Compliance Review 2017 – from GDPR to 4th EU Money Laundering Directive

Recap

Compliance Review 2017

The end of the year is approaching – we also take the opportunity to review the year and summarise what we found particularly noteworthy in 2017:

EU General Data Protection Regulation (GDPR)

In March 2016, the official German version of the EU General Data Protection Regulation (GDPR) was published; it will apply directly in all member states of the European Union and come into force on 25 May 2018. The European legislator has set itself the goal of standardising data protection law and strengthening both the protection of personal data and its free movement – a conflict of goals. The remaining time until entry into force is slowly running out. 2018 will show how well prepared German companies are in dealing with the protection of personal data: “data leaks” can now become expensive! We will address challenges and innovations in data protection law in connection with the GDPR in our next blog entry.

ePrivacy Regulation

The ePrivacy Regulation, which is intended to complement the GDPR and has been available as an official draft since February, is linked to the GDPR. It is to enter into force together with the GDPR in May 2018, but is currently still being discussed in EU committees. Users are to receive a right to encryption and be protected from tracking. Industry associations criticise that the regulation torpedoes efforts to digitise society.

4th EU Money Laundering Directive

The 4th EU Money Laundering Directive together with the new Money Transfer Regulation brings new rules for the fight against money laundering and terrorist financing. The German law implementing both sets of rules came into force in June. Payment flows and amounts are to be individually assessed on the basis of a risk analysis, checked before they are executed and stopped if necessary. This means additional effort in data management and homework for German financial institutions!

Anti-Tax Avoidance Act

The pressure on politicians resulting from the “Panama Papers” to do something against tax avoidance through the involvement of companies in tax havens has resulted in the so-called Tax Avoidance Prevention Act (Steuerumgehungsbekämpfungsgesetz). It is to come into force on 01.01.2018. It aims to create greater transparency through extended obligations to cooperate on the part of taxpayers and banks and new extended powers of the tax authorities. The higher risk of being caught with a letterbox company in the Caribbean should also increase the preventive effect.

EU list of tax havens

The – brand new! – official EU list of tax havens was published on 5 December 2017. It officially names 17 countries that had shown themselves uncooperative in closing tax loopholes in recent months, even if there are no direct sanctions. The list represents the result of a 10-month investigation process and political tug-of-war. Notable, however, are the names that are missing from the list – for example, those of the British Channel Islands or Virgin Islands – “honni soit qui mal y pense”…

Payment Services Directive (PSD2)

The revised Payment Services Directive (PSD2) aims to change the European payment market by improving consumer protection and increasing legal certainty. It also aims to promote technical innovations (new payment methods, e.g. eWallet) and increase competition among providers. Entry into force: 13.01.2018. The technical regulatory standards (RTS) published by the European banking supervisory authority will form the essential basis for implementation. Transactions involving European and non-European payment service providers (so-called “one leg out” transactions) will now fall within the scope of the directive. Banks will also be forced to grant third-party providers access to their accounts at the customer’s request.

Minimum Requirements for Risk Management (MaRisk)

Last but not least, BaFin adapted its Minimum Requirements for Risk Management of Banks (MaRisk) to new European and international requirements at the end of October 2017. The main changes concern the areas of data aggregation, risk culture and outsourcing. In November, it also issued new banking supervisory requirements for IT (BAIT), which are effective immediately and explain what the banking supervisory authority considers to be appropriate technical and organisational equipment of IT systems. Both circulars interpret the legal requirements of §§25a and 25b of the German Banking Act.

We will go into more detail on individual topics in further blog entries and thank you for your interest.

Hint: This text has been translated by an AI (German > English). Slight errors may occur.