Archive for April, 2014

Directors’ Responsibilities

Wednesday, April 30th, 2014

The position of director brings both rewards and responsibilities upon an individual.

Whether you are appointed to the Board of the company you work for or you are involved in establishing a new business and take on the role of director, you will feel a sense of achievement.

However the office of director should not be accepted lightly. It carries with it a number of duties and responsibilities. We summarise these complex provisions below.

Companies

You can undertake business in the UK as either:

  • an unincorporated entity, ie a sole trader or a partnership or
  • an incorporated body.

An incorporated business is normally referred to as a company. Although there are limited liability partnerships and unlimited companies the vast majority of companies are limited by shares. This means the liability of shareholders is limited to the value of their share capital (including any unpaid).

A limited company can be a private or public company. A public company must include ‘public’ or ‘plc’ in its name and can offer shares to the public.

The responsibilities, and the penalties for non-compliance with duties, are more onerous if you are a director of a public company.

 

Directors

When you are appointed a director of a company you become an officer with extensive legal responsibilities. For a director of an incorporated body, the Companies Act 2006 sets out a statement of your general duties. This statement codifies the existing ‘common law’ rules and equitable principles relating to the obligations of company directors that have developed over time. Common law had focused on the interests of shareholders.  The Companies Act 2006 highlights the connection between what constitutes the good of your company and a consideration of its wider corporate social responsibilities.

The legislation requires that directors act in the interests of their company and not in the interests of any other parties (including shareholders). Even sole director/shareholder companies must consider the implications and must not put their own interests above those of the company.

The aim of the codification of directors’ duties in the Companies Act 2006 is to make the law more consistent and accessible.

The Act outlines seven statutory directors’ duties, which also need to be considered for shadow directors. These are detailed below.

Duty to act within their powers

As a company director, you must act only in accordance with the company’s constitution, and must only exercise your powers for the purposes for which they were conferred.

Duty to promote the success of the company

You must act in the way that you feel would be most likely to promote the success of the company (ie its long-term increase in value), for the benefit of its members as a whole. This is often called the ‘enlightened shareholder value’ duty. However, you must also consider a number of other factors, including:

  • the likely long-term consequences of any decision
  • the interests of company employees
  • fostering the company’s business relationships with suppliers, customers and others
  • the impact of operations on the community and environment
  • maintaining a reputation for high standards of business conduct
  • the need to act fairly as between members of the company.

Duty to exercise independent judgment

You have an obligation to exercise independent judgment. This duty is not infringed by acting in accordance with an agreement entered into by the company which restricts the future exercise of discretion by its directors, or by acting in a way which is authorised by the company’s constitution.

Duty to exercise reasonable care, skill and diligence

This duty codifies the common law rule of duty of care and skill, and imposes both ‘subjective’ and ‘objective’ standards. You must exercise reasonable care, skill and diligence using your own general knowledge, skill and experience (subjective), together with the care, skill and diligence which may reasonably be expected of a person who is carrying out the functions of a director (objective). So a director with significant experience must exercise the appropriate level of diligence in executing their duties, in line with their higher level of expertise.

Duty to avoid conflicts of interest

This dictates that, as a director, you must avoid a situation in which you have, or may have, a direct or indirect interest which conflicts, or could conflict, with the interests of the company.

This duty applies in particular to a transaction entered into between you and a third party, in relation to the exploitation of any property, information or opportunity. It does not apply to a conflict of interest which arises in relation to a transaction or arrangement with the company itself.

This clarifies the previous conflict of interest provisions, and makes it easier for directors to enter into transactions with third parties by allowing directors not subject to any conflict on the board to authorise them, as long as certain requirements are met.

Duty not to accept benefits from third parties

Building on the established principle that you must not make a secret profit as a result of being a director, this duty states that you must not accept any benefit from a third party (whether monetary or otherwise) which has been conferred because of the fact that you are a director, or as a consequence of taking, or not taking, a particular action as a director.

This duty applies unless the acceptance of the benefit cannot reasonably be regarded as likely to give rise to a conflict of interest.

Duty to declare interest in a proposed transaction or arrangement

Any company director who has either a direct or an indirect interest in a proposed transaction or arrangement with the company must declare the ‘nature and extent’ of that interest to the other directors, before the company enters into the transaction or arrangement. A further declaration is required if this information later proves to be, or becomes, either incomplete or inaccurate.

The requirement to make a disclosure also applies where directors ‘ought reasonably to be aware’ of any such conflicting interest.

However, the requirement does not apply where the interest cannot reasonably be regarded as likely to give rise to a conflict of interest, or where other directors are already aware (or ‘ought reasonably to be aware’) of the interest.

Enforcement and penalties

The Companies Act states that these duties will be enforced in the same way as the Common Law, although under Company Law. As a result there are no penalties in the Companies Act 2006 for failing to undertake the above duties correctly.

Enforcement is via an action against the director for breach of duty. Currently such an action can only be brought by:

  • the company itself (ie the Board or the members in general meeting) deciding to commence proceedings
  • a liquidator when the company is in liquidation or
  • an individual shareholder, who can take action against a director for breach of duty. This is known as a derivative action and can be taken for any act or omission (involving negligence), default or breach of duty or trust.

Where the company is controlled by the directors these actions are unlikely.

 

How we can help

You will now be aware that the position of director must not be accepted lightly.

  • the law is designed to penalise those who act irresponsibly or incompetently.
  • a director who acts honestly and conscientiously should have nothing to fear.

We can provide the professional advice you need to ensure you are in the latter category.

Please contact us if you would like more information.

David Cameron writes to crown dependencies

Wednesday, April 30th, 2014

Our Prime Minister has written a letter to the UK’s overseas territories and crown dependencies promoting the value of a public register that would show the ultimate owners of companies registered in their jurisdiction.

This follows the publication of the “Company ownership: transparency and trust discussion paper” last week. It concluded:

“… we plan to proceed with the following policies:

  • establish a publicly accessible central registry of UK company beneficial ownership information
  • improve transparency of company ownership and control, including:

    • abolishing bearer shares
    • prohibiting the use of corporate directors (with exceptions)
    • increasing the accountability of those who control company directors
  • improve trust in the UK regime for disqualifying company directors
  • increase the likelihood of creditors being compensated where they have suffered loss from director misconduct”

David Cameron seems keen to share the insights gained. Here’s an extract from his letter:

“As you know, I believe that beneficial ownership and public access to a central register is key to improving the transparency of company ownership and vital to meeting the urgent challenges of illicit finance and tax evasion. So I am proud that the establishment of a publicly accessible central registry of company beneficial ownership information will now form a key pillar of our G8 legacy.

“We have conducted an in-depth consultation and now look forward to introducing legislation in the UK Parliament as soon as possible.

“I am firmly of the view that making company beneficial ownership information open to the public is by far the best approach. It will give businesses and individuals a clearer picture of who ultimately owns and controls the companies they are dealing with and make it easier for banks, lawyers and others to conduct due diligence on their customers. It will shed light on those who have provided false information, helping to tackle crime where it occurs and deterring people from providing this false information in the first place. And it will help reduce the cost of investigations for tax and law enforcement authorities here and overseas, particularly in developing countries, by making information more easily available to them at the very start of an investigation.

“I am very keen that we should move forward together in raising standards of transparency globally. I therefore wholeheartedly welcome all those Overseas Territories who are joining us in leading this work, either by already having a central registry in place or by consulting on establishing one.”

It would seem that the net is tightening on organisations that use off-shore arrangements to avoid paying tax.

Tax Diary May/June 2014

Tuesday, April 29th, 2014

 1 May 2014 – Due date for Corporation Tax due for the year ended 31 July 2013.

 19 May 2014 – PAYE and NIC deductions due for month ended 5 May 2014. (If you pay your tax electronically the due date is 22 May 2014.)

 19 May 2014 – Filing deadline for the CIS300 monthly return for the month ended 5 May 2014.

 19 May 2014 – CIS tax deducted for the month ended 5 May 2014 is payable by today.

 31 May 2014 – Ensure all employees have been given their P60s for the 2013-14 tax year.

 1 June 2014 – Due date for Corporation Tax due for the year ended 31 August 2013.

 19 June 2014 – PAYE and NIC deductions due for month ended 5 June 2014. (If you pay your tax electronically the due date is 22 June 2014.)

 19 June 2014 – Filing deadline for the CIS300 monthly return for the month ended 5 June 2014.

 19 June 2014 – CIS tax deducted for the month ended 5 June 2014 is payable by today.

VAT Mini One Stop Shop (MOSS)

Tuesday, April 29th, 2014

Currently, the place of taxation for broadcasting, telecommunications and e-services (BTE) supplies is determined by the location of the supplier of the services. However, from 1 January 2015, the place of taxation for private consumers will be determined by the location of the consumer.

Business to business supplies are unaffected; this change will only concern suppliers of BTE services to private consumers.

To save you having to register for VAT in every EU Member State where you supply BTE services, you may opt to use the VAT Mini One Stop Shop online service (VAT MOSS). This will be available on 1 January 2015, but you will be able to register to use it from October 2014.

For example, if you register for the VAT MOSS online service in the UK, you will be able to account for the VAT due on your business to private consumer sales in any other Member States by submitting a single VAT MOSS return. This will include any related payment to HMRC. HMRC will send an electronic copy of the appropriate part of your VAT MOSS return, and the related VAT payment, to each relevant Member State's tax authority on your behalf. The VAT rate used will be that of each Member State of Consumption at the time the service was supplied.

The changes in the underlying VAT place of supply rules are complex. If you feel you may be affected please contact us at an early date so we can advise you on the alterations, if any, you will need to make to your record keeping systems.

Pension decision period extended

Tuesday, April 29th, 2014

Last month we touched on the changes that HMRC is introducing to the treatment of defined contribution pensions. HM Treasury has now issued the following update that clarifies the position of people who have recently taken a tax-free lump sum from their defined contribution scheme.

“The government has announced today (Wednesday 9 April) that people who have recently taken a tax-free lump sum from their defined contribution pension will be given 18 months rather than 6 months to decide what they wish to do with the rest of their retirement savings, and will not be put at a disadvantage should they wish to wait to access their pension savings more flexibly.

This follows an announcement on 27 March confirming that the government would take action to ensure that people do not lose their right to a tax-free lump sum if they would rather use the new flexibility this year or next, instead of buying a lifetime annuity.

Under current tax rules, once a tax free lump sum has been taken, individuals have six months before they are required to make a decision regarding their pension, either by buying an annuity or entering into capped drawdown.

Currently, if this is not done, the lump sum is then taxed at 55%. This extra time will allow people to make the right decision for their pension.”

Exchequer Secretary to the Treasury, David Gauke, said:

“At Budget the government announced the most fundamental change in the way that people access their pension in almost a century, ensuring that over 400,000 people who have worked and saved hard will be able to access their retirement savings more flexibly. However, we recognise that decisions people take regarding their pensions are important and take time. This extension to the decision making period will give people the opportunity to take full advantage of the new flexibilities introduced at the budget.”

HMRC may be extending access to taxpayers’ data

Tuesday, April 29th, 2014

The Treasury has confirmed it is proceeding with plans to legislate to make aggregated and anonymised data more widely available. In a published document HMRC said:

"The government has decided to proceed with the proposal to remove the legal restrictions that currently limit HMRC's ability to share anonymised individual level data for the purpose of research and analysis and deliver public benefits wider than HMRC's own functions, but they accept that this must be done only where there are sufficient safeguards in place to protect taxpayer confidentiality.

HMRC is committed to protecting its customers' information. We shall be consulting further on implementing the proposals for sharing anonymised data, and would only take forward specific measures where there was a clear public benefit and subject to suitable safeguards."

 A number of politicians and academics have reacted badly to this news.

The data shared could include details about income, tax arrangements and payment history. According to government sources the data would be cleansed of personal contact details of taxpayers.

Cars, business use, and tax considerations

Tuesday, April 29th, 2014

There are a number of situations where care should be taken in the way in which claims are made for the business use of a vehicle, usually a car, which is also used for private purposes.

We have listed below a number of issues of which business owners and private car users should be aware.

  1. If you are self-employed and your business assets include a car you should be reducing your claim for capital allowances, loan and HP interest and running costs based on your private use of the vehicle. The percentage added back should be based on a record of your private and total mileage. On enquiry, HMRC are unlikely to accept a private or business use percentage unless it is backed up by a detailed mileage log.
  2. Alternatively, if you are self-employed, and if your business turnover does not exceed the VAT registration threshold (currently £81,000) you can use the fixed mileage rates referred to below. These do not cover loan interest and this can also be claimed subject to restriction for private use based on private and total mileage for the period claimed.
  3. If you are employed and your employer requires that you use your own vehicle for business trips there are two aspects to consider: the rate per mile you are paid (HMRC allows you to receive up to 45p per mile for the first 10,000 business miles each tax year and 25p per mile thereafter) and the number of miles you claim. The 45p/25p rates are the maximum claim HMRC will allow. Employers are free to pay up to this limit without triggering benefit-in-kind issues. Again journeys should be logged and recorded to evidence the number of miles claimed.
  4. If you have the use of a company car and your employer pays for your private petrol you will be liable to a hefty benefit-in-kind charge. You can eliminate this charge if you reimburse your employer for the cost of private petrol provided. Usually, the cost of any such reimbursement will be lower than the tax charge created by the benefit-in-kind assessment. The reimbursement can be calculated using the ‘advisory fuel rates’ on HMRC’s website and you will need to log your private mileage.
  5. If your company provides you with a company car, and if you use the vehicle for business and private purposes, then you will be taxed on the deemed benefit. The amount of the benefit-in-kind charge will depend on the CO2 emissions of the vehicle you use. The rates of benefit vary between 0% and 35% of the list price of the vehicle when new. If you presently drive a car with a high CO2 rating you may want to consider trading it in for a lower CO2 rated model. 

 You will need to provide evidence should HMRC visit and select mileage claims for audit. Generally speaking you should:

  • record the postcode at the beginning and end of the journey so an accurate check can be made of mileage claimed. London to Birmingham would be too vague
  • not round the business miles claimed
  • exclude home to work mileage.

Credit Control

Monday, April 28th, 2014

Obtaining new customers is great for business, unless they fail to pay you. If you fail to check that the customer can support the amount of credit you are granting, then commencing legal action when they do not pay can be a long, drawn-out and potentially costly process.

If payment from the customer is not obtained and the goods or services have been provided, your cash flow is likely to be under pressure. Ensuring that customers pay on time will make managing your business easier.

If you fail to pay your suppliers because you have not been paid by your customer then you could be damaging their business as well. This is not only bad business practice but could be regarded as corporate social irresponsibility. Treat your suppliers as you want your customers to treat you.

Factors to consider

The first thing you should do is get to know your customer.  This should start before you take on a new customer and before you give them any credit. The bare minimum of what you should know is:

  • the exact name of the customer and the trading address (consider using Companies House Webcheck service)
  • their type of business structure, e.g. are they a sole trader, a partnership or a limited company?
  • names and personal addresses of the proprietors if their structure is unincorporated (consider verifying letter headed paper to support this information)
  • references obtained by contacting other suppliers
  • their credit rating.

Before you provide goods or services to any customer make sure you address the following:

  • discuss and agree payment terms with the customer before accepting the order
  • agree the terms in writing
  • review any documentation from the customer where they try to change the agreed payment terms
  • negotiate and agree payment terms with suppliers before accepting the order
  • if there is a gap between customer and supplier payment terms, consider whether finance is available to bridge the gap; this will require an understanding of your working capital management
  • produce a cash flow forecast covering all expected income and expenses
  • have a standard policy in place to ensure that payment terms cannot be altered without appropriate authorisation
  • ensure that you have the right to apply late payment and interest charges on invoices.

After you have provided goods or services to a customer ensure that you:

  • raise invoices promptly
  • raise invoices accurately to ensure all items are included at the quoted prices
  • include a reference number for the order and then quote this if any dispute arises
  • have everything the customer requires on the invoice
  • have a process for chasing invoices
  • have a process for dealing with disputes
  • keep a log of disputes to ascertain whether similar disputes or customers occur
  • ensure that your invoices are fully compliant with HMRC for VAT purposes.

Consider your suppliers – treat them as you would like to be treated

Remember that not paying your suppliers on time is a bad business habit and it may result in a drop in your credit rating. You should:

  • ensure you advise your suppliers of any disputes as soon as they occur
  • pay on time by ensuring that your creditors’ ledger is accurately aged and
  • keep your suppliers up to date with any issues you have with paying on time.

Some businesses unfortunately go ‘bad’ so you may wish to consider obtaining credit insurance where the business:

  • would not be able to function if key customers went insolvent
  • does not have the controls in place to ascertain whether a customer is likely to go insolvent
  • is struggling to obtain information on prospective customers
  • needs to improve credit management
  • is considering a new market venture.

Businesses should consider obtaining factoring and financing options when:

  • insufficient cash reserves are available to pay suppliers on time
  • the business needs to grow
  • the level of short term finance (including any overdraft facility) is insufficient
  • staff do not have the right level of credit management skills.

How we can help

If you are struggling with your cash flow in these difficult times then we would be happy to discuss this further with you. Please contact us for more detailed advice.

Money Laundering and the Proceeds of Crime

Friday, April 25th, 2014

There are tough rules to crack down on money laundering and the proceeds of crime. These rules affect a wide range of people and we consider how your organisation may be affected.

 

Money laundering – a definition

Most of us imagine money launderers to be criminals involved in drug trafficking or terrorism or to be someone like Al Capone. However, legislation in the last decade has significantly expanded the definition of what we might have traditionally considered as money laundering. The general principle remains that money laundering involves turning the proceeds of crime into apparently ‘innocent’ funds with no obvious link to their criminal origins. What has changed is that the definition now includes the proceeds of any criminal offence, regardless of the amount involved.

 

The rules

The key pieces of legislation are:

  • the Proceeds of Crime Act 2002 (The Act) as amended by the Serious Organised Crime and Police Act 2005, and
  • the Money Laundering Regulations 2007 (The 2007 Regulations).

The Act

The Act re-defines money laundering and the money laundering offences, and creates new mechanisms for investigating and recovering the proceeds of crime. The Act also revises and consolidates the requirement for those affected to report knowledge, suspicion or reasonable grounds to suspect money laundering. See the panel below for some of the more technical terms of the Act.

The 2007 Regulations

The 2007 Regulations contain the detailed procedural requirements for those affected by the legislation. The 2007 Regulations came into force on 15 December 2007.

Proceeds of Crime Act – technical terms

Under the Act, someone is engaged in money laundering if they:

  • conceal, disguise, convert, transfer or remove (from the United Kingdom) criminal property
  • enter into or become concerned in an arrangement which they know or suspect facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person or
  • acquire, use or have possession of criminal property.

Property is criminal property if it:

  • constitutes a person’s benefit in whole or in part (including pecuniary and proprietary benefit) from criminal conduct or
  • represents such a benefit directly or indirectly, in whole or in part and
  • the alleged offender knows or suspects that it constitutes or represents such a benefit.

 

Who is caught by the legislation?

Certain businesses have been affected by anti-money laundering rules for some time, for example, banks and other financial institutions. These businesses have been required to put in place specific arrangements to prevent and detect money laundering.

The new regime requires many more businesses to introduce procedures to combat money laundering and the criminal activity that underlies it. As money launderers have resorted to more sophisticated ways of disguising the source of their funds, new legislation aimed at catching those involved has become necessary.

The regulated sector

The legislation relates to anyone in what is termed as the ‘regulated sector’, which includes but is not limited to:

  • accountants and auditors
  • tax advisers
  • financial institutions
  • credit institutions
  • dealers in high value goods (including auctioneers dealing in goods) whenever a transaction involves accepting a total cash payment equivalent to €15,000 or more, whether in a single operation or in several operations that are linked
  • casinos
  • estate agents
  • some management consultancy services
  • company formation agents
  • insolvency practitioners
  • legal professionals

 

The implications of being in the regulated sector

Those businesses that fall within the definition are required to establish procedures to:

  • apply customer due diligence procedures (see below)
  • appoint a Money Laundering Nominated Officer (MLNO) to whom money laundering reports must be made
  • establish systems and procedures to forestall and prevent money laundering and
  • provide relevant individuals with training on money laundering and awareness of their procedures in relation to money laundering.

If your business is caught by the definition you may have received guidance from your professional or trade body on how the requirements affect you and your business. Those of you who are classified as High Value Dealers may be interested in our factsheet of the same name, which considers how the 2007 Regulations affect those with high value cash sales.

The implications for customers of those in the regulated sector

As you can see from the list above, quite a wide range of professionals and other businesses are affected by the legislation. Those affected must comply with the new laws or face the prospect of criminal liability (both fines and possible imprisonment) where they do not.

Procedural changes – customer due diligence (CDD)

Under The Regulations, if you operate in the regulated sector, you are required to undertake CDD procedures on your customers. These CDD procedures need to be undertaken for both new and existing customers.

CDD procedures involve:

  • identifying your customer and verifying their identity. This is based on documents or information obtained from reliable and independent sources
  • identifying where there is a beneficial owner who is not the customer.  It is necessary for you to take adequate measures on a risk sensitive basis, to verify the beneficial owner’s identity, so that you are satisfied that you know who the beneficial owner is. The beneficial owners of the business are those individuals who ultimately own or control the business
  • obtaining information on the purpose and intended nature of the business relationship

You must apply CDD when you:

  • establish a business relationship
  • carry out an occasional transaction (one off transaction valued at €15,000 or more)
  • suspect money laundering or terrorist financing
  • doubt the reliability or adequacy of documents or information previously obtained for identification.

CDD measures must also be applied on a risk sensitive basis at other times to existing customers. This could include when a customer requires a different service. Businesses must consider why the customer requires the service, the identities of any other parties involved and any potential for money laundering.

The purpose of the CDD is to confirm the identity of the customer. For the customer’s identity to be confirmed, independent and reliable information is required. Documents which give the strongest evidence are those issued by a Government department or agency or a Court, including documents filed at Companies House. For individuals, documents from highly rated sources that contain photo identification, eg passports and photo driving licences, as well as written details are a particularly strong source of verification.

The law requires the records obtained during the CDD to be maintained for five years after a customer relationship has ended.

Enhanced due diligence

Enhanced CDD and ongoing monitoring must be applied where:

  • the client has not been met face to face
  • the client is a politically exposed person
  • there is a higher risk of money laundering or terrorist financing.

Additional procedures are required over and above those applied for normal due diligence in these circumstances.

Procedural changes – reporting

As mentioned above, the definition of money laundering includes the proceeds of any crime. Those in the regulated sector are required to report knowledge or suspicion (or where they have reasonable grounds for knowing or suspecting) that a person is engaged in money laundering, ie has committed a criminal offence and has benefited from the proceeds of that crime. These reports should be made in accordance with agreed internal procedures, firstly to the MLNO, who must decide whether or not to pass the report on to the National Crime Agency (NCA).

The defences for the MLNO are:

  • reasonable excuse (reasons such as duress and threats to safety might be accepted although there is little case law in this area as yet)
  • they followed Treasury approved guidance.

The Courts must take such guidance into account.

 

National Crime Agency (NCA)

The NCA is the UK’s new crime-fighting agency with national and international reach and the mandate and powers to work in partnership with other law enforcement organisations to bring the full weight of the law to bear in cutting serious and organised crime. Part of the role of the NCA is to analyse the suspicious activity reports (SARs) received from those in the regulated sector and to then disseminate this information to the relevant law enforcement agency.

The Regulations require those in the regulated sector to report all suspicions of money laundering to the NCA. By acting as a coordinating body, the NCA collates information from a number of different sources. This could potentially build up a picture of the criminal activities of a particular individual, which only become apparent when looked at as a whole. This information can then be passed on to the relevant authorities to take action.

 

Is your business vulnerable?

Criminals are constantly searching for new contacts to help them with their money laundering. Certain types of business are more vulnerable than others. For example, any business that uses or receives significant amounts of cash can be particularly attractive. To counter this, the Regulations require businesses that deal in goods and accept cash equivalent to €15,000 to register with HMRC and implement anti-money laundering procedures.

You can imagine that if a drug dealer went along to a bank on Monday morning and tried to pay in the weekend’s takings, the bank would notice it and report it unless the sum was relatively small. If criminals can find a legitimate business to help them by taking the cash and pretending that it is the business’s money being paid in (in exchange for a proportion!), then that business can put the cash into the bank without any questions being asked.

Take for example the mobile telephone business that has had a fairly steady turnover of £10,000 per week for the last couple of years but suddenly begins to bank £100,000 in cash each week. Without a clear, rational and plausible explanation, this type of suspicious activity would clearly be reported to the NCA.

Perhaps a less obvious example of possible money laundering could be where an individual comes into an antiques shop and offers to buy a piece of furniture for £12,000 in cash. Not too many sellers would have insisted upon a cheque in the past! This person may be a money launderer who then goes to another shop and sells the antique for say £8,000, being quite prepared to suffer the apparent loss. This time the criminal asks for a cheque that can then be paid innocently into a bank account, making the money look legitimate.

The legislation aims to put a stop to this type of activity. Those in the regulated sector are required to report any transactions that they have suspicions about. Also, it is not simply the more obvious examples of suspicious activities that have to be reported. For the majority of those regulated, the government has insisted upon there being no de minimis limits within the legislation. This means that very small proceeds of crime have to be reported to the NCA.

 

Tipping off

There is also an offence known as ‘tipping off’ under the Act. This is what would happen if a person in the regulated sector were to reveal that a suspicious activity report had been made, say for example about a customer, to that customer. Where this disclosure would be likely to prejudice any investigation by the authorities, an offence may be committed. A tipping off offence may also be committed where a person in the regulated sector discloses that an investigation into allegations that a money laundering offence has been committed is being contemplated or carried out and, again, where this disclosure would be likely to prejudice that investigation. As you can imagine, therefore, if you were to ask an accountant or estate agent whether they had made any reports about you, they would not be able to discuss this with you at all. If they did, they could break the law and could face a fine or imprisonment or both.

 

How we can help

The legislation brings a number of professions and businesses into the regulated sector. Complying with the requirements of both the Act and the 2007 Regulations requires those affected to introduce a number of procedures to ensure that they meet their legal responsibilities. If you would like to discuss how the legislation could affect you and your organisation please do contact us.

Data Security – Access

Wednesday, April 23rd, 2014

Many businesses are now completely reliant on the data stored on their network servers, PCs, laptops and mobile devices, or held with cloud service providers or internet service providers. Some of this data is likely to contain personal information, confidential company information, or both.

Here we look at some of the issues to consider when reviewing the security of your computer systems with respect to access controls, and to ensure compliance with Principle 7 of the Data Protection Act. This states that –

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Access security

Good access controls to the computers and the network minimise the risks of data theft or misuse.

Access controls can be divided into two main areas:

  • Physical access – controls over who can enter the premises and who can access personal data
  • Logical access – controls to ensure employees only have access to the appropriate software, data and devices necessary to perform their particular role.

Physical access

As well as having physical access controls such as locks, alarms, security lighting and CCTV there are other considerations such as how access to the premises is controlled.

Visitors should not be allowed to roam unless under strict supervision.

Ensure that computer screens are not visible from the outside.

Use network policies to ensure that workstations and/or mobile devices are locked when they are unattended or not being used.

Ensure that if a mobile device is lost there are ways to immobilise the device remotely.

Mobile devices, being small, are high-risk items, so sensitive data on them should always be encrypted and access controlled via a PIN or password.

It may be necessary to disable or restrict access to USB devices and optical readers and writers.

Finally, information on hard-copy should be disposed of securely.

Logical access

Logical access techniques should be employed to ensure that personnel do not have more access than is necessary for them to perform their role.

Sensitive data should be encrypted and access to this data controlled via network security and user profiles.

Access to certain applications and certain folders may also need to be restricted on a user by user basis.

Finally, it may be necessary to lock down certain devices on certain machines.

Passwords

It is universally accepted that a policy requiring each user to log in with a username and password is good practice.

These help identify a user on the network and enable the appropriate permissions to be assigned.

To be effective, however, passwords should:

  • be relatively long (i.e. 8 characters or more)
  • contain a mixture of alpha, numeric and other characters (such as &^”)
  • be changed regularly through automatic password renewal options
  • be removed or changed when an employee leaves
  • be used on individual files such as spreadsheets or word processed documents which contain personal information

and should NOT

  • be a blanket password (i.e. the same for all applications or for all users)
  • be written on ‘post it’ notes which are stuck on the keyboard or screen
  • consist of common words or phrases, or the company name.
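The rules above can be enforced at the point a password is set. The sketch below is an added example, not part of the original article: it checks the length and character-mix rules and then shows why those two alone are not enough, since a password such as "P@ssw0rd1!" satisfies both but is still a common word. The word list, the company name "acme" and the substitution table are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not from the article): a tiny list of
# common words and a placeholder company name. Use a real deny-list in practice.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}
COMPANY_NAME = "acme"

# Undo the usual character swaps so "P@ssw0rd" is compared as "password".
# The table is a simplification: "1" is read as "l" and "!" as "i".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case, reverse common substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "letter": re.search(r"[A-Za-z]", password),
        "digit": re.search(r"[0-9]", password),
        "other character": re.search(r"[^A-Za-z0-9]", password),
    }
    for name, found in classes.items():
        if not found:
            problems.append(f"no {name}")
    # Common words, the company name and the user's own name are all banned.
    plain = normalise(password)
    banned = COMMON_WORDS | {COMPANY_NAME}
    if username:
        banned.add(normalise(username))
    for word in sorted(banned):
        if word and word in plain:
            problems.append(f"contains '{word}'")
    return problems
```
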

 

How we can help

We can provide help in the following areas:

  • defining and documenting security and logical access procedures
  • performing a security/information audit
  • training staff in security principles and procedures.

Please contact us if you would like any help in any of these areas.