Brexit gauge

An impact assessment template for financial institutions

March 2018
Analytical contacts

Alan L Paris
Director
Financial Crime and Compliance Analytics
alan.paris@crisil.com

Subrato Banerjee
Manager
Financial Crime and Compliance Analytics
subrato.banerjee@crisil.com

2
Executive summary
After all the debate, no one knows how the concept of Brexit, or „Britain exits the European Union‟, will
look like in practice.

The phrase “Brexit means Brexit” sounds meaningless as well, as the thought “Leave means Leave”
does not help achieve the actual purpose of the referendum of June 23, 2016. What we do know is that
the United Kingdom‟s (UK) separation from the European Union (EU) will completely change how we
think about, legislate, and regulate affairs related to the banking industry.

The UK, and especially London, is currently Europe‟s major international financial center and leads in
most of the financial services areas. The UK dominates wholesale financial services and has done so for
decades. It also dominates the world‟s foreign currency trading market, a trend that accelerated initially
with the creation of the EU Single Market and again with the arrival of the euro (€) in 1999. Today, the
UK is by far the largest center in the world for trading the €.

While many businesses are deliberately waiting to understand more about Brexit, they are also nervous
about their inaction. They want to understand what, exactly, everyone else is doing about Brexit before
making a call on whether to act. We also know that whilst some businesses are actively preparing for the
unknown, they, too, have a simple question: “Whatever is being done, assuming, to comply with Brexit
expectations, are those the right things to do and what are the points that are being missed?”

One thing we can say for certain is that there is no right or wrong in this strange post-Referendum world.

Brexit will force many banks in the UK and elsewhere to undertake a fundamental review of their
operations and structures.

This paper is an attempt to understand and highlight the possible steps that financial institutions can take
to ascertain their acceptance to the changes resultant of Brexit.

3
Prelude

Britons have elected to „leave‟ the European Union (EU) to gain greater control over their policies,
regulations and immigration. This move, widely referred to as „Brexit‟ – coined by merging of the words
„Britain‟ and „Exit’ – will affect the economy and financial services of the country.

By way of this paper, we will map out the impact on financial services sector with marked interest on
aspects of financial crime and compliance.

The decision

On June 23, 2016, as many as 51.9% of Britons elected to „leave‟ the European Union (EU) membership
via a referendum with 71.8% turnout.

Why Brexit

Three primary reasons cited for the departure:

 Immigration: Citizens of the EU were free to work anywhere in the EU, and Britain was and still
is the first and largest choice of immigrants. Britons voted to regain control over immigration and
its own borders.

 Economics: Britain was expending more to the EU than it was receiving.

 Sovereignty: The biggest single reason for leaving the EU was „the principle that decisions about
the UK should be taken in the UK‟.

The way forward for the UK and rest of the EU

Article 50 (exiting the EU) was officially triggered on March 29, 2017, after which there is a two-year time
limit set for negotiations to etch out the details. The UK, therefore, exits the EU by March 29, 2019.

Hard and soft approach

A „hard‟ Brexit could involve the UK refusing to compromise on issues such as free movement of people
even if it meant leaving the single market. At the other end of the scale, a „soft‟ Brexit might follow a
similar path to Norway, which is a member of the single market and has to accept free movement of
people as a result of that.

4
The change in scenario between the UK and the EU

The UK‟s situation is unprecedented; no full member of the EU has ever left, other than Greenland in
1982. With Brexit into effect, the UK‟s relationship with the EU opens up an infinite number of
possibilities; with some seen a bit more workable than others, and are also being used by other
European nations that are not a part of the EU.

The Brexit roadmap

Possible models of relationship to the EU

Free trade Most favored Swiss style Norwegian style

agreement nation-based bilateral EEA EFTA states
relationship relationship relationship relationship
Trade
FDI
Regulation
Immigration
Financial service
Uncertainty

Scale of impact:  Moderate  Significant  Severe

5
Sprawl of Brexit on the banking and financial services sector

Post Brexit, three major influencing perspectives emerge, while the UK still aspires to be the EU‟s
principal financial services hub. The issues below illustrate the UK‟s impediment.

Regulatory impact: Post Brexit, passporting arrangements and dependence on data and intelligence
sharing become questionable as businesses in the UK have to obtain new licenses and regulatory
approvals to gain access to the EU single market. The UK also needs to sign up for the EU-defined data
regulations.

Economic aspects: With the high account deficit of the UK, Brexit poses short-term risk to financial
stability. The UK would also lose protection from the European Court of Justice enforcement of the single
market rule. Impact is also seen with restriction of talent movement in the banking and financial services
between Europe and the UK.

Cross-border trade impact: Being no longer bound to the European Securities and Markets Authority
trade reporting regulations, the UK has to worry about acquiring new banking licenses for its EU
locations, along with movement of the bank headquarters, new trade reporting requirements, and
changes to market infrastructure. There would be significant reduction of exports of financial services
into the EU. In the long run, there are opportunities of loss compensation via trade agreements with
emerging financial centers like Hong Kong and Singapore.

Post-Brexit compliance hurdles

Regulation and passporting

The greatest challenges to cross-border fintech expansion is the lack of uniformity between different
legal and regulatory environments. Passporting allows all UK-based companies to use their UK financial
licenses to do business in other EU countries, which will be a hindrance with the loss of rights. All the
UK-based companies will have to obtain new licenses from an EU member state, and this might also
involve moving out operations from the UK. Though the loss of rights is not yet certain, remember that
passporting works both ways: With the UK‟s exit, firms located in the European Economic Area will not
be able to passport into the UK either. Passporting does not apply to the activity of operating an
electronic lending platform. It would be a UK-only regime.

Data protection and data sharing with the EU

The UK needs to renegotiate new data sharing arrangements with both the EU and the US, which will
affect UK fintech companies as they attempt to utilize the data they hold, the data which may be one of
their biggest assets.

6
The UK‟s data protection rules under the Data Protection Act of 1998 are in line with the EU‟s Data
Protection Directive. This is likely to be replaced with the more stringent General Data Protection
Regulation (GDPR) on May 25, 2018. If free data movement between the UK and the EU has to
continue, the UK will have to prove it offers levels of protection tantamount to those in the GDPR. This
will require changes to UK law. The GDPR obligations will apply to organizations located anywhere in
the world that process EU citizens‟ personal data in connection with their offer of services and other
activities. This will have direct effect in all EU member states, and among other changes, will introduce
more onerous rules on how personal data must be handled and protected, and higher penalties for non-
compliance.

While the eventual position will mainly be driven by the nature of the UK‟s relationship with the EU post-
Brexit, the following represent some of the possible outcomes, which ultimately infer that a regulatory-lite
future is highly unlikely.

 Obtaining an adequacy decision from the European Commission.

 Joining the European Economic Area

 Reduction in personal data restrictions

 Agree for a „UK Privacy Shield‟ with the EU

Aspects of financial crime and compliance (AML, KYC, Directives, et al)

The Financial Action Task Force (FATF) had established in 1989 the International Anti-Money
Laundering (AML) framework that is applicable to all FATF members. The UK is traditionally ahead of
the EU curve on anti-money laundering legislation and the UK government is likely to keep leading the
way, often gold-plating the EU legislation.

The UK‟s AML legislation is considered to be one of the most draconian regimes, and the country has
already taken steps to achieve a higher standard than that imposed by the Fourth Anti-Money
Laundering Directive (4MLD), by creating a public register of beneficial ownership and encouraging other
countries to follow its lead.

Since the 4MLD stems from the latest recommendations of FATF, the UK will have to adhere to FATF‟s
AML rules even after Brexit.

The „Persons with Significant Control‟ (PSC) Register is a new statutory register in which most UK
companies and LLPs are required to register the identities of their ultimate beneficial owners.

Anti-bribery & corruption (ABC)

Solutions to financial crimes require international collective action, which a Brexit from the EU would
seriously undermine. The global trend in enforcement is towards countries sharing information with each
other, and the UK has already committed to host a new International Anti-corruption Coordination Centre
7
in London which would work in liaison with enforcement agencies based out of the US, Canada,
Australia, New Zealand and Switzerland.

The Bribery Act of 2010, considered one of the strictest anti-bribery and corruption laws, stemmed from
the OECD‟s anti-corruption convention and is unlikely to be affected post Brexit.

Sanctions and PEPs

Export and sanctions control strategies would be different post Brexit. Exceptions for Iran and politically
exposed persons (PEPs) checks have been made by the UK, which is against the provision in 4MLD.
This divergence could be magnified post Brexit, though, there is no evidence the UK and the EU would
adopt drastically different approaches to sanctions against PEPs. Moreover, much of the policy on
sanctions comes from UN resolutions which would still bind the UK regardless of its European status.

Terrorist financing

The UK‟s laws on terror financing fall under United Nations (UN) Security Council resolutions. The UK‟s
policies are also aligned with other international conventions, including the Vienna Convention, the
Palermo Convention, the UN Convention against Corruption and the UN Convention for the Suppression
of Terrorism, so the UK law is bound by these requirements. With Brexit, new laws would need to be
passed to fill any legislative gaps. With vulnerabilities in the UK legislative actions, whenever there are
terrorist concerns, the UK can still have the authorities designate financial sanctions targets and apply
export and other controls to goods of any description. Ultimately, the UK would still have the power to act
on suspected inflow and outflow of money related to terrorism.

The EU’s 4MLD

The 4MLD reflects the 2012 revision of Financial Action Task Force (FATF, 40 Recommendations).
Notwithstanding uncertainty over the shape and extent of the UK‟s future with the EU, Britain has voiced
its intent to implement the EU‟s 4MLD. The UK‟s own AML/CTF framework will undergo changes based
on 4MLD implementation, for which Britain has already played a significant role in the negotiations. The
next FATF evaluation for the UK is in 2018.

Proposed amendments to the 4MLD

The amendments broadly cover the following aspects, where the directive places greater accentuation to
a risk-based approach to prevent ML/TF at all levels;

8
Gambling
Extends to all gambling services,
not just casinos
Record keeping
Client information to be maintained
up to a maximum period of 5 years
after the end of the business
relationship
Parent and subsidiary
companies
The UK requirements have to be
met for those subsidiaries that are
located in other jurisdictions with
less strict AML requirements than
those of the member states
Beneficial ownership
Corporates and legal entities to
maintain clear information on their
beneficial ownership and detail
them in a central government
register, which will be accessible by
law firms, banks and any other
person that can show a 'legitimate
interest'
Third-party equivalent Correspondent relationship
A 'Black list' is being introduced for This includes all relationships
higher-risk countries. between two financial or credit
institutions
Threshold being reduced to
€10,000 for CDO to be conducted
when receiving cash payment for
goods
High-value dealers Written risk assessment
Threshold being reduced to Euro The risk assessment steps taken by
10,000 for CDD to be conducted the firms in the regulated sector
when receiving cash payment for must be well-documented and
goods. readily available for sharing
PEPs Trusts
Has been extended to include HMRC will be the registering
domestic individuals. An individual authority for all trust and company
is to be considered as PEP up to pay service providers not registered
one year after leaving office, post by the FCA. HMRC will maintain a
which a risk-based approach to be register of beneficial owners of
taken taxable trusts
Know your customer (KYC/CDD/SDD), with impact to e-money products
and services
 Automatic simplified due diligence (SDD) to be discontinued. This
can be used following a risk assessment legitimizing its use
 Non-reloadable vs reloadable products: CDD on e-money products
waived for non-reloadable products, subject to conditions of
maximum storage value of €250; redemption limit of €100 imposed,
and transaction monitoring to be carried out by issuer
 SDD approach: Issuers are allowed to do SDD in low-risk situations.
SDD is not an exemption of CDD, but an obligation to collect certain
information on customers that constitute identity, coupled with a
delayed obligation to verify that information or the possibility of
applying a lighter degree of verification based on risk
9
Implications of breaches

There are both criminal and civil sanctions. HMRC and the FCA have the power to impose appropriate penalties
where they are satisfied that the person has breached a relevant requirement

Criminal sanctions cover Civil sanctions cover

Contravention of a relevant requirement  A public statement identifying the natural or

legal person and the nature of the breach
Prejudicing an investigation, and
 An order requiring the natural or legal person to
Making false, misleading or reckless disclosure cease the conduct and not repeat it

 A temporary ban against any person discharging

managerial responsibilities in an obliged entity,
or any other

 Natural person, held responsible for the breach,

from exercising managerial functions in obliged
entities

 Maximum administrative pecuniary sanctions of

at least twice the amount of the benefit derived
from the breach, where it can be determined, or
at least €1 million

Payment Service Directive 2

The Payment Service Directive 2 (PSD2) extends the scope of the first Payment Service Directive
(PSD), which was launched in 2007. PSD was an attempt from the European Commission to bring
harmony and set the stage for a European-wide payment standard framework for Single Euro Payments
Area (SEPA) for payments made throughout the EU and the European Economic Area (EEA). The aim
of PSD was to create a level playing field in payment domain, increase competition, reduce costs and
increase payment efficiency.

10
PSD2 carries the same theme set out in the original Payment Services Directive with focus on three key areas:
concepts and roles of third-party providers, strong customer authentication, and one leg out transactions

Third-party provider (TPP)

This concept allows third-party access to accounts with the customer consent. By allowing access to accounts,
PSD2 creates two major roles for third parties to play

 Payment initiation service: It will allow payers to make payments using third-party payment initiation
service providers, which, in turn, use the mechanisms provided by the banks, referred to as APIs.
Payment initiation service will provide an alternative to card payments by moving money from payer
accounts to merchants directly.

 Account information service: This will allow third parties to provide aggregated views of customer
accounts. This allows quicker, more transparent services, access to money and digital apps, which gives
consolidated view of finances as well as more help to manage funds.

Strong customer authentication (SCA) One leg out transactions

With the inclusion of third-party access, PSD2 brings in
SCA that goes beyond the 2-factor authentication
(Factor 1: User known, like a password; and, Factor 2:
Mobile device code). SCA introduces Factor 3:
Inherence (customer recognition, like fingerprints,
voice biometrics)
An original PSD term for transactions where
payers/recipients are based outside the EU. PSD
targeted only the EU currencies. PSD targets any
currency here either the payer's payment service
provider is located in the EU, irrespective of the other
PSPs located outside the EU.

End of the line

The risk of money-laundering creates serious reputational, legal and financial risks. While stringent anti-
money laundering regulations create red tape, they provide important certainty for banking and financial
services, and related businesses. The UK has one of the toughest anti-money laundering legislation in
the world and it is unlikely the UK standards will decline following its departure from the EU.

Increasing awareness of anti-money laundering obligations through compliance training is essential in

order to protect staff across levels in any organization from criminal prosecution, and also to maintain the
reputation of the UK financial market and minimize the risk of a money laundering investigation which
may result in businesses becoming liable to comply with the Money Laundering Regulations. This is a
heavy compliance burden indeed.

One prediction that we are confident to make is of a sustained period of business uncertainty in the run
up to a „Brexit‟ and beyond. By understanding their level of exposure to the most probable outcomes and

11
putting strong plans in place to handle them, firms can ensure they are well placed to mitigate any
immediate risks and also capitalize on longer term opportunities ahead of the competition.

Gauging the consequences

Banking and financial institutions need to prepare themselves citing the big issues at stake for the sector,
and the number of risks and unknowns. The following possible guiding questions, spread across a few
major areas, can be used to assess the likely consequence of „Brexit‟ on a business.

a. First, understand the degree of exposure, not only directly but also of their counter-parties,
customers, suppliers.
b. Second, gauge the impact to their business under „Brexit‟ scenarios.
c. Finally, complete appropriate contingency planning, to cover off the largest risks and outcomes.

1. Finance

 How will short term £ volatility impact the firm and what measures are in place to manage exchange
rate risk?

 How will Brexit impact investment decisions and the ability to raise capital from EU investors?

 What is the likely impact on capital requirements?

 What impact will Brexit have on the firm‟s cost base and cost-income ratio?

2. Regulation and strategy

 How would an adverse outcome on passporting impact location strategy?

 For subsidiaries of European parents, how is the parent likely to respond and how can decisions be
influenced?

 How essential is the need to comply with new EU regulation, e.g. MiFID II?

3. Communication

 What will the firm‟s response to a Brexit be to clients, shareholders, suppliers and key staff from the
EU?

 Do you have a Brexit communication plan and resources in place?

12
4. Distribution

 What is your market access exposure and likely impact of loss of passporting arrangements?

 What adjustments to pricing strategies will be required?

5. Operations

 What impact would Brexit have on existing legal contracts and mandates?

 What documentation will need to be changed? What measures and resourcing have been put in
place to do this?

 Review counter-party risk, direct and indirect impact on suppliers. How do impacted suppliers plan to
respond?

 What are the implications for cross-border data management?

 What is your key man risk and level of reliance on talent from the EU? How are key individuals likely
to respond?

6. Customers

 Do you have the insights you need in terms of the strategic decisions being made in your customers?

 Will your customers face additional complexity as a result of Brexit? Can you turn this into an
opportunity by solving emerging problems?

 Can you create greater “attachment” with customers (by adding more value or addressing other
customer challenges)?

 Have you reviewed the clauses in existing contracts that may require re-negotiation?

7. Competition

 How are existing competitors responding to Brexit?

 Is new competition emerging e.g. as a result of cost or risk pressures?

 Is your existing offering sufficiently differentiated?

 European companies are looking at supply chain risk posed by UK suppliers. Is this an opportunity
for you?

13
8. Supply chain

 Tariffs and customs controls associated with a hard Brexit could interrupt continuity and reliability of
supply. Do alternatives exist?

 Is there unnecessary complexity in your supply chain which could lead to cost savings or other
improvements if addressed?

 Can cost or complexity associated with e.g. UK intermediaries be overcome by going direct to the
supplier?

9. Transport & logistics

 Receipt of supplies and delivery of goods could be delayed to, from and through the UK. Are you
satisfied with your understanding of current routes? Have suppliers been queried on this? What
alternative options exist?

 Additional complexities add cost to the business. What opportunities exist to reduce costs in the
business?

10. Regulations & standards

 In a hard Brexit scenario, UK standards and regulations may begin to diverge from current common
European norms. Is this a risk on the supply side or customer side of the business?

 Are you satisfied with your understanding of the standards and regulations relevant to your
business?

11. Customs, tariffs & taxation

 Customs and tariffs would add administrative costs to the business, increase the price of supplies
and prices for customers. Customs could lead to delays. Are you satisfied with your understanding of
how these may apply to your business?

 Shared VAT collection rules may change post Brexit. Could this have cash flow or other implications?
What could be done to protect the business in advance?

14
12. Movement of people

 Do you have European or other non-UK citizens in your team to deliver services in the UK?

 Could it become more difficult to recruit new staff in the UK?

 In what way could employment contracts, visas, etc, be impacted?

 Is there an opportunity to recruit key talent for non-UK workers looking at alternatives to the UK?

 Are you satisfied that existing staff concerns are understood and are receiving an appropriate
response?

15
References

13. https://studentsurveyor.com/brexit-what-are-the-next-steps-to-leaving-the-eu/

14. https://www.fenergo.com/resources/blogs/regulatory-impact-of-brexit.html

15. http://www.nortonrosefulbright.com/knowledge/publications/136980/impact-of-brexit-on-financial-
institutions

16. http://economia.icaew.com/en/opinion/march-2017/how-brexit-will-impact-the-uk-financial-sector

17. http://financeandriskblog.accenture.com/regulatory-insights/regulatory-impacts-of-brexit

18. http://blog.northhighland.com/brexits-regulatory-impact-to-the-banking-industry/

19. http://www.grantthornton.co.uk/globalassets/1.-member-firms/united-kingdom/pdf/brexit-impact-
financial-services.pdf

20. https://publications.parliament.uk/pa/bills/lbill/2017-2019/0069/18069.pdf

21. https://hsfnotes.com/fsrandcorpcrime/2017/10/26/uk-government-introduces-new-sanctions-and-anti-
money-laundering-bill/

22. https://bis.lexisnexis.co.uk/blog/posts/anti-money-laundering/will-brexit-affect-uks-approach-to-
tackling-financial-crime

23. http://www.klgates.com/brexit-data-protection-07-18-2016/

24. http://www.klgates.com/privacy-shield-approved-new-legal-framework-for-transatlantic-data-transfers

25. https://www.securetrading.com/blog/psd2-brexit-need-know/

26. https://www.lexology.com/library/detail.aspx?g=a65839c1-18b2-4621-86d3-bfc4f79739d9

27. https://www.finextra.com/blogposting/12833/does-psd2-still-matter-to-uk-after-brexit

28. https://www.lexology.com/library/detail.aspx?g=d3d02bdd-7013-4d49-86c3-92882d9fa21f

29. https://www.int-comp.com/ict-views/posts/2015/08/24/the-4th-eu-money-laundering-directive-(4mld)-
explained-in-90-seconds-(transcript)/

30. http://blog.arachnys.com/cross-country-compliance-eu-proposes-urgent-updates-to-the-fourth-
money-laundering-act-interconnected-business-registries-for-2017

31. http://europa.eu/rapid/press-release_IP-16-2380_en.htm

32. https://www.lexology.com/library/detail.aspx?g=24030ac1-2c0a-4123-b202-83c5a34a1d6e

16
33. https://www.regulationtomorrow.com/eu/hm-treasury-memorandum-on-proposals-to-amend-the-
4mld/

34. https://www.anaplan.com/blog/how-uk-companies-can-better-prepare-brexit/

17
 About CRISIL Limited

CRISIL is an agile and innovative, global analytics company driven by its mission of making markets function better. We are
India‟s foremost provider of ratings, data, research, analytics and solutions. A strong track record of growth, culture of innovation
and global footprint sets us apart. We have delivered independent opinions, actionable insights, and efficient solutions to over
100,000 customers.

We are majority owned by S&P Global Inc., a leading provider of transparent and independent ratings, benchmarks, analytics
and data to the capital and commodity markets worldwide.

About CRISIL Global Research & Analytics

CRISIL Global Research & Analytics (GR&A) is the world's largest and top-ranked provider of high-end research, risk and
analytics services. We are the world's largest provider of equity and fixed-income research support to banks and buy-side firms.
We are also the foremost provider of end-to-end risk and analytics services that include quantitative support, front and middle
office support, and regulatory and business process change management support to trading, risk management, regulatory and
CFO functions at world's leading financial institutions. We also provide extensive support to banks in financial crime and
compliance analytics. We are leaders in research support, and risk and analytics support, providing it to more than 75 global
banks, 50 buy-side firms covering hedge funds, private equity, and asset management firms. Our research support enables
coverage of over 3,300 stocks and 3,400 corporates and financial institutions globally. We support more than 15 bank holding
companies in their regulatory requirements and submissions. We operate from 7 research centers in Argentina, China, India,
and Poland, and across several time zones and languages.

CRISIL Privacy Notice

CRISIL respects your privacy. We use your contact information, such as your name, address, and email id, to fulfill your request and service
your account and to provide you with additional information from CRISIL and other parts of S&P Global Inc. and its subsidiaries (collectively, the
“Company”) you may find of interest.

For further information, or to let us know your preferences with respect to receiving marketing materials, please visit www.crisil.com/privacy. You
can view the Company‟s Customer Privacy at https://www.spglobal.com/privacy

Last updated: April 2016

Argentina | China | Hong Kong | India | Poland | Singapore | UK | USA

CRISIL Limited: CRISIL House, Central Avenue, Hiranandani Business Park, Powai, Mumbai – 400076. India
Phone: + 91 22 3342 3000 | Fax: + 91 22 3342 3001 | www.crisil.com