Jamie Watt: More regulation means doing better risk evaluation and more due diligence

The new rules apply to those controlling or processing personal data in the EU, in relation to EU citizens, or the offering of goods or services to EU citizens. Non-EU companies will have to appoint an EU representative (how this fits with Brexit remains to be seen).

Data processors have increased liability to ensure that appropriate consents are in place. Cloud tech providers will not be exempt. Consent must be positively given by the data subject, in an intelligible and easily accessible form, using clear and plain language. Gone are the days of gathering implicit consent via terms buried in complex documentation. And it must be as easy to withdraw consent as it is to give it. A “right to be forgotten” – to have one’s personal data erased – is also provided.

As such, this piece of legislation begs for companies to have their processes, customer interactions and commercial arrangements reviewed.

Taxing matters: 2017 also saw the implementation of a new offence, facilitating the evasion of tax. Highly relevant, but not limited just to the fintech sector, it applies to companies, and the actions of persons associated with them. If you have an employee acting in connection with your company’s activities, as a director you may be liable for their actions.

The law addresses the evasion of tax both at home and abroad, and all types of tax. It covers aiding, inciting, instigating and procuring.

Examples of conduct which would be caught include continued trade with someone in the knowledge that they should be registered for VAT; the adoption of transfer pricing strategies that don’t reflect the true substance of an international business; and potentially, dealing with trade customers through their personal current accounts.

A defence to liability exists for directors. The business must have in place a policy aimed at preventing the offence. This policy should touch on areas such as risk evaluation, management reporting and due diligence. It should also highlight examples of non-permitted activities.

Anti-money laundering: Within the fintech sector, there is a particular focus on financial and payment services. Anti-money laundering regulation is highly relevant, and this has recently undergone a significant revisal.

The key is knowing your customer. Basic customer due diligence must be applied where an occasional transaction exceeding a fairly low threshold is carried out, or where a business relationship is established. It must be repeated if a single transaction or series of linked transactions exceeds another threshold, and also where awareness of a change in circumstances arises. Additional requirements apply to credit and financial institutions, which include those which take deposits, or which provide services such as payment execution.

This legislation is particularly applicable to decentralised ledger technologies, which allow funds to be transferred instantaneously and internationally.

Sanction checks, often forgotten, should also be implemented. Requirements to freeze assets are independent of customer due diligence.

There is a raft of other requirements, and the flow towards greater regulation seems unlikely to cease.

Jamie Watt is partner and IP&T specialist, Harper Macleod LLP