What will the vote to leave the EU mean for law firm compliance? We consider the implications for data protection, financial crime prevention, cyber-security, tax evasion and the SRA’s proposed programme of radical reform.
Our conclusion is this: anyone expecting a bonfire of regulation is in for a disappointment.
The UK has voted to leave the European Union by 52% to 48%, with a turnout of 72%. The full impact of the referendum result will become apparent in the coming days, weeks and months but here are some preliminary predictions about what this might mean for law firm compliance.
On 24 June 2016, the Information Commissioner issued a statement confirming what we already knew:
The Data Protection Act remains the law of the land irrespective of the referendum result.
If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.
Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.
The message is clear: the domestic data protection regime is unlikely to be scaled back anytime soon. The real question is how do we maintain free flows of data between the UK and Europe? There seem to be three options:
- join the European Free Trade Association (EFTA), whose current members are Iceland, Liechtenstein and Norway—this would enable the UK to remain in the European Economic Area (EEA) and facilitate the free flow of data between the UK and Europe
- seek a decision of ‘adequacy’ from the European Commission, deeming UK data protection laws to provide the same level of protection as those in European countries and enabling free flows of data without any further measures being required—this seems to be what the ICO is favouring, and New Zealand, Argentina and Canada have all gone down this route
- enter into some kind of bilateral arrangement similar to the EU-US Safe Harbor Framework or its replacement, the EU-US Privacy Shield—as recent events have demonstrated, this can be a time-consuming and challenging path.
The next question is: will we have to implement the full EU General Data Protection Regulation (GDPR) in the meantime?
We already know that GDPR will become effective in the UK in May 2018, which is likely to be several months before we formally exit the EU.
In any event, the greater the difference between UK laws and the GDPR, the harder it’ll be for the UK to demonstrate our laws are essentially equivalent to the EU’s. Any attempt to join the EFTA, seek a decision of adequacy, or negotiate a US-style Privacy Shield will be easier if we amend the domestic data protection regime to reflect GDPR.
We’ll be monitoring developments closely, but for more information in the meantime, see: The impact of Brexit on data protection.
The Fourth Money Laundering Directive (4MLD) was endorsed by the European Parliament way back in May 2015 and was published in the Official Journal of the European Union on 5 June 2015. That’s when the clock started ticking—member states had two years to transpose 4MLD into national law.
We’ve all been waiting with bated breath for the UK Government to publish draft regulations implementing 4MLD. They were promised last autumn, then in the spring, then… well, it was quite obvious we were waiting on the Brexit vote.
But in reality, Brexit isn’t likely to make a huge amount of difference in terms of anti-money laundering.
The changes to be given effect through 4MLD are not inventions of the EC, they derive from the Financial Action Task Force (FATF).
The FATF is an inter-governmental body established to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.
The FATF Recommendations set out a comprehensive and consistent framework of measures, or international standard, which countries should implement in order to combat money laundering and terrorist financing. Countries have diverse legal, administrative and operational frameworks and different financial systems, and so cannot all take identical measures to counter these threats.
The original FATF Forty Recommendations were drawn up in 1990 as an initiative to combat the misuse of financial systems by persons laundering drug money. The Recommendations, which were revised in 1996, 2001 and 2003, have been endorsed by over 180 countries and are universally recognised as the international standard for anti-money laundering and countering the financing of terrorism.
The FATF further reviewed and updated its Recommendations in 2012 to address new and emerging threats, clarify and strengthen many of the existing obligations, while maintaining the necessary stability and rigour in the Recommendations. The FATF called on all countries to implement effective measures to bring their national systems for combating money laundering, terrorist financing and the financing of proliferation into compliance with the revised FATF Recommendations.
And this is where the EC stepped in with 4MLD which provides EU Member States with a high-level structure and mechanism with which to implement the FATF Recommendations. Of course 4MLD is just a starting point for Member States which can choose how they wish to transpose the requirements as they see fit.
The fact that the UK is now on a course to leave the EU does not mean we can ignore the FATF Recommendations—we’ll still have to find a way to implement those requirements through our national law. And what better way than the structure negotiated and agreed through the EU? Indeed, the Government has already implemented some 4MLD requirements, e.g. the PSC Register regime—see Beneficial ownership and the PSC register.
So in reality it’s unlikely we’ll see anything too dissimilar to what was expected under 4MLD, it’s just a case of when.
Counter-terrorism efforts generally are heavily dependent on cross-border co-operation, so an exit from the EU could have a profound effect on the fight against terrorist financing, especially on intelligence gathering, crime investigation and prosecution.
In response to the Paris terror attacks last November the European Commission issued a counter-terrorist financing (CTF) ‘Action Plan’, the headline proposals of which are:
- bringing forward by six months the date by which Member States need to have transposed 4MLD (to the end of 2016)
- putting together an EU blacklist which identifies high risk third countries with strategic deficiencies in their AML/CTF provisions by the second quarter of 2016
- shortening the timeframe for completing the EU Supra-National Risk Assessment exercise (now due to be published early 2017)
- amending some aspects of 4MLD affecting enhanced due diligence for high risk third countries, virtual currencies, prepaid instruments, centralised bank account registers and financial crime agencies information sharing
On 11 March 2016, the European Council agreed its negotiating position on a proposal for a Directive on combatting terrorism. On the basis of this mandate, the Netherlands presidency will start negotiations with the European Parliament as soon as the latter has adopted its position.
The proposed Directive strengthens and updates the EU’s legal framework in preventing terrorist attacks; in particular, it criminalises:
- travelling for terrorist purposes
- funding, organisation and facilitation of such travels
- receiving training for terrorist purposes
- providing funds to be used to commit terrorist offences and offences related to terrorist groups or terrorist activities
However, the Law Society says the EU Select Committee has indicated that the UK Government was likely to choose not to opt into any proposed terrorism directive in any event, so perhaps, in terms of legislative changes at least, no major news here.
Cybercrime and cybersecurity
As with counter-terrorist financing, efforts to thwart cyber-criminals and protect cyber-security are heavily dependent on cross-border co-operation. The EU has taken several legislative actions encouraging Member States to strengthen national cyber-crime laws which contribute to and support the fight against cybercrime.
The EU agenda for initiatives on cybersecurity and cybercrime includes:
- the launch of an ambitious contractual public private partnership on cybersecurity aimed at strengthening the EU cybersecurity industry and ensuring European citizens and businesses have access to more innovative, secure and user-friendly solutions that take into account European rules and values, and
- prioritising cybersecurity (together with 5G, cloud computing, the Internet of Things and data technologies) in the Commission’s initiative to identify the essential ICT standards and present measures to accelerate their development in support of digital innovations across the economy
The main effect of leaving the EU isn’t likely to be a change of direction in terms of legislation or policy, it’s more a case of losing easy access to these key resources and projects and taking the UK’s voice out of these initiatives.
Sanctions are international measures aimed at:
- encouraging a change in the behaviour of a particular country or regime
- applying pressure on particular countries or regimes to comply with certain objectives
- preventing and suppressing terrorist financing
They are also used as a last-resort enforcement tool when international peace and security has been threatened.
Sanctions effective in the UK can be imposed by:
- the UN Security Council (which are implemented in the EU through common positions and regulations)
- the EU pursuant to the objectives of the Common Foreign and Security Policy
- the UK Government (through the Office of Financial Sanctions Implementation – part of HM Treasury), usually under counter-terrorist financing legislation
In most cases, a statutory instrument is effected in the UK to introduce the measures ahead of the EU introducing the same measures into EU law because it can take time for these provisions to work through the EU legislative process and, if UN-imposed measures are given effect by an EU regulation, a UK statutory instrument would still be required to introduce any penalties resulting from a breach of the regulation.
So again, although the legislative landscape is likely to change significantly in terms of financial sanctions, on the ground efforts and UK processes are unlikely to be drastically different.
Corporate criminal offence—failing to prevent facilitation of tax evasion
HMRC consultation: Tackling tax evasion, a new corporate offence of failure to prevent the criminal facilitation of tax evasion
In April 2016, the government published draft guidance on its proposed corporate criminal offence—failing to prevent facilitation of tax evasion. If implemented, this will require law firms to introduce Bribery Act style systems and controls in relation to tax evasion.
The consultation closes on 10 July 2016 and implementation was planned for the Autumn, but the question now is whether this draft legislation will ever hit the statute books.
On the one hand, this is a wholly domestic piece of draft legislation—it doesn’t derive from EU or international regulation. On the other hand, this could be precisely the sort of ‘regulatory red-tape’ that Brexiteers promised to sweep aside.
So the answer on this particular issue seems to be watch this space.
The SRA published one of its irregular periodic updates late on 23 June 2016, to coincide perfectly with the referendum. Despite the timing, the SRA update contained no acknowledgement that the referendum was happening—the SRA instead preferred to focus on its proposals for “radical reform of the way we regulate solicitors”.
Just what you need in this unprecedented period of economic uncertainty.
The timescale for this regulatory revolution is late 2017 or early 2018. Hopefully the SRA can be persuaded to apply the brakes on non-critical changes, as the profession will have enough on its plate for the next couple of years without having to tackle radical reform from its own regulator.
If, however, the SRA is determined to press on, you can expect:
- two codes of conduct—one for solicitors and one for regulated law firms and their staff
- slimmed down SRA Principles, none of which are particularly contentious
- a new-style code of conduct, taking the outcomes-focused mantra to its logical conclusion—a shorter code, expressed by way of ‘standards’ and supplemented by toolkits rather than indicative behaviours
- retention of the COLP and COFA roles but potential, as yet unspecified, changes to the nature of these roles
- removal of the 3-year PQE requirement for supervisors
- further competition from non-regulated business, which will be allowed to employ in-house solicitors to provide external legal services (apart from reserved legal services like probate, conducting litigation, conveyancing and advocacy)—this has some additional implications:
  - in-house solicitors will not be permitted to handle client money, although the SRA has no power to regulate the way their employer holds client money
  - individual in-house solicitors will have to follow the ‘Code for Solicitors’ but the ‘Code for Firms’ will not apply to their non-regulated employer
  - clients of solicitors employed by non-regulated firms will not have the benefit of compulsory professional indemnity insurance or the SRA Compensation Fund
So far, there’s been no comment from the SRA about whether it’ll step back from these proposals but it has published a statement about the impact on European lawyers: “as it stands there is no impact on your ability to practice or apply. We will keep you updated if this position changes in the future.”
Keep an eye on our email updates. We’ll be tracking these areas closely and will let you know more as soon as we do.
A Practice Note explaining all this is available exclusively to LexisPSL Practice Compliance subscribers. LexisPSL Practice Compliance is an online toolkit that makes risk and compliance easier to manage. It comes with everything you need to get your compliance house in order and keep it that way: practical guidance, templates, flowcharts, checklists and other time-saving tools. Find out more here.