The recent fallout from the “Panama Papers” data leaks has not only thrown the use of offshore tax havens and fiscal transparency back into the spotlight, but has also highlighted the threat of data security breaches and the associated compliance risks for firms operating in these jurisdictions.
The following thoughts provide an overview of the main issues arising from these leaks, along with some comments and implications for:
- Money laundering
- AML
- Asset tracing
- Sanctions
- Data protection
- Cyber security & Corporate reputation
- Cyber security risks & Professional Indemnity
These matters are discussed below.
MONEY LAUNDERING
- The recent allegations may have potentially wide-ranging and significant ramifications not only for those identified in the leaked documents, but also for anyone else on notice of the issues and risks that have been exposed and who has dealings with the individuals and entities about whom allegations have been made.
- Where there are allegations concerning efforts to conceal or mislead as to ownership of assets, for whatever reason, there will be greater risk of fraud and money laundering.
- Likely top of the list of concerns for those involved in transactions or business arrangements with named parties (or their offshore vehicles) is whether those arrangements expose them to money laundering risks. If so, they will need to consider carefully whether they can safely proceed with those arrangements. Even if they decide that they cannot, it is not necessarily straightforward to extricate oneself from a relationship without potentially triggering a money laundering offence.
- These risks arise wherever there are suspicions held (however subjectively) that one is dealing in any way with proceeds of crime (i.e. anything that constitutes or represents the benefit from criminal conduct).
- If the dealing (including simply possessing proceeds of crime) and the suspicions exist at the same time, a money laundering risk exists.
- This risk will be real for anyone who has suspicions that their arrangements might involve them in:
  - receiving,
  - transferring, or
  - holding
  the proceeds of crime, or that they have become concerned in an arrangement that facilitates:
  - their acquisition,
  - retention, or
  - use by someone else.
- The issue may be critical and urgent where a payment is about to be made or received about which suspicions now exist.
- The penalties are severe – up to 14 years’ imprisonment and an unlimited fine.
- The bar for the UK authorities to meet any jurisdictional requirements to investigate and prosecute is very low – if activities in relation to the crime occur in the UK, UK nationals are involved, the monies enter or leave the UK or victims suffer in the UK, this may be sufficient in appropriate cases to allow prosecutors like the SFO to investigate.
- There is only one clear way out: make a suspicious activity report to the FIU (e.g. JFCU, National Crime Agency) seeking permission to proceed with the relevant transaction or arrangement, and then wait for their response.
- For businesses in the regulated sector (i.e. broadly those who deal with client money, offer and manage investments and insurance products and/or advise on investments, tax and property transactions), this isn’t a choice – there are positive obligations to report suspicions of money laundering where the relevant information has been learned in the conduct of the regulated business. Failure to report could result in 5 years’ imprisonment.
AML
- Firms authorised and regulated (e.g. by the JFSC, GFSC, PRA or FCA) are obliged to carry out regular assessments of the effectiveness of their anti-money laundering systems and controls. Should a data security breach give rise to any such concerns, firms should use this as a trigger to review the effectiveness of existing controls.
- In the same way, and whether firms are regulated or not, to the extent that the recent disclosures affect the risks more generally of doing business with particular parties from a bribery and corruption perspective or otherwise, these should be taken into account as part of any due diligence or on-boarding exercise before proceeding to contract with relevant parties.
- More generally, the recent disclosures in respect of a number of different matters in recent weeks may warrant a specific review or audit of relevant anti-fraud/money laundering/bribery controls to ensure that they remain suitable for the particular risks that the business faces.
ASSET TRACING
- If the disclosure of a party’s interest in offshore entities exposes wrongdoing, this may give rise to new causes of action arising from those arrangements. For example:
  - a party involved in a fraud or breach of fiduciary duty may have used an offshore shell company (in which they held an anonymous interest) for the purposes of facilitating that fraud or breach of duty.
- The exposure of such arrangements would offer additional remedies against the wrongdoer and possibly any assisting parties.
- Such remedies may include following, tracing and seeking restitution of any stolen monies, or assets acquired with those funds.
- In the meantime, there may be claims that the misappropriated monies and assets acquired with them are held on trust for the benefit of the claimants.
- Evidence of the transferring of assets to entities in offshore jurisdictions, and ostensibly out of the reach of a potential judgment or award creditor, is likely to support court applications to freeze those assets, quite possibly through the use of worldwide freezing injunctions.
- This is particularly the case where the intention behind the arrangement is to make it harder to enforce any actual or anticipated judgment or award, or is a precursor to the dissipation of concealed assets.
- In general, time is of the essence if creditors want to protect their position, and a well-coordinated cross-border strategy will be needed to identify, trace and recover the money lost.
SANCTIONS
- The recent allegations have revealed the use of offshore structures to circumvent sanctions.
- Whilst there has been much coverage recently of the relaxation of the sanctions regime affecting Iran, there remain several thousand persons and entities listed on UK, EU and US sanctions lists.
- Sanction regimes generally prohibit receiving payments from sanctioned persons, making payments to sanctioned persons and dealing with the economic resources of sanctioned persons.
- Firms need to ensure that they screen clients and potential clients to confirm that any representation is not in breach of sanctions regimes. Whilst it may be possible to obtain a licence, these can be difficult and time-consuming to obtain. However, firms also need to exercise caution in providing advice that may be regarded as facilitating the circumvention of sanction rules.
- Within the UK, sanctions awareness and enforcement have been made a priority by the Chancellor, George Osborne.
- On 31 March 2016, a new dedicated sanctions body, the Office of Financial Sanctions Implementation, was established. As well as advising on compliance, this body is expected to take a more aggressive enforcement approach than hitherto taken by HM Treasury.
- Further, the UK government has included provisions in the Policing and Crime Bill to introduce new penalties for breach of sanctions rules, as well as increasing the maximum custodial sentence from two to seven years.
DATA PROTECTION
- A “data leak” (whether following a cyber-attack or otherwise) that involves the disclosure of personal data gives rise to the potential for liability under data protection legislation.
- However, under the UK data protection regime (which implements the relevant EU Directive), the fact that there has been a security breach does not of itself necessarily result in a breach of the relevant legislation.
- The obligation on a “data controller” (the entity that determines the purposes for which and the manner in which the personal data are to be processed) is to ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing, having regard to, amongst other things, the state of technological development, the harm that may result following a breach and the nature of the data to be processed.
- If, having taken appropriate measures, there is still a personal data breach (for example following a sophisticated cyber-attack that could not be realistically prevented) the data controller will not have liability under the legislation for breach of this obligation.
- This position will not materially change under the proposed new EU “General Data Protection Regulation” (the “Regulation”), which is anticipated to apply from Spring 2018.
- However, what will be very different under the new Regulation is the requirement to notify, in certain circumstances, the relevant supervisory authority and data subjects of a personal data breach.
- Where a notification to the supervisory authority is required, it would need to be done without undue delay, and where feasible, not later than 72 hours after the data controller has become aware of the breach.
- Where a notification to data subjects is required, it would need to be made without undue delay. In addition, for the first time, “data processors” (entities that process personal data on behalf of data controllers) will also have obligations imposed on them in relation to data security and shall be directly liable under the Regulation for failing to meet them.
- Given the level of potential fines under the Regulation (which could be as high as EUR 20 million or, in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is the greater), organisations should ensure that they adequately assess the appropriateness of the technical and organisational measures that they have in place to prevent, or mitigate the effects of, a data security breach.
- Where relevant (and in certain circumstances it is mandatory under the Regulation), a data protection impact assessment should be completed which should, amongst other things, identify the risks posed by the processing to be performed and the measures that could be employed to address those risks.
- Organisations (whether they be controllers or processors) should also develop policies that set out the procedures that the organisation will follow in the event of a personal data breach, including to take account of the new notification requirements.
CORPORATE REPUTATION
- Both the entity whose security has been breached and any company whose data is leaked are at risk of reputational damage, particularly where the nature of the data can be used to suggest some form of wrongdoing, whether moral or legal.
- Similarly, there are risks where the leaked data relates to a key employee, such as the CEO or another member of the board of directors, and where their alleged wrongdoing can be imputed to their employer.
- Cyber security incidents can be big news and, in order to minimise reputational damage, it is important to have a carefully prepared PR strategy.
PROFESSIONAL INDEMNITY COVER AND CYBER SECURITY RISKS
- Law firms and other professional service providers face two major risks in relation to cybercrime which may not be covered by professional indemnity coverage: breach of client confidentiality and structural/financial impact upon a law firm itself.
- Unauthorised “leakage” of confidential information by employees, commercial espionage, “phishing” attacks, the use of “malware” and hacking are all risks facing law firms given the nature of confidential information they hold.
- Where these result in civil claims against the firm by clients or other third parties to whom the firm owes a duty of care and/or prompt an investigation or inquiry, there may be cover under the firm’s professional indemnity cover, subject to its terms and conditions (which commonly exclude cover for fines or penalties).
- Firms may also face threats to their own ability to carry out their professional business, for example, due to attacks on their own websites or servers or on those of external providers.
- As well as some third party losses, first party losses – such as breach response, PR expenses, forensic investigations, business interruption, denial of service, extortion threats, breach of employee confidentiality, and fines and penalties – caused to a law firm may not be covered by its professional indemnity insurance.
- Where news of a breach of confidentiality breaks, a firm is in a situation which has legal, regulatory, technical and public relations dimensions, and it is vital that a firm:
  - plans for this contingency, and
  - identifies in advance a specialist internal or, if necessary, external team that can assist.
- Regarding these matters, many cyber insurers provide access to such support as an ingredient of the coverage.