Be prepared - Gibraltar businesses should get ready for a regulatory challenge in 2018, says KPMG Regulatory Consultancy Manager, Lawrence Hanlin.
The forthcoming 2018 MONEYVAL Assessment and the European Union General Data Protection Regulations were two topics featured at the recent Gibraltar KPMG eSummit.
The regulatory arena is something that is constantly changing and the KPMG eSummit calendar is something that allows individuals like me to share our knowledge and experiences with a wide field of fellow experts and gaming operators.
This was the 14th KPMG e-Summit and the fifth that I have personally attended. On this occasion I was invited to be on a panel session to speak about current and forthcoming changes in regulations.
This year we saw 280 delegates, both local and international, attend the eSummit which had a multitude of experienced speakers covering a variety of diverse subjects such as;
• State of the Sector address by Clive Hawkswood (RGA);
• Update from the Gambling Anti-Money Laundering Group;
• National Online Self-Exclusion System (NOSES);
• Gender diversity in the gaming sector;
• General Data Protection Regulations (GDPR);
• Regulatory Masterclasses;
• Hiding in the Web: how location fraud enables cybercrime and how to fight it;
• Harm minimisation in an Online World;
• Approaching Africa: understanding the opportunity for gaming.
My particular discussion point for my panel session was the current rounds of AML jurisdictional assessments that are taking place globally. This was particularly pertinent as Gibraltar will be assessed for compliance by MONEYVAL in 2018. As the following subhead alludes to, hindsight is a wonderful thing: lessons can be learnt by those countries that have still to be assessed by their FATF Style Regional Body (FSRB).
MONEYVAL - Hindsight is a wonderful thing
Having an office in both Gibraltar and the Isle of Man, KPMG is well placed to comment on how the forthcoming MONEYVAL assessment could affect another Financial Centre such as Gibraltar.
So, who are MONEYVAL? MONEYVAL is a permanent monitoring body of the Council of Europe (as opposed to the European Council), who send committees of experts to evaluate the existence and effectiveness of their members’ Anti Money Laundering and Counter-Terrorism Financing (AML/CTF) measures.
Gibraltar has been a member of MONEYVAL for 18 months and this will be their first full MONEYVAL assessment. Gibraltar’s last Financial Action Task Force (FATF) evaluation was completed in 2006, since when there have been significant enhancements in AML/CTF law and regulation globally.
So, what should Gibraltar expect to see? Gibraltar will have its national approach to AML/CTF evaluated for effectiveness against 11 rating criteria which are described as “Immediate Outcomes” or IOs. These IOs are a relatively new introduction by MONEYVAL, and are supplementary to the technical compliance criteria, of which there are 40.
At the time of writing, 30 countries globally have had their approach to AML/CTF assessed for its effectiveness, with only four – Spain, Italy, Armenia and Cuba - escaping what is called “Enhanced Follow-Up”. As a matter of interest, this caused some debate –with some commentators concluding that the ability to show a strong track record on tackling financial crime necessitates the existence of high levels of such crimes within one’s jurisdiction. I will leave you to your own views on this.
Enhanced Follow-Up imposes a burden upon members to remedy any deficiencies found by the assessment committee in a relatively short time frame compared to the “Regular Follow-Up” procedure, as well as to report back on progress faster.
In deciding whether to place a member in Enhanced Follow-Up, MONEYVAL will consider the following factors:
• Is Gibraltar Non-Compliant (NC) or only Partially Compliant (PC) with eight or more of the 40 technical compliance criteria?
• Does Gibraltar have ratings of NC/PC for five of the most material technical standards?
• Is Gibraltar only effective at a “low” or “moderate” level for seven or more of the 11 effectiveness outcomes?
• Does Gibraltar have a “low” level of effectiveness for four or more of the 11 effectiveness outcomes?
Gibraltar is well placed to learn from the other jurisdictions in preparing for and meeting the effectiveness standards. It is clear from the number of countries currently in Enhanced Follow-Up that avoiding such a result would be an exception.
The recently-assessed Isle of Man has taken on board the recommendations provided by MONEYVAL and is building a plan at Cabinet Office level to address their findings. From analysis conducted by KPMG, there were three key areas of concern where the Isle of Man and a number of other countries have been noticeably marked down.
These relate specifically to Financial Intelligence, Money Laundering Investigation & Prosecution and Confiscation. These elements are key to any jurisdiction in ensuring that criminal activity of this nature is tracked and dealt with demonstrably and adequately under the law.
To ensure compliance with evolving AML/CTF regulatory expectations, Gibraltar-based financial services and gaming operators may require significant cultural change, demanding a shift in attitudes and priorities in order to become conversant with both the expected demands of MONEYVAL, as well as Gibraltar`s prevailing money laundering law and regulations.
The consequences of a negative assessment will be visible globally, and could cause reputational damage for Gibraltar, should its standards in the AML/CTF space be found wanting. It is therefore important that Gibraltar’s public and private sectors embrace the inevitable changes which will pre-empt and follow this assessment.
So now is the time to ask yourself - are you ready for the 2018 assessment, and do you understand your obligations in preventing the laundering of money or the financing of terror in Gibraltar?!
Another hot topic discussed on the day in a Regulatory Masterclass panel session was regarding the incoming EU GDPR which comes into force on 20th May 2018. I was lucky enough to attend a session on which my regulatory colleague Allan Christian was speaking. He was able to share his views and thoughts on how this regulation could affect individuals and companies particularly with regard to potential penalties for non-adherence.
There is a recognition throughout Europe that the volume and sensitivity of personal data which is held by both public and private sector bodies is not only growing exponentially, but is also increasingly targeted by cyber criminals. An EU-wide refresh of personal data protection law, last revised in a meaningful way in in 1995 Data Protection Directive, was therefore long overdue.
The resulting updated regulation goes live next year in the form of GDPR. Given it is ultimately focused on the protection of the fundamental human rights of EU residents, it is difficult not to be supportive of it.
Below I flag some of the more material changes it introduces to world of personal data protection:
• Defaults in favour of individuals, not data controllers – these include expectations that data controllers ensure “privacy by design” and “privacy by default”, using techniques such as anonymising or pseudonymising the personal data they acquire and hold.
• Ensuring that consent given to entities in order to process an individual’s personal data is given freely and unambigiously – perhaps eradicating the unticking of boxes technique often seen in the last decade.
• Performing Data Protection Impact Assessments for all high-risk processing – examples might include use of biometrics to identify customers, or data relating to problem gambling, for example.
• Administrating more – gaming firms will need to compile and maintain a record of processing activities which their supervisor can request at will.
• Administrating faster – both the notification to the supervisor of any data breaches, and responding to requests for copies of an individual’s personal data will need to be executed faster (and in the case of the latter, for free).
• Staffing stretches – gaming firms will be expected to appoint a sufficiently skilled Data Protection Officer, with a specified task list, as a minimum. With a remit similar to a conventional Compliance Officer, they will be “advising and monitoring” rather than doing, which will stretch the capacity of your existing staff in both preparing for and operating within GDPR.
• A two-tiered financial punishment regime will be introduced, with a ceiling of €20m or 4% of global turnover for the fines which can be applied to errant data controllers or processors.
• The introduction of a new supervisor of supervisors – the European Data Protection Supervisor, who is currently the EU Institutions’ data regulator, will gain additional powers, including dispute arbitration and the assessment of third country “adequacy”.
While the amendments can look ominous when piled together, revisiting and revising your approach to personal data governance is a worthy exercise for the gaming industry, given the sensitivity of the data you may control. KPMG will remain active in this space during the preparatory period and beyond should you require assistance in any way.
It is clear to me that operators and jurisdictions cannot rest on their laurels with regard to adherence to the multitude of regulations that operators are having to deal with on an ongoing basis.
Furthermore it is the responsibility of both the regulators and the operators to continue to develop improvements in AML/GDPR which is critical to fulfilling their obligations both now and in the future.