Monthly Archives: February 2012

FATF steps up the fight against money laundering and terrorist financing

On 15 February 2012 the Financial Action Taskforce (FATF) issued revised standards on combating money laundering, terrorist financing and the proliferation of weapons of mass destruction.
FATF state that the revisions to the FATF recommendations address new and emerging threats, clarify and strengthen many of the existing obligations, while maintaining the necessary stability and rigour in the recommendations.

Key changes of interest to the legal profession include:

  • Increased clarity in the risk-based approach with specific requirements for both countries and regulated entities. More guidance is provided on the types of clients, countries and transactions which may be higher or lower risk and sets out a range of measures which could be applied either for enhanced or simplified due diligence. Countries are permitted to provide options for simplified due diligence and also complete exemptions from due diligence requirements. Where a client would qualify for simplified due diligence on one basis, but otherwise be subject to enhanced due diligence, the standards now make it clear that the enhanced due diligence is required. However, there is recognition that even where enhanced due diligence is required; the extent to which the enhanced measurers are applied may vary according to the specific levels of risk of the retainer.
  • Regulated entities are now specifically required to have a written risk assessment, their policies and procedures should be compliant with supervisors’ guidance, and include provision for an audit function to test compliance and screening to ensure high standards when hiring employees. Further the money laundering reporting officer should be appointed at management level.
  • For due diligence on companies, there is a new beneficial owner which should be identified in the event that no individual has control of share ownership or other control, namely the person who holds the position of senior managing official. Further simplified due diligence is permitted for listed companies who are either the client or the owner of a controlling interest, meaning that neither the shareholders nor the beneficial owners need to be identified or verified. A listed company is one which is listed on a stock exchange and subject to disclosure requirements either by stock exchange rules or through law or enforceable means, which is wider than currently permitted.
  • For due diligence on trusts, the protector and settlor are now required to be identified.
  • The standards now require a company register to be established in each country, which should at least have information on shareholders or members, directors and basic regulating powers. Trustees are required to hold information on beneficial owners and provide information on beneficial ownership to regulated entities, although this requirement may be applied by common law.
  • Foreign politically exposed persons should be subject to enhanced due diligence, whether they are the client or the beneficial owner and enhanced due diligence should apply to domestic peps on a risk based approach.

The recommendations also provided detailed requirements around implementation of sanctions regimes and the prevention of the use of non-profit organisations for terrorist financing.

The European Commission will be releasing a consultation paper in March on how the FATF recommendations will be implemented within the European Union.

Read the new FATF Recommendations

Confidentiality and data protection

The loss of data ? whether it is through hacking, leaving briefcases, unencrypted laptops or USB sticks on the train (which even MI5 and MI6 can do) ? can have huge ramifications. Outcome (7.5) requires all law firms to comply with data protection legislation. Firms should register with the Information Commissioner, have in place a data protection policy and regularly update all members of staff in connection with good practice on the security of personal information.

[col1]A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data about individuals involved in eight court cases that she had been working on. The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. The breach was only reported to the ICO on 30th August 2011 when the last case relating to information held on the laptop was concluded.

Although in this case the Information Commissioner?s Office was unable to serve a financial penalty as it took place before 6th April 2010, it should act as a warning to all legal practitioners that failure to protect personal information is not just about a potential penalty of up to ?500,000 ? it could affect their careers too. If personal data is not properly safeguarded, it can seriously jeopardise the important work the firm carries out, damage its reputation and prosperity and compromise the safety of individuals.

Firms should also be in a position to respond to any breach of security swiftly and effectively. All breaches have to be reported to the Information Commissioner?s Office as soon as possible.

Since gaining new powers in 2010, the Information Commissioner?s Office has already levied penalties of hundreds of thousands of pounds for breaches of data protection laws. And law firms are not immune. [/col1]

[col2]There have been numerous cases concerning lost memory sticks and back-up tapes that were unencrypted. Data controllers must ensure that there are appropriate policies in place to protect any personal information both inside (including clients and/or third parties being able to identify clients from file labels) and outside the office and that relevant staff are fully trained on how to follow them.

To comply with Principle 7 of the Data Protection Act, firms need to have adequate physical and technical security, backed up by robust policies and procedures to prevent the personal data they hold being accidentally or deliberately compromised.

Staff should be aware of what they can and cannot do with the personal information they handle and what they can and cannot say in relation to sensitive client information in public. There is also the danger of someone trying to trick staff into disclosing information or changing an address. All staff who handle personal information need to know that it is a criminal offence to give out personal information without the data subject?s consent.[/col2]

Updates for your website, terms of business and client care documents

To comply with Chapter 8 of the Handbook, your letterhead, website and e-mail footer must now (inter alia) show the worlds ?authorised and regulated by the Solicitors Regulation Authority and the firm?s SRA number (or Companies House registration number if applicable).

The financial services status disclosure information in your terms of business should now include the FSA?s website address: