Risk and Compliance update - January 2020

New SRA regime

RIP SRA Handbook 2011. Long live the StaRs. After years of planning, the SRA Standards and Regulations (or the StaRs, as they are also known) came into force on 25 November 2019.

The new SRA regime brings with it a host of important changes for in-house lawyers, including:

• new, slimmed-down SRA Principles

• two new Codes of Conduct, one for solicitors, RELs and RFLs which applies directly to in-house lawyers (and one for SRA-regulated firms)

• new authorisation and practising requirements—and new flexibility in the ways solicitors (including in-house lawyers) can practise

See subtopic SRA regulation of in-house lawyers including Practice Notes:

SRA Standards and Regulations 2019—in-house lawyers

SRA Code of Conduct for Solicitors, RELs and RFLs—for in-house lawyers

Conflicts of interest, confidentiality and disclosure 2019—in-house lawyers

Reporting breaches to the SRA—in-house lawyers

Dealing with freelance solicitors

Crime prevention

The Financial Action Task Force (FATF) has published a keynote speech by its executive secretary, David Lewis, who set out FATF’s role in anti-money laundering and countering terrorist financing (AML/CTF). Lewis called for action after FATF evaluations found nearly 100 countries needed fundamental or major improvements in the preventive measures taken by banks, money service businesses, lawyers, accountants, company formation agents, real estate agents, casinos and others. See: LNB News 10/12/2019 62.

Following a meeting held on 5 December 2019, the Council of the EU has published its conclusions on strategic priorities on AML/CTF. The Council welcomes the work being done by various EU bodies to tackle the issue, and recognises the need for stronger co-ordination between financial intelligence units. It urges Member States to swiftly complete the transposition of all relevant Union legislation in this area and strengthen its implementation and application. See: LNB News 05/12/2019 67.

Anti-bribery & corruption

The US Securities and Exchange Commission (SEC) has announced that Telefonaktiebolaget LM Ericsson (Ericsson) has been charged with engaging in a large-scale bribery scheme. The US Department of Justice (DoJ) has announced that Ericsson has agreed to pay over $1bn for Foreign Corrupt Practices Act violations and entered into a deferred prosecution agreement—this includes a criminal penalty of over $520m and approximately $540m to be paid to the SEC in parallel civil proceedings. The scheme involved the use of fake consultants to secretly funnel money to government officials in multiple countries. The bribes allowed Ericsson's profits to increase by hundreds of millions. See: LNB News 09/12/2019 46.

A senior US DOJ official has said that despite winning a recent trial against a former Alstom executive, bribery prosecutors will need to change their strategy in light of a far-reaching Second Circuit ruling requiring proof that foreigners alleged to have stewarded bribes were ‘agents’ of a US-domiciled company. See News Analysis: DOJ attorney says FCPA trial preparation shifting despite Alstom win.

A former Alstom sales director, Nicholas Reynolds, lost his appeal against his conviction for conspiring to bribe Lithuanian officials after a court ruled that questionable remarks made by the trial judge did not undermine the case. See News Analysis: Alstom Exec loses fight to overturn bribery conviction.

Dr Eike W Grunert and Dr Jochen Pörtge, partners at Pinsent Masons, explain why businesses operating in Germany should begin updating and documenting their compliance risk assessments and measures in preparation for stricter corporate sanctions laws being introduced in the country. See News Analysis: Germany toughens up on corporate sanctions.


Two Serco directors have been charged with fraud and false accounting which took place between 2011 and 2013. The charges followed scrutiny by the Serious Fraud Office of a contract between Serco and the Ministry of Justice. See: LNB News 17/12/2019 70.

Business activities
Sanctions & export controls

Principal deputy assistant attorney general at the US DoJ, David Burns, has announced new export controls and sanctions enforcement policy for business organisations. The policy revises the 2016 voluntary self-disclosure policy for US sanctions and export control breaches. Under the revised policy, the default position will be a non-prosecution agreement where a company voluntarily self-discloses export control or sanctions violations, fully co-operates and makes timely and appropriate remediation. See: LNB News 16/12/2019 46.

Regulation of economic sanctions in the US continued at a breakneck pace this year, with new rules targeting Venezuela, Cuba, Turkey and Iran, expanded guidance from the Office of Foreign Assets Control (OFAC), and one of the most active enforcement years on record, say attorneys at Ropes & Gray. See News Analysis: US strengthened and expanded economic sanctions in 2019.

GDPR & data protection
Regulatory regime

UK Finance has published a blog on the Information Commissioner’s proposals to extend its enforcement powers, including allowing it to recover profits from the criminal misuse of data under the Proceeds of Crime Act 2002. The authors note that such an extension is likely to be of interest to organisations that hold large volumes of data, such as banks, and is a further example of wider trends of regulators extending their enforcement powers, using dual-track criminal and regulatory investigations, and seeking parallel redress from individuals and corporates. See: LNB News 12/12/2019 72.

The Information Commissioner’s Office (ICO) has launched a campaign aimed at contacting all registered UK companies to remind them of the legal responsibility they have to pay a data protection fee, as part of a wider programme to ensure the data protection fee is paid by everyone required to do so. Under the Data Protection Act 2018, organisations that process personal data are obliged to pay the fee, unless exempt. See: LNB News 03/12/2019 43.

On 20 November 2019 the European Data Protection Board (EDPB) published its draft guidelines on the principles of Data Protection by Design and Default (the Guidelines) under Article 25 of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). The Guidelines give general guidance on the interpretation of the obligations of data protection by design and by default. In addition to covering these principles, the Guidelines also cover certification mechanisms for demonstrating compliance with Article 25 of the GDPR and enforcement by supervisory authorities. Matthew Buckwell, Ruth Boardman and Ariane Mole of Bird & Bird LLP explain the latest developments. See News Analysis: EDPB publishes guidelines on data protection by design and by default.

Data breaches

The ten largest fines levied in 2019 for breaches of the GDPR totalled €402m, figures released show, but few companies, if any, have been covered by cyber-insurance. See News Analysis: Biggest EU data breaches incurred €402m in fines in 2019.

Data processing

How does Article 71 of the draft agreement on the withdrawal of the UK from the EU (Withdrawal Agreement) ensure the personal data of non-UK data subjects is processed in the UK in accordance with EU law? Eleonor Duhs, director and barrister at Fieldfisher, considers the implications of the provisions in Article 71 for UK controllers. See News Analysis: Implications of Article 71 of the draft EU-UK Withdrawal Agreement for data protection practitioners.

The final text of the Danish standard contractual clauses, as adopted by the Danish supervisory authority, has been published in the EDPB’s Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. See: LNB News 12/12/2019 17.

Data subject requests

The ICO has opened a consultation on its new guidance in relation to the right of access (often known as subject access), which is outlined in the GDPR. The right allows individuals ‘to find out what personal data is held about them and to obtain a copy of that data’. In April 2018, the ICO published its initial guidance on the right of access. It has now drafted more comprehensive guidance on the subject, ‘which explains in greater detail the rights that individuals have to access their personal data and the obligations on controllers’. See: LNB News 05/12/2019 20.

Right to be forgotten

The EDPB has published its adopted draft guidelines on the criteria of the right to be forgotten in the search engine cases under the GDPR for public consultation. The guidelines provide an interpretation of Article 17 of the GDPR with regard to the grounds and exceptions for delisting requests directed to search engine providers and are an update of 2014 guidelines issued by the Article 29 Working Party. These guidelines will ultimately be complemented by another set of guidelines on the criteria for handling complaints for refusals of delisting. See: LNB News 12/12/2019 23.


The European Union Agency for Cybersecurity (ENISA) has published a new report on pseudonymisation techniques and best practices that looks at the basic notions of pseudonymisation and technical solutions that may be able to support implementation in practice. See: LNB News 04/12/2019 63.

EU ePrivacy bill

MLex: Big Tech and European telecom companies like Telefónica, Orange and Vodafone are scratching their heads about what lies ahead for EU rules aimed at protecting the privacy and security of communications over their networks. The new European Commission, which will take office next week, will have to decide whether to scrap the proposal, amend it, or allow EU governments to have another crack at a compromise. See News Analysis: Comment—Big Tech, telcos face legal uncertainty as EU ePrivacy bill stalls.

Additional Risk & Compliance updates this month
Queen’s Speech 2019

The State Opening of Parliament and Queen’s Speech marks the formal commencement of the new parliamentary year and is a chance for the newly formed government to set out its revised policy agenda following the 2019 general election. See: LNB News 19/12/2019 23.

The government has announced its intention to introduce the European Union (Withdrawal Agreement) Bill. The purpose of the Bill is to implement the Withdrawal Agreement that has been agreed between the UK and the EU in domestic law and recognise the government’s promise to deliver Brexit by 31 January 2020 and subsequently secure a future relationship with the EU ‘based on a free trade agreement that benefits the whole of the United Kingdom’. See: LNB News 19/12/2019 24.


Risk & Compliance forecast

Our new Risk & Compliance forecast (as at 11 December 2019) is live. This month, we report on issues including (1) AML and CTF; (2) crime prevention; (3) whistleblowing; (4) competition law compliance; (5) data protection; (6) modern slavery; (7) employment and (8) regulation of legal services. You can rest assured we're tracking forthcoming regulatory changes so you can plan ahead. See: Risk & Compliance forecast as at 11 December 2019.


Cloud computing—key trends in 2019

Baker McKenzie has released its 2019 Data and Cloud Survey results, which provide insights relating to data, including who owns it, where it resides and how it is protected. Peter George and Adam Aft, partners at Baker McKenzie, discuss the key trends that emerged from the survey, as well as what the survey revealed about data protection, cloud terms, liability and cyber insurance. See News Analysis: Cloud computing—key trends in 2019.


UK’s competition & procurement regimes

MLex: The UK’s competition, procurement, State aid and digital regulations are in line for revision following the Conservative Party’s victory in the general election. See News Analysis: UK’s competition, procurement regimes in crosshairs after Tory victory.




About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.