Newsletter - Template
October 2017

Welcome to our first newsletter

Our newsletters are designed to keep financial institutions updated on topical issues of interest and where appropriate Fairmort solutions that address these areas.

We hope to make this a regular feature on our website. If there is something you would like to read about in the next update or have any suggestion or feedback, please .

Save the Date

On the 18th January 2018 we will be hosting the WILFr User Group Forum for WILFr ('What I'm Looking For' Reporting) users to hear about how our latest developments can help your business and to discuss future developments including joint sponsored developments.

Further details coming soon or contact for more information.

Save the Date
Laptop

What does GDPR mean to a Financial Institution?

General Data Protection Regulation (GDPR) is a large subject and a huge amount of time has been expended already to understand what this means to each individual business. The following section explains the main steps, as taken from the Information Commissioner's Office (ICO) document on GDPR preparation. We have added additional thoughts in the context of banking and the financial sector in general.

Although the ICO refers to these steps as forming a 'checklist', they are far from exhaustive. Given the potential penalties incurred for failing to comply with the GDPR, organisations should interpret the ICO's checklist as an opening dialog, and adapt these recommendations to suit their own operational specifics. From the work we have undertaken so far on GDPR it is clear that the effort required will vary between companies depending on their size, client base, product offerings and even how long they have been in business.

  • The organisation should document what personal data they hold, where it came from, and who they share it with
    • An inventory of personal information will be necessary. In most organisations the starting point will be identifying what systems may contain data, it is normally easy to identify the major systems but spreadsheets that contain personal data are more common than one would expect and identifying these is important.
    • In our experience, many organisations start by saying they don't share much data with third-parties but often the number of third-parties increases as a more detailed review takes place (for example, regulators, tax authorities and credit reference agencies).
    • The GDPR obliges controllers to ensure contracts with third parties are compliant, so any external access to personal data should be fully documented.
  • The organisation should amend their privacy notices to comply with GDPR
    • Lawful basis of processing, data retention periods and details of the individual's rights to complain to the ICO.
    • The requirements for inclusion are detailed in the ICO's Privacy Notices Code of Practice.
  • The organisation should ensure that their procedures cover the rights of the individual introduced in the GDPR, including the deletion of personal data and provision of data electronically in a commonly used format
    • Operational compliance may involve extensive revision to current procedures.
    • Many organisations will already offer some electronic data downloads and this touches other areas such as the payment accounts directive and the payments services directive which have new requirements coming into force over the next 12 - 18 months.
  • The organisation should update their procedures to take account of the logistical implications of new rules and restrictions related to the handling of access requests
    • All personal data for a single individual will need to be collated from various systems used by the organisation.
    • Requests for access and objections will need to be processed in shorter times and for free as standard.
    • Depending on the size of the organisation and expected volumes of requests this may be something that is made available automatically via the internet channel based on customer requests.
    • As these requests are now free-of-charge the barrier to requesting them is lower than it was and there is likely to be significant publicity about this right, potentially leading to more requests.
  • The organisation should identify the lawful basis for each type of data processing activity they carry out, from one of the listed bases in the GDPR. Every activity should have a basis, which needs to be documented and explained in the updated privacy notice
    • This is especially important where consent is relied upon as a legal basis, as individuals can withdraw consent at any time.
  • The organisation should update how they seek, record and manage consent to meet the more rigorous criteria introduced in the GDPR. In addition, existing consent should be refreshed to meet the GDPR standard if they don't already do so
    • Consent must be kept separate from other terms and conditions and a simple means for individuals to withdraw their consent should be provided.
  • The organisation should ensure any processes relating to offering 'information society services' to children are compliant with the more stringent requirements introduced in the GDPR, including the potential requirement for a parent/guardian's consent to collect their data, and use of clear simple language a child can understand in provided information and privacy notices
    • If a child is younger than 16, the GDPR requires that consent from a person holding parental responsibility is obtained before processing their data.
    • This consent must be verifiable.
  • The organisation should ensure that they introduce the necessary processes to investigate any data breaches and report them to the ICO and in most cases the individual, stating why the breach occurred
    • The GDPR only requires the organisation to report a data breach where it is likely to result in a risk to the rights and freedoms of individuals.
  • The organisation should ensure that their handling of personal data meets the GDPR requirements of 'privacy by design' and that they can carry out data protection impact assessments in situations where data processing could result in a high risk to individuals
    • This includes the deployment of a new technology, a profiling operation which significantly affects individuals, or there is large scale processing of data falling into one of the special categories.
  • The organisation should formally designate at least one data protection officer responsible for GDPR compliance if they are a public authority, carry out regular and systematic monitoring of individuals on a large scale, or they carry out processing of special categories of data
    • Data protection officers are separate to IT security, as in this context the role is dedicated to monitoring GDPR compliance.
  • The organisation should determine their lead supervisory data protection authority, where they operate in more than one EU member state/GDPR area state
    • This is the supervisory authority in the location of the organisation's main establishment.
    • 'Main establishment' should be interpreted as the administrative centre where the organisations main data processing decisions are made.

For more information about products and services Fairmort can offer around GDPR please contact

Update on Tax Reporting

Now that banks in the UK have made their first Automatic Exchange of Information (AEOI) submission, attention is now turning to next year's submission which will include an additional 53 countries on top of the 49 countries previously reported. This provides new challenges in terms of identifying customers who should be reported, communicating with them and gathering the necessary tax information such as Tax Identification Numbers (TINs).

Update on Tax Reporting

The latest version of WILFr Tax Reporting has been released covering both AEOI and Bank, Building Society Interest (BBSI) reporting. This release covers all the requirements for 2018 reporting together with additional reports and dashboards to assist banks with their indicia checking.

Further updates have also been made to the WILFr Companies House Checks to include Persons with Significant Control checking which is also assisting banks with their Indicia checking process.

Contact to talk about the capabilities of WILFr and how we can help.

Releases and New Features


WILFr AEOI v1.1
This release ensures the AEOI component is ready for the December 2017 submission (due May 2018). It also contains performance improvements for sites with larger volumes as the number of countries included increases to beyond 100. Improved search functionality has been provided alongside improved mandatory data and indicia checking tools.

Update on Tax Reporting

WILFr Financial Services Compensation Scheme (FSCS) Patch F
A change has been made to the apportioned amount in the compensation details, Table D, following clarification from FSCS after conflicting advice was received by different licensees from FSCS.

WILFr Companies House v1.02
New rules have been added to the Companies House API to identify changes to the Persons with Significant Control and to check for company account filings within the last 14 days. This enhanced functionality allows banks to identify where their records are out of sequence with the information held at Companies House, whether this is for AML checks for directors, monitoring borrowers or checking whether companies still meet the FSCS criteria.

WILF Data Migration v1.3.3
The new release contains functionality that allows data analysis of the source system to be carried out before any mappings have been configured, or migrations taken place. It highlights fields that contain no data, fields that contain the same data in every record, provides a list of the distinct values in each field and the last date that each field was updated. The results of the analysis are displayed on the screen in a colour coded fashion. This information can then be used to make business decisions regarding which fields should be included in the migration and help in configuring lookup tables and reports.

Status Management allows fields to be marked as 'mandatory' or 'ignored' and allows notes to be applied to fields or mappings to assist in task management and to keep a record of comments or outstanding questions regarding each field or mapping. Notes can be marked as completed and a report created listing all uncompleted notes.

Regulatory Updates and Consultation Papers

AEOI
There will be an extension to the number of countries signed up for AEOI implementation before September 2018. Many of these are developing countries which required an extended timeline for implementation. There have also been additional signatories recently, with Nigeria becoming included in August 2017, for which the intended date of the first exchange of information is September 2019. For full information, see the Organisation for Economic Co-operation and Development .

Update on Tax Reporting

BBSI
In the 2017 - 2018 tax year return, there will be changes to the list of fully reportable countries. The BBSI returns for tax year 2017 - 2018 onwards only require data about people living in the UK. As a result, 'fully reportable' countries are being discontinued. For full information, see the .

Common Reporting Framework (COREP)
IFRS 9: changes to reporting requirements
On Wednesday 16 August, the Prudential Regulation Authority (PRA) issued an information request to firms subject to reporting requirements set out in Policy Statement (PS) 36/16 'Financial statements - responses to Chapter 3 of the Consultation Paper (CP) 17/16' and PS18/17 'IFRS 9: Changes to reporting requirements', which take effect from 1 January 2018. Specifically, the request is relevant to firms required to submit Financial Reporting (FINREP) and PRA104 -107 instead of FSA001, FSA002 and FSA014, and depending on the accounting standard used, those required to submit certain FINREP templates instead of FSA015.

The request, which was sent to GABRIEL principle users, sought information about the reporting schedules firms are planning to use and responses were submitted in September 2017. The responses will enable the PRA to update reporting schedules on GABRIEL in advance of the 1 January 2018 effective date. For full information, see the .