Risk & Compliance monthly highlights - September 2020

Risk & Compliance monthly highlights - September 2020

In this issue:


GDPR & data protection

AML & counter-terrorist financing

Sanctions & export controls

Crime prevention

Health & safety




Navigating the Brexit transition

For our report Continental Shift: Navigating the Brexit transition, we have gathered insights and commentary from a range of experts on key developments following the UK’s withdrawal from the EU, focusing on some of the frequently asked questions on the transitional arrangements and key transition workstreams, including implementation of the UK-EU Withdrawal Agreement, negotiation of the future UK-EU relationship, and domestic policy, legislation and preparation for the legal landscape beyond Brexit. As part of LexisNexis’ ongoing Brexit coverage, this report provides a helpful update on the key legal and practical issues, highlighting useful information and materials to help lawyers navigate the Brexit transition and prepare for legal changes on the horizon. See: Continental Shift: Navigating the Brexit transition.

Legal profession

The Law Society has published a new guidance page to help lawyers prepare for the end of the transition period. The guidance page, ‘Preparing for the end of the transition period’, highlights key steps to be taken by solicitors ahead of the end of the transition period on 31 December 2020 ‘whether an agreement is reached on the UK-EU future relationship or not’. It also includes links to a range of government and regulator resources that should be of assistance to solicitors and firms. See: LNB News 21/08/2020 67.

The Department for Business, Energy & Industrial Strategy is calling for evidence regarding the UK’s approach to the recognition of professional qualifications and the regulation of professions. Views are sought from those who interact with any aspects of a regulated profession. The deadline for submissions is at 11.45 pm on 23 October 2020. See: LNB News 26/08/2020 33.



GDPR & data protection

International transfers of data

Victoria Hordern, partner and head of data privacy at Bates Wells, considers the impact of the judgment taken by the Court of Justice on 16 July 2020 in Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, Case C-311/18 (Schrems II) on European data protection law. See News Analysis: Data transfers—the aftermath of Schrems II.

Emma Ottoy, managing associate and Richard Steppe, associate, both at Linklaters in the TMT/IP department, consider the next steps for organisations transferring personal data following Schrems II. See News Analysis: Key implications and next steps post Schrems II.

noyb.eu (NOYB), the non-profit privacy advocacy organisations founded by Max Schrems, reported that it had filed 101 complaints with data protection supervisory authorities concerning companies in 30 EEA states that forward personal data to Google and Facebook. See: LNB News 25/08/2020 4.

Meanwhile, the UK’s prospects of maintaining a free flow of data with the EU after Brexit by clinching a deal with the bloc this year are looking increasingly shaky as the clock ticks down. See MLex News Analysis: Comment—UK uncertainty over EU data-transfer deal grows as Brexit deadline nears.

The Court of Appeal has also considered whether the transfer of personal data from the UK to the British High Commission in Jamaica constituted a transfer of personal data to a third country outside the European Economic Area (EEA) subject to Chapter V of the General Data Protection Regulation (the GDPR). In Johnson v Secretary of State for the Home Department [2020] EWCA Civ 1032, the Court of Appeal did not give a ruling on whether a transfer to a third country had occurred (a derogation applied in any event) but made a number of interesting comments on the issue. The court also considered the application of certain data subject rights. See News Analysis: Court of Appeal considers an international transfer under the GDPR (Johnson v Secretary of State for the Home Department).

Data breaches

MLex: Hotel group Marriott International is facing a class action damages claim in a London court over a massive breach of customer records that could see millions of guests seek compensation. See News Analysis: Marriott faces UK class-action damages suit over huge data breach.

MLex: British Airways (BA) now expects to get away with a tiny fraction of the UK fine proposed to punish the airline’s 2018 data breach. If it succeeds, the ICO will need to account for its apparent toothlessness in the pursuit of its first significant case under the EU’s General Data Protection Regulation (GDPR). See News Analysis: Comment—would slashing BA’s data-breach fine make UK regulator look reasonable or just weak?



AML & counter-terrorist financing

Source of wealth and source of funds

The Wolfsberg Group has published FAQs on how financial institutions can identify, mitigate and manage money laundering risks by undertaking source of wealth and source of funds checks on relevant customers, when appropriate and/or required by applicable regulation. The FAQs are targeted predominantly at the private banking/wealth management customer segments and take into consideration controls and procedures recognised in the Wolfsberg Anti-Money Laundering (AML) Principles for Private Banking. See: LNB News 11/08/2020 23.

Company transparency measures

MLex: The owners of murky shell companies and well-wrapped offshore vehicles have seen worldwide regulatory efforts gather steam in recent years to remove the shrouds and build unified standards of transparency. In practice, wiggle room and differences in approach are emerging that could stymie a joined-up approach. See News Analysis: Global company transparency measures come in fits and starts.

JMLSG guidance

The Joint Money Laundering Steering Group (JMLSG) has received HM Treasury ministerial approval for its guidance material published in June/July 2020. This includes the new Sector 22 Cryptoasset exchange providers and custodian wallet providers, Annex 5-V Pooled Client Accounts, and the various other revisions within Part I and Part II. See: LNB News 19/08/2020 54.

AML breaches

HM Revenue and Customs (HMRC) has published a list of businesses for the tax year 2019 to 2020 that have not complied with the Money Laundering Regulations. The list sets out details of businesses that received a penalty notice between 6 April 2019 and 31 January 2020, together with a brief description of the breach involved, the penalty amount and appeal status. See: LNB News 19/08/2020 75.

Law360: European regulators have clamped down on anti-money laundering rules in 2020 as total fines surged in the first six months of the year after a dip in 2019, a new report has found. See News Analysis: Global AML fines surge in 2020, led by Europe.

The Metropolitan Police has confirmed that a man and woman have been charged with a number of fraud and money laundering offences as part of an investigation by the Met’s Economic Crime Command​. The offences are suspected to have taken place between 23 December 2014 and 29 October 2019, while one of the pair was working in the European Bank for Reconstruction and Development​’s Office of the Chief Compliance Officer and, prior to that, as an Anti-Corruption Legal Expert with the Organization for Economic Co-operation and Development’s Anti-Corruption Division. See: LNB News 06/08/2020 32.

AML/CFT Action Plan

The European Banking Authority (EBA) has published its response to the European Commission’s Action Plan for a comprehensive EU policy on preventing money laundering and terrorism financing, giving its backing to the European Commission’s call for a tougher regime to fight money laundering and terrorist financing after a spate of high profile financial scandals revealed cracks in the regulatory framework. See: LNB News 19/08/2020 73 and Law360 News Analysis: European Banking Authority backs tougher anti-money laundering plan.

UK Trust Registration Service

The final rules on changes to the Trust Registration Service (TRS) have been published. Jennifer Smithson and Robin Vos of Macfarlanes LLP consider the changes to the TRS and the wider impacts of the Fifth Money Laundering Directive (5MLD). See News Analysis: How will the 5MLD impact the UK Trust Registration Service?

AML risk for trusts and company agents

Law360, London: The UK government warned on 17 August 2020 that businesses working with trusts and company agents should make sure they have strict AML checks in place as the region clamps down on financial crime in the wake of high-profile scandals involving European banks. See News Analysis: Government outlines AML risk for trusts and company agents.



Sanctions & export controls

Cybersecurity sanctions

Practice Compliance analysis: The UK government has published details of the new cybersecurity sanctions regime in the form of the Cyber (Sanctions) (EU Exit) Regulations 2020 (the Regulations). Cybersecurity has arguably never been more important as our world becomes increasingly digitised. This provides fertile soil for cybercriminals, who are using increasingly sophisticated methods of illegally accessing IT networks. Nicola Broadhurst, partner; and Gregory Barton, associate; both at Stevens & Bolton LLP, set out details of the regime and the purpose of the Regulations. See News Analysis: New cyber security sanctions regime.

The first set of sanctions have been issued under the EU’s cyber sanctions regime. The EU sanctions were directed at nine individuals and organisations from North Korea, China and Russia for their part in ‘state sponsored...malicious cyber activity’, which targeted democratic institutions, national infrastructure, media outlets and international organisations. The sanctions raise the penalty for engaging in such activities. The UK will continue to implement the regime at the end of the transition period through its own UK cyber sanctions regime. See: LNB News 31/07/2020 11 and News Analysis: Imposing sanctions against malicious cyber actors—the EU’s approach, in which John Binns, partner at BCL Solicitors LLP, discusses the EU’s first use of sanctions against malicious cyber actors.

Human rights sanctions

Law360: A new EU human rights sanctions regime expected to closely mirror the US Magnitsky Act could be adopted later this year, the Irish government has said, marking an important step in aiding the EU’s Member States to cut off institutions and individuals from financial systems. See News Analysis: EU Magnitsky Act edging closer, Irish foreign minister confirms.



Crime prevention


Interpol has published a report on the impact of coronavirus (COVID-19) on cybercrime, demonstrating a target shift from individuals and small businesses to major corporations, governments and critical infrastructure. The report demonstrates that criminals are taking advantage of individuals working from home and that, in January 2020–April 2020, 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs, all of which related to coronavirus, were detected by an Interpol private sector partner. The Interpol Chief has commented that the report demonstrates the need for co-operation between the public and private sector to combat the threat of coronavirus to ‘our cyber health’. See: LNB News 04/08/2020 71.

The National Cyber Security Centre (NCSC) has issued new guidance to help organisations ask the right questions when considering cybersecurity insurance. The new guidance is not a buyers’ guide to cybersecurity insurance. Instead it is designed to help organisations decide whether cyber insurance could contribute to how they manage cyber risk. The NCSC has also provided several questions that organisations may wish to discuss with their insurance broker or provider in order to understand what services and support are available to deal with a cyber incident and also how cyber insurance could help an organisation get back to its feet, should there be a cyber-related incident. See: LNB News 06/08/2020 33.


Law360: Consumer lender World Acceptance Corporation will pay $US 21.7m to resolve a US Securities and Exchange Commission (SEC) investigation into the alleged bribery of government officials and union officials in Mexico. See News Analysis: Consumer lender will pay SEC $US 21.7m to end FCPA probe.

Deferred prosecution agreements

Local Government analysis: On 17 July 2020, a three-year Deferred Prosecution Agreement (DPA) between the Serious Fraud Office (SFO) and G4S Care & Justice Services (UK) Ltd (G4S) was approved. This DPA is the second arising from fraudulent conduct in the performance of electronic monitoring services for the UK government between 2005 and 2013, after Serco Geografix Ltd entered a DPA in 2019. The judgment contains some interesting observations for companies who might consider self-reporting to the UK authorities, particularly those involved in bidding for public contracts. Crispin Rapinet, Liam Naidoo and Reuben Vandercruyssen from Hogan Lovells’ investigations, white collar and fraud practice consider the relationship between DPAs and debarment in the UK, and discuss the way forward for companies concerned about the impact of alleged wrongdoing on their ability to bid for public contracts. See News Analysis: Not a silver bullet—public procurement lessons from the G4S DPA.

Tax evasion

Law360, London: A scheme in which tax evaders can own up to their crimes and escape jail has helped authorities rake in almost 25% more revenue than the previous year, according to HM Revenue & Customs (HMRC) figures. See News Analysis: HMRC gets £23m boost from tax evasion deals.



Health & safety

Working safely during coronavirus

The government continues to publish updates to its ’Working safely during coronavirus (COVID-19)’ guidance documents, including to amend and add advice on the possible return to work of clinically extremely vulnerable individuals, following the pausing on 1 August 2020 of the shielding regime that applied to them until that date. See News Analysis: BEIS ‘Working safely during coronavirus’: 31 July updates after pausing of shielding regime.

Compliance & Risk, 1 August 2020: The future of workplaces, both post-lockdown and post-coronavirus, will look and feel very different from the offices abandoned in March 2020. See: LNB News 11/08/2020 49.

Responding to the media following a health and safety incident

Compliance & Risk, 1 August 2020: How does an organisation go about influencing the media so that at least a fair and balanced view of what has happened, and its part in it, is presented? See: LNB News 11/08/2020 41.



Related Articles:
Latest Articles:
About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.