Brexit: implications for engagement letters and AML
Issues to consider with regards to GDPR and anti-money laundering regulations.
From 1 January 2021, the UK is no longer part of the EEA, which means the UK is in control of its own laws and regulations. Many EU laws are already embedded in UK law and may be tailored to suit local requirements as and when required.
The following laws are among many which may affect practitioners in the coming weeks or months:
General Data Protection Regulation (GDPR); and
Anti-money laundering (AML) laws.
Data sharing impact due to the General Data Protection Regulation
The existing EU GDPR will continue to apply, unchanged, in the countries of the EEA. All the main principles, obligations and rights remain in place.
As of 1 January 2021, the UK GDPR together with the amended Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR) will constitute the personal data protection legislation in the UK.
One of the burning questions troubling many practitioners is whether they need to amend or issue new engagement letters.
The answer is it all depends.
There is no specific requirement to issue new engagement letters unless the practice has its data processed in an EEA country or personal data is transferred outside the UK. However, firms should review their engagement letters if data is processed in or shared with an EEA country, and should ensure that the adequate safeguards suggested by the Information Commissioner’s Office (ICO) and the GDPR are in place. The good news is that there is a little time to consider this area.
In answer to the question ‘What effect does the trade deal have on data protection?’, the ICO clearly states that, as ‘part of the new trade deal, the EU has agreed to delay transfer restrictions for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends. If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.’
The ICO has published resources for the Brexit transition here, which all firms must adhere to in order to comply with the regulations. Furthermore, firms may need to check their outsourcing arrangements in detail if any information is being processed within the EEA (such as payroll processing).
Firms need to ensure that they have explicit consent – which is already built into ACCA standard engagement letters – for the processing of data. A practitioner must send their privacy notice to clients as part of the engagement letter. This will cover most of the information that clients require under the legislation. A practitioner must also update clients if the purpose or lawful basis of processing their data has changed.
A sample privacy notice has been provided; if this version is used, it must be adapted to cover the circumstances applicable to the practitioner’s own firm. Alternatively, a firm should send clients its own version.
More detailed ICO documentation templates for controllers and processors are available on the ICO website.
Transfer of data to and from the EEA
Data can be transferred from the UK to the EEA. Transfers to Gibraltar will also continue. As the UK is considered a third country outside the EEA, the EU GDPR will continue to apply to EEA senders of personal data and EU GDPR transfer rules will apply to any data coming from the EEA into the UK.
Under the GDPR, an EEA controller or processor will be able to make a restricted transfer of personal data to the UK if one of the GDPR transfer mechanisms is in place; these depend on an adequacy decision being reached or on appropriate safeguards.
Being outside Europe will affect the following data protection matters in the UK:
International transfer of personal data, including the question of ‘adequacy’ and other safeguards. (This is to be kept under review by the UK government.) The ICO website states that ‘In the absence of an EU adequacy decision, the EU GDPR as it was on 31 December 2020 (‘frozen GDPR’) applies to the processing of personal data collected before 01 January 2021 about an individual living outside the UK as of 31 December 2020 (‘legacy data’). Our [Interactive Tool] will help you decide if you are processing ‘legacy data’ and provides more guidance. As the UK data protection regime is currently aligned with Frozen GDPR, you can continue to read our guidance on the basis that UK GDPR applies. Please continue to monitor the ICO website for updates.’
The possible need to appoint a representative in the EEA.
Lead supervisory authorities - who is yours and might it change?
Miscellaneous points to check and note.
If there are no UK ‘adequacy regulations’ about the country, territory or sector for your restricted transfer, you should then find out whether you can make the transfer subject to ‘appropriate safeguards’:
Standard Contractual Clauses (SCCs) can be used when the controller is sending data. However, the European Commission has recently published draft SCCs which also cover transfers from processors.
If a firm has offices in both the UK and EU countries, then Binding Corporate Rules (BCRs) apply. These are internal codes of conduct for multinational groups sending data between their own entities.
Holders of EU BCRs, where the ICO wasn’t the lead supervisory authority, will automatically be eligible for a UK BCR if:
the UK-established entity notifies the ICO that it has an EU BCR and wishes to have a UK BCR;
it provides the name and contact details of its DPO or other relevant contact; and
it provides any additional information the ICO reasonably requires.
Changes to procedures under anti-money laundering laws
The Fifth Money Laundering Directive (5AMLD) introduced a number of key changes to the European money-laundering regime, including extending the scope of the directive to cryptocurrency wallets and electronic identification processes.
The UK has already implemented the fifth money laundering directive in its laws since 10 January 2020 through SI 2019/1511, in order to meet the Financial Action Task Force (FATF) standards. Additionally, the UK passed The Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019 and SI 2020/991 to bridge the gap between EU legislation and UK anti-money laundering rules.
Among many changes, firms are expected to report discrepancies they find between their own KYC information and the information on the PSC register. In addition, updates have been made regarding access to the UK’s register of express trusts, requiring information to be made available to those with a ‘legitimate interest’. Some of the regulations come into force on different future dates.
The Sixth Money Laundering Directive (6AMLD) will be transposed into EU law this December and must be implemented into member states’ national laws by 3 June 2021. However, the UK has decided to opt out of complying with 6AMLD, as the UK AML regime already complies with many of the 6AMLD rules. Whilst 6AMLD has not been formally incorporated into UK AML legislation, it is crucial that all regulated entities that operate in Europe ensure they are compliant.
ACCA AML guidance and factsheets
Look out for further updates on engagement letters, including revised VAT schedules for GB and NI, which will be available in the next few weeks.