The purpose of the current database project is to help streamline the data collection the Board performs. Standardizing the data collected will help to ensure the accurate determination of a firm’s regulatory status and risk rating. The data collected will also play an essential role in sectoral trend spotting, helping in generating appropriate statistics for the generation of the National Risk Assessment. In addition to the above, the database will help the Board achieve a goal of becoming a paperless office.

The next major step in the development of the database is the establishment and functioning of industry working groups. As requested at the July 9th town hall, separate working groups for accountants and lawyers will be formed. The formation of each group will be controlled by each profession’s governing body. It is expected these working groups will begin to meet in September of 2019. 

The goal of each working group is to develop an appropriate taxonomy of business transactions which fall within regulatory scope as per the Proceeds of Crime Act 1997 s49(5). The working groups should take into consideration already existing guidance offered in the Guidance Notes created by the Board for each sector, as well as guidance documents produced by intergovernmental bodies such as FATF (see linked document below for lawyers).

If you're interested in joining your profession's working group, please contact the Bermuda Bar Association or CPA Bermuda accordingly, with the Board's Technical Officer Joshua Correia copied on the request (This email address is being protected from spambots. You need JavaScript enabled to view it.). 

It is envisioned the entire database project will be complete and online by 2021. Between now and then once an operational version of the database is online, optional online registration will be available to firms once a firm's MLRO is listed as active on the database platform.

Below are the documents which were circulated for the town hall presentation relating to the database project on July 9 2019.

 

Frequently Asked Questions:


Do we have to supply data on all files that we open, or just “specified activity files”?

ANSWER: 
The Board performs a two-step process.  Step 1, registration, which involves analysis of ALL files per section 30C(1) of SEA, in order to understand the nature of business and activities of a Firm.  This is a high-level, anonymized analysis of aggregated anonymized data on files.  The Board assesses a logic tree of 1) Advisory/Advocacy; 2) Financial/Real estate or Not; 3) transactional or non-transactional; 4) if transactional, does the matter fall within any head of Section 49(5) of POCA.  Step 2, designation as an RPF and designing a supervisory program.  At this second stage, only ‘specified activities” are considered and the files relating thereto are the ones subject to detailed review per the POCA regulations.

 -------------------------------------------------------------------------------

Personal Data and the Data Privacy Act. 

ANSWER: 
The first step of registration and file analysis does not involve collection of personal data EXCEPT in relation to the owners, directors and senior executives of a firm applying for registration.  The PIPA Act entitles regulatory authorities to collect such data.  At the registration stage, client data is anonymized, aggregated matter types. At Step 2, risk analysis and supervision, it may be that PEP personal data will be collected, which the Board is entitled to do by PIPA as part of its supervisory function [PIPA s24(2)(a)(i)].

 -------------------------------------------------------------------------------

Do the rules on Professional Legal Privilege affect a Firm when completing the Questions in the Registration, especially when supplying answers to Section X, Questions Y and Z (analysis of client transactions)?

ANSWER:
In The Law Society’s text “Solicitors and Money Laundering: A Compliance Handbook” there is reference to a judicial authority, Bowman v. Fels [2005] 4 All E R 609.  The case is cited as precedent that the disclosure provisions of UK’s POCA 2002 do not override the common law legal professional privilege owed to clients.  So, solicitors are obliged to refuse to disclose clients’ information protected by such privilege, and accordingly have a sufficient defence to disclosure offences under their POCA.

Legal Professional Privilege applies to communications between a client and his legal adviser.  The Board’s registration process does not seek disclosure of communications.  The Board only requires descriptive data of the firm’s own activities in relation to its clients.  Such data is not a communication.

In Bowman v. Fels and also P v P, which is referred to in the case notes, it is clear these cases discuss solicitors’ duties of disclosure of client criminal conduct to the Financial Intelligence Agency (equivalent in the UK).  These cases do not relate to the description of a solicitor’s own business practices supplied to such solicitor’s own AML/ATF regulatory authority. Such information is not client information. It is the solicitor’s own file management information. The UK does not have a body like Bermuda’s AML/ATF Board nor legislation equivalent to our SEA Part4A.  Thus, UK cases will not be wholly relevant.

Butler- Sloss in P v P makes quite clear the usual principle that express statutory words override the common law on privilege.  In the case of the POCA Supervision and Enforcement Act, section 30C(1) (taken together with POCA Section 7 and Section 30D(6) of SEA) there is express statutory authority for the Board to collect ANY information necessary to understand the nature of the business and activities of a law/accounting firm. That is to say, the firm’s own business and activities. Per section 49(5) of POCA, the Board is concerned with what firms themselves are doing in relation to transactions involving ‘specified activities”. A full description of the transactions that a lawyer/accountant advises on is therefore required.  The Board is not, however, responsible for what the underlying clients are doing in relation to criminal conduct.  The latter is between a law firm and Bermuda’s Financial Intelligence Agency. Naturally, if the Board itself has reasonable grounds for suspicion, it will report to FIA likewise. In all events, Bowman v Fels deals with the relationship between firms and FIA in respect of disclosure of criminal conduct.  They do not concern self-description for the purpose of regulatory registration of the firm.

 -------------------------------------------------------------------------------

Cyber-security: 


ANSWER:
The database itself will be hosted on a Microsoft Azure server, located at a secure location. The IT service provider the Board has contracted with also has 24/7 monitoring of their servers.

 -------------------------------------------------------------------------------

Will there be developmental milestones: 

ANSWER:
Yes, a program of committee meetings and outcomes at fixed points along the way to January 2021 will be developed and released for the first Working Committee meeting in September.

-------------------------------------------------------------------------------

Will Lawyers and accountants be split out into separate sub-committees as they have separate file methods and risks? 

ANSWER:
The Working Committee is led by Bar Council and CPA Bermuda and if they so decide, then the Board would consider adapting the database on a sectoral basis, particularly if this helps with risk analysis and “nature of business” analysis.

 -------------------------------------------------------------------------------

If you have any questions regarding the database project, please send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. with your question included.