A perfect regulatory storm is brewing

The British are obsessed with the weather; it dominates our conversation, our lives and, recently, the news headlines. Apocalyptic weather has been reported in Central America, the Caribbean Islands and across the state of Florida, whilst in Asia devastating rains and flooding have killed and displaced thousands of impoverished people from India, Pakistan, Nepal and Bangladesh.

These are truly tragic events with huge human impact, but whilst these events have been characterised as ‘once in a lifetime events’, they are to some extent predictable but unavoidable as it seems nature asserts its authority over human development.

Predicting a storm in financial services is rather more certain, as most of the regulatory events are planned, and you might therefore expect the risks to be avoidable. But my eye and attention have been drawn to what I can foresee could be a series of events over the next six to nine months that present a perfect regulatory storm, with serious financial and regulatory consequences for those who are not watching the regulatory ‘charts’.

Tropical Disturbance leading to Depression. A period when dark regulatory clouds form.

On 1st September 2017, the UK government provided guidance on how to meet the requirements of the UK Financial Crime Act that will take effect on 30th September.1

In brief, this powerful new law brings significant additional legal, criminal and therefore reputational risks to firms due to the strict liability and extra-territoriality of the legislation. Whilst bearing a resemblance to the Bribery Act from 2010, this law deals with a different predicate offence, the facilitation of criminal tax evasion by employees and ‘associated persons’, and places an emphasis on firms to ensure that they have in place procedures to prevent these persons from facilitating the evasion of UK and foreign taxes and duty.

Lining up behind new powers of enforcement that can be used even when the firm has no knowledge of the offence and where no criminal prosecution for the tax evasion is required, are the SFO, NCA and HMRC. Having heard a presentation from Simon Airey this week at the London MLRO’s.com conference, it appears that those businesses that have previously been party to allegations of facilitating tax evasion, but which could not be prosecuted, are firmly in the cross hairs and we can expect some early action.

And this is where things start to get interesting, because it is entirely foreseeable that the authorities will be aware of these tax crimes, well before the banks and firms who manage the affairs of these offending companies.

Increasing coordination and sharing of information between law enforcement agencies and local regulatory supervisors is to be welcomed and encouraged if there is to be any improvement in law enforcement attempts to deny access to criminal proceeds. However, it is not inconceivable that a regulated firm may now receive and be required to manage both a criminal enquiry and a regulatory inspection relating to the management of tax evasion risks. Let’s hope some common sense prevails in the most part.

Thunderstorms, lightning and heavy rains leading to a hurricane status. The mood darkens.

Given that there is a presumption of guilt under the UK FCA 2017 that the firm must then defend with demonstrable ‘reasonable procedures’, I can foresee some choppy water building here that will increase to form a ‘depression’ when tax information between jurisdictions under new information exchange agreements is added to the mix.

The high winds being provided by the Criminal Finance Act 2017 are going to be intensified by the first tranche of reporting by the early adopters under the Common Reporting Standards.

After the G20 meeting in London in 2009, there has been a great deal of movement to combat tax evasion, at least outside of the states of Delaware and Wyoming et al in the USA.

In May 2014, the Standard for Automatic Exchange of Financial Account Information, commonly referred to as the Common Reporting Standards (‘CRS’), was entered into by 47 countries. Today more than 140 countries have agreed to share ‘reportable’ details that include:

  1. Name, address, Taxpayer Identification Number;
  2. Date and place of birth of each Reportable Person;
  3. Account number;
  4. Name and identifying number of the reporting financial institution; and
  5. Account balance or value as at the end of the relevant calendar year or closure if earlier.

From September 2017, that’s right, at exactly the same time the UK FCA 2017 is implemented, more than fifty early adopters will be sharing highly private and confidential information as part of the biggest international data exchange the world has ever witnessed.

Quite aside from the likely impact that this current information will have to support greater scrutiny from HMRC, and therefore the level of investigative and operational resource that will be required to be employed within regulated firms to meet this level of scrutiny, the sheer size and scale of such a data exchange is truly staggering and brings unprecedented cybercrime risks at a time when we have just been apprised of yet another significant theft of data in the USA, reported by Equifax.

Consider for a moment what the impact could be if any of this new CRS data, much of which is being sent from emerging market jurisdictions with potentially less robust systems and infrastructure, falls into the wrong hands, courtesy of an aggrieved employee, dissatisfied government official, hacker or through simple negligence.

Whilst we should applaud attempts to shine a light in some of the darkest and most secret tax havens of the world, the risks that accompany this trade in personal data come with a significant threat of someone catching a cold.

If the limit of the current reported disclosure of Equifax client information is contained and ONLY affects 140 million customers in the USA, just how will identity verification be performed for these customers when the details of their school, mother’s maiden name and the fact that their first dog was called ‘Bounce’ are already available on the dark web? What then?

Heaven forbid we then have new data protection laws introduced in May of 2018 that stiffen the maximum fines and strengthen the enforcement action that may be taken against data controllers and processors who fail to secure their client details and assets!

Stay inside, batten down the hatches and be prepared!

Most of us will not have the privilege and good fortune to ride out this regulatory hurricane in our wine cellars. Regrettably, I fear that some of us in the regulated sector, and I do genuinely fear for some of the accountable persons under the SM&C regime, will not only get wet, but may be displaced far sooner than was anticipated unless some considerable time, effort and resource is put into performing robust risk assessments to guide and mitigate these risks.

Whilst this vision for the coming year may appear a little morose for some, a good look at the facts and the momentum that is being built around transparency, accountability and consequence management should, I hope, incentivise boardroom management to provide the resource that is going to be required to prioritise and manage these very real risks.

1 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/642714/Tackling-tax-evasion-corporate-offences.pdf