Apex Regulatory Update - May 2017

From the 1^st January 2018, a new EU Benchmark Regulation (“BMR”) will apply to financial markets. BMR introduces a common framework to ensure the accuracy and integrity of indices used as ‘benchmarks’ in financial instruments, financial contracts, or to measure the performance of investment funds in the Union. This Regulation thereby contributes to the proper functioning of the internal market whilst achieving a high level of consumer and investor protection (Art. 1 subject-matter).[1]

Benchmarks and indices are vital tools for assessing the underlying price of financial instruments and contracts, as well as for measuring the performance of investment funds. The new BMR regulation will ensure that benchmarks are robust and reliable, whilst conflicts of interest in the setting process are minimized.

The FCA shared its intention of issuing a consultation paper on the Regulation regarding indices used as benchmarks in financial instruments and contracts; the outcome of which is expected immanently. The key issues addressed relate to scope, conduct requirements and extra-territorial implications (particularly in regards to Brexit).

Planned publication of the FCA’s consultation paper[2] on the UK’s implementation of the BMR is due in the coming weeks. The regulatory timelines are very tight, especially in light of the close implementation deadlines for MiFID II (3^rd January 2018).

What about Non-EU Benchmarks?

Particular challenges will be faced for EU firms referencing non-EU benchmarks in securities or derivatives, or using them in the management of investment funds. The Benchmarks of non-EU administrators may only be used in the EU whereby;

• The administrator is authorised or registered under an equivalent third-country regime,
• The administrator is recognised by member state authorities pending an equivalence decision; or
• The benchmark is endorsed by a connected EU supervised entity (in this case the benchmark needs to fulfil requirements “at least as stringent as the BMR”).

Supervised entities using these benchmarks will need to maintain written contingency plans.

Tax Fraud – Update:

The 4th Anti Money Laundering Directive (“AMLD”) now sees a new feature pertaining to Tax Crimes introduced into the Directive guidelines. This feature suggests that Crimes carried out in relation to direct and indirect taxes are now, for the first time in the EU, expressly considered by the Directive as predicate offences; however, there is still no harmonised definition of what a ‘Tax Crime would constitute under the 4^th AMLD.

Revisions to the AMLD now ensure that EU member states are obliged to keep a central register of information on the ultimate “beneficial” owners of corporate and other legal entities, lowering the threshold for declaring beneficial ownership for passive corporate entities. This requirement will ensure that these structures are subject to greater transparency and scrutiny.

The central registers will be accessible to the following parties:

• Authorities and their financial intelligence units (without any restriction),
• “Obliged Entities” (banks performing Due Diligence).
• Public (registration prerequisites).

Access requests are only granted in case of a “legitimate interest“, which are:

• Suspected money laundering, terrorist financing.
• “Predicate” offences that may help to finance them, such as corruption, tax crimes and fraud.

Here is an example of local implementation (Luxembourg):

In conjunction with the implementation of the 4^th AMLD in 1 January 2017, Luxembourg also introduced the concept of three types of tax fraud:

• “simple” tax fraud (Tax evasion + intention),
• “aggravated” tax fraud (simple tax fraud + higher amounts involved),
• “tax swindle” or “escroquerie fiscale” (aggravated tax fraud + systematic use of fraudulent acts).

Money laundering offences have therefore been extended to include cases of “aggravated” tax fraud and tax evasion.

The art 506-1 of the Luxembourg Criminal Code has been updated to include and distinguish different types of tax frauds and the subsequent punishments/action taken:

• Aggravated tax fraud and tax swindling are both considered predicate offences in Luxembourg, criminally sanctioned and classified as intentional act to avoid tax and breach tax legislation.
• Simple tax fraud has administrative sanction; however it is not considered a primary offence.

The CSSF Circular 17/650 was amended to include a list of 21 fiscally relevant indicators. These shall raise awareness and are impacting other due diligence factors (client occupation, business scope, etc.).

Suspicion triggered by assessed indicators is sufficient for reporting to the local FIU and shall not lead the reporting entity to classify the tax fraud type.

What are the impacts?

In order to comply with the new Circular, Fund Administrators should update internal policies and procedures to include;

• An Enlarged set of criteria for the AML/CTF risk assessment, to also consider the risk of tax fraud.
• Increased documentation to be collected.
• Transaction monitoring to also identify any operation that might provide the means for tax evasion.
• Inclusion of the tax offence in the cases reported to the local authority (other than the already defined unusual activities).
• The new 21 indicators that can raise a suspicion of money laundering offence to tax crime.

In order to implement the Circular in practice, the concept of a “Tax Compliance Policy” will need to be introduced and implemented: this will be complementary of the already existing Apex Group AML Policy and will include the tax offenses within the risk factors to be considered in the overall risk assessment.

Data Protection Impact Assessment:

In the context of the General Data Protection Regulation (GDPR), introduced in April 2017, the Data Protection Impact Assessment (DPIA) has become a mandatory requirement within fund industry as it is “likely to result in a high risk to the rights and freedom of natural persons”.

What is Data Protection Impact Assessment (DPIA)?

DPIA is a process designed to provide guidance and help to ensure that the fundamental rights of personal data and privacy protection are upheld. DPIA helps data controllers not only to comply with the GDPR requirements, it also demonstrates that appropriate measures are being taken to ensure compliance with Regulation and to mitigate or eliminate the risk identified.

When is DIPA applicable?

DPIA should be carried out in any instance where an activity could “likely result in high risk to the right and the freedom of a natural person” – taking in consideration nature, scope, context and purposes of the processing.

Art 29 of the Guidelines on DPIA includes some examples of activities that may incur in “higher risk”:

• Systematic and extensive evaluation of personal aspects relating to a natural person who is based on automated processing.
• Processing, on a large scale, of sensitive or personal data relating to criminal convictions and offences.
• Systematic monitoring of a public accessible area on a large scale.

Given the above, where the type of data processing is likely to result in a high risk for the rights and freedom of individuals, data controllers shall carry out DPIA prior to the processing in order to assess the impact of the envisaged processing operations on the protection of personal data.

When is a DPIA not applicable?

A DPIA is not required when the processing of data is not “likely to result in a high risk,” or the processing is very similar to another case for which DPIA has been already conducted for DIPA is also not required where the activity has a legal basis in the EU or Member State law, or where the processing is included on the optional list established by the supervisory authority of exempted processing operations.

Who is involved in this process?

Data Processor (on behalf of clients):

• If  the  processing  is  wholly  or partly  performed  by a  Data  Processor,  the  processor  should  assist  the controller in carrying out the DPIA and provide any necessary information.

The data controller (on own behalf), with the DPO and the data processor(s):

• The controller is responsible for ensuring that the DPIA is carried out as per Article 35(2).
• The controller should document its justification for not seeking the views of data subjects, if it decides that this is not appropriate.

Data  Protection  Officer  (DPO):

• The DPO  should  also  monitor  the  performance  of  the  DPIA.
• The DPIA may be carried out by someone other than the above listed persons, however the ultimate responsibility remains that of the Data Controller.
• In a circumstance where the DPIA identifies risks that cannot be sufficiently mitigated by the Data Controller, the Data Controller must consult the supervisory authority.

Content of the DPIA:

The controller must assess the impact of the ‘in scope processing operations’ on the protection of personal data;

• Minimum content
• Systematic description of the processing and its purposes
• Assessment of the necessity and proportionality of the processing
• Assessment of the risks to the rights and freedoms of data subjects
• The measures envisaged to address the risks (this shall includes the methodology ad the adherence with the company code of conduct)
• Supportive Documentation

Non Compliance with the DPIA:

Non compliance with the DPIA might constitute a serious violation, subject to a fine up to €10 million or up to 2% of the organisation’s total worldwide turnover of the preceding financial year. Non compliance could also lead to:

• Claims for damages.
• An order by a supervisory authority (SA).
• Injunctions or interim measures by individuals or works councils.
• Loss of reputation and customer trust.

FATCA and CRS – Extended Compliance Deadlines:

Similar to the first year of reporting under FATCA, some notification and reporting deadlines under CRS have also been pushed out. Malta extended its CRS deadline from 30 April 2017 to 30 June 2017. Both the British Virgin Islands and Cayman Islands extended their CRS notification deadline to 30 June 2017 and CRS reporting deadline to 31 July 2017. In Bermuda, the Ministry of Finance has set a registration deadline of 14 July 2017 and a reporting deadline of 30 August 2017. All reporting must be submitted via the Bermuda Tax Information Portal which is currently under development.

The Cayman Islands Automatic Exchange of Information (“AEOI”) Portal re-opened on the 16 May 2017 and is accepting FATCA XML Schema version 2.0 submissions, CRS notifications and variations to reporting obligations. CRS return submission functionality is anticipated to be available at the beginning of June 2017. Due to the portal being offline until mid-May then the Cayman Tax Authority also extended the deadline for US FATCA reporting until 31 July 2017 to bring it in line with the CRS deadline.

Registration obligations for Investment Managers and Investment Advisors in Cayman and Malta:

The scope of exemptions available under the CRS is much narrower than under FATCA. Entities that were classified as Non-Reporting FIs under Annex II of the Intergovernmental Agreements (IGAs) such as Investment Managers, Investment Advisors, General Partners etc. may now be classified as Reporting FIs for CRS purposes.

Investment Managers and Advisors that only provide investment advisory or management services will be regarded as not having any financial accounts and therefore, not required to report, as long as they meet the “solely because” test in the definition of a Financial Account under the CRS Regulations. They may however have a notification or registration obligation in their local jurisdiction and should review their classification to determine how CRS will impact them.

The Cayman Tax Authority requires that all Cayman FIs submit a notification to the Tax Information Authority by the 30 June this year. This applies to Investment Managers and Advisors however they can select the option that they ‘have no financial accounts’ so that it is not necessary to submit an annual return thereafter unless their circumstances change.

There is also an obligation on all Malta FIs to register with the Commissioner for the purposes of CRS. This registration is to be accomplished through the online registration process through the website of the Inland Revenue Department.

Additionally, the Sponsoring Entity and Sponsored Entity approach is not available under CRS therefore FIs that have availed of this option will need to notify and submit reports separately under CRS.

Luxembourg Introduces a Bill of Law to Implement the 4th Anti-Money Laundering and Terrorist Financing Directive:

On 26 April 2017, the Bill of Law n.7128 (Bill of Law) was introduced to the Chamber of Deputies: the scope is to implement into national legislation some provisions of the 4th AML Directive.

The Bill of Law will amend the Luxembourg legal framework to ensure:

• The implementation of the Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (4th AML Directive) that relate to the obliged entities’ professional obligations and the monitoring of their respect.
• The reinforcement of measures of the Regulation (EU) 2015/847 on information accompanying transfers of funds

Who is impacted?

• Foreign credit institutions and financial institutions when they perform their activities in Luxembourg through branches or simply as free service providers.
• Every person exercising the Family Office activity.
• Court bailiffs when they proceed to valuation and public sales of furniture, movables and harvestings.

Reduced Threshold:

The amount of cash payments, for which traders of goods shall implement the obligations of the AML Law, will be reduced from €15,000 to €10,000.

Risk based approach:

All professionals impacted by the AML Law shall:

• Take appropriate steps to identify and assess the risks of money laundering and terrorist financing which they are exposed to, also taking into account risk factors and risk variables to ensure built of adequate level of controls.
• Ensure collection and retention of the above mentioned risk assessments, to be also available to the relevant authorities.
• Perform sae risk assessment also on the potential new products, business practices and technologies.

Defined professional obligations:

The AML Law has included and defined specific obligations that the professional of the financial sector need to comply with. These are:

1. Customer due diligence
2. Record-keeping of documents and information
3. Processing of personal data in line with the upcoming GDPR requirements
4. Simplified customer due diligence to be documented an justified
5. Enhanced customer due diligence applicable cases defined
6. Wider PEP definition, with the aim of removing the distinction between domestic and foreign PEPs
7. Adequate internal management requirements, including but not limited to:
   1. Implement robust policies and monitoring procedures to manage the ML-TF risks
   2. Adequate training to staff to ensure robustness of the 1^st line of defence
   3. Implement appropriate procedure to allow the employees to appropriately report any AML/CFT obligations breaches to the 2^nd line of defence
   4. Implement group-wide policies and procedures to ensure harmonised transposition of the 4th AML Directive.

Supervising Authorities:

The AML Law refers to both Control Authorities and Self-regulatory bodies, which shall ensure:

1. An efficient monitoring on the professionals of the financial sector’s compliance with their AML/CFT obligations
2. Availability of up-to-date information and documentation to proof robust identification and management of the ML-TF risks and suspicious transactions.
3. The establishment of reliable and efficient procedures that allow a smooth reporting of any suspicious activity to the local authorities

Sanctions:

Administrative sanctions: they can be up to €5,000,000 or 10% of the total annual turnover

Criminal sanctions: the fine can vary from €12,500 to €5,000,000 for the non-compliance with professional obligations.

[1] Official Journal of the European Union

[2]FCA’s Consultation Paper