
The report claims that EY failed to report evidence of a criminal gang using black market gold to launder money. It claims that the gang collected cash from drug dealers across Europe then laundered it by buying and selling black market gold.

Here Bambos Tsiattalou, Founding Partner of Stokoe Partnership Solicitors, discusses the case, offering some insight on the exposé, its implications and money laundering challenges in the legal sector as a whole.

An explosive BBC Panorama exposé suggests that EY aided the laundering of drug money through its Dubai office. A former EY auditor turned whistleblower said his bosses would not inform the authorities of extraordinarily suspicious activity. This was despite a litany of suspect activity involving Kaloti gold refinery in Dubai. As Kaloti’s auditor, EY noted the company had paid out some £4bn in cash in 2012 alone, but failed to raise concerns.


A lawyer and head of compliance at Deutsche Bank in Dubai, Anna Waterhouse, also raised concerns about Kaloti’s extraordinary levels of cash withdrawals, noting that the company had literally used wheelbarrows to withdraw cash.

Such reports raise serious questions about what can happen when major banks and professional service firms become embedded in jurisdictions where corruption is more common. Yet, while we might not often see people taking wheelbarrows full of cash out of UK banks, we should not be complacent about money laundering in the UK, or Europe more widely.

For example, ABN Amro NV is currently subject to a Dutch criminal probe into its alleged money laundering failures. The bank is far from alone in having questions raised as regards its compliance with anti-money laundering and terror financing rules. In recent years, similar questions have been raised as regards Danske, Nordea, ING and several other European banks.

However, it may be that the legal sector’s money laundering failings are also significant. Last March, the UK’s National Crime Agency director Donald Toon told MPs that 83% of suspicious activity reports came from banks, noting pointedly that “usually lawyers and accountants” are involved but “it’s unusual for us to get a report from them.”

For lawyers, the question of whether to make a suspicious activity report can be affected by considerations of legal privilege. However, a major SRA review of 400 law firms has now found that 21% of firms failed to comply with the money laundering rules. The SRA also criticised law firms for using template forms that did not properly address their own specific risks.


Both law and auditing firms need to adopt a more risk-based approach to money laundering. This is a systemic issue and, as such, requires a systemic response. Nowadays, money can easily move across borders, particularly within the EU’s single market. Therefore, any effective regulatory response must be both systemic and transnational.

The European Commission recognised this last July, with a report urging better implementation of the EU’s existing anti-money laundering and terror financing regime. The Commission specifically suggested turning the EU anti-money laundering directive into a regulation, which would then be directly effective across the EU.

As it stands, member states have significant latitude in how they implement the directive. Making it a regulation would mean exactly the same regime applies throughout the EU, and auditing firms would then be better able to address potential money laundering activity across all member states in the same way.

In addition to new laws, there is a need for greater knowledge relating to money laundering in both the financial services and professional services sectors. Above all, banks and their advisors must be willing to act rapidly and robustly once suspicious activity is detected.


The allegations about EY should serve as a wake-up call to the legal profession. The regulatory trend towards an increased focus on money laundering is clear. We have now seen a number of major banks and other entities suffer significant damage both to their share prices and reputations as allegations of money laundering failures emerged. As lawyers, we have a duty to help our clients both better understand, and fully meet, the regulatory standards required of them in terms of money laundering and terror financing.

It’s good practice to check third-party relationships, not only to adhere to the law, but to mitigate other risks as well.

Here Chris Laws, Head of Product & Strategy at Dun & Bradstreet, looks at the role of the legal sector and government, the harmful impact of bad data, and how investment in clean data and smart technology can equip businesses to tackle financial crime.

From KFC’s supply chain issue to fish and chip shops around the UK unknowingly using illegally imported shark fins in produce, dirty supply chains can have serious reputational and financial risks for businesses.

It’s an issue that impacts all of us too. Take money laundering – the latest government reports found that money laundering cost every household in the UK £255 last year. Couple that with the UK’s National Crime Agency (NCA) receiving a record number of reports related to money laundering, terrorist financing and similar suspicious activity, and it’s clear how serious an issue this is.

The role of law and government

A recent SRA investigation found that a third of law firms fell short in mandatory risk assessments, while poor training processes meant firms could be unwittingly assisting money launderers. The government reacted by drawing up the Economic Crime Plan for government, law enforcement and businesses to work together to tackle money laundering, fraud and corruption.

The Law Commission’s recommendation of a dedicated advisory board would enable the UK to improve and support anti-money laundering (AML) prevention practices. Prevention is key for all businesses because money laundering can manifest very early in the supply chain, meaning companies are often unaware of any issue.

While it is encouraging to see the government take action, businesses are equally responsible for knowing who they are working with in their supply chain.


Tackling your ‘dirty laundry’

The increasing sophistication of criminal organisations and their ability to hide illegal activities within supply chains is a significant challenge for businesses. That’s why it’s more important than ever to know exactly which suppliers, partners and customers a business works with. Establishing beneficial ownership and People with Significant Control (PSC) is a necessary step when vetting existing suppliers. Equally, running a Politically Exposed Persons (PEPs) check can uncover risk before onboarding new partners.

Many organisations fail to realise the goldmine of valuable internal information they hold and, equally, fail to activate it. Internal data can highlight exactly where money is being spent, which suppliers work with which departments and how resources are being allocated. Failing to audit this information regularly can aid nefarious practices including money laundering. Data that is outdated, poorly formatted or inconsistent undermines the compliance function, helping bad actors to poison the supply chain.


Is technology the next step?

It’s well known that clean data is crucial to business growth. But clean and accurate data also enables businesses to invest in and benefit from technology solutions that aid preventative measures in the supply chain.

PwC analysed the future of onboarding and suggested that technology can help accurately identify and verify third-party relationships, using technologies such as biometrics, blockchain and artificial intelligence (AI). For example, law firm LLR is using AI to translate foreign documents for attorneys, saving time and processing vast volumes of data with ease. The same approach can be applied to a compliance model, untangling millions of data points and identifying – and therefore reducing – dishonest suppliers that could be laundering money.

Indifference will result in failure to stop illegal activity

Ignoring this challenge in today’s business world is no longer an option. By investing in a data-led strategy, businesses can uncover all processes in the supply chain and equip themselves to combat financial crime, even as it becomes more complex.

The only way to avoid exposure to regulatory fines and irrevocable reputational damage is through transparent data, and an investment in tech that aids compliance, complements a company’s existing regulatory processes and improves due diligence.

OneCoin has been alleged to be a pyramid scheme masquerading as a cryptocurrency, an operation through which it raised some £4 billion. "OneCoin used the success story of Bitcoin to induce victims to invest under the guise that they, too, could get rich through their investments," New York state attorneys said in an official case filing.

"This was, of course, completely false because the price of OneCoin was a fiction and not based on supply and demand,” they continued.

Mark Scott, a US lawyer acting on behalf of OneCoin, now finds himself in the midst of a trial in New York, accused of laundering approximately £310 million ($400 million), while holding back the true identity of the money’s owner.

US prosecutors claim some of the funds were directed towards Ireland, and that Scott spent a good portion of them on a new yacht, three homes and a Ferrari.

Mr Scott’s lawyers claim he did approach the FBI before getting involved with OneCoin, and was told "there was nothing illegal going on".

"The central issue at trial will be whether or not Mr Scott knew OneCoin was operating a criminal scheme," they said.

Mark Scott now faces charges of conspiracy to commit money laundering and conspiracy to commit bank fraud, but he has pleaded not guilty. The court says the case should last around two to three weeks.

That, however, has not stymied a growing underground economy of sites servicing criminals wishing to obtain and use fraudulent US ID cards.

Here Rob Cook, Flashpoint’s Senior Analyst, examines how threat actors continue a cat-and-mouse game with defenders, attempting to bypass new security features in order to service a growing underground economy built around phony identification documents.

While only relatively few of the criminal sites can deliver quality fraudulent reproductions, there are some sites with high ratings and positive reviews within illicit communities that can deliver cards that will bypass the security measures protecting legitimate government-issued cards.

This poses a threat to facilities that scan IDs to control entry, and to businesses such as banks and other financial institutions that rely on Know Your Customer requirements to verify the identity of customers and put up barriers to synthetic identity fraud.

Vendors Advertise Bypasses of Security Features

Legitimate identification cards in the United States contain fraud-protection measures, some of them complex, such as the star on REAL ID-compliant driver’s licenses and properly formatted scannable barcodes; they are also made of specific materials that are durable and transmit light in order to support these measures.

Vendors running some of the highest-rated illicit shops will advertise their capabilities around replicating these security features on identification cards, such as the correctly formatted barcode, certain micro-printing, or laser perforations. A proper barcode, for example, is often enough to allow entrance into access-controlled facilities. This is a significant risk not only to government buildings, but anywhere—such as a school or corporate office—where entry is controlled by some sort of access mechanism attached to an ID card.

The availability of high-end printers is one factor facilitating these fraudulent reproductions. A typical office photo printer can reproduce quality products, and laminating machines and plastic card printers can also help. Supplies such as ultraviolet ink are available on the open market as well. It is unknown whether some fake ID producers are obtaining the actual blanks used by agencies; if they are, those blanks likely include the laminate that carries the holograms.


Some of the supplies used by high-end ID manufacturers to create advanced security features are also sold in bulk by vendors within illicit communities. Some forums and markets advertise “holos,” “perf sheets,” “cardstock,” “OVI sheets” (OVI being optically variable ink) and more for relatively low prices. Transactions are generally carried out in cryptocurrency to maintain a measure of privacy, and deliveries are also relatively quick, anywhere from five days to three weeks. Flashpoint analysts have also seen advertisements where payment methods such as prepaid credit cards or wire transfers are accepted.

Although even the highest-quality fake IDs will likely be detected once checked against law enforcement and/or DMV databases, many of these IDs will reportedly pass inspection by untrained security personnel and by numerous off-the-shelf (OTS) barcode readers/verifiers, which check the barcode’s format rather than the issuing authority’s records. A professionally crafted fake is therefore hard to identify for commercial retailers such as liquor stores, or for office and school access control systems, that cannot verify government IDs against a database. As a result, the threat to physical safety and the risk of fraud are heightened.
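The gap between a format check and a records check can be shown in code. The following is an added example, not code from Flashpoint or from the original article: it parses a driver’s licence barcode payload in a simplified form of the AAMVA DL/ID layout (header, subfile directory, LF-separated three-letter data elements, MMDDCCYY dates), runs the checks an off-the-shelf verifier can perform, and then does the lookup only the issuing authority can do. The two cards, the placeholder IIN and the “registry” are constructed; the registry stands in for the DMV or law enforcement database. The well-formed fake passes every format check and is only caught by the registry.

```python
"""Parse an AAMVA-style driver's licence barcode payload, run the checks an
off-the-shelf verifier can perform, and compare with a registry lookup.

Added example, not code from Flashpoint or from the original article.  The
payload layout is a simplified form of the AAMVA DL/ID card design standard
(header, subfile directory, LF-separated three-letter elements, MMDDCCYY
dates); the cards, the IIN and the registry below are constructed.
"""
from datetime import date

HEADER_PREFIX = "@\n\x1e\rANSI "
DATE_ELEMENTS = ("DBA", "DBB", "DBD")  # expiry, date of birth, issue date
REQUIRED = ("DAQ", "DCS", "DAC", "DAJ") + DATE_ELEMENTS  # number, surname, given name, state


def build_payload(iin: str, elements: dict, version: str = "09") -> str:
    """Encode one DL subfile (used here only to construct the sample cards)."""
    body = "DL" + "\n".join(f"{k}{v}" for k, v in elements.items()) + "\r"
    header = f"{HEADER_PREFIX}{iin}{version}0001"  # jurisdiction version 00, one subfile
    offset = len(header) + 10                      # one 10-byte directory entry
    return f"{header}DL{offset:04d}{len(body):04d}{body}"


def parse_payload(data: str) -> dict:
    """Decode header, directory and data elements into a {tag: value} dict."""
    if not data.startswith(HEADER_PREFIX):
        raise ValueError("not an AAMVA-style payload")
    pos = len(HEADER_PREFIX)
    fields = {"IIN": data[pos:pos + 6], "VERSION": data[pos + 6:pos + 8]}
    entries = int(data[pos + 10:pos + 12])
    pos += 12
    for _ in range(entries):
        subtype = data[pos:pos + 2]
        offset, length = int(data[pos + 2:pos + 6]), int(data[pos + 6:pos + 10])
        pos += 10
        body = data[offset:offset + length]
        if not body.startswith(subtype):
            raise ValueError(f"directory entry {subtype} does not point at its subfile")
        for element in body[2:].rstrip("\r").split("\n"):
            if len(element) >= 3:
                fields[element[:3]] = element[3:]
    return fields


def parse_date(value: str) -> date:
    return date(int(value[4:8]), int(value[0:2]), int(value[2:4]))  # MMDDCCYY


def format_issues(fields: dict, today: date) -> list:
    """Everything a reader without database access can check: presence,
    well-formed dates, expiry, issue date, age, jurisdiction code."""
    issues = [f"missing {tag}" for tag in REQUIRED if not fields.get(tag)]
    if issues:
        return issues
    try:
        dates = {tag: parse_date(fields[tag]) for tag in DATE_ELEMENTS}
    except ValueError:
        return ["unparseable date element"]
    if dates["DBA"] <= today:
        issues.append("expired")
    if dates["DBD"] > today or dates["DBD"] >= dates["DBA"]:
        issues.append("implausible issue date")
    birthday_passed = (today.month, today.day) >= (dates["DBB"].month, dates["DBB"].day)
    age = today.year - dates["DBB"].year - (0 if birthday_passed else 1)
    if age < 21:
        issues.append(f"holder is {age}, under 21")
    if not (len(fields["DAJ"]) == 2 and fields["DAJ"].isalpha()):
        issues.append("bad jurisdiction code")
    return issues


def registry_match(fields: dict, registry: dict) -> bool:
    """The check the barcode itself cannot substitute for: does the issuing
    authority know this number, and does it belong to this person?"""
    record = registry.get((fields.get("DAJ"), fields.get("DAQ")))
    return record is not None and record == (fields.get("DCS"), fields.get("DBB"))


# Constructed sample data; IIN 636999 is a placeholder, not a real issuer number.
TODAY = date(2019, 11, 1)
GENUINE = {"DAQ": "D1234567", "DCS": "DOE", "DAC": "JANE", "DAJ": "VA",
           "DBB": "05121990", "DBD": "03152017", "DBA": "03152025"}
FAKE = {**GENUINE, "DAQ": "D7654321", "DCS": "SMITH", "DAC": "ALEX", "DBB": "05121996"}
REGISTRY = {("VA", "D1234567"): ("DOE", "05121990")}  # stands in for the DMV database


def check(payload: str, registry: dict, today: date) -> dict:
    fields = parse_payload(payload)
    return {"format_issues": format_issues(fields, today),
            "registry_match": registry_match(fields, registry)}


if __name__ == "__main__":
    for label, card in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, check(build_payload("636999", card), REGISTRY, TODAY))
```

Running it reports no format issues for either card; only `registry_match` separates them. A door controller or a liquor store scanner stops at `format_issues`, which is exactly why a correctly formatted barcode on good cardstock is enough to get through.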

Retailers that sell alcohol and tobacco, for example, may be especially vulnerable to employees accepting fake IDs based on the multiple states and forms of ID they may be presented with during transactions, particularly in locations near college campuses. Fraudsters may also use fake identification to gain entry into student events or take advantage of student discounts.

Those vendors who deliver higher quality products are rated not only on product quality (look, feel, durability and acceptance rate of the ID card), but also on their trustworthiness and the security features included in the cards. Customers rank vendors on several advertised security features, including the quality of their templates (similarity between legitimate and phony templates), the quality of the hologram, the use of optically variable ink (OVI) and ultraviolet ink, and their ability to incorporate microprint into ID templates. Vendors are also rated on price, discretion of shipping packages and shipping turnaround times.


Assessment and Mitigations

Entities likely to be impacted by threat actors selling or using fraudulent identification can take some steps to protect themselves.

Organisations operating in sensitive industries, for example, could mandate background checks through a law enforcement agency for new employees, or for employees with access to sensitive materials or data.

Employee training can also help retailers and public-sector organisations spot phony IDs. Various government agencies, for example, offer training that explains the security features employed by the different states and how they work together.

On a more granular level, retailers—in particular those selling alcohol and tobacco—could institute a policy where a second form of identification is required, even a credit card or school identification, for example.

In the meantime, threat actors will continue a frustrating cat-and-mouse game with defenders, attempting to bypass new security features as they’re implemented in order to service a growing underground economy built around phony identification documents.

However, Neil Williams of business crime solicitors Rahman Ravelli outlines why one statistic in particular is significant when it comes to the sentencing of money launderers.

I would suggest that looking beyond this may help us learn more about how this increasingly high-profile crime is being tackled by the authorities. And there is one statistic, which I refer to later, that is perhaps more notable than any other.

It may certainly be the case, as has been reported, that money launderers are facing longer prison terms as a result of revisions to the sentencing guidelines in 2014. And the fact that the average prison sentence for money laundering offences rose to 27 months in 2018 is especially eye-catching when it is considered that this represents a 32% increase on the average in December 2008 – and that 27 months stands as a record high.

Under the Proceeds of Crime Act 2002, money launderers can face up to 14 years in prison, a fine, or both. In considering the increase in the average sentence between December 2008 and 2018 it would be foolish not to attribute some of this to the fact that the sentencing guidelines of 2014 allow prosecutors to argue for tougher prison sentences for individuals found guilty of money laundering or bribery. Sentencing Council guidelines have become tougher because they seek to emphasise the harm that financial crimes do to their victims. They intend for any penalty imposed to take into account distress, inconvenience or monetary loss that may have been suffered as a result of the offending.

It is not stretching a point, therefore, to argue that the guidelines have given prosecutors ample opportunity to aim for longer sentences for the UK’s money launderers. And it may be that, since the guidelines were introduced, judges have been prepared to accept prosecution calls for harsher sentences for money launderers. That may well be a large factor in the increase in average sentence from 2008 to 2018.


But, as I touched on earlier, looking beyond this attention-grabbing statistic may tell us more. In fact, one related statistic that hasn’t made as many headlines may be more enlightening. Average jail sentences for money laundering have increased by 8% over the past year. Unlike the leap in sentence length that we saw from 2008-18, this cannot be accounted for by any change to sentencing guidelines giving prosecutors the chance to demand lengthier sentences or judges the opportunity to meet that demand.

In the past year, the guidance available to judges for sentencing has been unaltered. This means that the 8% shift upwards in average sentence length can only be attributed to two things. The first is the possibility of a sharp rise in the sums involved when convictions are obtained. This would by default increase the average sentence length – and may arguably even indicate greater success in identifying and prosecuting money laundering. The second, however, is that the longer sentences are the result of a concerted push by the judiciary to impose punishments that serve as an increasingly powerful deterrent to those who consider money laundering to be a relatively low-risk criminal enterprise.

There may well be many who are of the opinion that money laundering is a risk worth taking. Maybe they believe that a few unquestioned transfers here and there for modest reward cannot really be considered worthy of attention or even that risky. They may convince themselves that it is not as if they are committing a fraud or whatever they consider to be a “serious” crime.

The knowledge that sentences are on the increase however, and that money laundering is being viewed more severely by the courts should give them pause for thought. And if the headline-grabbing figure of a 32% rise in sentences over ten years doesn’t make them think twice then the 8% rise in the past year certainly should. The past year has seen sentences rise steeply. That should be a warning to anyone who still believes (or at least wants to believe) that money laundering isn’t really a serious crime.

Following the news that Zamira Hajiyeva, who is currently fighting the UK's first Unexplained Wealth Order (UWO), spent £16m in Harrods without raising suspicions, Dominic Bulfin, solicitor at leading luxury asset firm Bargate Murray, explains how the UWO regime is intended to function and what risks it might pose to the superyacht and luxury asset markets.

How do you spend £15.5m at Harrods?

Zamira Hajiyeva managed to do so over a ten year period ending in 2016.

It was this spending spree, amongst other factors, that sparked the UK’s National Crime Agency (NCA) to take action against her. Action which culminated in her becoming the most high profile recipient of a landmark Unexplained Wealth Order (UWO).

Lawyers representing Ms Hajiyeva have made the point that “…spending money, however exorbitant, is not a criminal offence”. We quite agree with that statement, but it is neither here nor there. The crux of the case against Ms Hajiyeva is where that money came from.

In this article, we explain how the UWO regime is intended to function and what risks it might pose to the superyacht and luxury asset markets.

What are they?

Brought in under the Criminal Finances Act 2017 (the Act), a UWO is an order of the High Court which calls on an individual (referred to as the “respondent” in the UWO) to explain the source of the income they used to acquire an interest in the property specified in the order. Essentially, they are another means of rooting out the fruits of money laundering and other corrupt practices.

In order to convince the Court that making such an order is justified, the authority that is applying for it[1] must establish, amongst other things, that:

  • there are reasonable grounds for suspecting that the known sources of lawfully obtained income of the respondent would have been insufficient for the purposes of procuring the property; and
  • the respondent is either a Politically Exposed Person (PEP)[2] as defined in the Act, or has been involved in serious crime either in the UK or abroad, or is connected with such a person.

Should the court see fit to issue the UWO, the respondent is required to explain their interest in the property and how it was obtained, amongst other matters as may be set out in the particular order.

Failure to comply with the terms of the UWO can result in the property specified in the UWO being frozen and/or seized. So, in other words, a UWO can result in the respondent, quite literally, “losing their house” or, for that matter, their superyacht.

Analysis

The use of UWOs has been a divisive subject. Much electronic ink has been spilled both supporting an extension of the Court’s powers to combat financial crime and corruption, and attacking their use as a draconian breach of privacy.

Whilst the objectives of the Act and the UWO regime must surely be welcomed, as lawyers we do find one aspect of the UWO process to be objectionable.

The “innocent until proven guilty” principle is a central tenet of the English legal system. Under the UWO regime however, you could argue that this principle has been flipped on its head.

We refer, of course, to the tests that must be met in order for the Court to grant a UWO. On a strict reading of those tests, no final findings of fact need be made. If we focus on the tests that we refer to above, the authorities need only establish that (a) there are “reasonable grounds” to suspect that the respondent’s lawful income is insufficient to procure the relevant property, and (b) that they are “connected” to an individual who is involved in serious crime.

The question is, of course, how carefully or loosely those terms are interpreted and what evidence the court will weigh up in, for example, answering the “reasonable grounds” question.

By way of example, the Court will look at the respondent’s sources of income which are:

reasonably ascertainable from available information at the time of making the application or order[3].

In our view, it is not difficult to see how nothing more than a lack of readily available information regarding an individual’s wealth, combined with a tenuous and perhaps ultimately groundless “connection”, might form part of the basis for justifying the making of a UWO.

Consider, for example, an individual who has made their fortune in a foreign jurisdiction that, unlike our own, does not keep electronic records of wealthy or prominent citizens that are accessible to foreigners.[4] Might a lack of available information itself be used by the authorities to argue that reasonable grounds exist?

Conclusions

  • We are in the early days of the UWO regime. At the time of writing, only three have been made and it is only the case of Ms Hajiyeva that has entered the public domain because she has made an application to set the order aside. It would be premature to reach a conclusion on whether the Courts are exercising the level of care that is appropriate in these circumstances.
  • The bankers and lawyers that act for superyacht owners and charterers across the EU are already obliged to carry out extensive “Know Your Client” (KYC) due-diligence on them. Part of this exercise requires the source of the client’s wealth to be established. It stands to reason, therefore, that anyone that has passed these tests should not have too much difficulty in responding to a UWO. This, it seems to us, is a far better course than applying to set the UWO aside as Ms Hajiyeva has tried and failed to do[5].
[1] Likely to be the UK National Crime Agency, although HMRC, the Financial Conduct Authority and the Serious Fraud Office are among the bodies that may apply in their capacity as “enforcement authorities” under the Act. 

[2] The Act defines a PEP as: an individual who is, or has been, entrusted with prominent public functions by an international organisation or by a State other than the UK or another EEA State, a family member of such a person, someone “known to be a close associate” of such a person, or anyone “otherwise connected” with such a person.

[3] See Section 362B, Subsection (6)(d) of the Act.

[4] It would be quite wrong, for example, to assume that the Forbes List is a complete and infallible record of the world’s billionaires. 

[5] National Crime Agency v Hajiyeva (Rev 1) [2018] EWHC 2534.

By Patrick Peterson, founder and CEO of Agari

Picture the scene. Your firm is in the midst of a massive M&A project for a major client. After weeks of work, everything seemed to be going fine – but now something has gone terribly wrong and your client’s deal has fallen through. And, to your abject horror, your firm is now facing accusations of being party to ‘insider trading’ and misusing confidential information.

Investigations reveal a trail of seemingly legitimate emails between a member of your firm and your client, discussing several important and strictly confidential points of the merger.

Closer inspection finally makes it apparent that the emails were the work of an imposter who had stolen your brand and impersonated an employee to trick your client into divulging sensitive information crucial to the M&A deal.

Your firm is cleared of any wrongdoing, but it’s too late. Your client has taken their business elsewhere, feeling they can no longer trust your firm to protect their information, and your reputation is in tatters. And all because of a couple of emails you didn’t even send.

The rising threat of identity theft

The threat of nightmare scenarios like this continues to grow. Cyberattacks are on the rise, and by far the most popular method of attack today is the use of deceptive emails such as phishing. The UK Government’s Cyber Security Breaches Survey 2019 found that 32 per cent of UK businesses were aware of being targeted by attacks in the last year, and 80 per cent of these incidents involved phishing emails. A further 28 per cent also reported that their organisation had been impersonated by fraudsters over email or online.

Law firms make a particularly lucrative target due to their trusted relationships with clients and the potential to access extremely valuable and confidential data such as intellectual property and the details of M&A activity.

Despite the mounting threat however, our research has found that the majority of the UK’s top 50 law firms lack the capabilities required to identify even the most common techniques such as spoofing.

Why are deceptive emails so dangerous?

The majority of malicious emails we encounter use spoofing to disguise their identity. While there are other more advanced deceptive techniques available, spoofing is both easy and effective, with many companies having little or no means of detecting it.

Attackers use spoofing to forge the message’s From address so that it appears to come from a domain and mailbox they do not control. This means the imposter’s victims will receive emails that appear to have been sent by “CEO@yourlawfirm.net”, lulling them into a false sense of security.


Canny criminals will also research both their chosen identity and their intended victim in order to craft a convincing message. Company bios and social media accounts provide a wealth of information that can be used to enhance the deception.

After making their preparations, the criminal will then use the firm’s identity to contact a client and work their way to requesting confidential information, as in the M&A scenario outlined above. Another common tactic is to send over a fake invoice to trick the victim into transferring funds into the criminal’s account. A school group in Portland, USA, recently narrowly avoided losing $2.9m to this approach, saved only by the timely intervention of the FBI.

Deceptive emails like these are particularly dangerous because they do not present a threat signature that will be recognised by most traditional email security systems. There is no malware involved and, on the surface, there is nothing to distinguish a spoofed message from the real thing.

How can firms prevent their identity from being stolen?  

Law firms have more to lose than most businesses because they are built so heavily around the trust of their clients. Having their clients’ sensitive data exposed in this way would shatter that trust and destroy the firm’s reputation.

The good news is that with the right tools, firms can regain control of their brand and prevent fraudsters from impersonating their trusted identity.

One of the most effective places to start is DMARC (Domain-based Message Authentication, Reporting & Conformance), a free-to-use email authentication standard that builds on SPF and DKIM. A firm publishes a DMARC record in DNS for its domains; the aggregate reports that receiving mail systems send back show how those domains are being used in email, allowing the firm to identify misuse by imposters. All legitimate email sent by the firm can then be authenticated, including mail sent by authorised third parties such as mailing services.


Once the policy is set to enforce, messages that spoof the firm’s domain and fail authentication are rejected or quarantined by receiving mail systems that honour DMARC, and the attempts show up in the firm’s reports rather than in the victim’s inbox.

Firms set this behaviour through the policy tag in the record: “none” only monitors, “quarantine” tells receivers to treat failing messages as suspicious (typically routing them to the spam folder, where a recipient’s security team can review and release any that are not malicious), and “reject” has them refused outright. Most organisations start at “none” to learn who is sending in their name and to what extent they are being targeted, then move to “quarantine” and finally “reject” once every legitimate source passes.

What next?

More advanced and determined attackers can use other tactics to reach their victims, but an enforcing DMARC policy robs them of their most widely used deceptive technique. However, using publicly available DMARC records, we have found that of the top 51 law firms in the UK, 16 had no DMARC record at all, while a further 18 had their policy set to “none”, which monitors but has no effect on spoofed messages whatsoever.
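The survey above can be reproduced against any list of domains, because a DMARC record is just a TXT record published at `_dmarc.<domain>` (for example `dig TXT _dmarc.example.com`). The script below is an added example, not code from the article or from any vendor: it parses records of that shape and grades them the way the paragraph does, separating “no record”, “monitor-only” (`p=none`), partially enforcing (a `pct` below 100 or `sp=none` leaving subdomains open) and fully enforcing. The firm domains and their records are constructed for illustration; the grading is a practical heuristic, not a complete RFC 7489 validator.

```python
"""Grade DMARC TXT records the way a domain survey would (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DmarcAssessment:
    domain: str
    grade: str                      # missing | invalid | monitor-only | partial | enforcing
    policy: Optional[str]           # value of p=
    subdomain_policy: Optional[str] # value of sp= (defaults to p=)
    pct: int                        # value of pct= (defaults to 100)
    has_aggregate_reports: bool     # rua=mailto:... present
    notes: tuple[str, ...]


def parse_dmarc(txt: str) -> Optional[dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict, or None if it is not DMARC.

    RFC 7489 requires the first tag to be v=DMARC1 and forbids duplicate tags.
    Tag names are case-insensitive, so they are lower-cased here.
    """
    tags: dict[str, str] = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue                      # tolerate a trailing semicolon
        if "=" not in part:
            return None                   # e.g. an SPF record wrongly placed at _dmarc
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in tags:
            return None                   # duplicate tag: malformed record
        tags[name] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(domain: str, txt: Optional[str]) -> DmarcAssessment:
    """Grade one domain's record. txt=None means no TXT record was found."""
    notes: list[str] = []
    if txt is None:
        return DmarcAssessment(domain, "missing", None, None, 0, False,
                               ("no _dmarc TXT record published",))
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return DmarcAssessment(domain, "invalid", None, None, 0, False,
                               ("not a valid DMARC record (bad syntax or no p= tag)",))
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()   # sp= falls back to p= when absent
    try:
        pct = max(0, min(int(tags.get("pct", "100")), 100))
    except ValueError:
        pct = 100                          # receivers treat an unparsable pct as 100
        notes.append("pct= is not an integer; receivers default to 100")
    has_rua = tags.get("rua", "").lower().startswith("mailto:")
    if not has_rua:
        notes.append("no rua= address: you will never see who is spoofing you")

    if policy == "none":
        grade = "monitor-only"
        notes.append("p=none: receivers deliver spoofed mail normally")
    elif policy in ("quarantine", "reject"):
        if pct < 100:
            grade = "partial"
            notes.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
        elif sp == "none":
            grade = "partial"
            notes.append("sp=none: subdomains can still be spoofed")
        else:
            grade = "enforcing"
    else:
        grade = "invalid"
        notes.append(f"unknown policy p={policy!r}")
    return DmarcAssessment(domain, grade, policy, sp, pct, has_rua, tuple(notes))


# Constructed sample (hypothetical firms): what a TXT lookup of _dmarc.<domain>
# might return. None stands for NXDOMAIN / no TXT record.
SAMPLE_LOOKUPS: dict[str, Optional[str]] = {
    "firm-a.example": None,
    "firm-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm-b.example",
    "firm-c.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firm-c.example",
    "firm-d.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@firm-d.example",
    "firm-e.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-e.example; ruf=mailto:forensic@firm-e.example",
    "firm-f.example": "v=spf1 include:_spf.example.net -all",  # SPF record misplaced at _dmarc
}


def audit(lookups: dict[str, Optional[str]]) -> tuple[list[DmarcAssessment], dict[str, int]]:
    """Assess every domain and tally the grades, as a survey would."""
    results = [assess_dmarc(d, t) for d, t in lookups.items()]
    counts: dict[str, int] = {}
    for r in results:
        counts[r.grade] = counts.get(r.grade, 0) + 1
    return results, counts


if __name__ == "__main__":
    results, counts = audit(SAMPLE_LOOKUPS)
    for r in results:
        print(f"{r.domain:16} {r.grade:13} p={r.policy} sp={r.subdomain_policy} pct={r.pct}")
        for note in r.notes:
            print("    -", note)
    print(counts)
```

To run it against real domains, replace `SAMPLE_LOOKUPS` with the TXT strings returned by your resolver for each `_dmarc.<domain>`; only the grading logic, not the DNS client, is shown here. Anything graded “missing” or “monitor-only” is in the same position as the 34 firms the paragraph describes.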

A single well-crafted deceptive email has the potential to inflict thousands of pounds of damage to a law firm and, worse yet, leave its reputation as a trusted partner in tatters. Firms must act quickly to implement defensive measures such as DMARC that will counter the common deceptive techniques used by criminals and protect their trusted reputation from being used to target their clients.

Here Syedur Rahman, of business crime solicitors Rahman Ravelli, warns that the money laundering and other financial crime risks of post-Brexit free ports must be considered.

New Prime Minister Boris Johnson’s “do or die” approach to taking Britain out of the European Union by October 31 has been much discussed. But there is one detail of his post-Brexit approach that requires as much, if not more, scrutiny if the UK is not to become a magnet for more economic crime.

The PM has been quoted as saying that he favours creating about six tax-free zones in ports. This attempt to create free ports – government-designated areas of little or no tax – is arguably a logical idea at a time when the UK is looking to boost trade with other countries. Free ports can spark economic activity, as the benefits of reduced, deferred or even no tax are clear to companies.

Yet free ports have been identified as a money laundering risk. And, ironically, it is the European Commission that has been most vocal on this subject. In a report, the Commission states that it is looking to tackle the financial risks of free port zones, which it sees as a developing threat to its attempts to combat money laundering.

According to the Commission, free ports help with the movement of counterfeit goods. This is because a ship’s load can be landed and the goods and associated paperwork can then be tampered with without the usual stringent checks. The goods can then be re-exported with little or no safeguards regarding the legitimacy of the cargo. In most cases the registered value of the goods depends solely on self-declaration, which leaves significant room for over- or under-valuing.

The Commission’s report states that at most free ports “precise information on the beneficial owners is not available.” This can only make them more attractive to those looking to facilitate money laundering – a point not lost on the Commission, whose report talks of the EU having a structural problem when it comes to preventing the financial system being abused. Free ports give those who are looking to commit wrongdoing the secrecy that they are seeking.

While the UK has not had any free ports since 2012, there are around 80 in European Union countries and their dependencies. The Commission has called on countries to conduct regular independent audits of the zones. Just how that request goes down remains to be seen.

The Commission’s concerns over free ports come after it has blamed banks for not complying with basic EU anti-money laundering rules and has lambasted national regulators for not intervening until rules have been repeatedly broken or the problems are glaringly obvious. Its view on free ports is equally damning, which is not encouraging for UK PLC.

Such an approach from the Commission to free ports and the banks can hardly be called alarmist. The EU has faced a number of major money laundering scandals recently. In the past 12 months, Denmark’s largest bank, Danske Bank, has been the subject of revelations that its Estonian branch was at the heart of Europe’s largest money laundering scandal, with 15,000 customers involved in suspicious transactions totalling 200 billion euros. Sweden’s Swedbank has also had to manage the fall-out from allegations of money laundering on a massive scale at its Estonian banking operation. And Germany’s Deutsche Bank is bracing itself for possible fines, legal action and even the prosecution of senior management over its role in a $20 billion Russian money-laundering scheme dubbed the “Global Laundromat”.

The Fifth Anti-Money Laundering Directive will broaden the scope of its predecessor, and it explicitly includes free port operators, making them subject to the same customer due diligence requirements as, for example, real estate agents or notaries. This may go some way to removing the Commission’s concerns about free ports. It may also have a significant effect on the success of current or future free ports.

But for now there are many who do not share the PM’s enthusiasm for free ports. And it is hard to argue with their criticisms.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” - Information Commissioner Elizabeth Denham

  1. So what is GDPR?

GDPR stands for General Data Protection Regulation and it is Europe's framework for data protection laws, replacing the previous 1995 data protection directive.

The aim of the Regulation is to ease and safeguard the flow of personal data across the EU Member States. Being an EU Regulation, it is directly applicable to each Member State’s national law.

GDPR became enforceable across the European Union on 25 May 2018. One of its main benefits is that companies are now required to demonstrate that they are actively working to protect their customers’ personal data (the accountability principle), and can be fined heavily if they become complacent about data security.

The GDPR outlines a range of rights that each individual in the EU has when it comes to their personal data:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

 

  2. Who does the GDPR affect?

Essentially everyone. Almost every aspect of our lives revolves around data and almost every service we use involves the collection and analysis of our personal data. GDPR applies to any company or organisation established within the EU, as well as any company or organisation outside the EU that offers goods or services to individuals in the EU or monitors their behaviour there (Art. 3).

  3. What do we mean by personal data?

GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable natural person, that is, one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Art. 4(1)). The definition is deliberately wide, and online identifiers include IP addresses. An example given is that if you provide free Wi-Fi in your building and collect the IP addresses of all users, this will be caught by the GDPR.

  4. What does ‘processing’ mean?

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2)).

  5. What is the difference between a data processor and a data controller?

There are two different types of data-handlers the legislation applies to: 'processors' and 'controllers'. The definitions of each are laid out in Art. 4 of the General Data Protection Regulation. A controller is the entity that determines the purposes and means of the processing of personal data, while a processor is an entity which processes personal data on behalf of the controller. It was previously thought that GDPR applied mainly to data controllers, but it is clear that data processors have direct obligations too, for example on security, record-keeping and notifying the controller of breaches.

  6. Do businesses need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of: (a) public authorities or bodies, (b) organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or (c) organisations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions (Art. 37). If your organisation doesn’t fall into one of these categories, the GDPR itself does not require a DPO, although Member State law may (Art. 37(4)), and nothing prevents an organisation from appointing one voluntarily.

  7. What are Right of Access requests?

Right of access requests under Art. 15 of the GDPR provide individuals with the ability to know whether personal data about them is being processed by a data controller, and if so, what that information is and why it is being processed. The individual is entitled to a copy of the personal data in question, and the right does not depend on whether someone is an employee, a worker or self-employed.

While the GDPR contains exemptions, these mostly focus on questions of public interest, such as the investigation of crime or the maintenance of effective regulatory regimes.

Recital 47 of the GDPR clearly states that fraud prevention is a ‘legitimate interest’ to process personal data:

“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”

However, even for the purpose of fighting fraud, the controller still has to prove that legitimate interest applies and that the processing of personal data is necessary and unavoidable. They also have to balance the interest of fighting fraud with the interests, rights and freedoms of the people who the data applies to. The complexity of GDPR means that those who need to investigate fraud may face uncertainty regarding whether they need permission to proceed.

Observing the core principles of GDPR and preventing fraud at the same time is not an easy task.

  8. What are the penalties in case of non-compliance?

Organisations can be fined up to €20 million or 4% of annual global turnover, whichever is higher, for breaches that occurred after 25 May 2018. This is the maximum tier, reserved for the most serious infringements, for example processing without a valid legal basis such as sufficient customer consent, or violating core principles. It is important to note that these rules apply to both controllers and processors, meaning cloud providers handling personal data on a customer’s behalf are not exempt from GDPR enforcement.

EU regulators are now actively pursuing data protection violators. France’s CNIL fined Google €50 million in January 2019 for its user consent and data policies, and the UK’s regulator, the Information Commissioner’s Office (ICO), fined Facebook £500,000 for serious data protection law breaches, Uber £385,000 for failing to protect customers’ personal information during a cyberattack and Vote Leave £40,000 for sending out thousands of unsolicited text messages in connection with the 2016 Brexit vote. Those three ICO fines concerned conduct before 25 May 2018 and were imposed under the earlier Data Protection Act 1998 and PECR, whose ceiling was £500,000; penalties under the GDPR regime are far larger.

Recently, the Information Commissioner issued a notice of its intention to fine British Airways £183 million for breaches of data protection law. The case involved user traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested the details of approximately 500,000 customers, including login, payment card and travel booking details. The investigation concluded that the company’s security arrangements were poor.

  9. What is consent?

GDPR defines ‘consent’ as: “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”

GDPR imposes strict requirements upon data controllers who wish to rely on ‘consent’ as a legal basis for processing personal data. This raises concerns in a number of areas, as the lines tend to become blurry; one example is the employment relationship, where consent wrapped into the employment contract generally cannot be relied upon as the legal basis for processing the employee’s personal data.

Three key questions arise in this context:

  • Is it an option to seek express consent outside the scope of the employment contract?
  • If not, can a company rely upon “legitimate interests” as the legal basis to process that employee’s personal data without seeking express consent?
  • What about the individual’s “right to be informed”?

In theory, employees could give their consent freely, independent of their employment contract, however, when there is a significant imbalance of power, such as between employer and employee, it is unlikely that consent will have truly been given freely.

  10. How will GDPR and AML co-exist?

The right to erasure is clearly stipulated in the regulation, but it is not an absolute right. Among the exceptions is Article 17(3)(b), which preserves processing that is necessary to comply with a legal obligation. That is exactly the position of regulated firms under anti-money laundering law: they must retain customer due diligence and transaction records for a set period after the relationship ends (five years under the Fourth Anti-Money Laundering Directive), even if the customer has requested to be forgotten. Such records should be kept for that purpose only, with access restricted and deletion once the retention period expires. It remains to be seen how the industry will harmonise the two regimes in practice.

 

Christiana Kouppi

Partner

Phone: +357 25 261 777

Email: c.kouppi@vrikislegal.com

www.vrikislegal.com

 

 

Here Rhys David, CEO of Credas, talks Lawyer Monthly through the complexities of carrying out independent anti-money laundering audits.

Although many practices are managing their due diligence when it comes to the basics, the independent audit is often missing from AML procedures altogether.

Unfortunately, failing to carry out these important checks can easily result in an investigation and subsequent fine from the Solicitors Regulation Authority, so it’s vital that firms cover themselves against any unnecessary risk.

When carrying out an independent Anti-Money Laundering audit, there are a number of things that legal businesses need to consider before they get started.

Find an expert. Look for an auditor or company which has specific expertise in Money Laundering regulations to ensure that you are getting an audit which is fit for purpose, as many will offer template services that aren’t quite the right fit.

Be honest. Don’t embellish what you have or don’t have in place. The audit is there to improve your AML compliance and to ensure that you don’t fall foul of the regulations, so being brutally honest about your procedures is the best way to ensure that you’re seeing real value from it.

Involve the team. Have your staff involved in the process. Let them know that it is happening and make sure they understand the importance of the audit and its findings for the business. This is an important part of the 4th Directive and one which should help you manage and mitigate risks in the following year. It’s important that the wider team understand the firm’s approach to AML compliance, as another component of the 4th Directive is training and communication: anyone in the business should be able to answer questions on the process should the supervisor (the SRA for law firms, or HMRC for the businesses it supervises) visit.

Take the advice. When you have received recommendations following the audit – action them. Spending money on a service like this is sadly a wasted effort if you don’t then follow through on the necessary changes.  Act on the advice of the audit and make some positive steps towards improving on your AML compliance.

Do it soon. The 5th AML Directive is coming into force in January 2020 and the need for an audit as well as risk assessments on clients and staff is a significant part of that directive. Take action now and get your house in order so you know that when the 5th is enforced you are AML-OK.

Although the 4th Directive has been in place for two years already, this is an aspect of compliance that has otherwise completely slipped under the radar. With that being said, in recent months we’ve received an increasing number of customers asking about independent audits, especially with the 5th Directive on the horizon, so it’s fantastic to see that businesses are beginning to protect themselves against unnecessary risk.

By re-visiting the legislation and checking off with a well-informed auditor all the aspects of compliance that legal practices need to adhere to in order to prevent financial crime, the industry can rest assured that it is ready for the 5th AML Directive coming into force within a few short months.

About Lawyer Monthly

Legal News. Legal Insight. Since 2009
