Jamie Watt: More regulation means doing better risk evaluation and more due diligence
Cloud over data? Data is already key and presents a massive untapped resource for future growth through AI-driven innovation. The legislative landscape on personal data is about to change, through implementation of the General Data Protection Regulation. Some may say it brings directly into law best practice and as such should not be as significant an issue as some may think.
The new rules apply to those controlling or processing personal data in the EU, in relation to EU citizens, or the offering of goods or services to EU citizens. Non-EU companies will have to appoint an EU representative (how this fits with Brexit remains to be seen).
Data processors have increased liability to ensure that appropriate consents are in place. Cloud tech providers will not be exempt. Consent must be positively given by the data subject, in an intelligible and easily accessible form, using clear and plain language. Gone are the days of gathering implicit consent via terms buried in complex documentation. And it must be as easy to withdraw consent as it is to give it. A “right to be forgotten” – to have one’s personal data erased – is also provided.
As such, this piece of legislation calls for companies to have their processes, customer interactions and commercial arrangements reviewed.
Taxing matters: 2017 also saw the implementation of a new offence, facilitating the evasion of tax. Highly relevant, but not limited just to the fintech sector, it applies to companies, and the actions of persons associated with them. If you have an employee acting in connection with your company’s activities, as a director you may be liable for their actions.
The law addresses the evasion of tax both at home and abroad, and all types of tax. It covers aiding, inciting, instigating and procuring.
Examples of conduct which would be caught include continued trade with someone in the knowledge that they should be registered for VAT; the adoption of transfer pricing strategies that don’t reflect the true substance of an international business; and potentially, dealing with trade customers through their personal current accounts.
A defence to liability exists for directors. The business must have in place a policy aimed at preventing the offence. This policy should touch on areas such as risk evaluation, management reporting and due diligence. It should also highlight examples of non-permitted activities.
Anti-money laundering: Within the fintech sector, there is a particular focus on financial and payment services. Anti-money laundering regulation is highly relevant, and this has recently undergone a significant revisal.
The key is knowing your customer. Basic customer due diligence must be applied where an occasional transaction exceeding a fairly low threshold is carried out, or where a business relationship is established. It must be repeated if a single transaction or series of linked transactions exceeds another threshold, and also where awareness of a change in circumstances arises. Additional requirements apply to credit and financial institutions, which include those which take deposits, or which provide services such as payment execution.
This legislation is particularly applicable to decentralised ledger technologies, which allow funds to be transferred instantaneously and internationally.
Sanction checks, often forgotten, should also be implemented. Requirements to freeze assets are independent of customer due diligence.
There is a raft of other requirements, and the flow towards greater regulation seems unlikely to cease.
Jamie Watt is partner and IP&T specialist, Harper Macleod LLP