If European compliance officers think 2020 was bad, wait until they get a load of 2021.
Many of the problems the profession faced in 2020 will remain in place going into the new year—such as remote working and the associated compliance risks around fraud, cyber-security, data protection, and the lack of consolidated oversight—but new risks will also present new challenges, Brexit being one of them. Irrespective of whether the European Union and the United Kingdom can agree to a trade deal, legislative and regulatory changes are likely to appear across a range of industry sectors as a result of the U.K.’s decision to leave the single market.
Other compliance risks that have featured highly in recent years are set to remain, too. For example, experts still complain about the lack of a coherent enforcement approach between the EU’s data protection authorities with regard to policing the General Data Protection Regulation (GDPR), and companies still live in fear of being the first to be handed a penalty that equals 4 percent of their global revenues.
What follows are some of the key compliance challenges in Europe experts have identified for the year ahead:
Remote working and cyber-security
Employees working from home have forced businesses to widen their use of technology systems. But such changes come at a price: Organizations need to invest in data protection and cyber-security training and systems, and in a harsh financial climate, other priorities tend to come first.
A survey by cloud services firm Atlas Cloud found that 63 percent of workers said their employers had invested in upgraded software or hardware to enable remote working during the pandemic. However, less than a third of respondents said they had received training to deal with the associated cyber-security risks.
To address these potential problems, says Jane Sarginson, a barrister at St Philips Chambers specializing in regulatory issues, compliance teams must set up robust security measures, ensure proper governance, and audit the systems in place. Above all, she says, compliance functions need to ensure the organization trains staff so they can recognize a potential threat or breach.
“With proper systems in place, the greatest risk is human error,” says Sarginson. “There is little that can be done about an individual employee determined to steal your data, but in all other respects, the risks can be minimized by appropriate preparation.”
EU’s 6th Anti-Money Laundering Directive
Failure to tackle money laundering effectively has led to the European Commission producing three anti-money laundering directives in less than 30 months, with the latest (the 6th directive) coming into force in December and set to take effect in June 2021. As a result, financial institutions don’t have much time to beef up compliance.
According to Charles Delingpole, CEO at software vendor ComplyAdvantage, “the directive aims to increase international cooperation and hit offenders with tougher punishments” while placing the responsibility for AML and combatting terrorism financing controls firmly on management, along with those employees involved in facilitating it.
The key changes include a unified list of 22 “predicate” offenses (crimes that may be part of larger money-laundering activities, such as insider trading, market manipulation, cyber-crime, and human trafficking) and additional money-laundering offenses of aiding and abetting, inciting, and attempting money laundering. The directive also extends criminal liability to “legal persons,” meaning companies and partnerships. The legal person will be considered culpable for the crime of money laundering if it is established they failed to prevent a “directing mind” from within the company from carrying out the illegal activity.
The directive also introduces a minimum prison sentence of four years for money-laundering offenses (previously just one year) while also giving judges the power to fine individuals and exclude entities from accessing public funding.
The legacy of ‘Schrems II’
The European Data Protection Supervisor confirmed in December that a replacement for the now-defunct EU-U.S. Privacy Shield is not even “months away” from being finalized. Until a revised mechanism is agreed, companies run the risk of being held liable under the GDPR for any unsafe transfer of data to the United States or to any other third country with strong surveillance laws (possibly including the United Kingdom, post-Brexit).
So far, no organization has been penalized. But some data protection authorities across the European Union have shown they have lower levels of tolerance for a failure to adopt the “supplementary measures” the European Data Protection Board issued in November to help companies provide adequate protection on data transfers.
Phil Brown, commercial, IT and regulatory specialist at law firm Conexus Law, says the situation “clearly poses a huge threat to international business,” adding that “the contrasting views of Europe and the U.S. as to data protection mean it is a difficult one to see resolved without wholesale legislative changes to either the European or U.S. regimes.”
During the pandemic, several regulators—such as data protection authorities and competition authorities—scaled down their monitoring activities and reduced the level of fines due to the restrictions and financial pressures imposed by COVID-19.
Experts warn those organizations that have taken advantage of reduced regulatory oversight to act more aggressively and/or without due care may be in for a shock.
“By and large, regulators have scaled back their monitoring and have indicated they will take a more pragmatic approach to enforcement, but that is not going to go on forever,” says Liz Sandwith, chief professional practice adviser at the Chartered Institute of Internal Auditors. “There are likely to be many examples of poor corporate governance that are going to catch the eyes of regulators in the coming months, and compliance officers need to be prepared for that.”
Embracing new technologies
With compliance functions under pressure to provide more assurance on a broader range of issues, the need to find technological solutions that can give teams greater support becomes more urgent (perhaps more so in heavily regulated industries like financial services).
Naturally, RegTech firms are keen to push their products, but it is difficult to see how the compliance profession is going to provide the level of real-time assurance management now needs without investment in IT.
Remonda Kirketerp-Møller, CEO of RegTech firm Muinmos, says the profession can’t continue without the investment in technology. “It is the only way forward,” she says. “Given what we have witnessed over the last few years, from financial crisis to increased regulation and COVID-19, it’s become apparent that the traditional methods used by compliance officers are not sustainable.”
Five challenges for European CCOs heading into 2021