Risk and Compliance update - February 2020

Risk and Compliance update - February 2020

In our February edition of Risk and Compliance highlights, we cover  Brexit, anti-bribery & corruption; AML & counter-terrorist financing, and  GDPR, and data protection -  information management & security.

In this issue:


Anti-bribery & corruption

AML & counter-terrorist financing

GDPR & data protection

Information management & security

Brexit—exit day update

As of 31 January 2020, the UK ceases to be an EU Member State and will no longer participate in the political institutions and governance structures of the EU. However, in accordance with the transitional arrangements provided in Part 4 of the Withdrawal Agreement, exit day marks the commencement of an 11-month implementation period (IP) during which the UK will continue to be treated by the EU as a Member State for many purposes.

Under the current terms, the IP will run from 11pm on 31 January 2020 (exit day) until 11pm on 31 December 2020 (IP completion day). During this period, the UK must continue to adhere to its obligations under EU law (including EU treaties, legislation, principles and international agreements), and submit to the continuing jurisdiction of the Court of Justice of the European Union in accordance with the Withdrawal Agreement.

Exit day is still key in terms of being the date the UK ceases to be an EU Member State, but in terms of the legal impact, IP completion day is the date that the majority of key legal changes associated with Brexit will take effect, including the full repeal of the European Communities Act 1972, incorporation of retained EU law into the domestic legal regime and commencement of associated Brexit legislation, including Brexit SIs.

The European Union (Withdrawal Agreement) Act 2020 (EU(WA)A 2020) implements the Withdrawal Agreement into UK domestic law and includes a range of interpretation and consequential provisions in order to effect this change in the timing. IP completion day replaces exit day for many purposes throughout the EU(WA)A 2020 and related Brexit legislation, including specific provisions to defer the commencement of Brexit SIs and related enactments.

Notwithstanding the terms of the EU(WA)A 2020, the SRA is currently saying it will not be accepting new applications for Registered European Lawyer (REL) status after 31 January 2020. It is unclear on what basis this decision has been made. We have raised this with the SRA and hope they will review the end date for REL applications in the light of the deferment of substantive changes to UK law until the end of the Withdrawal Agreement implementation period.

For more information on the Withdrawal Agreement, see Practice Note: Brexit—introduction to the Withdrawal Agreement.

Brexit - EU Withdrawal Agreement 

As MEPs gathered in Brussels to approve the Withdrawal Agreement on 29 January 2020, the UK introduced Commencement Orders to bring into force relevant provisions of the legislation implementing and giving effect to the Withdrawal Agreement in domestic law, in preparation for exit day on 31 January 2020. Kieran Laird, partner and head of constitutional affairs in the Gowling WLG Brexit Unit, comments on the final stages of the Withdrawal Agreement ratification and the associated legislation. See: LNB News 29/01/2020 94.

The European Union (Withdrawal Agreement) Bill received Royal Assent on 23 January 2020, becoming the EU(WA)A 2020. The passage of this legislation confirms the UK Parliament’s approval of the Withdrawal Agreement in accordance with domestic constitutional arrangements (as amended). See: LNB News 24/01/2020 87.

Graeme Cowie, Senior Library Clerk (Constitutional Law) at House of Commons Library, examines the government’s new EU (Withdrawal Agreement) Bill (the WAB). It sets out the background to the Bill and identifies the key differences between this Bill and the earlier European Union (Withdrawal Agreement) Bill introduced to Parliament in October 2019. See News Analysis: The new EU (Withdrawal Agreement) Bill—what’s changed?

Anti-bribery & corruption
Deferred prosecution agreements (DPA’s)

The Serious Fraud Office (SFO) has confirmed that a DPA, subject to court approval, has been reached between the SFO and Airbus. A public hearing will take place on 31 January 2020, before the President of the Queens Bench Division. See: LNB News 29/01/2020 22 and News Analysis: Airbus €3.6bn global bribery settlement up for court approval.

Southwark Crown Court has approved a DPA requiring Guralp Systems Ltd, which had been charged with conspiracy to make corrupt payments and failing to prevent bribery by employees, to disgorge within five years its profit attributable to the corruption. The court found the DPA was likely to be in the interests of justice and its proposed terms were fair, reasonable and proportionate. Quinton Newcomb, barrister and director, and Blake Woodfield, solicitor, at Fulcrum Chambers Ltd, examine the judgment and the DPA, which has some unusual features. See News Analysis: Latest deferred prosecution agreement approved (Serious Fraud Office v Guralp Systems Ltd).

The founder and a former executive of a scientific instruments manufacturer has been acquitted of conspiracy to make corrupt payments to a South Korean official, after the company made a deal with the SFO to pay £2.1m (US$2.7m) under a DPA. See News Analysis: Guralp founder, exec acquitted in SFO bribery case.

While DPA’s can seem attractive, the recent acquittal of Guralp executives accused of conspiracy to make corrupt payments shows that such deals may not always be in a company’s best interests, says Aziz Rahman of Rahman Ravelli. See News Analysis: When a deferred prosecution agreement isn’t the best option.

 Serious Fraud Office (SFO)

The year ahead will see the conclusion of the SFO’s long-running case against senior Barclays bankers and critical guidance from the UK Supreme Court that will shape a growing queue of price-fixing damages suits. See News Analysis: The big UK corporate crime cases & trends to watch in 2020.

The past year saw long-running SFO investigations conclude with mixed results for the white-collar crime agency, while a ruling by the Court of Appeal reinforced the duty banks owe to corporate clients to help protect against fraud. See News Analysis: The biggest UK corporate crime cases of 2019.

The SFO has updated its Operational Handbook with new guidance on ‘Evaluating a compliance programme.’ The guidance is designed to assist SFO personnel investigating companies for corporate criminal wrongdoing. This will be either in the context of having received a self-report or where the SFO initiates an external criminal investigation. Companies and their legal advisors should take note of the guidance as it will feed into the decisions about the resolutions that are available, including any potential DPA and charging decisions. See: LNB News 21/01/2020 104.

The International Bar Association (IBA) has reported that a lack of convictions for financial crime and delayed investigations has prompted some to question the UK’s appetite for tackling corruption. For the SFO, convictions secured by the organisation fell to 53 percent in 2018–19—the lowest level since 2015–16. In addition, a freedom of information request from law firm Fieldfisher revealed that the SFO has ‘secured only seven convictions against five corporates since April 2013’ and that ‘32 of the 43 criminal investigations opened during this period have not reached a conclusion’. See: LNB News 17/01/2020 48. 

Foreign Corrupt Practices Act (FCPA)

Following a banner year for Foreign Corrupt Practices Act (FCPA) enforcement in the US during 2019, with individual prosecutions surging and combined corporate penalties reaching new heights, it is now more important than ever for companies to have a strong, properly tailored, proactive compliance programme and vigilant compliance officers, says Martin Bloor of Cozen O’Connor. See News Analysis: A robust FCPA compliance programme is imperative in 2020.

After a year that set a record for US corporate settlements of FCPA violations, the US is preparing new laws and regulations that would increase corporate transparency in a push to reduce corruption. See News Analysis: US corporate bribery settlement payments and guilty pleas set US records in 2019 and SEC transparency rule on track for 2020.

Uber Technologies, the transportation company, won't face a US Justice Department (DOJ) prosecution over alleged payments made to foreign officials, the company announced last week. The news came from the company alone, with the DOJ staying mum, a move in line with a trend towards handling declinations outside public glare. The new DOJ practice offers some privacy to companies that are resolving prosecutions—a boon as they fight potential challenges from shareholders and seek to rebuild their reputations. For observers, though, the DOJ's reasoning on declinations has become more obscure. See News Analysis: DOJ’s silence on Uber FCPA declination illustrates trend towards staying mum.

 AML & counter-terrorist financing
Money Laundering and Terrorist Financing (Amendment) Regulations 2019

The Money Laundering and Terrorist Financing (Amendment) Regulations 2019, SI 2019/1511 came into force on 10 January 2020, bringing new requirements for financial service providers and others in ‘the regulated sector’ in preventing money laundering and terrorist financing. John Binns, partner at BCL Solicitors LLP, considers the impact of SI 2019/1511 on the day-to-day activities of affected businesses and how Brexit will impact the UK’s future transpositions of EU anti-money-laundering (AML) directives. See News Analysis: Ensuring compliance with the Money Laundering and Terrorist Financing (Amendment) Regulations 2019.

 Suspicious activity reports (SARs)

The government has pledged to reform suspicious activity reports (SARs) to ensure UK enforcement agencies and IT systems are prepared to effectively prevent and tackle money laundering and terrorist financing. Max Hobbs, solicitor, and Neill Blundell, head of corporate crime and investigations practice at Macfarlanes, consider the strength of the UK’s existing SAR regime and suggest what changes can be expected from the reform programme. See News Analysis: Reforming SARs—reflections on the reform programme.

GDPR & data protection


The ICO has issued a statement on the implications of Brexit on the UK data protection regime. The ICO stated that EU data protection laws, such as the GDPR, will continue to apply in the UK during the transition period until December 2020. Companies and organisations offering goods or services to the EU will not be required to appoint a European representative. See: LNB News 29/01/2020 72.

While businesses in the UK that handle personal data do not face immediate disruption, the Information Commissioner’s Office (ICO) is bracing itself for an increasingly diminished role on the umbrella group for national EU regulators, the European Data Protection Board (EDPB). See News Analysis: ICO counts the days until EU influence falls away.

The ICO’s position as a regulator is uncertain in light of Brexit and the ever–changing landscape of data protection. Going into 2020, James McGachie, legal director, and Sami Qureshi, associate at DLA Piper, consider the ICO’s focuses, neutrality and how it will position itself as a regulator outside of the EU. See News Analysis: ICO enforcement—2019 trends and 2020 predictions.

The ICO has issued a consultation on new, draft guidance on dealing with subject access requests (SARs). Stephanie Creed and Ruth Boardman of Bird & Bird LLP explain the latest developments. See News Analysis: Information Commissioner consults on subject access guidance.

 Standard contractual clauses

The Advocate General has opined that the Court of Justice should rule that the EU standard contractual clauses (SCCs), which are one of a limited number of mechanisms by which organisations in the EU can transfer personal data to countries outside of the EU, remain a valid data transfer mechanism. In particular, the Advocate General found that, notwithstanding any local law or practices in the recipient country, the SCCs ensure an adequate level of protection for personal data transferred because they require the organisation transferring personal data to suspend such transfers in the event that the protections provided by the SCCs cannot be met. Furthermore, EU data protection supervisory authorities have the power to suspend transfers of personal data when that is the case. Written by Bridget Treacy, partner, and James Henderson, senior associate, at Hunton Andrews Kurth. See News Analysis: Advocate General opines EU standard contractual clauses are valid (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems).

The first standard contractual clauses for contracts between controllers and processors of personal data have been adopted by the Danish supervisory authority for data protection. Bridget Treacy, partner at Hunton Andrews Kurth LLP, considers how these standard clauses will be applied in practice, and challenges arising from liability alongside wording revisions in commercially negotiated personal data processing agreements. See News Analysis: Examining the first standard contractual clauses for contracts between controllers and processors.

Direct marketing

The ICO has published a draft Code of Practice on Direct Marketing, which is now out for consultation—see: LNB News 08/01/2020 20. Elle Todd of ReedSmith LLP explains the latest developments, the context and key takeaway points from its 120+ pages. See News Analysis: ICO draft Code of Practice on Direct Marketing.


The ICO has released a Code of Practice to protect children’s privacy online. The Code of Practice, coined the Age Appropriate Design Code, sets out 15 standards that those designing, developing or providing online services are expected to meet in order to protect the privacy of children. The code requires that children be provided ‘with a built-in baseline of data protection whenever they download a new app, game or visit a website’. Claire Williams, principal associate, at Mills & Reeve encourages providers to rethink and tweak their approach to data protection in light of the new code. She notes that the new code emphasises that privacy should be built directly in to online products. Lorna Cropper, director of privacy and information at Fieldfisher, agrees that the code will require a baseline of privacy by default and that it will be important for providers to identify their users. See: LNB News 22/01/2020 82.

Data breaches

Data-protection regulators across Europe have hit businesses with fines totaling €114m (US$126m) for mishandling customer information since the bloc’s tough privacy rules came into force in 2018, DLA Piper said on 20 January 2020. See News Analysis: EU fines for data breaches reach €114m.

The ICO has fined the national retailer DSG Retail Ltd £500,000 after a cyber-attack rendered its point of sale computer system compromised, resulting in unauthorised access to at least 14 million customers’ personal details between July 2017 and April 2018. See: LNB News 10/01/2020 19.

 Information management & security

Business leaders and risk experts have said for the first time that the threat of cyber incidents is their number one concern, according to a survey by German insurer Allianz AG. See News Analysis: Cyber incidents—ranked as biggest threat to business.

Britain’s cybercrime laws need to be brought into the 21st century, according to a legal report that warns outdated rules could lead to courts prosecuting professionals who have ethical motives for accessing company data. See News Analysis: UK cybercrime laws need reform, report says.

Guidance has been published by the National Cyber Security Centre (NCSS) for businesses on making security decisions when selecting the products and services that provide secure communications in the workplace. The guidance includes a set of principles to guide businesses on assessing the security of voice, video and messaging communication services to help risk owners and security professionals ‘achieve the right balance of functionality, security and privacy’. See: LNB News 23/01/2020 66 and LNB News 17/01/2020 47.

 EU ePrivacy

Big Tech and European telecom companies such as Telefónica, Orange and Vodafone are still likely to face EU rules aimed at protecting privacy and security over communication networks as the EU executive is unlikely to withdraw the draft bill, See News Analysis: EU ePrivacy proposal still on table following EU ministers’ deadlock, Breton says.



Related Articles:
Latest Articles:
About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.