Thursday 24 August 2017

GDPR - One of the biggest regulatory issues for next year


This is the first of a series of CPD updates on the new requirements for data protection coming into force in May 2018. I am keeping them short and to the point to make life easier for you. The gist of this one is that you need to have a Privacy Statement in place and that it should be issued to clients as part of the initial disclosure document. The deadline for having this in place is 25th May 2018, but don't let that date fool you.

Data Protection is going to be one of the biggest regulatory issues facing UK mortgage and insurance firms in 2018. GDPR (General Data Protection Regulation) is an EU directive that will apply in the UK from 25 May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.

It is going to be a big issue for a number of reasons.

Firstly, it is going to introduce the need for data subjects (your clients) to provide informed and unambiguous consent to the holding and processing of their data. This means that the client has to be told what you will do with their data, who it will be passed to, who the data controllers are and a number of other matters. Unambiguous consent differs from what we have now because it will almost certainly require something written down and signed or confirmed (by an action online, for example) by the client before you can begin to process their data. Silence, pre-ticked boxes or inactivity by the client will not be sufficient to demonstrate consent.

In addition, along with Data Subject Access Rights (DSARs), clients will need to be told that their consent for your firm to process data can be withdrawn at any time. Children’s data becomes an issue although probably not a major one for brokers as information about dependents will invariably be provided by their parents.

Secondly, the penalties for data protection breaches are increasing and there will invariably be a rash of very public enforcements of firms of all sizes in the early days to encourage the others. That is exactly what we saw from 2004 when the FSA took over regulation of mortgages and we should expect a repeat for Data Protection.

Thirdly, we have at last a bullish Information Commissioner who seems very keen to make a mark. Over the past few years, even under the existing rules, we have seen a significant increase in enforcement activity against firms across various markets, and this will most certainly continue.

So what does this mean for mortgage and insurance intermediaries?

It is early days but we need to start thinking about the actions to take. The most obvious one is that of disclosure to clients. Currently many firms still use the Initial Disclosure Document designed originally by the FSA (albeit now without the Key Facts logo). It was a document fit for purpose, but in its current form it is inadequate to deal with the GDPR. So, step one is for you to consider moving to a Terms of Business letter that covers both your regulatory disclosures and your data protection obligations. For those of you who use my MI System, there is an example of a Terms of Business in the Library (although it does not address GDPR at the moment).

At the present time, what a good job looks like post 25th May is a Terms of Business letter that satisfies Mortgage Credit Directive requirements, covers the new Insurance Distribution Directive requirements (the subject of another CPD update) and includes a full Privacy Statement for GDPR requirements. This document should be signed by clients or otherwise confirmed by some form of email or electronic wizardry.

The next article on Data Protection will look at the definitions and extensions to the meaning of information and the types of processing mortgage and insurance intermediaries typically undertake in order to see if we have any issues and concerns post 25th May 2018.

Friday 17 February 2017

Can You Afford a £1 Million Fine?

A conversation with a firm recently reminded me of the importance and, arguably, the utter impossibility of checking the HM Treasury Sanctions List. By way of a reminder, this is a list that our Government has compiled of individuals and organisations that we are prohibited from dealing with. You may recall a couple of years ago the then FSA sent out a survey on Systems of Control which included a question about whether firms routinely check against the Sanctions List.

Of course such checks are mandatory for all firms and, whilst the probability of being approached by someone or an organisation on that list is quite low, the consequences are quite serious, both for your firm and personally for the individual transacting.

From April 2017, the Treasury’s Office of Financial Sanctions Implementation (OFSI) will be able to impose penalties for serious breaches of up to £1 million or 50% of the breach - whichever is higher.

So what can be done?

Well, a quick look at the first three entries on the Individuals Sanctions List below indicates the scale of the problem when considering a visual search on screen. There are 136 entries for individuals and 5 entries for Entities for the Afghan Regime alone, and that accounts for approximately 10% of the size of the list. Currently, the UK has over 27 United Nations, European Union and domestic financial sanctions in place, covering just over 1,900 individuals, groups and countries.


  • Extract from Afghanistan Regime Individuals List
  1. Name 6: ABBASIN 1: ABDUL AZIZ 2: n/a 3: n/a 4: n/a 5: n/a.DOB: --/--/1969. POB: Sheykhan Village, Pirkowti Area, Orgun District, Paktika Province, Afghanistan a.k.a: MAHSUD, Abdul Aziz Other Information: UN Ref TI.A.155.11. Key commander in the Haqqani Network under Sirajuddin Jallaloudine Haqqani. Taliban Shadow Governor of Orgun District, Paktika Province, as of early 2010. Listed on: 21/10/2011 Last Updated: 17/05/2013 Group ID: 12156.
  2. Name 6: ABDUL AHAD 1: AZIZIRAHMAN 2: n/a 3: n/a 4: n/a 5: n/a.DOB: --/--/1972. POB: Shega District, Kandahar Province, Afghanistan Nationality: Afghan National Identification no: 44323 (Afghan) (tazkira) Position: Third Secretary, Taliban Embassy, Abu Dhabi, United Arab Emirates Other Information: UN Ref TI.A.121.01. Listed on: 23/02/2001 Last Updated: 29/03/2012 Group ID: 7055.
  3. Name 6: ABDUL AHMAD TURK 1: ABDUL GHANI 2: BARADAR 3: n/a 4: n/a 5: n/a.Title: Mullah  DOB: --/--/1968. POB: Yatimak village, Dehrawood District, Uruzgan Province, Afghanistan a.k.a: (1) AKHUND, Baradar (2) BARADAR, Abdul, Ghani Nationality: Afghan Position: Deputy Minister of Defence under the Taliban regime Other Information: UN Ref TI.B.24.01. Arrested in Feb 2010 and in custody in Pakistan. Extradition request to Afghanistan pending in Lahore High Court, Pakistan as of June 2011. Belongs to Popalzai tribe. Senior Taliban military commander and member of Taliban Quetta Council as of May 2007. Listed on: 02/04/2001 Last Updated: 29/03/2012 Group ID: 7060.
Obviously, it is possible to do a SHIFT F3 search on a screen version of the Sanctions List, but if you are looking for the name Mohammed, then you have 136 entries to read through.

This all takes time and frankly, whilst it is mandatory, it doesn't add to the profit margins. Even if you use a system (and there are a few out there) you still come down to the final point of responsibility. It is you as a controller who has to have in place a system to check the Sanctions List, and you and, if applicable, your employees, ARs or self-employed staff must undertake these checks without fail.

Next steps

You must have in place a procedure for checking the HM Treasury Sanctions List at this address.
  • You must ensure that for each application for mortgages or insurances (or any other business), a check is made of that list. My recommendation is to check the surname first and, if there is any occurrence, then also check the full name. Depending on your level of confidence it might also be worth checking just the first name. Don't forget that these lists include names and aliases.
  • If any occurrences are found, then check the details of each entry as far as you are able, e.g. date of birth or any other details that you can find that might be pertinent (address history, for example, or passport details; this is not an exhaustive list).
  • Keep a record of the result of your review and, if you identify an issue or have a concern, report it to the Office of Financial Sanctions Implementation (OFSI).
The OFSI issued guidance on the Sanctions List in December 2016 which, inter alia, includes the following text.

The consolidated list generally contains additional identifying information such as date of birth, passport details, nationality, last known address, and employment or government role. You should consider all of the information that you hold on the person or entity you are dealing with against the information on the consolidated list to determine if you have a real match, usually known as a target match.

Where you have reviewed all of the information on the consolidated list against all of the information that you have about the person or entity and you are still unsure as to whether you have a target match, you can contact OFSI for assistance.
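To show what the "Next steps" procedure and the OFSI target-match guidance look like when automated rather than done with a Shift F3 search, here is an added example that is not part of the original post nor of the MI System described in it. It parses entries in the layout shown in the extract above (the "Name 6: ... 1: ... 5: ..." fields, DOB, a.k.a. and Group ID), then screens a name by surname first, then full name, then date-of-birth year, across both the primary name and every alias, and reports each unique Group ID with the reason for each occurrence. The three sample entries are abridged from the page's extract; everything else about the real consolidated list's file format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample entries, abridged from the extract of the Afghanistan regime individuals list
# shown on the page. Only the layout visible there ("Name 6: ... 1: ... 5: ...",
# "DOB:", "a.k.a:", "Group ID:") is relied on; anything else about the real file
# format is an assumption.
SAMPLE_ENTRIES = [
    "Name 6: ABBASIN 1: ABDUL AZIZ 2: n/a 3: n/a 4: n/a 5: n/a.DOB: --/--/1969. "
    "POB: Sheykhan Village, Pirkowti Area, Orgun District, Paktika Province, Afghanistan "
    "a.k.a: MAHSUD, Abdul Aziz Other Information: UN Ref TI.A.155.11. "
    "Listed on: 21/10/2011 Last Updated: 17/05/2013 Group ID: 12156.",
    "Name 6: ABDUL AHAD 1: AZIZIRAHMAN 2: n/a 3: n/a 4: n/a 5: n/a.DOB: --/--/1972. "
    "POB: Shega District, Kandahar Province, Afghanistan Nationality: Afghan "
    "Position: Third Secretary, Taliban Embassy, Abu Dhabi, United Arab Emirates "
    "Other Information: UN Ref TI.A.121.01. Listed on: 23/02/2001 "
    "Last Updated: 29/03/2012 Group ID: 7055.",
    "Name 6: ABDUL AHMAD TURK 1: ABDUL GHANI 2: BARADAR 3: n/a 4: n/a 5: n/a."
    "Title: Mullah  DOB: --/--/1968. POB: Yatimak village, Dehrawood District, "
    "Uruzgan Province, Afghanistan a.k.a: (1) AKHUND, Baradar (2) BARADAR, Abdul, Ghani "
    "Nationality: Afghan Position: Deputy Minister of Defence under the Taliban regime "
    "Other Information: UN Ref TI.B.24.01. Listed on: 02/04/2001 "
    "Last Updated: 29/03/2012 Group ID: 7060.",
]

NAME_RE = re.compile(r"Name 6: (?P<n6>.*?) 1: (?P<n1>.*?) 2: (?P<n2>.*?) 3: (?P<n3>.*?)"
                     r" 4: (?P<n4>.*?) 5: (?P<n5>.*?)\.")
DOB_RE = re.compile(r"DOB: (?P<dob>[-\d/]+)\.")
AKA_RE = re.compile(r"a\.k\.a: (?P<aka>.*?) (?:Nationality:|Position:|Other Information:|Listed on:)")
GROUP_RE = re.compile(r"Group ID: (?P<gid>\d+)")


@dataclass
class Entry:
    group_id: str
    surname: str            # the "Name 6" field
    forenames: List[str]    # fields 1-5 that are not n/a
    aliases: List[str]      # each as "SURNAME, Forenames" from the a.k.a. field
    dob_year: Optional[int]


def parse_entry(line: str) -> Entry:
    """Pull the fields the screening procedure needs out of one list entry."""
    m = NAME_RE.search(line)
    gid = GROUP_RE.search(line)
    if not m or not gid:
        raise ValueError("entry does not follow the expected layout")
    forenames = [m.group(k) for k in ("n1", "n2", "n3", "n4", "n5") if m.group(k) != "n/a"]
    aliases: List[str] = []
    aka = AKA_RE.search(line)
    if aka:
        # Aliases are either a single name or numbered "(1) ... (2) ..."
        aliases = [p.strip() for p in re.split(r"\(\d+\)\s*", aka.group("aka")) if p.strip()]
    year = None
    dob = DOB_RE.search(line)
    if dob:
        y = dob.group("dob").split("/")[-1]   # day/month may be "--"; the year usually is not
        year = int(y) if y.isdigit() else None
    return Entry(gid.group("gid"), m.group("n6"), forenames, aliases, year)


def tokens(text: str) -> Set[str]:
    """Case-insensitive word set, ignoring commas and other punctuation."""
    return set(re.findall(r"[A-Z]+", text.upper()))


def screen(entries: List[Entry], surname: str, full_name: Optional[str] = None,
           dob_year: Optional[int] = None) -> Dict[str, List[str]]:
    """Surname first, then full name, then DOB, across primary names and aliases.

    Returns {group_id: [reason, ...]}; one entry can appear with several reasons
    when both its primary name and an alias match.
    """
    want_surname = tokens(surname)
    hits: Dict[str, List[str]] = {}
    for e in entries:
        # (kind, surname tokens, all name tokens) for the primary name and each alias
        candidates = [("name", tokens(e.surname), tokens(e.surname + " " + " ".join(e.forenames)))]
        for a in e.aliases:
            candidates.append(("alias", tokens(a.split(",")[0]), tokens(a)))
        for kind, sur_toks, all_toks in candidates:
            if not want_surname <= sur_toks:
                continue                                   # step 1: surname must occur
            reason = f"surname ({kind})"
            if full_name and tokens(full_name) <= all_toks:
                reason = f"full name ({kind})"             # step 2: every part of the full name
            if dob_year is not None and e.dob_year is not None:
                reason += ", DOB year " + ("matches" if dob_year == e.dob_year else "differs")
            hits.setdefault(e.group_id, []).append(reason)
    return hits


if __name__ == "__main__":
    entries = [parse_entry(line) for line in SAMPLE_ENTRIES]
    # Record for the file: every unique Group ID found, with the reason for each occurrence
    for gid, reasons in screen(entries, "BARADAR", "ABDUL GHANI BARADAR", 1968).items():
        print(gid, "->", "; ".join(reasons))
```

A surname-only query such as "ABDUL" returns two of the three sample entries, which is the volume problem the post describes; supplying the full name and year of birth narrows the result to the single alias match, and a query for a surname not on the list returns nothing. The returned dictionary is what you would print and keep on file as the record of the check.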

Additional Point

The reality of all this is that most searches will result in nothing being found, but you never know and, just as importantly, you do need to demonstrate that you have systems of control in place to deal with this.

If you currently use my MI System, you can find a new facility to check the Sanctions List in the Library Section under Fraud. This will report all the unique occurrences of the text submitted with details of each entry identified, including duplicates where there are aliases. You can print this off and keep it on file to demonstrate compliance.