As Compliance Officers return to work after the strangest Christmas which most of us can remember, it's time to write that compliance plan for the year ahead.
Before you start, firstly consider what didn't get done last year. We know from our discussions with compliance officers that Covid-19 has caused significant delays to plans, so we would recommend addressing any outstanding, urgent items from last year before anything else. Planning will be different for every firm, but the items with the most risk attached should of course be put to the top of the list.
Below, we have outlined considerations and actions you might want to focus on in the months ahead, though these will obviously vary based on your individual priorities and on world events as they unfold.
January
On 31 December 2020, the government had a last minute change of approach to their implementation of DAC6 (EU Directive 2018/822). The government seems to have formed the opinion that much of the directive simply repeats existing UK legislation. The Disclosure of Tax Avoidance Schemes (DOTAS) provisions have been in place for some time, and other requirements of DAC6 were regarded as being too wide in scope.
As a result, only arrangements falling within Hallmarks D1 or D2 are still reportable to HMRC, i.e. those that involve attempts to conceal income or assets, or aim to obscure beneficial ownership.
D1: Arrangements which may have the effect of undermining Common Reporting Standard (CRS) reporting
D2: Certain arrangements involving non-transparent ownership chains, using arrangements which lack substance
While there is no longer a requirement to report as meticulously to HMRC, businesses will still need report to relevant EU tax authorities where an obligation to do so remains (it may simply be the case that organisations with operations in the UK and the EU report there instead of to HMRC).
This change reduces the ongoing burden of complying, and also helps avoid the rush to meet imminent reporting deadlines that relate to historic arrangements, as only those limited to D1 and D2 cases need to be dealt with.
In due course, the UK will commence a consultation and bring forward new legislation in order to implement the OECD disclosure rules.
Of course, the big news this month that we all had plenty of notice for, was Brexit. With a deal finally agreed, we now have a little more certainty about our future relationship with Europe.
However, some social media companies have already announced plans to relocate 'UK data' from the EU to the US, so going forward you will need to keep an eye on changes to your provider agreements. The government's advice about data can be found at:
Using personal data in your business or other organisation - GOV.UK (www.gov.uk)
And from the Information Commissioner at:
Data Protection after the end of the transition period | ICO
There have also been changes to the sanctions regime. The Office of Financial Sanctions Implementation (OFSI) has published advice on what to do now that we are out of the EU, and the EU regime no longer applies:
Get ready for the end of the transition period - OFSI (blog.gov.uk)
The registered European lawyer (REL) regime ended on 31 December 2020 (except for Swiss lawyers), and where this takes effect, everyone will become a registered foreign lawyer (RFL) unless they have opted out. It is worth asking affected staff to check that this is taken care of.
February
New AML guidance from the Legal Sector Affinity Group is expected to be published by now and getting to grips with it should be a priority. We expect, from the updates at the SRA's Compliance Conference, that there will be some significant changes since the last version.
Now is the time to give your AML policies and procedures a health check and to prioritise training. It is essential that any changes you make are embedded in processes, particularly as the SRA continues to focus on AML issues. Are you appropriately documenting sources of wealth and funds? Are matter risk assessments completed? Is there documented ongoing monitoring of matters? Now would be a good time to carry out AML file audits and to review your firm wide risk assessment.
As the stamp duty holiday comes to an end, financial crime is expected to increase and therefore should be an important consideration this month. Fraudsters will see the coming couple of months as a golden opportunity to get their hands on your clients' funds.
March
Conveyancers may be feeling the pressure this month, as fraudsters look to take advantage of the home-working situation and appropriate completion funds. Conveyancers should ensure that staff are updating their anti-virus software, but more essentially, that they are carefully checking emails and instructions in order to spot fraudsters attempts. Ensuring effective supervision over the movement of funds will be paramount for firms to avoid fraud. Other important considerations will be; is your accounts team in the loop, are other suitable people on hand to help out with answering phone calls, doing the less essential admin and freeing up stressed conveyancers?
April
While Covid-19 and lockdowns have undoubtedly caused lapses in certain processes, it is essential for firms to keep on top of the basic security protocol like file reviews and supervision. Conveyancers should prioritise dealing with any backlogs on these, and avoid processes slipping further. Completing reviews now will help towards planning for the next month.
May
Now would be a sensible time to review your compliance with current CQS standards if they are relevant to you. If you also follow Lexcel compliance standards it would also be sensible to check this. Keep in mind the requirements for training.
It would also be worth preparing for the PI renewal at this time of year. It is good practice to ask people to report any previously unmentioned potential complaints or claims, feeding back any feedback or trends in relation to these.
June
This year, there will be another SRA Equality and Diversity survey which should be advertised within your firm to ensure as many people as possible complete it. If you choose to publish the results, on your website for example, remember to do so in a way that avoids individuals being identified. Take the opportunity to reflect on previous years, to look for any improvements, and record them. Consider any action needed going forward, and check when you last provided E&D training. Have new staff members received it?
If you didn't review your AML Risk assessment back in February, now would be a good time to do this. We'd also recommend checking those data protection agreements and policies six months post-Brexit.
July
Before holiday season starts in earnest, now would be a good time to ensure training is up to date. We've mentioned AML and E&D already, but what about an information security reminder? Have you only provided Bribery Act training more than once? Staff need to complete a Learning Needs Analysis, so make sure they are in a position to learn and make the required declarations.
August
Who knows how things will be in August? Potentially, people may be wanting a break and you will need to consider holiday cover. It might not be possible to travel abroad, so people could be venturing into more remote parts of the UK where mobile reception is poor and advertised holiday home Wi-Fi may only be available in theory.
September
Renewal time will keep you busy this month. However, if you have spare time, you can improve your information security status by checking against the CyberEssentials standard, or even CyberEssentials+.
October
If you haven't already updated your website in respect of the transparency rules, now would be a good time to start a review. Have staff changed? What about fee rates and other costs? How has Covid affected timescales (both yours and third-parties')? Busy courts and other factors could mean things just aren't moving as fast as they used to.
November
This month you should carry out your annual review of your compliance policies and procedures in relation to SRA Standards and Regulations – these will be two years old by now.
December
Now is as good a time as any to carry out a review of your risk register if you have one, and if not, a good time to create one. It should cover things like:
- Covid-19 impact
- Complaints and claims, identified trends from file audits and supervision
- BCP review
- SAR's submitted (or not)
- The year ahead – what are your audit and training plans for example? Back to that Compliance Plan!