2018 as a result of lax money-laundering checks, so it is no surprise that anti-money laundering prevention is at the top of the compliance agenda for 2020. On the 10th of January this year, the 5th Anti-Money Laundering Directive (5AMLD) came into force for European Union (EU) member states, and it included several updates from its predecessor – 4AMLD. The directive is intended to support the European Union’s AML/CFT regime and to address a number of emergent and ongoing issues to mitigate the growing risk of money laundering activity.
While many of the items 5AMLD intends to govern are already covered under 4AMLD, the amendments to note address vulnerabilities in:
• Cryptocurrencies – which are now defined as digital representations of value that can be digitally transferred, stored or traded and are accepted as a medium of exchange. Practically, under 5AMLD this means companies trading in cryptocurrencies are under an obligation to perform customer due diligence (CDD) and submit suspicious activity reports (SARs) on a regular basis.
• Prepaid cards – now have a set limit on the amount that can be stored on them (€150) which, according to Christopher Baines, the Head of Compliance at Pockit, is “a step in the right direction and restricts the [money laundering] options open to criminals”.
• Politically exposed people (PEPs) – EU member states must create and publicise a list of PEPs and regularly monitor them under the revised legislation.
• High-risk third countries – additional due diligence required for companies doing business with high-risk countries. This includes obtaining information on the reasons for proposed transactions and details on the source of Ultimate Business Owner (UBO) funding and wealth.
- GDPR compliance heightens
It’s almost two years since GDPR was implemented by EU member states to protect current and prospective customers’ personal data – a consequence of that legislation has been the requirement for organisations to develop better compliance processes. Now that GDPR is moving out of the ‘new’ phase, regulators are starting to bare their teeth with stricter expectations and tougher penalties for non-compliance. The main targets of the ICO for GDPR breaches to date have been large, multinational organisations, which have been subject to large fines (see British Airways, Marriott Hotels). While this will continue, we expect to see attention turn towards smaller businesses, which should by now have had the chance to ready their processes and procedures to ensure compliance when handling personal data.
- Digitising compliance for speed, effectiveness and accuracy
The volume and complexity of compliance rules and regulations are increasing, and so too is the range of individual regulators monitoring them. Just like in the IT industry, firms are turning to digital solutions so as not to become completely overwhelmed and, importantly, to keep up with the pace of change. The sheer volume of regulatory requirements and continued variations to them makes regulatory interpretation and reporting very difficult for businesses and, in the absence of digital assistance, the speed and accuracy of this reporting can be severely impeded.
While it is costly, and data quality is often poor, it remains necessary for organisations to find ways to digitise their compliance processes, and this is becoming more popular in banking for transactions like customer identification and authentication. Digital solutions can improve speed and operational accuracy for firms and ensure split-second processing; they can also reduce the need to recruit more staff, as well as the costs and human error factor associated with doing so. However, when finding ways to digitise, firms must keep GDPR and Data Privacy laws in mind to avoid regulatory breaches.
- Open Banking adoption
In 2015, Open Banking was introduced to offer customers a secure way to take control of their financial data and share it with multiple organisations, including other banks. Open Banking was first released by the Competition and Markets Authority (CMA) to create more competition and innovation within the financial services industry, and in 2019 it showed some promising signs – rebalancing the market and working in favour of consumers and SMEs. Successful proof points have emerged, such as material demand from third parties and exciting propositions in development, and we are seeing the very early stages of customer adoption.
While many businesses have adapted to enable Open Banking, the journey will continue this year following a request from the CMA and the Open Banking Implementation Entity (OBIE), who have launched a consultation into its future. A revised roadmap is due to be submitted to the CMA by the end of January 2020 and it is yet to be seen what this will mean for the financial services industry.
- Brexit and 'right to work'
On the 31st December 2020 it is expected that the free movement of EU Nationals to the UK will end following the withdrawal agreement transition period. So although the same rules will continue to apply during the transition period, any EU Nationals (optional for Irish citizens) residing or working within the UK currently, or, arriving into the UK before 31st December 2020, who wish to continue exercising their right in the UK will need to register under the EU Settlement Scheme by 30th June 2021. Irish citizens will retain the right to work in the UK without registering.
From a compliance perspective, it is therefore highly likely that companies will need to look at how they can support their EU workforce based in the UK in meeting the above requirements, and conduct a wholesale audit of their processes for 2021: revisiting all right to work checks to ensure they are compliant for employees under the new scheme (once published) that will be introduced after the transition period, and that employees have the necessary right to work documentation to satisfy the new rules (i.e. likely to be visas for EEA/Swiss workers coming into the UK in 2021).
Legal and Compliance departments will be charged with drafting plans and even contingency plans against their own plans, for how their firm can continue to operate, thrive and grow in a post-Brexit world.
The complexity of the legal and compliance landscape is heightening, driven with good intent by regulatory bodies to protect customers from the risks associated with financial crime and money laundering. In order to stay ahead, firms must approach compliance proactively and be aware that having checks in place is no longer sufficient, with attention from the regulators now turning to the outcome of those checks. For most companies, simply adding more people to the problem is not an option, so in line with the pressure to regulate, new ways to digitise compliance must be found.
For more information on our compliance services offering, visit www.astoncarter.com