I have been hearing and reading all sorts of interesting and potentially scary things about GDPR and the need for encryption of emails and back ups and so on and so forth. After reading as much as I could find about it on the ICO web site, I failed to find an answer to one key question:
Is encryption mandatory under GDPR emails and back ups and so on?
On Friday, last week, I called the ICO help desk and was given what I thought was a pretty definitive answer and below is my interpretation of the response that I was given
To the answer is encryption mandatory the answer is no. However, there is an ‘it depends’ element and that goes as follows. Under GDPR you are expected to take reasonable steps to protect the privacy of data that you hold for individuals. Just exactly what is reasonable depends on a number of circumstances.
If you are processing sensitive personal data such as religious or health matters, then I would suggest that encryption for the emailing of such data back to the data subject or on to other parties is probably appropriate. I note that many insurance portals use encryption to allow you to pass data through them.
If you are not processing sensitive personal data ( for example mortgage details) then encryption may not be necessary as long as you have the normal procedures and practices in place to prevent unauthorised access to your files or computer systems.
Normal procedures and practices would include password protection for computers, phones, tablets and laptops or any other communication device. Password protection is also appropriate for access to any specific systems that you use for processing personal data such as Trigold, Brain, The Key , any other or bespoke customer management systems that you might use. Physical security would include making sure that papers files and physical device computer back ups are held in locked cabinets and kept in secure offices or premises that are also lockable when unoccupied. Leaving a laptop in a car for example cannot be held secure even with password protection as nationwide found out a number of years ago under the existing Data Protection regulations. Equally taking a backup of you system and leaving it on a pen drive in a locked car or hanging up in the kitchen of a family member’s home cannot be considered reasonable steps to keep data that you hold, private.
Another aspect to consider is how material would the loss of data be. I was given the following example by the ICO help desk. If you were holding a list of names and addresses and payments for a club, you might keep that on paper in a locked drawer in a lockable office. That would be reasonable steps in normal circumstances. However, if you were holding a list of all MI5 agents operating in Russia, it might be more appropriate to keep that in a locked vault with an armed guard because the consequences of a breach of privacy would be more significant in the second case.
On this basis, then I think it might also be reasonable to argue that clients credit or debit card details should not be passed about by unencrypted emails, or rather, the full data required to access and use such cards should not be passed about in unencrypted emails.
Of course, the problem with encryption for emails is that you have to provide the recipient with a key to access the encrypted data. That provides an additional layer of complexity in the process and could prevent or discourage your clients from interacting with you as they should. In the extreme cases that could result in the client going elsewhere and finding a broker who wasn’t making it so difficult for them to transact with you.
No matter what actions you take, there is always going to be the risk that you will experience a breach of data privacy. If that occurs, the first thing that the ICO will look at is how serious your organisation was about data protection. Carrying out a Data Protection Risk Assessment on the firm annually or whenever you make a change to the way that you handle or process data, will provide evidence of your firms seriousness about data protection. This will be an important part of mitigation if you fall foul of the ICO for a privacy breach. I will be issuing an example of a DPRA for a ‘typical broker’ over the next couple of days to enable you to give thought to any potential concerns.
How does all this translate into an action?
If you are processing sensitive personal data then you are advised to encrypt. This includes religious and health matters, sexual orientation and the like. It does not technically include a clients financial circumstances despite the importance that we place on it. This may mean that some of your insurance data may need to be passed through encrypted portals or email systems.
You should not be passing client’s credit card or debit card details through unencrypted emails.
Most mortgage related data does not fall into sensitive personal data category ( although some questions for lifetime mortgages may well do) and so there is no requirement to encrypt either email or security back ups as long as you have taken appropriate measures to protect the privacy of the data that you hold. Appropriate measures in this context is set out in general terms the following paragraph although individual cases and circumstances may vary.
In all cases strong password protection for computers, laptops, mobiles, ipads and so on in order to prevent unauthorised access to your devices. Within applications, once again strong password protection to prevent unauthorised access to systems and the data held within them. Paper files when not in use kept in secure lockable cabinets or drawers that are locked when the office or premises is not attended. Lockable and secure premises that are locked when unattended. Security backups kept in a secure location and on secure devices.
To demonstrate that you take Data Protection seriously, it is advisable to undertake a Data Protection Risk Assessment at least annually or whenever you make a change to the way that you handle or process data. An example will be issued in the next couple of days.
Monday 9 April 2018
Wednesday 14 February 2018
A Quick Update on AML Activity
The FCA has a guide for small firms on dealing with and mitigating the risk of Financial Crime. It can be found here . In it they provide examples of good practice for sanctions systems and controls.
The FCA has previously carried out a thematic review on financial services firms’ approach to UK financial sanctions where it found that many small firms were unaware of the financial sanctions regime and those who were aware had misconceptions about it. It is my understanding that the FCA are now doing another review on the theme, presumably as a follow up.
They have suggested that it is useful to consider the following facts about financial sanctions:
- Standard anti-money laundering checks do not screen clients against the HM Treasury (HMT) list. Firms should not confuse HMT’s financial sanctions regime with anti-money laundering procedures.
- Financial sanctions apply to all transactions, there is no minimum financial limit.
- Politically Exposed Persons (PEPs) are not necessarily financial sanction targets.
- Most listed individuals and entities are aware that they are on the HMT list, which is publicly available. The issue of ‘Tipping off’ (as set out in the Proceeds of Crime Act 2002) should therefore not generally arise.
- HMT’s financial sanction regime is not the same as FCA enforcement action. HMT is responsible for implementing, administering and enforcing compliance with the financial sanctions regime.
The FCA have indicated that is good practice to check:
- your existing clients against HMT’s list
- all new customers prior to providing any services or transactions
- any updates to the HMT list
- any changes to your client’s details (this would only really apply to a mortgage broker where the client has come back for a new product)
Final points to note are that even providing financial advice can be a breach. It is good practice to include directors, beneficial owners of corporate customers in your checks where applicable.
Tuesday 13 February 2018
Are your clients Policially Exposed Persons?
There is, as a matter of routine and almost without fail, regular suggestion in the press about corruption amongst persons who hold public office or who act in forms of public capacity, whether this include heads of state, politicians or even senior managers in charitable institutions. Why only this week I was reading.....
It is pretty obvious that one of a number of popular destinations for overseas PEPs is the UK where funds obtained by dubious means can be used for investments in property, school fees for children and all those many other things that are associated with a lavish way of living.
As a mortgage broker, you are now required to conduct enhanced due diligence on politically exposed persons (PEPs). Although technically, you are not covered by the FCA handbook on Money Laundering, there is an expectation and indeed in all truth an insistence that as a part of your systems and controls for mitigating the risk of financial crime, you will be addressing this issue.
You should be aware that the FCA appear to be conducting some form of thematic review on anti money laundering activity in small firms and that this is a part of the scope of that review. Lenders, who do have a specific obligation under the ML Handbook also have a significant interest in how you deal with this matter when introducing business to them.
You should also make sure that you are absolutely clear about where funds are coming from and where income that is stated has been derived. Third party evidence is good as long as it is valid and doesn't raise worries in its own right (e.g. a bank statement from a sanctioned country should raise alarms).
Where a PEP has been identified however, you should also be undertaking a greater level of scrutiny. Looking around the internet for the individual may turn up some evidence as may a search on the web site of the organisation that has entrusted responsibility to the person.
There are also other plausibility approaches to take. Given that the issues around mortgages will normally relate to income and deposit money, these should be interrogated fully. A full audit trail on deposit monies should be sought. Reviews for suspicious transactions should be made on bank statements and. if sound don't forget to SAR (Suspicious Activity Reports to the National Crime Agency (NCA)). Does the income of the individual support the lifestyle evident in the bank statements that you have available. Are there any other assets of concern in the background?
A check on the HM Treasury Sanctions List would be mandatory in any case but I just state the obvious because it is not always so.
Finally on this point is the matter of proportionality and risk. if you are operating in a market that is home grown and local to you, where you know most of your clients and they either live within a stone's throw or they are past clients who have moved away from the area, then the risk of exposure to PEPs is relatively low. However , it is never absent and you should always be on your guard against unusual or unexplained external contacts particularly introducers from outside of your normal area.
If on the other hand you work in a niche that involves persons of non-UK origin or deals with highly paid employees of non-UK businesses or foreign governments or NGOs for example, then the risk of exposure is greater and you need to make sure that you are on permanent and heightened alert.
There are a number of providers out in the marketplace that specify that they check various lists of PEPs although I am not sure how such lists are complied or who is accountable for them.
In my opinion, the easiest way to find out is to ask the applicants if they are PEPs. I don't necessarily think that it is of value to ask the question, Are you or anyone in your close family or associates, a Politically Exposed Person. It may simply provide a self fulfilling answer.
However, fact finding should be sufficiently robust to ask a number of questions such as:-
Do you, or anyone in your immediate family, hold any position with any of the following organisations (Such as a state other than the UK, a community institution, or an international body)?
If so, obtain Name and contact details on the entity.
What is the exact nature of your relationship with the entity above?
Here you should obtain in their own words the role that they carry out , their remuneration and contact point to obtain verification. If another member of the family is involved then obviously you need the nature of the applicants relationship with that person.
This information should be clearly evidenced on file together with a note from the firms controller to authorise the transaction to proceed.
PLEASE NOTE: I use the term fact finding. I am aware that some fact finds provided by various systems do not include such questions but that is not relevant. What is relevant is that in your own fact finding and know you customer KYC activity, you record that you have asked and that you have gathered any relevant details.
It is pretty obvious that one of a number of popular destinations for overseas PEPs is the UK where funds obtained by dubious means can be used for investments in property, school fees for children and all those many other things that are associated with a lavish way of living.
As a mortgage broker, you are now required to conduct enhanced due diligence on politically exposed persons (PEPs). Although technically, you are not covered by the FCA handbook on Money Laundering, there is an expectation and indeed in all truth an insistence that as a part of your systems and controls for mitigating the risk of financial crime, you will be addressing this issue.
You should be aware that the FCA appear to be conducting some form of thematic review on anti money laundering activity in small firms and that this is a part of the scope of that review. Lenders, who do have a specific obligation under the ML Handbook also have a significant interest in how you deal with this matter when introducing business to them.
Firstly, who is a PEP?
A PEP is someone who within the previous 12 months has been entrusted by :-- a state other than the UK
- a community institution, or
- an international body,
and who fulfils one of the following public roles:
- heads of state, heads of government, ministers and deputy or assistant ministers
- Members of Parliament
- members of supreme courts, or constitutional courts or of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
- members of courts of auditors or of the boards of central banks
- ambassadors, chargés d’affairs and high ranking officers in the armed forces
- members of the administrative, management or supervisory bodies of state-owned enterprises
PEPs will also include this person's family members and known close associates.
PLEASE NOTE THAT A UK MP IS NOT A POLITICALLY EXPOSED PERSON despite what you might think and their own credibility and public performances. If they are doing something wrong and it is illegal, then they are a criminal. If it is morally reprehensible then they are presumably something else. But they are not a PEP.
What do you need to do about PEPs?
Once you have established that you are dealing with a PEP, regardless of the size of your firm, you need to carry out the following:-
- have senior management approval for establishing a business relationship with a PEP
- take adequate measures to establish the source of wealth and source of funds which are involved in the business relationship or occasional transaction
- conduct enhanced ongoing monitoring of the business relationship
What does this mean in practice for a small firm?
Even if you are the only person in the firm, you should ensure that the client file indicates clearly that the person is a PEP and that the controller of the firm ( i.e. it may be you) has authorised the transaction to proceed. There is no prescribed text but a date of action would also be useful.You should also make sure that you are absolutely clear about where funds are coming from and where income that is stated has been derived. Third party evidence is good as long as it is valid and doesn't raise worries in its own right (e.g. a bank statement from a sanctioned country should raise alarms).
Where a PEP has been identified however, you should also be undertaking a greater level of scrutiny. Looking around the internet for the individual may turn up some evidence as may a search on the web site of the organisation that has entrusted responsibility to the person.
There are also other plausibility approaches to take. Given that the issues around mortgages will normally relate to income and deposit money, these should be interrogated fully. A full audit trail on deposit monies should be sought. Reviews for suspicious transactions should be made on bank statements and. if sound don't forget to SAR (Suspicious Activity Reports to the National Crime Agency (NCA)). Does the income of the individual support the lifestyle evident in the bank statements that you have available. Are there any other assets of concern in the background?
A check on the HM Treasury Sanctions List would be mandatory in any case but I just state the obvious because it is not always so.
Finally on this point is the matter of proportionality and risk. if you are operating in a market that is home grown and local to you, where you know most of your clients and they either live within a stone's throw or they are past clients who have moved away from the area, then the risk of exposure to PEPs is relatively low. However , it is never absent and you should always be on your guard against unusual or unexplained external contacts particularly introducers from outside of your normal area.
If on the other hand you work in a niche that involves persons of non-UK origin or deals with highly paid employees of non-UK businesses or foreign governments or NGOs for example, then the risk of exposure is greater and you need to make sure that you are on permanent and heightened alert.
So how to you spot a PEP?
Ok, so all seems most obvious so far but the bit that everyone seems to skirt around is how to spot a PEP?There are a number of providers out in the marketplace that specify that they check various lists of PEPs although I am not sure how such lists are complied or who is accountable for them.
In my opinion, the easiest way to find out is to ask the applicants if they are PEPs. I don't necessarily think that it is of value to ask the question, Are you or anyone in your close family or associates, a Politically Exposed Person. It may simply provide a self fulfilling answer.
However, fact finding should be sufficiently robust to ask a number of questions such as:-
Do you, or anyone in your immediate family, hold any position with any of the following organisations (Such as a state other than the UK, a community institution, or an international body)?
If so, obtain Name and contact details on the entity.
What is the exact nature of your relationship with the entity above?
Here you should obtain in their own words the role that they carry out , their remuneration and contact point to obtain verification. If another member of the family is involved then obviously you need the nature of the applicants relationship with that person.
This information should be clearly evidenced on file together with a note from the firms controller to authorise the transaction to proceed.
PLEASE NOTE: I use the term fact finding. I am aware that some fact finds provided by various systems do not include such questions but that is not relevant. What is relevant is that in your own fact finding and know you customer KYC activity, you record that you have asked and that you have gathered any relevant details.
Subscribe to:
Posts (Atom)