Insolvency Oracle

Developments in UK insolvency by Michelle Butler



Checking PSCs: is it Pretty Silly Compliance?

A lot later than I’d hoped, here’s an article on some of the changes in the Money Laundering Regs that took effect on 1 April 2023.  I’ve also covered some anomalies in the PSC regime when compared with AML Beneficial Owners that could trip up the unwary.

In brief, this article explores:

  • At what points are we now required to check the PSC register?
  • What records are we now required to keep?
  • Does the change to reporting only “material” PSC discrepancies now give us a reason for not reporting in many instances?
  • Do PSC discrepancy reports need to be repeated if the discrepancy has not been fixed?
  • Does an insolvency office holder become a PSC?
  • When a PSC is not the same as an AML beneficial owner: (i) when the shareholder is a UK-registered company
  • When a PSC is not the same as an AML beneficial owner: (ii) when the shareholder has died
  • When a PSC is not the same as an AML beneficial owner: (iii) when the person exercises “significant”, but not “ultimate”, control

The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 can be found at https://www.legislation.gov.uk/uksi/2022/860/contents/made

In this article, I refer to three useful pieces of Companies House guidance:

Reviewing PSCs as part of “ongoing monitoring”

When the MLR19 came out, several professional bodies queried the wording that appeared to suggest that a client’s PSCs were to be reviewed (and, if necessary, a PSC discrepancy report submitted) during the life of a business relationship.  It was felt that this put an unnecessary burden on AML-regulated businesses.  As a consequence, and because it appeared that the MLR19 had gone further than had been originally planned, the MLR17 were changed in 2020 to make it clear that a PSC review was required only when establishing the relationship at the start.

However, in 2021, HM Treasury consulted on the question: wouldn’t it be a good idea to review clients’ PSCs whenever ongoing monitoring is carried out during a relationship?

At that point of course, the fate was sealed.  So it came to pass: the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 reintroduced the need to review PSCs as part of ongoing monitoring.

How frequently should these reviews be carried out?

The MLR17 indicate that the primary purposes of “ongoing monitoring” are to examine whether a client’s activity is consistent with what the AML-regulated business expects it to be based on its knowledge and risk assessment and to ensure that the AML CDD measures remain up to date.

Neither the MLR17 nor the CCAB Guidance specifies how frequently “ongoing monitoring” should be conducted.  As with most things AML, the MLR17 state that it needs to be done according to the assessed risk.  In a fairly recent ICAEW webinar directed at ICAEW members in general (c.1 hour into “Money Laundering Risks”, March 23), it was suggested that periodic routine ongoing monitoring might be done every year for high risk clients and every two or three years for low risk clients.

Of course, the mood music from the RPBs has been that insolvency is generally a high risk service, so IPs are unlikely to have any truly low risk clients when compared with accountants.  Therefore, in insolvencies, it seems to me sensible to tick the “ongoing monitoring” boxes at the time of each case review, but of course firms are free to establish policies setting out other timescales.

Do these reviews realistically achieve anything in insolvencies?

In almost all cases, I think not.  For example, you would not expect PSCs to change in a CVL.  The only cases where I can imagine a PSC ever changing are rescue Administrations or CVAs, but even then it would be very rare.  I guess potentially it could also happen in an MVL, although most shareholder-shifting occurs pre-liquidation.

I understand that part of the authorities’ concerns generally is that some fraudsters file director-appointment or PSC-registration documents on Companies House in order to build a false identity.  Although one would hope that directors would police their own company’s file at Companies House, AML-regulated businesses are also tasked with keeping the registers clean by means of these statutory PSC reviews and discrepancy reporting requirements.

But how likely is it that a fraudster is going to pick an insolvent company in order to build a false identity? 

Hopefully, the long-awaited Companies House reform measures via the Economic Crime and Corporate Transparency Bill, which is currently being considered by the House of Lords, will block the ability for fraudsters to abuse company files in this way in future.  But I suspect that this will not mean that the PSC requirements on professionals are lifted (sigh!).

HM Treasury micro-management: requirements on record-keeping

If the issue were just that we needed to check the PSC register at every ongoing monitoring point, I could just about live with that.  However, the amendments go further than this.  In a seemingly unprecedented demonstration of micro-management, we are now required to take a copy of the PSC register every time ongoing monitoring is carried out!

This is set out in new Regulation 30A(2A):

“When taking measures to fulfil the duties to carry out customer due diligence and ongoing monitoring of a business relationship.., a relevant person must also collect an excerpt of the register which contains full details of any information specified in paragraph (1A) which is held on the register at that time, or must establish from its inspection of the register that there is no such information held on the register at that time.”

But now we only need to report “material discrepancies”, right?

True, the regulators have highlighted this particular change as lessening the burden on us all.  But the small print suggests to me that little has changed in practice.

While the Regs have been changed so that only material discrepancies need to be reported, new Schedule 3AZA defines these as occurring where:

“… the discrepancy, by its nature, and having regard to all the circumstances, may reasonably be considered—

(a) to be linked to money laundering or terrorist financing; or

(b) to conceal details of the business of the customer.”

Companies House guidance on Reporting a Discrepancy points out that it is irrelevant whether there was an intention to conceal.

The Regs’ Schedule continues:

“Discrepancies listed in this paragraph are in the form of—

(a) a difference in name;

(b) an incorrect entry for nature of control;

(c) an incorrect entry for date of birth;

(d) an incorrect entry for nationality;

(e) an incorrect entry for correspondence address;

(f) a missing entry for a person of significant control or a registrable beneficial owner;

(g) an incorrect entry for the date the individual became a registrable person.”

In my experience, incorrect natures of control or entirely missing entries are the most obvious discrepancies, so these will continue to need to be reported. 

The Companies House guidance on Reporting a Discrepancy provides examples of discrepancies that would be considered “material” and it seems to me that only insignificant typos might not hit this threshold.  I guess, however, that we might also avoid reporting a discrepancy if someone is registered as a PSC when they are not one… although I wonder how the RPBs will view this.

What a faff!

What happens after a PSC discrepancy report is submitted?

Well, the Regs require Companies House to “take such action as [Companies House] considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner” (MLR17 Reg 30A(5)).  In practice this appears to mean that they will email the insolvency office holder and ask them to amend the company’s register.  Personally, I cannot see that there is a positive duty on an insolvency office holder to fix the register and, in any event, the PSC discrepancy report is only submitted on the basis of the IP’s knowledge; in many cases, the true facts of the situation may be less than certain.

If the IP chooses not to amend the register, then the chances are that the discrepancy will remain.  I have seen that, in such cases, Companies House generally takes the view that they have taken the appropriate steps and so no more action is required.  Oh, the things we all do to comply with poorly thought-out legislation!

A welcome bit of pragmatism in the Companies House guidance

Of course, things tend to be different with a live client, such as those with accountants.  In those cases, when an accountant identifies a PSC discrepancy, it would be usual for them to get in touch with the client and encourage them to correct the discrepancy on the file.  Although this sometimes also happens pre-insolvency, in cases where the PSC discrepancy remains after the insolvency has begun, this gives rise to another issue when “ongoing monitoring” is carried out later.

Technically, the amended Regs don’t accommodate an uncorrected PSC discrepancy.  They would require you to submit a new PSC discrepancy report every time.

However, the Companies House guidance on Reporting a Discrepancy thankfully explains that they are not expecting a second discrepancy report if it has been reported previously.

Should the insolvency office holder be recorded as a PSC?

Interesting question, don’t you think?  Clearly, insolvency office holders exercise “significant influence or control”, so does this make them a PSC?  As their appointment doesn’t immediately affect the PSC register at Companies House, does this give rise to a material discrepancy to be reported during ongoing monitoring or a need to be registered as a PSC on appointment?

I strongly recommend the Companies House guidance on “Significant Influence or Control”.  It contains many nuggets helping to determine who might be a PSC.

It includes, at para 4.4, that anyone exercising a function under an enactment, e.g. “a Liquidator or receiver”, is not a PSC (provided that they only act in accordance with their statutory functions).

That’s one issue sorted, then.

When PSCs and Beneficial Owners differ

But there are other scenarios that can be confusing.  In most cases, identifying the PSCs is no different from identifying the beneficial owners for AML CDD purposes and this makes it relatively straightforward to spot any PSC discrepancies. 

But there are several situations in which the PSCs are not the same as the AML beneficial owners, so when staff are checking for PSC discrepancies it is valuable that they understand these anomalies.

When there is a UK-registered corporate shareholder

Sometimes, we come across the following scenario:

We’re probably all comfortable with the concept that the beneficial owners for AML CDD purposes are the two 50% shareholders at the top of the tree.  However, if the holding company is a UK-registered company, then the holding company is the one that should be registered as the operating company’s PSC.

There are other scenarios (i.e. not only UK-registered companies) where a 25%+ shareholder who is a legal entity should itself be registered as a PSC – see section 2.2 of the Companies House PSC guidance for companies.  But in other cases, the legal entity shareholder should not be registered as the PSC, but instead the individuals or entities up the shareholding tree need to be registered.

Where the shareholder has died

For AML CDD purposes, the MLR17 state (Reg 6(6)):

“In these Regulations, ‘beneficial owner’, in relation to an estate of a deceased person in the course of administration, means—

(a) in England and Wales and Northern Ireland, the executor, original or by representation, or administrator for the time being of a deceased person;

(b) in Scotland, the executor for the purposes of the Executors (Scotland) Act 1900”

However, the Companies House PSC guidance for companies states (para 7.7.1):

“In the unfortunate event that a PSC of your company is deceased, the PSC should remain on the PSC register until such time as their interest is formally transferred to its new owner. While an executor has fiduciary duties to the intended beneficiaries of the assets, the executor is are responsible for administering the estate according the wishes of the deceased. The deceased will therefore continue to be registrable until such time as the control passes to another person, such as an heir, who will exercise their influence and control over your company for themselves.”

In other words, for AML CDD purposes, the executor or administrator of a deceased person’s estate will be a beneficial owner, but for PSC purposes it will remain the deceased person.

The difference between “significant” and “ultimate” control

While we usually focus on the shareholders and directors when identifying the beneficial owners for AML CDD purposes, there is an additional woolly category (MLR17 Reg 5(1)(a)): those who “exercise ultimate control over the management” of the entity.

The PSC regime has a different measure.  As the name suggests, it is concerned with those who exercise significant, not ultimate, control.  I think that both the AML and PSC regimes require us to consider shadow directors, but other people may be a PSC but not a beneficial owner.

The Companies House guidance on “Significant Influence or Control” includes an interesting – and insolvency-relevant – example (para 4.10):

“Extra-ordinary functions of a person could result in them being considered to have significant influence or control:

A director who also owns important assets or has key relationships that are important to the running of the business (e.g. intellectual property rights), and uses this additional power to influence the outcome of decisions related to the running of the business of the company. This individual would not be able to rely on the excepted role of director to avoid being considered to exercise significant influence or control.”

This scenario – and indeed the existence of shadow directors – could make an IP’s life frustrating, I think.  Before appointment, you could identify someone exercising significant control in this way but who is not registered as a PSC at Companies House… so you submit a PSC discrepancy report.  Then, Companies House gets in touch with you after your appointment asking you to amend the register.  But at that point, the person no longer exercises significant control – ta daa!

Ok, I know, I would hope that the RPB would not take you to task for not submitting a PSC discrepancy report pre-appointment, but who knows?

The costs of compliance

IPs are well accustomed to investing time and effort in complying with what appear to be pointless requirements, so I’m sure that most will read this with a tired eye-rolling. 

Of course, all these additional duties need to be resourced and this costs firms – and therefore insolvent estates – more money.  However, it seems that the RPB/IS perceptions that some IPs charge excessive fees never change, regardless of the fact that year after year compliance duties increase.  This may only be another 10-minute task, but it all adds up, doesn’t it?



The Economic Crime Levy – a disaster averted

Regulations introduced last year appeared to make insolvency office holders personally liable for the new economic crime levy due from insolvent businesses, whether incurred pre- or post-appointment.  Was this another example of HMRC looking to jump the queue over ordinary unsecured creditors?

Fortunately, R3 took up the baton and, eventually, amendment regulations were created to curtail these effects.  Phew!

The original regulations, the Economic Crime (Anti-Money Laundering) Levy Regulations 2022 (“the Regs”), can be found at: https://www.legislation.gov.uk/uksi/2022/269/contents/made

The Economic Crime (Anti-Money Laundering) Levy (Amendment) Regulations 2023 (“the Amendment Regs”), are at: https://www.legislation.gov.uk/uksi/2023/369/contents/made

How does the levy work in general?

Don’t panic!  The charge is not levied on all businesses.  It is attracted only by businesses that carry out AML-regulated business… so banks, solicitors, accountants, art dealers, estate agents, casinos, insolvency practitioners…

IPs?! 

Honestly, there’s no need to panic… at least not this year.

Relating to the 2022/23 year, the levies are:

  • For small businesses (under £10.2m UK revenue): nil
  • For medium businesses (£10.2m – £36m): £10,000
  • For large businesses (£36m – £1bn): £36,000
  • For very large businesses (over £1bn): £250,000

The levy for the 2022/23 financial year becomes due on 30 September 2023.  The levy rates have been fixed by the Finance Act 2022, so it will be interesting to see if/when this changes in future and whether small businesses will be made to contribute.

What if the trader goes insolvent?

Regulation 15 of the Regs states:

“(1) This regulation applies where a person liable to pay the levy—

(a) who is an individual—

(i) has died or become incapacitated; or

(ii) has become bankrupt; or

(b) is subject to winding-up, receivership, administration or an equivalent procedure.

(2) The person (“P”) who—

(a) in the case of an individual, carries on the regulated business on behalf of an individual who has died or become incapacitated; or

(b) acts as the liquidator, receiver or administrator in relation to the business of the person liable to pay the levy or acts in an equivalent capacity,

may be treated by the appropriate collection authority as the person liable to pay the levy and must satisfy the requirements of Part 3 of the Act and the requirements of these Regulations as if they were the person liable to pay the levy.”

And that was it!  There was nothing limiting the scope or slipping the levy into any insolvency order of priority: if the insolvent business couldn’t pay, then the levy could be charged to the office holder.

Disaster averted!

After I had realised the effect of this regulation (with the help of the R3 GTC chair), I raised it at an R3 General Technical Committee meeting and fortunately R3 – as well as, I think, the Insolvency Service (after all, Official Receivers could be liable too) – took up the issue with HMRC, as they are the “appropriate collection authority” in the majority of cases.

The Amendment Regs were made on 27 March 2023 and they insert the following:

“(3) Any amount of levy which relates to UK revenue attributable to a period before the date when the winding-up, receivership, administration or other equivalent procedure takes effect is payable by the person subject to the winding-up, receivership, administration or an equivalent procedure, and not by the person treated as the person liable to pay the levy under paragraph (2).

(4) Any amount of levy which relates to UK revenue attributable to a period on or after the date when the winding-up, receivership, administration or other equivalent procedure takes effect is to be regarded as an expense of that winding-up, receivership, administration or equivalent procedure.”

The effect of this amendment

In other words, if the levy relates to pre-appointment revenue, it will remain due and payable by the insolvent entity, i.e. it will be a normal unsecured claim.  It is only if the levy relates to post-appointment revenue that we will need to worry, because then it will be an expense.

The thought of trading-on an AML-regulated business probably sends shivers down most of our spines already.  Now, the attraction of an additional expense just adds another nail in the trading-on in insolvency coffin.

“Equivalent procedures”?

As you can see, the Regs specifically reach to liquidators, receivers, administrators and trustees in bankruptcy.  What about VA Nominees and Supervisors?  Personally, I can think of many arguments as to why a VA is not an equivalent procedure and moratorium monitors are even less likely to be caught, I think.  However, it may well be up to the courts to decide on those.

It’s not all good news: more work for office holders

Regulation 15 imposes more than a direct financial cost on insolvency office holders.  They also “must satisfy the requirements of Part 3 of the Act and the requirements of these Regulations as if they were the person liable to pay the levy”.

This means that insolvency office holders will need to submit returns to HMRC (or the FCA or the Gambling Commission, depending on the type of business) for pre-appointment periods and probably also for the first post-appointment period to the end of the tax year unless the collection authorities introduce an end-of-trading return process.  I very much doubt that HMRC etc. will be able to accommodate office holders who want to submit returns offline – that will be interesting.

If there is no post-appointment trading and no prospect of an unsecured dividend, will office holders still be required to submit missing returns?  Let’s hope the collection authority doesn’t get all jobsworth over this requirement.

A new regime and a new registration process

Of course, we’ve only just got to the end of the first levy year and, although the Regs came into force on 1 April 2022, HMRC is not yet receiving registrations (see https://www.gov.uk/government/publications/prepare-for-the-economic-crime-levy/get-ready-for-the-economic-crime-levy#registering-for-the-ecl).  Therefore, office holders taking appointments of AML-regulated entities over the next few months may also need to do the work of registering the entity in the first place.

Is it all a conspiracy?

Actually, no, I don’t think HMRC tried to jump the queue by getting this levy some kind of super priority.  I think it was just poor drafting.  But, goodness, what poor drafting!

It goes to show that we all need to stay alert to new legislation: the more eyes on these things, the better.



A tale of two views: is a paid creditor still a creditor?

The Insolvency Service’s report on the 2016 Rules review contains some interesting gems.  It’s a detailed report, which demonstrates they have scrutinised the consultation responses.  The result is a list of proposed fixes to the Rules – most are welcomed, a few are alarming.

In this blog, I describe what I found was the most surprising and alarming statement in the report.  It relates to the age-old question: is a paid creditor still a creditor?  The report’s statement is surprising, as it is the polar opposite of a comment published by the Insolvency Service 5 years ago.  And it is alarming because the report states merely that the Rules need to be made “clearer”, which suggests that we have all been misinterpreting the Rules over the past 5 years.  But hey ho, we’re only talking about fee-approval and Admin extensions!

The Insolvency Service’s report is available at: https://www.gov.uk/government/publications/first-review-of-the-insolvency-england-and-wales-rules-2016/first-review-of-the-insolvency-england-and-wales-rules-2016

Is a paid creditor still a creditor?

If a creditor’s claim is discharged (and not subrogated to the payer) after the start of an insolvency proceeding, should that creditor still be treated as a creditor for decision procedures and report deliveries?

Before I left the IPA in 2012, the question began to be discussed at the JIC.  It turned out to be a hotly debated topic and I never did learn the conclusion.  I’d always hoped that there would be a Dear IP on the subject to settle the matter once and for all (subject to the court deciding otherwise, of course).  It was such a live topic at that time that surely the 2016 Rules were drafted clearly, weren’t they?

The general principle?

I had heard a rumour long ago that the Insolvency Service’s view was once-a-creditor-always-a-creditor.  I understood that the basis for this view was that creditors are generally defined as entities who have a claim as at the relevant date, so the fact that the creditor’s claim may have been discharged later does not change their status as a creditor.

Of course, this doesn’t work if, after the insolvency commences, the creditor sells their debt (or it is otherwise discharged by a third party): the purchaser/settlor tends to acquire the creditor’s rights, so the original creditor would no longer be entitled to a dividend or to engage in decision procedures – there are Rules and precedents to address these scenarios.

I can see where this view might come in handy, e.g. where an office holder had already paid creditors in full and only afterward realises that creditors have not yet approved their fees.

However, this view always seemed illogical to me: why should a paid creditor be entitled to decide matters that no longer affect them, e.g. the office holder’s fees or the extension of an Administration?  Indeed, some paid lenders refuse to engage where their debt has already been discharged, even though an Administrator may need all secured creditors’ consents to move forward.

Setting aside this issue, it could be argued that in some respects the 2016 Rules support a once-a-creditor-always-a-creditor view.  For example, R15.31(1)(c) states that in CVLs, WUCs and BKYs, a creditor’s vote is calculated on the basis of their claim “as set out in the creditor’s proof to the extent that it has been admitted”, which could indicate that post-commencement payments are ignored for voting purposes. 

But then what about R14.4(1)(d), which states that a proof must:

“state the total amount of the creditor’s claim… as at the relevant date, less any payments made after that date in relation to the claim… and any adjustment by way of set-off in accordance with rules 14.24 and 14.25”? 

Is the “claim” the original sum or the adjusted sum?  If, for the purposes of identifying the “claim” for voting purposes, conveners are supposed to ignore post-commencement payments made, then doesn’t R14.4(1)(d) (and R15.31(1) – see below) mean that they should also ignore any set-off adjustment?  That doesn’t make sense, does it?

Administrations are always “special”, aren’t they?!

R15.31(1)(a) provides that creditors’ claims for voting purposes are calculated differently for ADM decision procedures.  It states that in ADMs creditors’ votes are calculated:

“as at the date on which the company entered administration, less (i) any payments that have been made to the creditor after that date in respect of the claim, and (ii) any adjustment by way of set-off…”.

This seems pretty unequivocal, doesn’t it?  A paid creditor would have no voting power in an ADM decision procedure.

It is not surprising therefore that R15.11(1) provides that notices of ADM decision procedures must be delivered to:

“the creditors who had claims against the company at the date when the company entered administration (except for those who have subsequently been paid in full)”.

So the natural meaning of these Rules seems to be that paid creditors have no voting power and therefore do not need to be included in notices of decision procedures.  This seems logical, doesn’t it?

What about prefs-only decision procedures?

These Rules led me to ask the Insolvency Service via their 2016 Rules blog: what is the position where an Administrator is seeking a decision only from the prefs, especially where those creditors also have non-pref unsecured claims?  Do the Rules mean that, where a pref creditor’s claim has been paid in full, the pref creditor is ignored for the prefs-only decision procedure? 

Or does the fact that the creditor hasn’t actually been “paid in full” because they have a non-pref element mean they should still be included in the prefs-only process?  And does that mean that, per R15.31(1)(a), they would be able to vote in relation to their non-pref claim? 

Yes, I know this would seem a perverse interpretation, but it seemed to me the natural meaning of rules that were not designed to apply to a prefs-only process.

The Insolvency Service’s view in 2017

The Insolvency Service’s response on 21 April 2017 (available at https://theinsolvencyrules2016.wordpress.com/2016/11/30/any-questions/comment-page-1/#comments – a forum on which the Service aimed to “provide clarity on the policy behind the rules”) was:

“Our interpretation is that 15.3(1)(a) (sic) would lead an administrator to consider the value of outstanding preferential claims at the date that the vote takes place. This would only include the preferential element of claims, and if these had been paid in full then the administrator would not be expected to seek a decision from those creditors.”

Now: the Government’s “long-standing view”

However, the Insolvency Service’s Rules Review report (5 April 2022) states:

“Several respondents asked for clarification on the position of secured and preferential creditors that had received payment in full. It has been the Government’s position for some time that the classification of a creditor is set at the point of entry to the procedure and that this remains, even if payment in full is subsequently made. We believe that to legislate away from this position could cause more problems than it would seek to solve. Accordingly, the Government has no plan to change its long-standing view on this matter. We will amend rule 15.11(1) to be clearer that where the Insolvency Act 1986 or the Rules require a decision from creditors who have been paid in full, notices of decision procedures must still be delivered to those creditors.”

Wow!  If only the Insolvency Service had published the Government’s long-standing view 5 years ago, before all those fees had been considered approved by only unpaid prefs or secureds!

Is it only a R15.11(1) issue?

The Service’s report makes no mention of the voting rights of paid prefs.  So does this mean that paid prefs should receive notice of decision procedures, but, in line with the Service’s statement in 2017, they have no voting rights?  Or do they think that R15.31(1)(a) also needs to be changed?

And what about paid secured creditors?  They’re not involved in decision procedures at all, so R15.11 is irrelevant where an Administrator is seeking a secured creditor’s approval or consent. 

What is a “secured creditor”?

A secured creditor is defined in S248 of the Act as a creditor “who holds in respect of his debt a security over property of the company”.  “Holds” = present tense.  If a secured creditor no longer holds security over the company’s property at the time when an Administrator seeks approval/consent, are they in fact a secured creditor?

It seems to me that, if the Service wishes to amend the Rules to make them clearer as regards the Government’s position, they may need to look at amending the Act too.

The consequence of a clarification of the Rules

If the report had stated that the Service intended to change the Rules to give effect to the Government’s view, I would not have been so alarmed – that would be a problem for the future.  But they have said that they want to make the Rules “clearer”.  This suggests that they believe the existing Rules could be interpreted to give effect to the Government’s view.  In that case, are we expected to apply the existing Rules in the way that this report describes?

And what about all the earlier cases in which paid secured or pref creditors’ approvals were not sought?  What effect does this have on previously-deemed approved fees, extended Administrations and discharged Administrators?

And what does this approach achieve?  Are IPs really expected to seek approvals/consents from paid creditors, most of whom have no theoretic, or even real, interest in the process?  Why should paid prefs get to decide, even if they have non-pref unsecured claims, when no other unsecured creditors have this opportunity?

Are the ADM Para 52(1)(b) Rules fit for purpose?

I have often blogged that I think the Rules around the consequences for Para 52(1)(b) ADMs are confused and illogical.  The Insolvency Service acknowledged some issues in the Rules Review report:

“Some respondents raised issues related to administration cases where statements had been made pursuant to paragraph 52(1)(b) of Schedule B1 to the Insolvency Act 1986, highlighting the difficulties that can sometimes occur when only secured and/or preferential creditors need to be consulted on certain matters under the Rules. It is clear that in some cases engagement with this smaller group of creditors can be difficult. However, we consider that the overall efficiencies provided for by the Insolvency Act and Rules across all such cases outweigh the difficulties that can occur in a minority of them.”

“The overall efficiencies”?  Is the Insolvency Service saying that, because it is useful in many cases not to have to bother with non-pref unsecureds, this outweighs the issues arising in a minority of cases?  If that’s true, then why not roll out this alleged more efficient process across all insolvency case types..?

The advantage of HMRC pref status?

Ok, a silent secured creditor can be a real headache and a silent paid secured creditor is going to be particularly reluctant to lift a finger.  But now that HMRC is a secondary pref creditor in most cases, at least this eases the problem of getting a decision from the prefs, doesn’t it?

I understand that HMRC is still acting stony in the face of many decision procedures.  Oh come on, guys!  If you want IPs to waste estate funds applying to court, you’re going the right way about it.

Other issues with the Rules Review report

This is only one of a number of issues I have with statements in the report.  In the next article, I will cover some others as well as highlight some items of good news for a change.

And apologies for my silence over the past months: an extremely busy working season and an unexpected health issue sapped me of my time and energy.  Last August, I had planned on covering other effects of the IVA Protocol – this will emerge one day.



Brexit brings changes even for exclusively-UK insolvencies

Have you found yourself reading articles about the effects of the end of the Brexit transition period that leave you wondering: ok, but is there anything that directly affects my bog-standard UK insolvency work?

As we have been labouring on fixing our own document packs, I thought I’d publish our to-do list.

Jo’s latest Technical Update summarised the main changes and gave a full list of useful resources.  If you have bought the latest Butterworths, you’ll see that the changes have already been helpfully inserted in italics.  However, you still really need to refer to the Insolvency (Amendment) (EU Exit) Regulations 2019 (at https://www.legislation.gov.uk/uksi/2019/146/contents) to see which Act sections and Rules have been affected.  And then of course there’s non-insolvency legislation like the GDPR to think about.

Jo and I found that the key effects boil down to:

  • Determining the type of proceedings;
  • Ignoring member State liquidators; and
  • Re-defining the GDPR

 

New Types of Proceedings

It seems like only yesterday that we started to add to docs whether the EU Regulation (or EC Reg as it was then in 2010) applied and thus whether the proceedings in question were main, secondary, territorial or non-EU proceedings.

Unfortunately, the Brexit effect is not that this sentence can now be eliminated.  Instead, we need to replace it with a statement as to whether the proceedings are (or will be):

“COMI proceedings, establishment proceedings or proceedings to which the EU Regulation as it has effect in the law of the United Kingdom does not apply”.

What defines the proceedings?

New definitions have been added to Rule 1.2:

“COMI proceedings” means insolvency proceedings in England and Wales to which the EU Regulation applies where the centre of the debtor’s main interests is in the United Kingdom;

“establishment” has the same meaning as in Article 2(10) of the EU Regulation;

“establishment proceedings” means insolvency proceedings in England and Wales to which the EU Regulation applies where the debtor has an establishment in the United Kingdom

Dear IP no. 116 explains that effectively COMI proceedings are the new “main” proceedings: the COMI tests are very similar to the previous ones and so, where a company’s principal place of business and registered office are in the UK, this will be the reason why the proceedings are COMI proceedings.

Dear IP no. 116 also explains that similarly establishment proceedings occur where the COMI is elsewhere but the insolvent has an establishment in the UK, where previously this would have resulted in secondary or territorial proceedings.

“Proceedings to which the EU Regulation as it has effect in the law in the United Kingdom does not apply” will be encountered where, per Dear IP no. 116, “one of the UK’s other grounds for the opening of insolvency proceedings has been relied upon”.

What documents are affected?

The documents affected (excluding those that an IP’s solicitors would draft, such as Admin order applications and winding-up petitions) are:

As regards the last document listed above, in fact there has been no change to R8.24(2)(c), which requires the Nominee’s report on the consideration of the IVA Proposal to “state whether the proceedings are main, territorial or non-EU proceedings and the reasons for so stating”… but we assume that this was mistakenly omitted.

 

Member State Liquidators: blink and you’ll have missed them

In June 2017, the Act and Rules were amended to require office holders to engage with member State liquidators involved with the debtor.  For example, office holders needed to send to the member State liquidator copies of all their notices to the court, Companies House or the OR and liquidators and administrators needed to seek the member State liquidator’s consent to the dissolution of the company prior to filing the final docs at Companies House.

All those obligations have now been removed.

Even if you have never dealt with a member State liquidator before and your checklists never even referred to them, there is one change that you need to make to documents as a consequence: R15.8(3)(j) requires decision procedure notices in CVAs and IVAs to state the effects of R15.31 about the calculation of voting rights.  R15.31(7) and (9) have been changed to remove reference to the rights of a member State liquidator to vote, so likewise you will need to tweak your CVA and IVA R15.8 notices.

 

The GDPR: what is it called now?

The EU’s GDPR (i.e. EU 2016/679) forms part of the UK’s law as a consequence of the European Union (Withdrawal) Act 2018.  The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 define the product of this action as the “UK GDPR”.  These Regulations also make the necessary amendments to the GDPR to reflect the fact that the UK is not a member State.

Does this mean that we now need to start referring to the “UK GDPR”?  Personally, I don’t think so.  “GDPR” was a colloquial term in any event, so I don’t think this has ceased to be relevant… unless you’re communicating with someone in the EU about the GDPR, of course.  Certainly, I don’t think there is any need to go editing internal checklists and I don’t think there’s any pressing need to change documents that refer in passing to the GDPR… although you might like to take this opportunity to replace “GDPR” with something more generic like “data protection legislation” to future-proof it in case the EU GDPR and the UK GDPR diverge materially over time.

So no changes are required for the GDPR switch then?

Almost none.  If you have any documents that accurately define the EU GDPR, then you should update this.  For example, many letters of engagement make specific reference to the General Data Protection Regulation EU 2016/679 in setting out the parties’ obligations as data controllers (such as the style clause for engagement letters that was issued in 2018 by ICAS at https://www.icas.com/regulation/guidance-and-helpsheets/preparing-for-gdpr).  If so, then it would be correct to update this to refer to the effect of the 2019 Regulations.

You should also check what your privacy notice says about transferring data outside the EU.  Some notices are specific about when this would happen (if ever).  Of course, now the data you process are already outside the EU and if you were to transfer any of it to any of your service providers (e.g. ERA providers or debt collectors) in the UK, it would be a transfer outside the EU.  Other than making sure that your privacy notice describes this reality, it’s not a big deal, as you would still be transferring data in accordance with the data protection legislation, wouldn’t you..?

What about GDPR-compliant contracts?

To be honest, I’ve encountered a staggering diversity in the levels of concern about the creation of GDPR-compliant contracts with data processors.  I suppose that’s not surprising when even some RPB reviewers have chosen not to explore GDPR compliance to any great degree.

But if you do ensure that the data processors that are engaged by you, your firm, or the insolvents over which you are appointed are wrapped into a GDPR-compliant contract, then you may want to revisit the wording of your standards, especially around the conditions for transferring data outside the EU.

 

Fortunately, as far as we can see, those are the only practical effects on day-to-day UK insolvency work.  What with all the changes to documents and processes in consequence of the CIGA and HMRC secondary preferential creditor changes, I think we could all do with a break from largely unhelpful tinkering for a while.

 



It’s not just connected pre-packs and it’s not just legislation

If the draft regs and pre-packs were a Venn diagram…

The new draft legislation requiring an evaluator’s opinion on connected pre-packs has drawn most attention.  But the measures will affect more than just connected pre-packs and the Insolvency Service’s report reveals other planned efforts to influence IPs’ activities and disclosures.

In this article, I focus on the less-publicised changes that are afoot, including:

  • The impact on post-appointment connected party sales
  • The option of seeking creditors’ approval, rather than getting an independent opinion
  • The government’s desire to increase the use of viability statements
  • The emphasis on SIP16’s “comply or explain” requirement
  • The government’s wish for RPBs to probe into cases where marketing is not undertaken
  • The need for greater compliance with SIP16’s disclosure requirements

The Insolvency Service’s Pre-Pack Sales in Administration Report and the draft regulations are at: https://www.gov.uk/government/publications/pre-pack-sales-in-administration.

 

The draft regulations are not about pre-packs

No, really, they’re not.  The draft regulations impose new requirements on:

  • Connected party sales only
  • But not just connected party pre-packs, also any sales of “all or a substantial part of the company’s business or assets” within 8 weeks of the start of the Administration
  • How is a “substantial part” defined? It isn’t.  It will be up to Administrators to form an opinion about whether a sale involves a substantial part
  • And the regs will capture not just sales, but also the “hiring out” of all or a substantial part of the business or assets

 

Why interfere with post-appointment sales?

The Insolvency Service’s report does not explain or seek to justify this step.  It seems to suggest that, because the SBEE Act’s power to legislate extended to all connected party sales, they were free to regulate all such sales.  However, they have graciously decided “only” to apply the requirements to sales within 8 weeks of the start of the Administration.

So… a secured lender appoints Administrators perhaps in a hostile manner.  The Administrators have had no contact with the director before their appointment, but they soon learn that the director is anxious to hold onto the business so will offer almost anything.  The Administrators are keen to recover as much as possible for their appointor and, as is their statutory duty, to care also for other creditors’ interests, so they play hard ball to squeeze out the best deal.  The Administrators’ agents recommend that they snap up the offer – maybe they’ve now carried out some marketing, maybe it’s a no brainer that no unconnected party in their right mind would offer anything approaching the director’s offer – the secured lender is happy with it, and the Administrators make sure that the purchaser is good for the money.  But still the purchaser must instruct an independent evaluator?

 

What will the evaluator evaluate?

The evaluator’s report must state whether or not they are:

“satisfied that the consideration to be provided for the relevant property and the grounds for the substantial disposal are reasonable in the circumstances”

It seems to me that the people best-placed to evaluate whether the consideration is reasonable are professional agents, aren’t they?  Shame that independent, qualified, PII’d agents instructed by the Administrators to do just that cannot be trusted with this task, isn’t it?

How does someone assess whether “the grounds for the substantial disposal” are reasonable?  It’s not “the grounds for Administration”, so this will not address the cynics’ belief that directors engineer companies into Administration to “dump debts” and start again.  I’m not saying this happens often, if at all.  Unnecessarily putting yourself through an Administration and then battling to restore, or to build new, trust of suppliers, employees, and customers seems a drastic step to take.  I think that many connected purchasers underestimate the struggles ahead of them.

Presumably, “the grounds for the substantial disposal” relates to the question: could a better price be achieved by a different strategy?  This sounds like a debate about the marketing strategy, the prospects of alternative offers, and going concern v break-up, so again professional and experienced agents seem best-placed to make this evaluation.

 

But why not just ask the Pool?

I understand the noises of: what’s wrong with simply asking the Pre-Pack Pool?  But I return to the question: why have an opinion in the first place?  It won’t dispel the suspicions that the whole thing has been designed by the directors who shouldn’t be allowed to use Administration or Liquidation and it won’t answer the many who just believe that it’s wrong for a director to be allowed to buy the business or assets from an Administrator or Liquidator.  The public comments below The Times’ articles on pre-packs say it clearly: some people call connected party sales (and CVAs) “fraud” or “legal theft”.  How do you persuade these people to see things differently?

The strongest argument I could find in the Insolvency Service report for a Pool opinion was:

“Whilst some stakeholders said that an opinion from the Pool (or lack of one) would not affect their decision to trade with a business that was sold to a connected party purchaser, other creditor groups said that their members valued the Pool’s decision, and that the opinion did influence their decision as to whether to trade with the new company.  They also stated that where the Pool had been utilised, the opinion given helped to demonstrate to creditors that in some circumstances a sale to a connected party provided a reasonable outcome for creditors.”

So some say it helps, some say it doesn’t.

Somehow the Insolvency Service concluded that their “review has found that some connected party pre-packs are still a cause for concern for those affected by them and there is still the perception that they are not always in the best interests of creditors”, but I saw nowhere in the report where those perceptions originate.  The report referred to the media and the CIG Bill Parliamentary debates.  Is that your evidence?  Oh yes, some Parliamentarians have been very colourful in their descriptions of pre-packs; one said that the directors offer “a nominal sum – maybe only £1 or a similarly trivial sum”.  Their ignorance – or the way they have been misled to believe this stuff – is shameful and on the back of such statements, distrust of connected party pre-packs grows and so the case for an independent opinion is made.

And now the R3 President is reported as saying that “effectively anyone will be allowed to provide an independent opinion on a connected party pre-pack sale, which risks abuse of the system that undermines the entire rationale of these reforms”.  Again, we feed the beast that bellows that IPs – and professional agents – cannot be trusted.

So, ok, if it makes you happy, fine, let it be a Pre-Pack Pool opinion.  In my view, they have fallen far short of justifying their existence, but if it shuts the mouths of some who see pre-packs as “Frankenstein monsters” (The Times) or at least gives them pause, then so be it.

 

Getting creditors’ approval as an alternative

The draft regulations provide that, as an alternative to getting an evaluator’s opinion, a substantial disposal to a connected party may be completed if:

“the administrator seeks a decision from the company’s creditors under paragraph 51(1) or paragraph 52(2) of Schedule B1 and the creditors approve the administrator’s proposals without modification, or with modification to which the administrator consents”

This must be achieved before the substantial disposal is made, so it will not be available for pre-packs… unless you can drag out the deal for 14+ days.

Could it help for post-appointment business sales?  Provided that you don’t make a Para 52(1)(a), (b) or (c) statement in your proposals, it might.  And let’s face it, if you’re issuing proposals immediately on appointment and before you’ve sold the business and assets, you may be hard pressed to make any positive statement about the outcome of the Administration.

But if you issue proposals immediately, i.e. before you have negotiated a potential deal with anyone, what exactly would the creditors be approving?  Presumably, they would be informed of your strategy to market the business and assets and shake out the best deal from that.  They would not be informed of what offers (if any) are on the table and it would be commercial suicide for the proposals to include valuations.  Would such vague proposals achieve what the Insolvency Service is expecting from this statutory provision?

Could it be that the Service recognises that true post-appointment connected party sales (i.e. not those that avoid the pre-pack label by resisting negotiation until a minute past appointment) do not require independent scrutiny and this is their way of avoiding putting them all in that basket?

 

Smartening up on SIP16 statement compliance

The Insolvency Service reports that SIP16 statement compliance has improved: since the RPBs took on monitoring compliance in late 2015, the annual non-compliance rate has dropped from 38% to 23%.  The report states, however, that:

“the level of non-compliance continues to be a concern, as SIP16 reporting is a key factor in ensuring transparency and maintaining stakeholder confidence in pre-pack sales”

Hang on, when did SIP16 require a “report”?  The Insolvency Service refers throughout to a SIP16 report.  It’s funny, isn’t it, how something that started off as “disclosure”, then became a “statement”, and now is considered a “report”?  I think this demonstrates how the SIP16 disclosure requirements have grown legs.  And, while the report acknowledges that the RPBs state that most of the non-compliances are “minor technical breaches” and that there is “now more information available to creditors as a result of the SIP16 changes”, it seems to suggest that stakeholder confidence can only be enhanced if we eliminate even those minor breaches.

The report focuses on three areas where it seems that “greater consistency needs to be promoted across the profession”: viability statements, marketing activity and valuations.

 

The value of viability statements

The report indicated that, of the 2016 connected party SIP16 statements reviewed, 28% of them “stated viability reviews/cash flow forecasts had been provided”.  69% of the purchasers in these cases were still trading 12 months later.  However, in the category of cases where no viability statements were evidenced, 87% of those purchasers were still trading after 12 months.  This suggests to me that disclosure of a viability statement does not particularly help Newco to gain trust with creditors!

Of course, the report rightly states that the purchasers may well have carried out their own viability work but have been unwilling to share it.  What I was far less pleased about was that the report stated that “alternatively, it may be that the insolvency practitioner… is not requesting the purchaser to provide a viability statement, which would indicate non-compliance with the requirements of SIP16”.  The cheek of it!  If a progress report omitted the date that creditors had approved an office holder’s fees, would the Service suspect that this was because it never happened?  Actually, I can believe that they would.  The Insolvency Service has no evidence of non-compliance in this regard, but they can’t help but stick the boot in and foment doubts over IPs’ professionalism and competence.

Having said that, IPs would do well to double-check that they are asking for viability statements and making sure that there’s evidence of requests on the file, don’t you think..?

I wonder whether a future change will be that the RPBs will ask to be sent, not only the SIP16 statement, but also evidence of having asked the purchaser for a viability statement.

The report’s conclusion is puzzling:

“In discussions with stakeholders no concerns were raised regarding the lack of viability statements. However, the government considers that there continue to be benefits to completing viability statements for the reasons highlighted in the Graham Review. Therefore, we will work with stakeholders to encourage greater use.”

Hmm… so no one seems bothered about their absence, but the government wants to see more of them.  Logical.

 

Compliance with the SIP16 marketing essentials

The review sought to analyse 2016 connected party SIP16 statements as regards explaining compliance with the six principles of marketing set out in the SIP.  The report states:

“the principles that encourage exposure of the business to the market ‘publicised’ (54% compliance), ‘broadcast’ (53% compliance) and ‘marketed online’ (56% compliance) have only been complied with in just over 50% of cases.”

Given that they were reviewing only the SIP16 statements, I’m not sure they can say that the marketing principles have not been complied with.  Might it just be that the IPs failed to explain compliance in the SIP16 statement?

Having said that, the review also revealed that, “of those that deviated from the marketing principles, over 80% of administrators provided justification for their marketing strategy”, i.e. they complied with the SIP16 “comply or explain” principle.  This suggests to me that 20% of that c.50% need to try harder to get their SIP16 statements complete.

 

The value of marketing

The report acknowledges that “in some limited cases it may be acceptable for no marketing… to be undertaken”.  I think that many would go further than this: in some limited cases, it may be advantageous not to market.  The review stated that no marketing had been carried out in 21% of the 2016 connected pre-packs reviewed.  This does seem high to me and I think does not help counteract suspicions of undervalue selling.

Interestingly, though, where marketing was undertaken, 46% of those connected party sales were below the valuation.  But where marketing was not undertaken, 43% were below “the valuation figure”.  As most IPs get valuations on both going concern/in situ and forced sale bases, I’m not sure which “figure” the Service is measuring against here.  But nevertheless perhaps this is some comfort that marketing doesn’t make a whole lot of difference… unless of course it attracted an independent purchaser, which would have taken the case outside the scope of the Service’s review entirely.  Shame that they didn’t analyse any unconnected SIP16s!

 

The compliance problem

The government’s response to the diversity in approach to marketing and to SIP16 disclosure includes that they will:

“work with the regulators to ensure: there is greater adherence to the principles of marketing”; and “there is a continued increase in compliance with the reporting requirements under SIP16”.

As I mentioned above, the report stated that SIP16 statement non-compliance was at 23% in 2019… but in her recent virtual roadshow presentation, Alison Morgan of the ICAEW stated that their IPs’ 2019/2020 rate was at c.50%.  We must do better, mustn’t we?!

I too am frustrated about the levels of compliance with SIP16.  I realise it’s a killer of a SIP – some of the requirements don’t follow chronologically or logically and some leave you wondering what you’re being asked to disclose.  I realise that almost no pre-packs fit neatly into the from-a-to-b SIP16 ticksheet.  But I don’t know when I last saw a 100% fully compliant SIP16 disclosure!  I know I’m harsh, harsher it seems than some of the RPB reviewers, but whatever SIP16 asks for, please just write it down… and tell your staff not to mess with templates – they/you may think that some statements are pointless or blindingly obvious, but please just leave it in.

 

Expect to be “probed”!

Another part of the government’s response is to:

“ensure that where no marketing has been undertaken, the explanation provided by the administrator is probed by the regulator where necessary”.

True, SIP16 allows for a “comply or explain” approach, but if a large proportion of businesses are not being marketed, it just opens us up to the cheap shot that the sale might have been at an undervalue, doesn’t it?

What is a valid reason for not marketing?  Again in her recent presentation, Alison Morgan indicated that a fear of employees walking out or of a competitor stealing the business may not in themselves be sufficient justification.

 

SIP16 changes in prospect

So what changes will we see in SIP16?  The government response is that they:

“will work with the industry and the RPBs to prepare guidance to accompany the regulations and to ensure SIP16 is compatible with the legislation.”

Guidance?  Sigh!  If it’s anything like the moratorium guidance, then I don’t see why they bother: what more can they say apart from regurgitate the regulations, which are only 6 pages long?

And how is SIP16 incompatible with the regulations?  Well, obviously in referring specifically to getting an opinion from the Pre-Pack Pool… but I wonder how the regulations will look when they’re finalised.  With all the murmurings about almost anyone being able to call themselves an evaluator, I suspect it may be the regulations that will be brought more into line with SIP16 on this point!

But let’s hope that SIP16 is not changed to accommodate the regulations’ capture of all connected party Administration business/“substantial” asset sales within the first 8 weeks.  That truly would be sledgehammer-nut territory, wouldn’t it?

The government has also threatened to:

“look to strengthen the existing regulatory requirements in SIP 16 to improve the quality of information provided to creditors”.

“Strengthen” the requirements?  I wonder what they have in mind…

 

What about valuations?

Oh yes, I forgot: that was the third area the government highlighted for greater consistency.

Right, well, they weren’t happy that 18% of the SIP16s they reviewed failed to state whether the valuer had PII.  I don’t know what they think IPs do, have a chat with a guy in a pub?  So, yes, we need to check that our SIP16 ticksheets are working on that point.

The report also noted that some SIP16s didn’t have enough information to compare valuations to the purchase price, although they didn’t make a big deal of it.  In her recent roadshow presentation, Alison Morgan repeated her request that IPs produce SIP16s that neatly detail the valuations per asset category alongside the price paid.  (You’ll have gathered that Alison had a lot to say about SIP16 compliance – I recommend her presentation!)  Although I share Alison’s view, working through the SIP’s requirements in the order listed is not conducive to presenting the valuation figures alongside the sale price, so this is definitely a SIP16 area that I think could be usefully changed.

 

What if SIP16 compliance does not improve?

Ooh, the government is waving its stick about here:

“Should these non-legislative measures be unsuccessful in improving regulatory compliance, the quality of the information provided to creditors and the transparency of pre-pack sales in administration, government will consider whether supplementary legislative changes are necessary.”

SIPs have pretty-much the same degree of clout as legislation.  In the case of SIP16, arguably it carries a greater threat.  There have been several RPB reprimands for SIP16 breaches published over recent years.  How many court applications does the government think will result if they enshrine SIP16 in legislation?  More than the number of RPB reprimands?  If IPs are failing to comply with SIP16, it’s not because the SIP is toothless.

 

Will the measures solve the pre-pack “problem”?

In my view, no.  There is just too much general cynicism about IPs being in cahoots with directors and about directors being determined to stiff their creditors.

What I think might help a little is if our regulators – the Insolvency Service and the RPBs – reported a balanced perspective of SIP16 compliance.  I know that the report acknowledges that most SIP16 disclosure breaches are “minor technical” ones, but the simple stats grab the headline.  We also need a simpler SIP16 so that compliance is easier to achieve and to measure.  Concentrating on the minutiae and concluding that the statement is non-compliant just does not help.  Are the minutiae really necessary?  Does it improve the “quality” of the information and the transparency of the sale?  I know, I know, the SIP isn’t going to get any simpler, is it?

I think the regulators might also help if they were to defend themselves and in so doing defend IPs as a whole.  Do they not realise that the perception that pre-packs are not in creditors’ best interests is also a slight on how they may be failing to regulate IPs effectively?  No one naïvely claims that all IPs are ethical and professional, so what steps have the RPBs taken to tackle the actual, suspected or alleged abusers of the process?  If they have identified them and are dealing with them, then can they not publicise that fact and confirm that the rest of the IP population are doing the right thing?  Instead, all we hear especially from the Insolvency Service is that, while pre-packs are a useful tool, IPs do a poor job of acting transparently and that there needs to be an independent eye scrutinising the proposed deal to give creditors confidence.  Are not the regulators the policemen in this picture?



Moratorium Muddles

I’m sure we’ve all been flooded with articles on the new moratorium process.  Therefore, I am avoiding the usual broad-brush approach here.  Instead, I hope to draw out some of the niggly complexities and awkward practical consequences of the new provisions… although, to be honest, the closer we look, the more we find…

Jo made an early start on listing some issues in her Technical Update issued earlier this month.  If you’d like a copy, please drop us a line at info@thecompliancealliance.co.uk.

Of course, you all know where to find the Corporate Insolvency & Governance Act 2020 (“CIGA”), but for completeness, it is available at:  www.legislation.gov.uk/ukpga/2020/12/contents/enacted.  The references in brackets in this article are to provisions in CIGA, unless otherwise stated.

The Insolvency Service’s Guidance for Monitors is available at: www.gov.uk/government/publications/insolvency-act-1986-part-a1-moratorium-guidance-for-monitors.

In brief, this article looks at:

  • The need for speed and tenacity in monitoring
  • When monitors might do more than just monitor and how they get paid for this
  • The dangerous timeline of seeking creditors’ consent to an extension
  • A mixed bag of CIGA drafting issues
  • The consequences for SIP9 compliance
  • The ethics of a subsequent appointment
  • The practicalities of a subsequent appointment

 

Monitors Must Monitor, not Supervise

Over the years, I’ve seen several CVA files with seemingly half-hearted or sporadic efforts to extract information, and sometimes even payments, from directors.  A deadline may come and go, a chaser or two might be sent, and at worst efforts simply fizzle away.  The defence is run: but I have discretion… the CVA isn’t strictly in default… it is in creditors’ interests to keep the CVA ticking over even if there’s not 100% compliance, rather than see the company go into liquidation.

This approach will not work in a moratorium: the monitor needs to stay keen, the information flow needs to be far swifter and more frequent.  A monitor must end the moratorium if they think that, by reason of the directors’ failure to provide information, the monitor is unable properly to carry out their functions (A38(1)(c)).   This is not a discretionary power, it’s a “must”, and if a monitor lets things slide, I think they open themselves up to a challenge (A42).

The termination-by-monitor provision (A38) also states that the monitor must bring the moratorium to an end when “the monitor thinks that the moratorium is no longer likely to result in the rescue of the company as a going concern” (albeit that this is modified in these coronavirus times) or when they think “that the company is unable to pay any moratorium debts or non-payment holiday pre-moratorium debts that have fallen due” (subject to the tweak in para 37 Sch 4).

This seems to call for a continual process, not a periodic one.  Of course, monitors are going to have a periodic approach to reviewing the company’s position, checking that the required debts have been paid when they fell due, checking the company’s prospects going forward and making sure that the rescue strategy remains on track.  But surely we are talking days here, not several weeks or months.

Therefore, getting the directors geared up to provide information quickly and regularly and ensuring that you have the internal resources of a disciplined team to keep up the pace are vital.

 

Not all Fees are “Monitors’ Fees”

Over recent years, several IPs have discovered to their loss the idiosyncrasies of R6.7 and R3.1, which restrict what they can be paid for after appointment in relation to pre-CVL and pre-administration costs.  CIGA has given us another trap like this.

CIGA requires the directors to complete several tasks during the moratorium such as notifying the monitor before they take steps to go into another insolvency process (A24), when the moratorium ends.  Worryingly, the directors are also responsible for extending the moratorium.  The InsS Guidance states:

“Directors may not be familiar with the rules surrounding decision making in insolvency procedures and whilst it is not part of a monitor’s statutory duty to assist directors in obtaining the consent of creditors they may choose to do so in an advisory capacity.”

Yep, InsS, I think you can rest assured that no monitor is going to trust a director to run a creditors’ decision procedure without the IP’s strong oversight, as the decision procedure rules are so complex (and made more complex by CIGA’s special voting rules)!

Thus, moratorium extensions will work in a similar way to S100 decision processes: strictly speaking, the director is tasked with the job, but they instruct an IP – almost inevitably the monitor – to do the work for them.  But, as the IP is not carrying out this work in their capacity as monitor, payment will not be classed as the “monitor’s fees”, at least not unless your letter of engagement makes it so.  Therefore, you need to ensure that you have a letter of engagement signed to cover this “advisory capacity” work.

 

Tight Timings

In brief, the timescales of a moratorium are:

  • The first 20 business days are granted on commencement
  • This can be extended by a further 20 business days by the director filing a simple form with the court
  • The moratorium can be extended for period(s) up to the anniversary by getting creditors’ consent via a decision procedure
  • The moratorium can be extended for any length by a court order

In general, the IR16 apply as regards decision procedures, so we’re looking at decisions by correspondence/electronic or a virtual meeting.

What happens if creditors ask for a physical meeting?  What if they say “no” or they simply don’t vote at all?  What if you want to adjourn the virtual meeting, but the moratorium will end in the next day or two?

With these scenarios in mind (and especially as the director needs to sign the docs), you would do well to start a decision procedure long before the moratorium is due to end.

It would have helped if the CIGA had provided that moratoria receive an automatic extension where the decision procedure’s conclusion is delayed, in the same way as an automatic extension is given where a CVA proposal is pending (A14), but hey ho.

 

Impossible Timescale

One timescale in the CIGA simply does not work.  The decision procedure requires five calendar days’ notice, but R15.6(1) (IR16) has not been disapplied, so it seems that creditors have 5 business days from delivery of the notice in which to request a physical meeting.  How does that work then??

It might help, therefore, to hold virtual meetings instead of trusting that creditors will be content with a vote by correspondence/electronic.  At least a virtual meeting is a moderately useful forum for airing grievances and concerns.  Of course, virtual meetings do not suffer the there’s-no-changing-a-cast-vote issue of the other procedures either, so this might also help if there’s any horse-trading to be done.

 

General Fuzziness

Jo and I have spent far too long debating the following questions:

  • A17(2) requires the monitor to notify creditors of the end of the moratorium in several situations, but we can find no notification requirements if the moratorium simply ends because it has run out of time. The InsS Guidance states that “there is no requirement for the monitor to notify creditors or the registrar of companies that the moratorium has ended on expiry of the initial period of 20 business days”.  Ok, but what about where a longer moratorium ends through the effluxion of time?  And does anyone ever tell the court (or for that matter, the PPF, Pensions Regulator, FCA or PRA)?
  • Court notification of the end of the moratorium also appears lacking in other situations: when a CVA proposal has been disposed of (A14); when a court order’s deadline had been reached (A15); and when the company enters an insolvency procedure (A16). Was this intentional?
  • There also doesn’t appear to be any duty on the monitor to notify relevant persons of the end of the moratorium where a court order under A15(2) has specified a time limit (or event) after which the moratorium is ended. Maybe this is why there is no Companies House form to record this end event?
  • What exactly does A24(2) mean, where it requires the directors to notify the monitor before “they recommend that the company passes a resolution for voluntary winding up under section 84(1)(b)”? Is this triggered when the director issues notices to members or would this occur earlier, e.g. when they instruct an IP to help?
  • Why on earth do we have different prescribed content for the proposed monitor’s consent to act in A6(1)(b) and para 17 Sch 4? Do we need both (e.g. that the IP “is a qualified person” and they certify that they are “qualified to act as an insolvency practitioner in relation to the company”)?  And does a monitor act in relation to the moratorium (A6) or the company (para 17)??
  • A28 requires the monitor’s (or the court’s) consent if the company wants to pay certain pre-moratorium creditors. A28(1) states that, with such consent, “the company may make one or more relevant payments to a person that (in total) exceed the specified maximum amount”.  The “specified maximum amount” is defined in A28(2) as £5,000 or 1% of certain liabilities, but do these thresholds relate to “payments to a person… (in total)” or to payments to all such persons in total?  I think that A28(1)’s grammar leads to a meaning of payments to the person in question, but the InsS’ Guidance states that “total payments shall not exceed…”, which gives the impression that the thresholds relate to payments to all such persons.  Which is it?

 

SIP9

SIP9 applies to “all forms of proceedings under the Insolvency Act 1986”, but clearly it was not written with moratoria in mind.  Does it create any difficulties if we assume that we need to follow it (and assuming that its references to “office holder” include a monitor)?

Well, for a start, it means that we all need to draft a Creditors’ Guide to Fees, which will say… erm… not a lot, as fees are a matter for the IP and the company, apart from a couple of rights to challenge.  Of what rights should we inform “other interested parties”?  What about the requirements to justify why a fixed fee is considered fair and reasonable or to cover the “key issues of concern” such as what work we are proposing to do and the anticipated financial benefit to creditors?  Is there any expectation by RPBs that we comply with these requirements even if compliance is required only in spirit?

I know that there’s a SIP9 consultation going on, but when do we think we might see a revised SIP9 come into force..?  Could the RPBs issue some clarification in the meantime?

 

Ethical Threats

This is another area where RPB guidance would be very welcome.  In my view, the InsS Guidance does a poor job in helping IPs observe the Code of Ethics.  It states:

“The monitor is not prevented from taking up a subsequent appointment subject to the insolvency practitioner making an assessment of any threats to compliance with the fundamental principles.  Practitioners may find it helpful to refer to section 2520 of the Code of Ethics that deals with “Examples relating to previous or existing insolvency appointments” in terms of how any subsequent insolvency appointments following appointment as monitor (as administrator or liquidator for example) may be treated. The monitor should satisfy themselves that they have identified any threats to compliance with the fundamental principles and have been able to put in place appropriate safeguards to reduce any threats to an acceptable level.”

My heart always sinks when someone in the profession goes straight to the Code’s examples to see whether they or their boss can take an appointment.  At best, I think that it’s lazy, but at worst it may mean that they don’t really get it.  My heart similarly sank when I read the InsS’ emphasis on the Code’s examples.

Agreeing to act as a monitor has immediate consequences, including an immediate change in priority of liabilities in a subsequent liquidation or administration.  Some of those given an automatic leg-up may be connected to the company; they could be directors or shareholders.  The IP who becomes monitor probably advised the company on its options.  Then there are the during-moratorium self-review and self-interest threats: whether the monitor failed to terminate promptly; whether their fees were excessive; whether it was the right decision to consent to certain payments or to security being granted; and whether they have any outstanding fees thus making themselves a creditor.  All these threats need to be taken seriously and cannot be ticked off simply by seeing that there is normally no reason why an administrator may not take a subsequent liquidation appointment.

 

But who would want a subsequent appointment?

Surely the CIGA’s shifted priorities would make any IP think twice about taking on a subsequent liquidation or administration!  Would you want to risk discovering a whole host of unpaid moratorium liabilities and pre-moratorium claims ranking ahead, not only of your fees, but also of all the expenses of the liquidation or administration (paras 13 and 31 Sch 3)?  And, if you are an administrator, you must make a distribution to those creditors (para 31 Sch 3)!

I think that directors/monitors would be hard-pressed to find an independent IP willing to pick up such a murky can of worms.  It seems to me that the Official Receivers may find themselves with a delightful new source of work.  Perhaps that’s why the InsS made sure that the ORs’ fees take priority over them all (para 13 Sch 3)!

 

The Marketing Bit

Jo and I have rolled out a large part of our moratorium document pack: all the statutory docs are there – to get into a moratorium, extend it and exit it (although we do still have the nagging questions above) – and we are in the process of topping and tailing the pack to include items like file notes to record the key decisions, which should become available in the next week or so.

The moratorium pack is available at no extra cost to all our document pack subscribers and we shall continue to update it at no further cost to these clients.  We are also happy to provide the moratorium pack as a standalone purchase – as-is when complete – for £2,000+VAT.

If you would like more information, please contact us at info@thecompliancealliance.co.uk.



MLR19: as if we didn’t have enough to do already!

It took less than one month for the draft new Money Laundering Regs to come into force, but I struggle to see how many of the additional burdens loaded onto our shoulders have anything to do with minimising the risks of money laundering.

I realise that I can be guilty of seeing insolvency work as somehow special.  However, the inability or refusal of legislation drafters to recognise that insolvency office holders do not have client relationships with the entities/individuals over which they are appointed means that the ever-increasing AML burdens feel so pointless and nonsensical when it comes to IPs.

I wrote as much when I responded to HM Treasury’s consultation back in June 2019 and I was pleased to see that the ICAEW had responded with many of the same concerns, including that MLR-regulated people should not be burdened with a new requirement to report discrepancies to the Registrar of Companies (see below).  But of course, HM Treasury has been required to make these changes largely to stay in line with the EU’s Fifth Money Laundering Directive (“5MLD”), so inevitably there would be no special treatment for IPs.

The new Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (“MLR19”) can be found at http://www.legislation.gov.uk/uksi/2019/1511/contents/made and I think the Law Society’s summary at https://www.lawsociety.org.uk/policy-campaigns/articles/anti-money-laundering-guidance/ (scroll down for the 5MLD bit) is a particularly good one.

How Accurate are PSC Registers?

I have yet to meet anyone working in insolvency who thinks that the adoption of the new People with Significant Control (“PSC”) register was a good idea.  In the good old days, more often than not companies’ annual returns could be relied upon as a true record of shareholdings.  Now that the annual return has been replaced with the confirmation statement, we often don’t know where we are as regards shareholdings!  In addition, from what I’ve seen, many PSCs are incorrect – it seems that many directors or their agents have trouble with percentages (how difficult can it be to determine whether someone has a shareholding of “more than 50% but less than 75%”?!).

People with Significant Control include, not only 25%+ shareholders, but also anyone who otherwise exercises significant influence or control over the company.  Thus, the traditional formulaic approach to registering PSCs, which only ever seems to focus on 25%+ shareholders, does not take into consideration other signs of control, such as those exerted by shadow directors or those relinquished to the significant others of nominal shareholders.

With the abundance of PSC errors in mind, it seems to me that a new MLR19 requirement could add to IPs’ to-do list in a great many cases.

New Obligation to Inform the Registrar of Companies of Discrepancies

The MLR19 introduces to the MLR17 a new Regulation 30A, which requires relevant persons (i.e. IPs etc.) to:

“report to the registrar any discrepancy the relevant person finds between information relating to the beneficial ownership of the customer and… [that which] becomes available to the relevant person in the course of carrying out its duties under these Regulations.”

When might an IP discover a discrepancy?

One could argue that, as AML CDD should be completed right at the start of the engagement, we might not be certain that the register contains any discrepancy until we investigate the shareholdings, say, to draft a Statement of Affairs… and therefore knowledge of any such discrepancy does not become available “in the course of carrying out” AML duties, but rather it emerges after this point.  However, as the MLR17 require “ongoing monitoring”, such an argument is probably a little weak.  (UPDATE 12/08/21: The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 revised this requirement in October 2020 so that the duty to report PSC discrepancies only arises when the discrepancy is identified “when establishing a business relationship with the customer”.  BUT HMT has just issued a consultation (https://www.gov.uk/government/consultations/amendments-to-the-money-laundering-terrorist-financing-and-transfer-of-funds-information-on-the-payer-regulations-2017-statutory-instrument-2022) that proposes to turn this back into an ongoing obligation!)

Companies House has provided guidance on reporting discrepancies on the register: https://www.gov.uk/guidance/report-a-discrepancy-about-a-beneficial-owner-on-the-psc-register-by-an-obliged-entity.

They have also provided an online form (https://www.smartsurvey.co.uk/s/report-a-discrepancy/), but, although they provide twelve categories of people who might use the form, insolvency practitioners are not listed *sigh*

What will RoC do with the information?

The MLR19 state that:

“the registrar must take such action as the registrar considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner.”

So… an IP informs RoC that the PSC register is incorrect on a company in CVL, because someone is recorded as a between-50%-and-75%-shareholder when in fact they are the 100% shareholder.  Is it “necessary” for RoC to resolve this discrepancy?  In an insolvency, it will not make a darned bit of difference, will it?

 

So do IPs really need to inform RoC of the discrepancy?

If you want to comply with the MLR19/17, then yes you do.

Typical, isn’t it?  The Regs require IPs to go to the trouble of notifying RoC of pointless pieces of information, but the Regs give RoC a nice little get-out to avoid having to do anything about it.  What a waste of our time!

Widening the MLR-Regulated Net

The MLR19 captures some new businesses into the MLR-regulated net.  Most will only be relevant to IPs when they are appointed over entities/individuals who are trading in these areas – letting agents, art dealers, cryptoasset exchange and custodian wallet providers – but I wonder if the widened definition of “tax adviser” may capture more non-formal insolvency work carried out by IPs themselves.

“Tax adviser” has been newly defined as:

“a firm or sole practitioner who by way of business provides material aid, or assistance, or advice, in connection with the tax affairs of other persons”.

So… you help a company or an individual to agree a TTP with HMRC in order to avoid a formal insolvency process – does this now make you a “tax adviser”?

I appreciate that some firms already put all prospective new engagements through their AML CDD process whether or not they strictly fall as MLR-regulated engagements, but I suspect that just as many other firms do not.  Now they may have to think twice.

Training for “Agents”

The MLR19 widens the scope of those whom an MLR-regulated firm is responsible for training.  As well as the MLR17’s “relevant employees”, firms must now train (and keep training records for):

“any agents it uses for the purposes of its business whose work is of a kind mentioned in paragraph (2)”, which covers any work relevant to the firm’s compliance with the MLR17 or which is otherwise capable of contributing to the identification or mitigation of the firm’s ML/TF risks or the prevention or detection of ML/TF to which the firm is exposed.

So… an IP instructs agents to sell an insolvent’s assets and to receive the proceeds of sale to pass on to the IP in due course.  It seems to me that, whether or not the sale transaction is caught by the MLR17*, the agents’ work could contribute to the IP’s ML/TF risks or exposure.  And… what about if you use ERA agents, who might come across ghost employees or illegal workers, surely those ERA agents also can affect your ML/TF risks and exposure?  Do the MLR19 capture these agents??

(* If you have not already read the CCAB’s draft insolvency guidance, I would recommend it – at http://ccab.org.uk/documents/20190830CCAB%20InsolvencyAppendixFDraft_18forHMT.pdf.  In brief, the draft guidance explains that only a Trustee in Bankruptcy sells their own assets – all other insolvency office holders act as agents – so, while a TiB must ensure that relevant asset purchasers are subject to AML CDD, no other office holders need “routinely” do so.  Personally, while I see the technical argument, I do wonder whether it reflects the spirit behind the Regs to allow an Administrator to sell a business for £1m without AML CDD, but to require a TiB to do AML checks on someone who wants to buy a bankruptcy asset for >€15,000.)

Jo and I have debated whether chattel agents etc. are truly agents: do they act under the IP’s delegated authority to enter into legal relations on the IP’s behalf?  Even if this is a legal definition of “agent”, does this hold true for the application of the word in the MLR19?

The problem I have is that HM Treasury’s consultation was clearly not interested in agents in general.  The consultation document referred to networks of agents used in a Money Service Business, those involving “multi-layer arrangements with sub-agents who deal with frontline customers”.  But the MLR19 make no such distinction.

Prescriptive EDD for Transactions/Parties in High Risk Countries

The MLR17 already highlighted the need for EDD and enhanced ongoing monitoring where a business relationship or transaction involves someone in a “high-risk third country”.  The MLR19 have added (new Reg 33(3A)) six elements of EDD that “must” be included in these circumstances.

In the main, these new statutory requirements are not unusual.  They include: obtaining more information on the customer, their beneficial owner, the nature of the relationship or reason for the transaction, the source of funds/wealth, and getting senior management to approve the establishing or continuing of the business relationship.

The final requirement puzzled me, though:

“conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination”

Unless an office holder is trading (or is monitoring the trading of) the insolvent’s business, it is difficult to see how this works in an insolvency context.

Nevertheless, IPs’ systems may need to be changed in order to cover the newly-prescribed EDD and ongoing monitoring where someone established in a high risk third country is encountered.  For a more thorough explanation of this area, you may want to look at the Law Society’s guidance mentioned above.

Other Clarifications

The MLR19 include several other tweaks, which to be fair are valuable clarifications of the MLR17 and which may affect the finer points of some firms’ processes and templates.  Again, I’d recommend the Law Society’s guidance for a detailed summary.

Should IPs wait until the RPBs issue/endorse new guidance before we make changes?

The ICAEW has posted a summary of the changes primarily for accountants and has noted that the CCAB’s Guidance will be updated in due course (https://www.icaew.com/technical/legal-and-regulatory/anti-money-laundering/fifth-anti-money-laundering-directive-5mld).  The IPA doesn’t appear to have posted anything specific on the MLR19, but I expect that they too will look to the updated CCAB Guidance.  However, in light of the fact that the CCAB insolvency-specific guidance was not issued even in draft for over 2 years after the MLR17 came into force, I won’t be holding my breath.



GDPR: Ready or Not!

Compared to the Insolvency Rules, getting to grips with the GDPR has felt a lot more painful.  Personally, I have struggled with the GDPR for two reasons: (i) the position of an IP working within a practice and having control over insolvent entities is so clearly a square peg in the GDPR’s round hole; and (ii) for anyone who has been treating personal data with respect already, it seems to be just lots more hassle, simply more documentation of no interest to anyone except the regulators and those who look for causes to complain.

But, if I have not persuaded you already to go off and do something far more interesting instead, here is a summary of an IP’s GDPR to-do list (or, hopefully, a “done” list).  My special thanks go to Jo Harris, who has endured the pain to get the Compliance Alliance’s packs GDPR-ready and whose webinar has informed most of the content of this blog.

(UPDATE 22/05/2018: far more authoritative than my blog is a fantastic FAQs written by the ICAEW and R3 and released just yesterday: https://bit.ly/2x7HPm2.  I think that this article is pretty-much aligned with the FAQs, but the ICAEW does provide more information on their expectations, particularly when taking on an appointment and in notifying creditors of the necessaries.)

 

Privacy Notices

Privacy Notices are probably the most obvious sign that you have prepared for the GDPR world.

Data controllers must provide privacy information to individuals when they collect personal data from them or, if the data is from another source, no later than one month after receipt.  Although the GDPR prescribes a long list of information that must be given, it also states that privacy notices must be concise and easy to understand – if only the GDPR were written so!

To draft a GDPR-compliant privacy notice, you need to have a clear picture of what personal data you hold and what you do with it… in your role as a data controller.

 

Who is a data controller?

The GDPR defines a data controller as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Where an IP processes data as an office holder, they are clearly in control.  An IP deals with personal data on creditors, employees, directors, shareholders, debtors (i.e. insolvent ones and those who owe the insolvent), probably also debtors’ family members…  And we’re not just talking about individual creditors etc.: you will also process personal data on staff working within corporate entities, e.g. emails containing names, email addresses and telephone numbers, sufficient to identify the individual.

What about the personal data contained in the insolvent’s books and records?  Does the IP become the data controller for those on appointment?  I have not attended a GDPR-for-IPs event without the case of Re Southern Pacific Personal Loans Limited ([2013] EWHC 2485 (Ch)) being mentioned.  Although of course this was a decision about the application of the Data Protection Act 1998, it has given many people comfort that at least a liquidator is not considered to be the data controller in relation to data processed by the company prior to liquidation.

So, for practical purposes (unless/until it is overturned), it is probably safe to draw a distinction between data processed by the IP and the insolvent’s data that just sits in a storage facility in case it is needed one day.  This fairly clean line probably doesn’t exist however for a trustee in bankruptcy, as the agency relationship is absent.  Also, at what stage does an IP begin “processing” data in their own right: what if you only review some company records in your possession?  What if you hold electronic data on your system, but never use it?

These fuzzy lines aside, how does understanding when we are a data controller help us draft our privacy notices?

 

The legal basis for processing

For the most part, privacy notices are pretty standard text.  But you do need to hang your flag on a mast when it comes to describing your legal basis/bases for processing the data.

Here are the options:

  • the data subject’s consent – not something that we associate with being in office
  • necessary to perform a contract – again, not something for an office holder, but it may be relevant for work we do (i.e. personal data we process) outside a formal appointment
  • necessary for compliance with a legal obligation – yep, this one is clearly relevant to office holders
  • necessary to protect individuals’ vital interests – nope
  • necessary to perform a task in the public interest – I have heard some say this is relevant for office holders, but it seems to have fallen out of favour more recently
  • necessary for legitimate interests – creditors and others have a legitimate interest in keeping informed and engaging in an insolvency process, so this is relevant

So there are at least two legal bases that are relevant to IPs’ work.

 

The purposes of the processing

Your privacy notice also needs to describe the purposes for which you will be processing data.  It is worth remembering that an insolvency practice will process data for a wide range of purposes: not only formal appointments, but also to deliver other services to clients, and you will also hold data for marketing purposes, for running your business…

Therefore, you might want to consider: should you have one privacy notice covering every purpose or do you want several privacy notices?  A third way, which I’ve seen work well for a particularly large accountancy/insolvency practice, is a single privacy notice with links leading to the descriptions of their processing activities relating to different groups of data subjects.

Taking a look at other firms’ privacy notices might also bring to mind other, less obvious, purposes for processing data, such as carrying out AML due diligence, detecting or preventing crime or fraud.

 

What do you do with the privacy notice?

As mentioned at the start, the GDPR puts data controllers under a requirement to provide the privacy information to all data subjects.  This can seem onerous for an IP: do we really need to send a copy of the privacy notice to all individuals whose data we hold and how can we comply with those timescales, especially on existing cases?

There are a couple of ways you can make life much easier for yourself:

  • Put your privacy notice on your website, preferably on a page with a very simple www address, because…
  • Then you can add the link/address to your email footers and letterhead, so that the next time you email or write to an individual, you have brought the privacy notice to their attention.

 

What about existing cases?

Does the GDPR mean that we must have notified every person whose data we hold of our privacy notice by 25 June?  I would like to think that the regulators – the RPBs and the ICO – might be prepared to give us some slack on this requirement.  Would a more manageable approach be to ensure that such notifications are made, say, at the time of the next progress report?

If this is acceptable, then how about the interaction with R1.50?  Where we have already issued to creditors (and members) a notice stating that every other document will be uploaded to our website without further written notice, would this suffice such that we only need to ensure that the website contains the privacy notice or a link to it?  Or, because R1.50 only provides website-only delivery for documents “required to be delivered in the insolvency proceedings”, does this mean that the privacy notice required to be delivered under the GDPR cannot be delivered by website?

Of course, the requirement stretches further than creditors and members.  For some people, you might like to make an extra-special effort to contact them asap to prove compliance with the GDPR, perhaps those who are most likely to complain – bankrupts and other individual debtors, perhaps.

 

What about closed cases?

Under the GDPR, “storage” is a form of processing.  Therefore, IPs will be continuing to “process” personal data long after a case has closed.  Do we need to contact individuals on closed cases?  Isn’t this taking things too far?!

The new Data Protection Act (currently still a Bill) may help us (thanks, JN, for highlighting this).  S93(4)(b) states that we need not notify data subjects where it “would be impossible or involve disproportionate effort”.  This must apply to closed cases, surely!

 

Privacy notices: is there more?

Oh yes, indeed!

Another meaty requirement of the GDPR is that data processors’ work must be governed by a contract with the data controller.  What data processors does an IP instruct?  And if someone is instructing an IP, does this need to be governed by a contract?

 

Who is a data processor?

The GDPR’s definition of a data processor is someone who “processes personal data on behalf of the controller”.  But a data processor’s activities may mean that they become a controller in their own right.  As I set out above, according to the GDPR’s definition, a data controller determines the purposes and means of processing data.  So logically, if someone has no control over either the purposes and/or the means of processing the data, they must be a processor, right?  For example, you instruct a debt collector to use debtors’ personal data solely to pursue debts – this sounds like a data processor, doesn’t it?

So who might an IP instruct that is not a data processor?  Surely every instruction defines at least the purposes of processing data, doesn’t it?

The ICO has provided guidance on the distinction between processors and controllers (https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf), which, although it was seemingly published in 2014, we understand is still considered relevant by the ICO for the post-GDPR world.

Paragraph 45 is interesting: “Where specialist service providers are processing data in accordance with their own professional obligations they will always be acting as the data controller”.  This is written in the context of an accountant, who will have obligations on detecting malpractice.  The guidance similarly singles out solicitors who “determine the manner in which the personal data obtained from the [client] will be processed” (paragraph 44).

 

And IPs?

Of course, I wouldn’t expect the ICO to mention IPs in their guidance (they don’t).  But I think the ICO’s guidance leads to the logical conclusion that usually IPs/insolvency practices will become data controllers in their own right when processing data on behalf of a client, e.g. when they’re instructed to help put a company into CVL.

 

Controller-processor contracts

But for anyone whom we instruct who is a data processor, we need to ensure that a GDPR-compliant contract is in place with them.  And even though you may personally be acting as agent of a company that continues to trade post-appointment, you will want to ensure that the company trades in a compliant fashion with appropriate contracts in place with their suppliers/service-providers… although remember that it’s only where the supplier/service-provider is processing personal data.

The GDPR sets out what must be included in such a contract and model clauses are widely available (although of course you may like to engage a solicitor to help).

 

Data sharing agreements

Although not mandatory, you may want to consider entering into data sharing agreements with parties who you instruct who are data controllers in their own right – the ICO guidance recommends this where you are sharing large-scale or particularly risky data.

As an IP receiving instructions, you are unlikely to want to volunteer a data sharing agreement.  However, you should amend your engagement letters, not only to refer to your privacy notice, but also to confirm your position as a data controller and remind the client of the need to comply with the GDPR and DPA.  ICAS has suggested some appropriate wording at: https://www.icas.com/regulation/preparing-for-gdpr

 

Fuzzy lines

I confess to remaining confused about the boundary between controllers and processors.  After all, wouldn’t following the GDPR definitions and ICO guidance lead us to a different conclusion from that arising from Re Southern Pacific Personal Loans Limited?  Doesn’t an IP store company records in accordance with their own obligations and doesn’t the IP decide the purposes and means of processing that data?  If so, why are they considered only a data processor?

In addition, different instructions may lead to different levels of control by the third party.  For example, on one case we may ask an agent simply to help us return items to their owners, but on another case the agent may be managing a marketing and sale process, dealing with RoT claims, wiping hardware clean…

Where these fuzzy lines exist, would it be an idea to engage with third parties via a catch-all controller-processor/data-sharing agreement?

 

Managing instructions

If you haven’t already set up a system, perhaps you might start a central register to help you record who has signed up to an agreement.  Then, whenever you come to instruct a third party who will be processing personal data provided by you, you can check whether they have already signed up and, if not, you can set the ball rolling.

 

Ok, is that everything?

Nope.  There’s a whole host of additional items on the to-do list, including:

  • If you haven’t already got them, generate policies and procedures to cover areas such as data security, retention, dealing with breaches and subject access requests;
  • Before processing data on a new engagement/appointment, assess the risks associated with the proposed processing, and keep it under review during the engagement (yep, another checklist!); and
  • For each engagement/appointment, document the data held and the reasons why it is held – the ICO has produced a 30-column-wide spreadsheet for each data controller (and another one for a processor), so admittedly it is stupidly cumbersome for each case, but once completed for one case, there will be little variation needed for the next. But of course, it is worth giving every case a bit of thought, just in case there are some unusual considerations arising from, e.g., a novel business or an entity holding data in different countries.

Certain other aspects of our insolvency work require careful attention:

  • On (or preferably before) appointment, we will need to gather information on what data the insolvent holds and where/how it is stored and accessed;
  • If we are contemplating trading-on, we will need to review carefully the business’ data processing practices and documentation and identify whether any changes need to be made to bring them into line with the GDPR;
  • We should perhaps take more care in deciding what data we need to collect post-appointment and what happens to any data that we choose not to collect (also having regard, of course, to the recent Dear IP on collecting books and records);
  • Although generally databases and customer lists can continue to be sold in an insolvency process, we can expect to be asked more questions by potential purchasers about the insolvent’s data processing (will sale prices decrease and will sales to unconnected parties be less common as a consequence?) and some additional clauses will be required in agreements; and
  • We will want to have a good understanding – and ensure that staff have also – of our obligations on identifying a data breach.

 

Will it all become second nature?

It is a shame that the regulatory current seems to flow to ever more requirements for documentation and disclosure.  The regulatory burden never seems to lighten up, but personally I struggle to see how business or the economy is any better for it.

There remain a number of unanswered questions, some of which I’ve mentioned above, about how the GDPR works practically for IPs.  I’m sure that over time most of these will be resolved, hopefully with pragmatic solutions acceptable to the regulators.  One day, perhaps GDPR-compliance will become second nature.

 

 

 



Money Laundering Regulations 2017 – part 2: Customer Due Diligence and more

The objective of the MLR17 is “to make the financial system a hostile environment for illicit finance while minimising the burden on legitimate businesses”. The impact assessment shows a net direct cost to businesses of £5.2m pa… so don’t expect the MLR17 burden to be any lighter than their predecessor’s.

In this blog post, I summarise the key changes in the MLR17 affecting day-to-day activities, including:

  • Focussing the customer due diligence (“CDD”) more squarely onto risks
  • A need to refresh the risk assessment process
  • More than ID checks are required to complete CDD
  • How the impacts of the enlarged definition of a PEP can be managed
  • A simultaneous easing and toughening of the reliance provisions
  • Necessary additions to engagement letters and other letters to insolvents

My earlier blog post reviewing the MLR17’s effects on firms’ systems and controls can be found at: https://insolvencyoracle.com/2017/07/22/mlr17-part-1/

 

Customer Due Diligence: a clearer objective?

For most intents and purposes, the MLR07 CDD requirements boiled down to identifying and verifying identities. Ok, there was also the need for a risk-based assessment, but it seemed that the objective of this was only really to determine the extent of checks employed in the CDD process.

I think the MLR17 provide a welcome adjustment in the emphasis. For example, in setting out the enhanced due diligence (“EDD”) process, Reg 33 puts the risk assessment in the following context:

“When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk…”

This thought – that the focus of the risk assessment is to consider the risk that “a particular situation” gives rise to a high risk of money laundering or terrorist financing – is repeated elsewhere and emphasises the need to manage and mitigate the risk e.g. of becoming an unwitting “enabler”. Realistically, how far does simply identifying who we’re dealing with get us in this process?

I do understand that money launderers generally want to work under a cloak of anonymity, so getting to the root of who really is behind a company and in the process showing customers that we’re serious when we carry out CDD help manage and mitigate the risks: money launderers may go looking for a less diligent professional. But what really are the risks of the particular situation of an insolvency?

If we’re being appointed over a dead company with few assets, what are the risks of money laundering or terrorist financing? If there have been any such activities, they will only be historic, won’t they? There will be negligible, if any, risk that any such activities will continue under our watch. So in what ways can – or should – any risks be managed or mitigated? Increasing the extent of identity checks we carry out surely won’t help; it may only give us more information to add to a SAR, if we develop suspicions about past events.

Although the new CDD requirements of the MLR17 will be a pain to complete, I do think they get closer to the nub of the issue: what does the customer do and what do they want us to do for them? In so doing, it seems that the flipside is that, if we have a defunct “customer” who isn’t asking us to do anything risky, then we might find the CDD simpler.

I hasten to add that this post describes purely my own interpretation of the MLR17 (plus some input from Jo Harris). I would be surprised if the RPBs see all the requirements in the same light. Regrettably, it may be a long time before we learn how they think the regulations should be applied, but until they make their expectations clear, I am not sure we can be heavily criticised for trying to do our best.

 

First things first: the risk assessment

Like its predecessor, the MLR17 state that the extent of CDD measures must reflect the level of risk assessed. However, I think the MLR17 far more clearly explain how this risk should be assessed.

For instance, Reg 28(12) states that there are two factors involved:

  • the Reg 18 risk assessment – this is the business-wide risk assessment, which I covered in my last blog; and
  • an “assessment of the level of risk arising in any particular case” – I think this finally answers unequivocally the question of whether a risk assessment needs to be done on court appointments: surely a case-specific risk assessment must be done each time.

Although I think we all developed passable approaches to risk assessments under MLR07, I think that the MLR17 help us much more. Reg 28(13) lists the factors to consider for the risk assessment, but in particular I found Reg 33(6) valuable. This regulation lists potential flags of higher risks, setting them out nicely into three categories:

  • customer risk factors, e.g. where the business is cash intensive;
  • product, service, transaction or delivery channel risk factors, e.g. where payments are received from unknown or unassociated third parties; and
  • geographical risk factors.

I found a useful exercise was to develop a list of questions that put many of the eighteen Reg 33(6) factors into a practical insolvency context. This generated several questions that were similar to the MLR07, but I discovered that the emphasis on whether ongoing insolvency engagements could lead to encounters with money launderers emerged strongly.

At the other end of the spectrum, Reg 37(3) is helpful in assessing cases for low risk. This regulation lists another fifteen indicators of potential low risk, categorised into the three headings above, some of which similarly can be converted into insolvency-relevant questions.

As the MLR17 are non-prescriptive however, the warning described at Regs 33(7) and 37(4) should be incorporated somewhere into the risk assessment:

“the presence of one or more risk factors may not always indicate that there is a high [or low] risk of money laundering or terrorist financing in a particular situation”

This will no doubt frustrate those that would much prefer a straightforward way to steer risk assessments to a definitive conclusion, but I think that this final sense-check is valuable, as it is impossible to squeeze all scenarios into a bundle of questions.

 

More steps in the process

The process no longer follows the formula: risk assessment + beneficial owner IDs = CDD. The MLR17 require other information to be examined. For example, Reg 28(3)(b) requires us to “take reasonable measures to determine and verify”:

  • “the law to which the body corporate is subject, and its constitution” (Reg 28(3)(b))
  • “the full names of the board of directors and the senior persons responsible for the operations of the body corporate” (Reg 28(3)(b))

Personally, I do wonder how these items can be “verified”, especially the full names of the senior persons – obtaining this information before engagement may be a struggle as it is.

The MLR17 also turn an eye toward a new person not covered by the MLR07: anyone who purports to act on behalf of the customer. Reg 28(10) requires that such a person be identified and their identity verified in all cases.

 

Enhanced Due Diligence

Continuing the theme of a better targeted approach, I like the way the EDD requirements no longer focus simply on increasing the extent of ID checks… although the downside is that the process has become more time-intensive for higher risk cases.

Reg 33(4) states that EDD measures must include:

  • “as far as reasonably possible, examining the background and purpose of the transaction, and
  • “increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.”

Also, Reg 33(5) states that EDD measures may include “among other things”:

  • “seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
  • “taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
  • “taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
  • “increasing the monitoring of the business relationship, including greater scrutiny of transactions.”

In an insolvency context, I think much of this can be translated into asking oneself: why does this “customer” want to take this step, does it seem logical in the circumstances or could it be a cover for something more sinister?

 

PEPs: are they high risk?

Well of course, in this non-prescriptive world, the answer to this question is always going to be: it depends.

The MLR17 have widened the definition of a PEP to encompass UK PEPs. Therefore, something that for most of us was little more than theoretical under the MLR07 will likely become more of a reality in future. However, PEPs are still likely to pop up only once in a blue moon, which makes it tricky to design systems to accommodate them without overcomplicating processes for the 99.9% of cases.

  • Additional steps for PEPs and PEP connections

In all cases where a PEP or PEP connection (i.e. family member or “known close associate” of a PEP) has been spotted, the MLR17 require the following steps:

  • Assess the associated risk level and tailor the due diligence measures accordingly;
  • Obtain approval from “senior management” in establishing or continuing the business relationship;
  • “Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person”; and
  • Conduct enhanced ongoing monitoring of any business relationship.

So what do you do if the daughter of a domestic Supreme Court judge wants you to help wind up her insolvent company? Does she really present a high risk? Do you really need to go through all those steps?

  • FCA enlightenment on UK PEPs

The FCA has produced some useful guidance on dealing with PEPs: https://goo.gl/WW2WY1

Understandably, the FCA emphasises the value of the first step: the risk assessment. Helpfully, the guidance states:

“A PEP who is entrusted with a prominent public function in the UK should be treated as low risk, unless a firm has assessed that other risk factors not linked to their position as a PEP mean they pose a higher threat”

This demonstrates to me the pointlessness of this MLR17 change wrapping in domestic PEPs: it has added to the nonsensical bureaucracy, as we now need to (i) note UK PEPs; (ii) consider whether they are low risk; (iii) decide in most cases that they are low risk; (iv) but nevertheless work through the other steps listed above.

If a PEP is low risk, then how practically should we work through the other steps? The FCA suggests:

  • “Senior management” approval need not be at board level; it could be the MLRO.
  • “Take less intrusive and less exhaustive steps” to establish the sources of wealth and of funds; “only use information available to the institution… and do not make further inquiries of the individual unless anomalies arise”.
  • Ongoing monitoring could be, “for example, only where it is necessary to update customer due diligence information or where the customer requests a new service or product”.

Oh well, that’s alright then! Thank you FCA, for bringing a note of reasonableness to the proceedings.

Of course, if a PEP is considered high risk – based, as the FCA points out, on who they are, where they are, and what they want from you – it is only right that additional measures are applied. But, I think that, unless you work in a market that means you encounter PEPs relatively frequently, other than ensuring that staff are alert to the complications arising from PEPs and giving them a place to go when one is spotted, practically on a day-to-day basis there is little point in layering on procedures to deal with PEPs.

 

Reliance on other people’s due diligence: made easier or tougher?

On the one hand, relying on another MLR-regulated person’s customer due diligence checks has been made easier. There is no longer a two-tier supervisory body system, which under the MLR07 meant that an ICAEW-licensed IP could be relied upon, but an IPA-licensed IP could not. Now, the work of any MLR-regulated persons (e.g. including casinos), as well as some overseas equivalents, may be relied upon.

However, there is one new requirement that almost entirely negates this advantage: Reg 39(2) states that the person seeking to rely on another:

“must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) in relation to the customer, customer’s beneficial owner, or any person acting on behalf of the customer”

In other words, you must obtain from the person on whom you are seeking to rely all the information that you would otherwise gather yourself to complete customer due diligence. It also doesn’t avoid the need to carry out a risk assessment or deal with ongoing monitoring. So what is the point of relying on someone else to do some of the work for you, especially when you remain liable for any failure of the relied-on person to conduct appropriate due diligence? You might as well collect the due diligence information yourself, mightn’t you?

 

Additions to engagement letters… and more?

Reg 41(4) states that:

“Relevant persons must provide new customers with the following information before establishing a business relationship or entering into an occasional transaction with the customer:

(a) the information specified in paragraph 2(3) in Part 2 of Schedule 1 to the Data Protection Act 1998 (interpretation of data protection principles);

(b) a statement that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing, or as permitted under paragraph (3).”

In other words, the required information is:

  • The identity of the data controller;
  • The identity of any representative nominated by the data controller; and
  • The purposes for which the data are intended to be processed (including the statement required by Reg 41(4)(b) above).

Complying with this requirement seems fairly straightforward when appointments are preceded with an engagement letter to the insolvent/MVL-seeker: the above information likely would feature in the engagement letter.

  • Is a bankrupt a “new customer”?

What if there is no engagement letter with the “customer”? Does this requirement still apply in bankruptcies, compulsory liquidations and creditor-led Administrations?

Who is the customer in a court or creditor-led process? The old CCAB guidance states: “In the context of insolvency work, the person or entity entering into the business relationship is considered to be the insolvent.” Although I think this was generally accepted and just-about manageable for the MLR07, the shoe-horning of regulations designed for a client-provider relationship into an insolvency context becomes a little more painful with the MLR17.

Are we really expected to view a bankrupt as a “new customer” for the purposes of Reg 41(4)? Do we really need to provide them with the above information? I guess we can add the information to our on-appointment letters to insolvents, but we cannot write to them before establishing the business relationship, i.e. before being appointed as office holder, can we?

Ah but doesn’t the CCAB Guidance give us a back-stop guide of 5 working days after appointment to complete the due diligence? This is true, but this provision related to the timescale for completing the CDD in view of the fact that the MLR07 had stated that in some circumstances the due diligence could be completed as soon as practicable after first contact – a concession that is repeated in the MLR17 – but we’re not talking about the due diligence process here. The MLR17 do not provide an asarp exception to providing the above information before establishing the business relationship, so I cannot see a practical way for us to comply with Reg 41(4) in most court or creditor-led appointments.

 

Not written with IPs in mind

The MLR17 repeat their predecessor’s deficiency in demonstrating ignorance of the mechanisms of the insolvency regime. I have always objected to the assumption that the insolvent is an IP’s “customer”, especially when I remember that technically under the MLR07/17 an IP is only carrying out regulated activities when s/he is formally appointed. Further questions about the drafter’s knowledge came to my mind when I read the new definition of an IP in the MLR17: not only an individual, but also “any firm… who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986” – that would be a clever trick!

In my view, the MLRs’ concept of a “business relationship” also has never really worked: what “business relationship” does the IP form with the insolvent when s/he takes office? And the suggestion that an IP engages in an “occasional transaction” when s/he sells an insolvent’s assets is another cruelty on the English language: is it the insolvent or the IP that is carrying out the transaction? An “occasional transaction” is defined as “a transaction which is not carried out as part of a business relationship”, but the IP is considered to have a “business relationship” with the insolvent, so where does the asset sale fit in?

Is there no useful guidance for IPs? In my view, the CCAB Guidance touches on insolvency far too lightly and the Insolvency Service’s and R3’s Guidance notes are showing their age; both have the air of guidance written when the MLR07 were little more than theory. Let’s hope that we will one day receive some authoritative guidance that demonstrates a proper and practical understanding of how the MLR17 should be applied to the insolvency regime.



Money Laundering Regulations 2017 – Part 1: Infrastructure Changes

 

“For Insolvency Practitioners there is relatively little change” stated one RPB’s notice to members on the Money Laundering Regulations 2017, but another RPB stated that the new regs “will have wide-reaching changes for accountancy firms and IPs”.   If two RPBs have such polar views on the overall impact of the new regs, this doesn’t bode well for a common approach to compliance with the MLR17.

I have great sympathy for the RPBs, though. The final regulations were only released late on Thursday 22 June and they came into force on Monday 26 June. They also contained some well-hidden changes from the draft regulations and there was no quick way of understanding their consequences. I suspect I was not the only one who spent their weekend scrutinising 116 pages of new legislation and thinking: this is an impossible task for us all!

In this first post on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR17”), I review the regulations’ impact on the systems involved in managing an insolvency practice:

  • The different approaches expected of large and small firms
  • The appointment of a new person responsible for compliance
  • The need to screen relevant employees
  • The independent audit function
  • Drafting policies, controls and procedures
  • The expanded syllabus for staff training
  • Timely destruction of certain records
  • Drafting a firm-wide risk assessment
  • Seeking “approval” from your Supervisory Authority

The MLR17 can be found at: https://goo.gl/ei8ZB1

Some useful guides on the topic:

 

“Size and nature” matter

In six places, the MLR17 require relevant persons (i.e. those carrying out MLR17-regulated activities) to have regard to the size and nature of their business when seeking to comply with the regs. For example, Reg 19(2) requires relevant persons to adopt policies, controls and procedures that are “proportionate with regard to the size and nature of the relevant person’s business”.

Reg 21 states that, “where appropriate with regard to the size and nature of its business, a relevant person must:

  1. appoint one individual who is a member of the board of directors… or of its senior management as the officer responsible for the relevant person’s compliance with these Regulations;
  2. carry out screening of relevant employees..;
  3. establish an independent audit function…”

What are the RPBs’ expectations here? I cannot see any grey area in complying with Reg 21: either you endeavor to meet all (or some?) of these requirements or you determine that the measures are not appropriate having regard to the size and nature of your business. Where does the threshold between complying with Reg 21 and justifiably ignoring it lie?

I suspect that, at least in the short term, the regulators will say: you demonstrate to us how you’ve come to a conclusion. But they are the ones with the helicopter view of the profession(s) and they are the ones in direct contact with HM Treasury and all the other Supervisory Authorities. Can they not guide their regulated members?

To determine what is appropriate and proportionate, the MLR17 specifically refer to following guidance issued by the FCA or by any other Supervisory Authority or appropriate body and approved by HM Treasury. At present, all that IPs have is the 2008 CCAB Guidance, which I think is woefully inadequate in view of the shift from MLR07 to MLR17.

At the moment, different RPBs seem to be suggesting different expectations on compliance with Reg 21, which is not surprising given how swiftly the MLR17 were enacted. Whilst, understandably, the RPBs stick to the strict wording of Reg 21, they elaborate the idea with phrases such as:

  • IPA: “Large firms must…”
  • ICAS: “requirement for firms of a certain size…”
  • ICAS: “requirements don’t apply to sole practitioners with no staff and no subcontractors”
  • ICAEW: “Sole practitioners with no employees are exempt from this requirement”

Thus, it seems to me that all we can glean is that “large firms” definitely need to comply with these Reg 21 items, “sole practitioners with no employees” (and possibly no subcontractors either) do not, but everyone in between..? Your guess is as good as mine.

 

Reg 21: Infrastructure Changes

It is evident from the Reg 21 quote above that infrastructure changes are necessary for at least some firms:

  • Board/senior level appointment of someone responsible for compliance

All three RPBs have asked to be informed of the appointment of such a person, as is required under the MLR17. Reg 21 also requires firms to notify their RPB of the identity of the first-appointed MLRO (I have not seen any RPB ask for this, so I assume MLR17-appointed MLROs are viewed as simply carrying on from their MLR07 appointment) and any change in identity of the MLRO or other Reg 21 appointed person within 14 days of the change.

This may be, but does not have to be, the same person who acts as MLRO, a position that is repeated in the MLR17. ICAS is calling this person the BSMLP (board or senior management level person) and ICAEW is calling them the MLCP (money laundering compliance person). The IPA has not given them a name.

  • Employee-screening

“Relevant employees” are those involved in the firm’s compliance with the MLR17 as well as those “capable of contributing” to the identification, prevention, detection or risk-mitigation of money laundering or terrorist financing – so, for insolvency practices, I would think about all those working in compliance, cashiering, case administration and take-on. As employee-screening and staff-training are themselves MLR17 requirements, anyone involved in those activities would also be “relevant employees”.

The draft regs had included “agents” in this screening process, but “agents” were removed from the final version (which might explain why the IPA’s notice to members still referred, I think incorrectly, to screening agents).

“Screening” means “an assessment of the skills, knowledge and expertise of the individual to carry out their functions effectively and the conduct and integrity of the individual”. I suspect these items are generally covered in recruitment and appraisal processes, but they will need to be adequately documented in future specifically with the MLR17 in mind.

Reg 21 requires “relevant employees” to be screened, both before they are appointed and whilst so employed.

  • Independent audit function

Two questions came immediately to my mind: how independent is “independent” and what constitutes an “audit”?

  • What is an “audit”?

Reg 21 describes it as entailing the following:

  1. an examination and evaluation of the adequacy and effectiveness of the policies, controls and procedures adopted (see below);
  2. recommendations in relation to those policies, controls and procedures; and
  3. monitoring compliance with those recommendations.

This sounds very much like the process followed for the ICAEW’s Insolvency Compliance Reviews. Indeed, the ICAEW believes that firms’ money laundering compliance reviews, which they should already be performing, address the MLR17 requirement. ICAS is awaiting confirmation on how their current compliance review requirement stacks up against this audit requirement. The IPA has not made any comment, although I cannot see that the self-certification process bears any resemblance to what is required here.

  • How independent is “independent”?

As far as I can see, the ICAEW is the only RPB that has made any comment: “you should make sure that your Money Laundering Compliance Principal is responsible for performing this review”. The Law Society explains: “the regulations do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed”. It seems to me, therefore, that if the “MLCP” is heavily involved in, say, the customer due diligence process, then they might not be the right person for the job.

 

Reg 19: Policies, Controls and Procedures

I’ll skip through this section quickly, not because it is unimportant – I accept that it is vital and I suspect it will feature heavily in monitoring visits – but because it is so dull! Sorry, it had to be said.

All firms will need to maintain written policies, controls and procedures covering pretty much all relevant areas of compliance with the MLR17. I think that anyone drafting these would do well to tick off every Reg 19 item plus carry out an overall sense-check, much as we would double-check a SIP16 Statement.

These policies, controls and procedures must also:

  • be approved by the firm’s “senior management” (defined, I think quite widely, in Reg 3);
  • be regularly reviewed and updated, with all changes made being documented in writing; and
  • be communicated within the firm, with such steps taken (and steps to communicate any changes) being documented in writing.

Regs 19 and 20 add further requirements for firms with overseas subsidiaries or branches.

 

Reg 24: Staff Training

Of course, the MLR07 required regular staff training, so have things changed under the MLR17?

Setting aside the vague “size and nature” references to what “appropriate measures” might look like, the material changes are that:

  • measures must include making relevant employees aware of, not only the usual MLR matters, but also of “the requirements of data protection, which are relevant to the implementation of these Regulations”

Data protection newly features elsewhere in the MLR17, most practically around record-keeping (see below) and in the client take-on process (which I will cover in a future blog), although it would also be relevant to make employees aware of the principles around handling personal data gathered for the purposes of complying with the MLR17 (Reg 41).

  • a written record must be maintained of the “measures taken” and “in particular, of the training given”.

I’m sure we’re used to documenting evidence that staff have completed regular MLR training, but the above quote indicates that we should document other measures taken to make staff aware, perhaps for example the receipt of induction training, staff handbooks and manuals.

 

Reg 40: Record-Keeping

Although the MLR17 have retained the MLR07’s basic standard of 5 years for record-keeping, there is a problematic change in emphasis.

Both MLRs require customer due diligence records to be retained for “at least” 5 years, but the MLR17 require any personal data contained in these records to be deleted after 5 years from the completion of an occasional transaction or the end of the business relationship. The MLR17 also put the same record-keeping requirements on documents to support transactions that are the subject of customer due diligence measures or ongoing monitoring.

Although there are some exceptions to this deletion requirement, e.g. where the records need to be retained for legal proceedings, this could add a burden to firms whose systems are set up to store records to a 6- or 10-year standard. To be fair though, the data protection principles have for a long time now included that personal data should not be kept for longer than is necessary, so the implementation of smarter archiving practices may be long overdue.

 

Reg 18: the Relevant Person’s Risk Assessment

Personally, I think this Reg may present the greatest challenge: a relevant person must “take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject”. This is not referring to the risk assessment carried out as part of the customer due diligence process. This is a risk assessment of the relevant person’s business, i.e. where do the risks lie in the work undertaken by the IP?

  • What is the purpose of this risk assessment?

It needs to feed into:

  • the design and maintenance of the policies, procedures and controls;
  • decisions regarding employee-screening and the independent audit function; and
  • the extent of customer due diligence measures taken in each case, including (but not only) whether enhanced or simplified due diligence should apply.

The MLR17 state that relevant persons must provide their risk assessment to their Supervisory Authority on request. Supervisory Authorities must review firms’ risk assessments (on a risk-based approach) and the IPA has stated that the risk assessment will be reviewed as part of routine monitoring visits.

  • How do you write the risk assessment?

The IPA and the ICAEW direct members to the CCAB’s current Guidance: https://goo.gl/LBgRKX. It’s true, Section 4 of the Guidance provides some pointers, but personally I think the Guidance is showing its age, as the MLR17 add more to the statutory list of risk factors that you need to consider than are covered by the Guidance. Therefore, if you do refer to the Guidance, I would also recommend cross-checking against Reg 18 itself to make sure that you have captured everything relevant.

The Reg 18 risk factors that you need to consider (although there could be others) are:

  • your “customers”;
  • the countries or geographic areas in which you operate;
  • your products or services;
  • the transactions you engage in or handle; and
  • your delivery channels.

The task requires some lateral thinking to see these risk factors through an IP’s eyes, but I think it is a valuable exercise: one of the problems with MLR07 is that it all became process-driven; it soon boiled down to ticking boxes seemingly with the sole purpose of confirming identities. I think these new regs are an opportunity for us to take a fresh look at the risks: in what areas of our work are we most – and least – likely to encounter money laundering or terrorist financing? What services or transactions could be attractive – or prohibitive – to potential money launderers? Simply considering these questions could help us and staff to be more alert to strange potential clients, behaviours or requests.

Admittedly, this still doesn’t help much in drafting the risk assessment. If it is any consolation, the ICAEW has stated that, as the risk assessment will depend on the size and nature of your firm, the overall risk assessment of a small firm “may be quite succinct”.

 

Reg 26: Seeking the Approval of the Supervisory Authorities

The MLR17 give the Supervisory Authorities a great deal of new work to do. (I wonder how all this extra work is going to be paid for..?) For example, they need to conduct their own risk assessment and must create risk profiles of their members to inform their monitoring activities.

Reg 26 creates a whole new “approval” process, not only for licensed IPs, but also for firms’ beneficial owners, officers and managers (which include MLROs). The Supervisory Authority’s approval must be granted unless the person has been convicted of a “relevant offence” (Schedule 3 to the MLR17 lists 35 such offences).

  • What if we’re not yet “approved”?

Those requiring approval can act as IPs, beneficial owners, officers or managers of relevant firms provided that they apply for approval before 26 June 2018. Although Reg 26(4) states that “a relevant firm must take reasonable care to ensure that no-one is appointed, or continues to act, as an officer or manager of the firm unless they have been approved or have applied for approval and the application has not yet been determined”, my enquiries to the main RPBs suggest that they are not viewing this provision as being triggered until 26 June 2018 (and who can blame them, given the lack of notice we have all had?!), i.e. provided that we take steps before 26 June 2018 to become approved, there should be nothing to worry about.

Indications from the main RPBs are that the approval application process will become clear around licence-renewal time.

  • Who is my Supervisory Authority?

Under the MLR07, I think the answer to the above question gradually became clear. The MLR07 had stated that each professional body was the Supervisory Authority for relevant persons regulated by it. Therefore, for example, if I held my insolvency licence with the ICAEW, but I was also an ordinary member of the IPA, the ICAEW would be my Supervisory Authority, as ordinary membership of the IPA carries no real regulation with it (I just need to make sure I comply with the membership rules).

However, the MLR17 introduced a small but significant change. Reg 7(1)(b) states that:

“each of the professional bodies listed in Schedule 1 is the supervisory authority for relevant persons who are members of it, or regulated or supervised by it”.

Therefore, it seems to me that, under the above scenario, I would now have two Supervisory Authorities. I suspect there are lots of members of professional bodies who look to a different body to act as their regulator, especially considering the wide range of activities falling under the MLR17.

Whilst having two Supervisory Authorities is nothing new (as IPA-licensed IPs working in an accountancy practice know well), I think that these developments – the widened scope from solely regulated members to members generally, the introduction of new approval processes (which may require applications to more than one body?) and the additional expensive burdens falling on Supervisory Authorities – may lead members to question the value of paying annual subs to more than one body.

Alternatively, perhaps we will get some clarification on the interaction of multiple Supervisory Authorities. Both MLRs encourage cooperation between bodies so that regulatory efforts are not duplicated, but we have seen little such cooperation to date.

 

Your to-do list

In summary, I think you might tackle the practice-level changes brought about by the MLR17 as follows (depending, of course, on what is proportionate and appropriate with regard to the size and nature of the business):

  1. Document the appointment of a principal as the person responsible for the firm’s MLR17 compliance and inform your Supervisory Authority/Authorities of the appointment
  2. Create/refresh the firm-wide risk assessment based on Reg 18
  3. Create/revisit policies, controls and procedures for meeting all aspects of the MLR17 based on Reg 19 (including revised due diligence measures etc., which I have not covered above) and document their approval by the firm’s senior management
  4. Included in (3) should be incorporation of MLR-specific assessments in staff recruitment and appraisal processes per Reg 21
  5. Also included in (3) should be a revisit of the firm’s archiving processes to ensure that due diligence documentation is held in line with Reg 40
  6. Carry out a staff training session to communicate 2, 3, 4 and 5 above and retain evidence of who has received what training and what new documentation
  7. Schedule a review of the procedures etc. (the “independent audit”) for a few months after the new processes have been rolled out
  8. Ensure that the annual and induction MLR staff training provisions reflect the MLR17, including relevant data protection matters; if a suitable product is available (and if (6) above did not update staff on the MLR17 changes), consider running it early for existing staff

 

More Changes

Although this is a meaty to-do list already, I have not even started on the MLR17 changes impacting on our day-to-day business, such as the customer due diligence measures and ongoing monitoring.

In my next post, I will examine the changes from an engagement basis.