Regulatory Compliance Legislation

1MLD/1AMLD/AMLD1 (1991)

The First Money Laundering Directive (Directive 91/308/EEC) (1AMLD) provided the initial framework for the subsequent Second and Third Directives.

Key preventative measures were established, including customer/client identification, record-keeping and central methods of reporting suspicious transactions.

It was passed to ensure a universal approach was adopted by the EU Member States to combat the problem of money laundering, thus protecting the EU Single Market.

The 1AMLD was succeeded by two further directives, the second Anti-Money Laundering Directive (Directive 2001/97/EC) (2AMLD) and the third Anti-Money Laundering Directive (Directive 2005/60/EC) (3AMLD).

2MLD/2AMLD/AMLD2 (1997)

2AMLD broadened the focus of European Anti-Money Laundering (AML) legislation to restrict the financing of terrorist organisations and imposing requirements to identify customers and guard against money laundering on non-financial businesses, such as accountants and notaries.

3MLD/3AMLD/AMLD3 (2005)

3AMLD went further than earlier directives. Creating an obligation on institutions covered by the Directive to identify the beneficial owner of legal or corporate entities on whose behalf a transaction was conducted. The 3AMLD was repealed with effect from 26 June 2017 and replaced with the fourth Anti-Money Laundering Directive (Directive 2015/849/EU) (4AMLD).

4MLD/4AMLD/AMLD4 (2015)

The 4AMLD introduced the current risk-based approach to legislation tackling money laundering and counter-terrorist financing.

Changes placed an onus on businesses to call out suspicious clients and transactions, requiring them to put in place compliance systems and work with national Financial Intelligence Units to minimise the risk of assisting money laundering and terrorist finance activities.

5MLD/5AMLD/AMLD5 (2018)

In July 2016, following terrorist attacks in Paris and Brussels and revelations in the Panama Papers of extensive multinational tax evasion, the European Commission tabled a proposal for the fifth Anti-Money Laundering Directive (Directive 2018/843/EU) (5AMLD).

5AMLD imposed new responsibilities on businesses, further addressing issues including Enhanced Due Diligence (EDD), Politically Exposed Persons (PEP), new technologies and beneficial ownership.

6MLD/6AMLD/AMLD6 (2018)

The sixth Money Laundering Directive 2018/1673/EU) (6AMLD) closely followed the 5AMLD, covering the Schengen Group of countries.

It focused on tackling crimes enabled by money laundering (including trafficking, bribery, and so on).

Alternative Investment Fund Managers Directive (2011)

Alternative Investment Fund Managers Directive (2011/61/EU).

Anti-terrorism, Crime & Security Act (2001)

This Act supplements the Terrorism Acts of 2000 and 2006 by further defining terrorist activities and heightening the powers of police and enforcement authorities to deal with suspected terrorists and terrorist activities proactively.

It provides the means by which terrorist property may be forfeited. Terrorist property is defined as that intended to be used for the purposes of terrorism, assets and resources of a proscribed organisation, or property obtained through terrorism.

Bank Secrecy Act (1970)

The Bank Secrecy Act (primary U.S. anti-money laundering law, amended by the USA Patriot Act in 2001. Among other measures, it imposes money laundering controls on financial institutions and many other businesses, including the requirement to report and to keep records of various financial transactions.

Bribery Act (2010)

The UK Bribery Act 2010 is one of the toughest anti-corruption laws in the world. Bribery is defined as giving someone a financial or another advantage to encourage them to perform their functions or activities improperly or to reward them for having already done so; it includes grease or facilitation payments.

The Act makes it illegal under any circumstance to offer, promise, give, request, agree, receive or accept bribes.

Individuals and companies convicted of breaching this law anywhere in the world face unlimited fines and up to 10 years imprisonment. A statutory defence exists for corporations if they show that they have ‘adequate procedures’ to prevent bribery.

Bribery Act Guidance

The UK Ministry of Justice Guidance to the Bribery Act 2010 provides businesses with tips on how they can avoid falling foul of the law prohibiting bribery.

Fundamentally, the guidance confirms that an organisation may be liable under the Act for the actions of employees and contractors working on behalf of the organisation if the organisation does not have adequate procedures to prevent bribery. The guidance explains that the test for whether procedures are adequate is subjective, assessing whether it would be reasonable and proportionate to expect the relevant organisation to have certain procedures in place.

Relevant procedures may extend to a high-level executive commitment and corporate policy, a requirement to conduct periodic reviews and risk assessments, conduct due diligence of clients, and put in place communications schemes and formal monitoring and review processes. The guidance also notes highlights that the provision of hospitality does not necessarily translate to bribery.

Competition Act (1998)

The Competition Act aims to address two forms of anti-competitive behaviour – anti-competitive agreements and abuse of a dominant market position. Under the legislation, anti-competitive behaviour is assessed in relation to its effect on competition, not its wording or form.

It expressly prohibits cartel behaviour, with the highest penalties reserved for 'hardcore' cartel behaviour, involving price-fixing, market sharing, bid rigging or limiting the supply or production of goods or services.
An agreement that restricts competition is not automatically prohibited under the legislation unless it is considered 'hardcore' cartel behaviour as certain types of agreements are excluded or exempted from competition rules.

Although the UK legislation aligns closely with the EU Competition Law (Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU); EU Directive 2019/1), after 31 December 2020, EU law no longer directly applies.

The Competition and Markets Authority (CMA) is primarily responsible for enforcing competition law with the Serious Fraud Office. Together with Trading Standard Services, the CMA also regulates consumer protection law in the UK (the Consumer Rights Act 2015, Consumer Protection from Unfair Trading Regulations 2008, General Product Safety Regulations 2005 and Consumer Contracts (Information, Cancellation and Additional Charges Regulations) 2013. The work of the CMA is governed by the Enterprise Act 2002, which also sets out the functions of the Competition Appeals Tribunal and regulates corporate mergers.

CMA Guidance on the Competition Act 1998 recommends that businesses regularly review whether their practices and agreements comply with competition law, especially if that business holds a significant share of the markets in which it operates. The guidance states that it is also important for businesses to promote an understanding amongst employees as to what type of behaviour is and is not permissible under competition law.

Computer Misuse Act (1990)

The Computer Misuse Act 1990 protects personal data held by organisations from unauthorised access and modification.

It creates offences for:

• Unauthorised access of material stored electronically (hacking)
• Unauthorised access to computer materials with intent to commit a further crime
• Data theft or disrupting and/or destroying a device or network
• Unauthorised modification of data
• Making, supplying or obtaining anything that may be used in the commission of another computer misuse offence.

Further protection from acts of identity theft is provided by section 2 of the Fraud Act 2006, which criminalises acts of false representation.

Confined Spaces Regulations (1997)

These regulations prohibit workers from entering a confined space to carry out work unless it is not reasonably practicable to achieve that purpose without such entry.

Control of Noise at Work Regulations (2005)

These regulations aim to protect persons against risks to their health and safety from exposure to noise at work.

Criminal Finances Act (2017)

The Criminal Finances Act (2017) targets corruption, money laundering and tax evasion and affects all UK organisations.

It creates corporate offences for failing to prevent the criminal facilitation of tax evasion, effectively making businesses directly liable for the actions of their employees and other ‘associated persons’ who intentionally facilitate tax evasion.

The offences cover both UK and foreign tax evasion, so long as there is a UK link. A statutory defence is provided where a corporate body can show it put in place ‘reasonable prevention procedures’ or such procedure would be unreasonable in the circumstances

Data Protection Act (2018)

This Act updated and replaced the 1998 Act. It aims to protect personal data and uphold the rights of individual data subjects.

Together with the UK GDPR (2021), it establishes the UK data protection regime. The Act comprises three main parts, setting out a general processing regime (the UK GDPR), a regime for law enforcement authorities, and a regime for the three intelligence services.

Electricity at Work Regulations (1989)

This regulation obliges employers to maintain electrical equipment provided for work purposes in a safe condition (domestic electrical supply, items and sockets are the employee's responsibility).

Equality Act (2010)

The Equality Act 2010 provides individuals with legislative protections against discrimination in the workplace and wider society. Enforcement of the Act falls primarily to the Equality and Human Rights Commission.

Discrimination may be direct or indirect and may involve harassment and/or victimisation. It occurs when a person treats another person less favourably than others because of the affected person's protected characteristic. The characteristics protected under the Act are age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation.

It also protects people from discrimination experienced as a result of protected characteristics of their close connections (such as family members and friends) and as a result of making a complaint about discrimination (whether it relates to the individual or another).

Employers have a responsibility to protect their workers from harassment, discrimination and bullying in the workplace.

Public service authorities have further obligations under the equality legislation under the Human Rights Act 1998, and under the Public Sector Equality Duty found in section 149 of the Equality Act 2010 and the Equality and Human Rights Commission's Code of Practice on Services, Public Functions and Associations.

Employment Rights Act (1996)

The Employment Rights Act created a number of statutory rights relating to contracts of employment, rest breaks, parental leave, long service, notice of dismissal, unfair dismissal, redundancy payments and employer insolvency. Since then, a number of amendments have augmented the scope of rights, affecting holiday pay and the introduction of parental bereavement leave.

The Act was also amended in 1998 by the Public Interest Disclosure Act 1998 (PIDA), which aimed to protect whistleblowers by allowing them to claim unfair dismissal if they lose their job due to making a disclosure. Protected disclosure now protects whistleblowers from suffering other disadvantages in the workplace if the disclosure relates to specified topics.

Environment Act (2021)

This Act aims to halt the decline of nature by 2030, mandating net biodiversity gain for developments. It strengthens the duty to protect biodiversity and puts in place conservation covenants. Provisions also prohibit larger businesses in the UK from using commodities associated with wide-scale deforestation.

The legislation also requires regulated businesses to establish a due diligence system and enforcement for each regulated commodity used in their supply chain, requiring them to report on their due diligence.

EU Market Abuse Regulation (2016)

The EU MAR came into effect on 3 July 2016. As a result of Brexit, it was onshored into UK law through section 3 of the EU (Withdrawal) Act 2018. Amendments were made to the EU MAR through the Market Abuse (Amendment) (EU Exit) Regulations 2019, designed to ensure that the EU regulation would work effectively in the UK. The resulting rule, the UK Market Abuse Regulation (UK MAR), aims to increase market integrity and investor protection, enhancing the attractiveness of securities markets for capital raising. UK MAR applies to all issuers with securities listed or traded on a UK market or which have applied for admission.

The UK MAR contains requirements such as an express obligation to keep insider lists and for Persons Discharging Managerial Responsibilities (PMDRs) and their Persons Closely Associated (PCAs) to notify their company and the FCA within three business days of any share dealings. PDMR covers directors and senior executives with regular access to inside information relating directly or indirectly to the company and with the power to take managerial decisions affecting the company's future developments and business prospects.

The UK MAR also contains prohibitions of insider dealing, unlawful disclosure of inside information and market manipulation, and provisions to prevent and detect these.

Export Control Act (2002)

The Export Control Act is the main UK legislation on export controls on military and dual-use goods.

The Export Control Order 2008 consolidates previous orders made under the 2002 Act. The Order is now the main legislation controlling the export of strategic goods, the transfer of technology and the provision of technical assistance; trade in goods - including not only physical export items but also trade in military or Dual-Use items between overseas countries; and trade with countries subject to non-binding sanctions and embargoes introduced by the UN, the EU and the Organization for Security and Co-operation in Europe and implemented in the UK.

FATF Guidelines (2012)

Policies and legislative approaches to money laundering and terrorist financing in the UK, the EU, the USA and many OECD economies have been significantly influenced by the recommendations of the Financial Action Taskforce (FATF).

The FATF is an inter-governmental body established in 1989 by the G-7 (as it then was) group of leading world economies, with the primary object of addressing financial crime.

Since 1990, the FATF has issued and revised policy recommendations to combat money laundering and terrorist financing. These recommendations act as a template to FATF members for AML/CFT legislation.

The most recent edition released in 2012 comprises 40 recommendations. The FATF augments its recommendations with a series of guidelines and publications, for example, in June 2019, FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

FCPA (1977)

The US Foreign Corrupt Practices Act (FCPA) is often used to target corporate malpractice both domestically and extra-jurisdictionally, covering all US persons and foreign persons who act within the territory of the United States, and some foreign issuers of US securities. The Act makes it illegal for certain classes of person to make payments to foreign government officials to assist in obtaining or retaining business.

The FCPA prohibits the use of corrupt practices by offering a financial incentive to a foreign official with the intention of securing an improper advantage and/or influencing the foreign official acting in an official capacity to perform an act (or omission) in violation of their lawful duties.

Fraud Act (2006)

This Act creates a general offence of fraud. It identifies three ways the offence may be committed: fraud by false representation, fraud by failure to disclose information when there is a legal duty to do so, and fraud by abuse of position.

Fraud by false representation is judged by reference to the conduct of the accused who must be shown to have made a false representation, dishonestly, knowing that it would be untrue or misleading and with the intent to make a gain or cause a loss.

A person would be found guilty of fraud by failure to disclose if the accused failed to disclose information when under a legal duty to disclose and had the dishonest intention to make a gain or cause a loss. It is irrelevant if the gain or loss took place.

Fraud by abuse of position occurs where a person is entrusted with the financial interests of another person, and they abuse that position dishonestly, intending to make a gain or cause a loss. Again, it is irrelevant as to whether the gain or loss resulted.

Further offences under the Act include possession, making or supplying articles for use in fraud, obtaining services dishonestly and fraudulently carrying out business in the name of a business that does not exist.

Company officers who are party to the commission of an offence by the company are liable to be charged with the offence and the company.

FSMA (2000)

In 2013, the UK Financial Services and Markets Act (2000) was amended, dissolving the Financial Services Authority (FSA) and installing the Financial Conduct Authority, the regulating body for financial services, banking, investment, insolvency and insurance. It also established the Prudential Regulation Authority (PRA) to supervise banks, building societies, credit unions, insurers and major investment firms.

It created a general prohibition restricting regulated activities in the UK to authorised and exempt persons, who may only conduct regulated activities in accordance with permission. The prohibition applied to persons purporting to provide regulated services.

The FCA has published a Handbook that includes a consolidated view of relevant financial services rules and guidance. Similarly, the PRA has published a similar text called the Prudential Regulation Authority Rulebook.

GDPR (2018)

The General Data Protection Regulation (GDPR) was implemented in May 2018 driving a complete overhaul of data protection laws as we know it.

It affects every organisation that processes the personal identifiable information (PII) of EU residents as well as organisations outside of the EU who provide services to EU businesses.

The financial penalties are much tougher with the fines for GDPR breaches now representing up to 4% of your global annual turnover or EUR 20 million, whichever is the highest. So it is critical to ensure your organisation understands and adheres to GDPR.

Global Anti-Corruption Sanctions Regulations (2021)

These regulations establish sanctions measures aimed at preventing and combating serious corruption. Persons designated under these regulations are included on the UK sanctions list.

Global Human Rights Sanctions Regulations (2020)

These regulations set up a sanctions regime for the purpose of deterring and providing accountability for, activities which, if carried out by or on behalf of a State (by a State or a State-actor), would amount to serious violations of human rights by the State.

Health & Safety (Consultation with Employees) Regulations (1996)

Under this regulation, employers have a duty to consult with their employees, or their representatives, on health and safety matters.

It applies in workplaces where employees are not in a trade union and/or the employer does not recognise the trade union or the trade union does not represent all employees, the Health and Safety (Consultation with Employees) 1996 Regulations apply.

Also, see Safety Representatives & Safety Committees Regulations (1977)

Health & Safety (DSE) Regulations (1992)

This regulation was amended in 2002 and obliges employers to assess and minimise the risks for employees who habitually use Display Screen Equipment (DSE).

Health & Safety (First Aid) Regulations (1981)

This regulation created an obligation for employers to provide adequate first aid provisions.

Health & Safety (Training for Employment) Regulations (1990)

These regulations extend the concept of work and being at work under the HWSA to include times when the employee is undergoing relevant training for work.

Health & Safety Inquiries (Procedure) Regulations (1975)

These regulations outline the procedure under the HSWA covering inquiries into any accidents, occurrences or situations by the Health and Safety Executive.

HSWA (1974)

The Health and Safety at Work Act (HSWA) is the primary legislation covering occupational health and safety in the UK. It creates a general obligation on employers to protect employees' health, safety, and welfare. The HSWA covers duties owed by employers to employees and members of the public, owed by employees to themselves and each other, and owed by certain self-employed towards themselves and others.

The HSWA is complemented by Factories Act 1961 and the Offices, Shops and Railway Premises Act 1963, providing workplace health, safety and welfare standards in those working environments. The Employment of Women, Young Persons, and Children Act 1920 is another piece of primary legislation which prohibits the employment of children in any industrial undertaking and creates obligations on employers of persons under the age of 16 years.

Numerous regulations have been made under the HSWA, covering most industries and workplace scenarios.

Income Tax (Earnings and Pensions) Act (2003)

Chapter 10 of Part 2 of this Act regulates contracted workers' services provided through intermediaries to public authorities or medium or large enterprises.

This legislation requires public authorities, and medium and large private companies, to determine whether individual contractors providing services fall within the IR35 off-payroll working rules and whether they must be considered deemed employees for the purposes of the legislation.

Insurance Act (2015)

Described by the UK government as "the biggest reform to insurance contract law in more than a century". It applies to policies renewed, incepted or are varied after 12th August 2015.

Intellectual Property Acts (1949-2014)

Several pieces of legislation in force protect rights to intellectual property in the UK. The legislation covers copyright, design, patents, trademarks, and intellectual property in general.

The main primary legislation includes the Intellectual Property Act 2014, the Copyright, Designs and Patents Act 1988, Trade Marks Act 1994, the Patents Act 1977, the Registered Designs Act 1949 and the Video Recordings Act 2010.

Market Abuse Regulation (2016)

The EU Market Abuse Regulation (EU MAR) came into effect on 3 July 2016. As a result of Brexit, it was onshored into UK law.

The UK Market Abuse Regulation (2020) aims to increase market integrity and investor protection, enhancing the attractiveness of securities markets for capital raising.

It contains prohibitions of insider dealing, unlawful disclosure of inside information and market manipulation, and provisions to prevent and detect these.

Malicious Communications Act (1988)

The Malicious Communications Act 1988 makes it an offence in England and Wales to send or deliver paper or electronic communications with the intention of causing distress or anxiety.

Similarly, section 127 of the Communications Act 2003 makes it an offence to send or cause to be sent, by means of a public electronic communications network, a message or other matter that is grossly offensive or of an indecent, obscene or menacing character or that causes annoyance, inconvenience or needless anxiety to another.

Management of Health and Safety at Work Regulations (1999)

These regulations oblige employers to conduct a risk assessment of work activities undertaken by employees.

Modern Slavery Act (2015)

The Modern Slavery Act aims to tackle slavery and human trafficking. It creates obligations on businesses to report slavery and human trafficking in their business and supply chains. The provisions apply to any business or part of a business that supplies goods or services in the UK with an annual turnover of £36 million or more.

Businesses to which the rules apply must produce a statement under the legislation and publish it on their website. The statement should include information on the organisation’s structure, its business and supply chains, its policies and due diligence processes on slavery and human trafficking, and it should identify risks and mitigation measures taken by the business and its supply chain.

Money Laundering, Terrorist Financing and Transfer of Funds - Information on the Payer Regulations (2017)

These money-laundering regulations (MLRs) were issued as a means to transpose the 4AMLD. They have since been amended to include the relevant provisions of the 5AMLD.

In essence, the regulations require regulated businesses to conduct money laundering and terrorist financing risk assessments, implement systems, policies, controls and procedures to address money laundering and terrorist financing risks, adopt internal controls and ensure adequate training, and apply the controls and procedures across the group structure if relevant. They also established new customer due diligence (CDD), enhanced due diligence (EDD) and simplified due diligence (SDD) requirements, requirements relating to dealings with politically exposed persons (PEPs), and requirements relating to record-keeping and data protection.

Amendments to the MLRs have expanded their scope, bringing in new sectors outside of the original financial industry focus, sharpening the focus on high-risk third countries, changing thresholds for conducting CDD and requiring more transparency in reporting beneficial ownership structures.

OECD Declaration on International Investment & Multinational Enterprises (1976)

This declaration includes guidelines for multinational enterprises and recommendations for responsible conduct in a global context.

As noted by the guidelines, it aims to ensure that the operations of multinational enterprises are in harmony with government policies, to strengthen the basis of mutual confidence between enterprises and the societies in which they operate, to help improve the foreign investment climate and to enhance the contribution to sustainable development made by multinational enterprises.

Oversight of Professional Body Anti-Money Laundering and Counter-Terrorist Financing Supervision Regulations (2017)

This regulation establishes the Office for Professional Body Anti-Money Laundering Supervision, which is housed within the Financial Conduct Authority.

The body plays a supervisory role, overseeing the legal and accountancy sectors and facilitates collaboration, and information and intelligence sharing with law enforcement agencies.

PECR (2003)

Privacy and Electronic Communications (EC Directive) Regulations (PECR) transposed the e-privacy Directive (Directive 2002/58/EC) into UK law. The PECR complements the UK GDPR, setting out more specific privacy rights on electronic communications.

Specifically, the PECR regulates marketing by electronic means, including marketing calls, texts, emails and faxes; the use of cookies or similar technologies that track user information; security of public electronic communications services; and privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings.

Non-broadcast advertisements, sales promotions and direct marketing communications are further regulated by the Committees of Advertising Practice's Code for Non-Broadcast Advertising.

Personal Protective Equipment at Work Regulations (1992)

The Personal Protective Equipment at Work Regulations 1992 defines employers duties concerning the provision and use of personal protective equipment (PPE) at work.

PPE is equipment that will protect the user against health or safety risks at work. Later 2016 Regulations cover the supply of PPE, while the 2018 Regulations cover the enforcement of the 2016 Regulations. 

PCI-DSS (2004)

The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

The standard came into being through collaboration between the major payment brands (American Express, Discover, JCB, Mastercard and Visa), and it is administered by the PCI SSC (Payment Card Industry Security Standards Council). The Standard applies to all merchants and service providers that process, transmit or store cardholder data in the UK, applying a business even if the processing of the card has been subcontracted to a third party.

Proceeds of Crime Act (2002)

The Proceeds of Crime Act underpins much of the financial crime and AML/CFT legislation.

It empowers Authorities such as the Crown Prosecution Service to confiscate money and assets gained by criminals whilst undertaking criminal activities and money laundering.

The Act also establishes three further offences – concealing (includes transferring, disguising and converting), arranging (or aiding) and acquisition, use and possession. Culpability under the legislation is split into high, medium and low. Culpability and the value of the assets concerned affect sentencing..

Provision & Use of Work Equipment Regulations (1998)

These regulations created an obligation for employers to control risks to health and safety from all work equipment that workers use.

Protection from Harassment Act (1997)

The Protection from Harassment Act 1997 provides both a criminal offence and a civil remedy against anyone who pursues a course of conduct that amounts to harassment of another and knows or ought to know that it would result in harassment.

RIDDOR (1995)

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations created an
obligation for employers to obtain information from workers on any accidents, work-related ill health, incidents and near-misses and report them to the authorities.

Safeguarding Vulnerable Groups Act (2006)

This Act established the legal basis for the Independent Safeguarding Authority who managed the two lists of people barred from working with children and/or vulnerable adults.

It places a statutory duty on all those working with vulnerable groups to register and undergo an advanced vetting process with criminal sanctions for non-compliance.

Safety Representatives & Safety Committees Regulations (1977)

Under this regulation, employers have a duty to consult with their employees, or their representatives, on health and safety matters.

This regulation applies in workplaces where the employer recognises trade unions and trade unions are recognised for collective bargaining purposes.

Also, see Health and Safety (Consultation with Employees) Regulations 1996.

Sanctions & Anti Money Laundering Act (2018)

This Act provides the primary legislative basis upon which the UK Government is empowered to make provisions relating to the detection, investigation and prevention of money laundering and terrorist financing.

In effect, it takes the UK out of the EU AML/CFT legislative regime, allowing the government to directly implement FAFT standards.

The legislation also empowers the government to issue independent sanctions under its own sanctions framework outside the EU and UN systems.

Terrorist Asset-Freezing Etc. Act (2010)

This Act provides the legislative basis to allow authorities to freeze the assets of individuals, groups and corporations linked to money laundering and terrorist financing.

Terrorism Act (2000/2006)

These Acts indirectly affect the CFT legislation by changing the definition of terrorism and terrorist acts.

The Terrorism Act (2000) established a very wide definition of terrorism, focusing on both the motivations of terrorist conduct as well as its methods. It also formalised procedures and powers allowing the detention of suspects without charge for specified periods.

The Terrorism Act (2006) extended the length of time that a suspect could be detained without charge. It also criminalised participation in preparatory acts of terrorism, conspiracy to commit a terrorist act and aiding terrorist acts outside the jurisdiction of the UK. The 2006 Act also created offences of publication or dissemination of terrorist publications, and of attending a location known to be used for the training of terrorists.

UK Corporate Governance Code (2018)

The Financial Reporting Council's Corporate Governance Code 2018 is underpinned by Companies (Miscellaneous Reporting) Regulations 2018, which amends the Companies Act 2006, to introduce new reporting requirements on large companies to declare their corporate governance arrangements and to report on how directors have considered the factors listed in section 172(1)(a)-(f) of the Companies Act 2006.

Although the Code only applies to large companies, the Code integrates a "comply or explain" design. The Code includes a broader definition of governance to set higher standards of corporate governance in the UK to promote transparency and integrity in business. The Code was published together with revised Guidance on Board Effectiveness which aimed to supplement the Governance Code by suggesting good practices to assist companies in applying the Code.

UK GDPR (2021)

The UK General Data Protection Regulation 2021 (UK GDPR) came into effect on 1 January 2021. The law outlines the key principles, rights, and obligations for processing personal data in the UK, except for data processing by law enforcement and intelligence agencies, which are covered by the Data Protection Act 2018.

The UK GDPR is closely based on the EU GDPR (General Data Protection Regulation 2016/679/EU), which applied in the UK before 2021. Some changes were made to the EU GDPR to make it work more effectively in a UK context.

UK companies may find themselves in a position where they need to comply with both the UK GDPR and the EU GDPR. For example, if a company operates in Europe, offer goods or services to individuals in Europe, or monitors the behaviour of individuals in Europe, the EU GDPR would apply to these actions. Also, any overseas personal data collected before 2021 (referred to as 'legacy data') is subject to the rules in the EU GDPR as they stood on 31 December 2020 (the 'frozen GDPR'). The EU GDPR is regulated separately by European supervisory authorities.

The Information Commissioner's Office has published a comprehensive Guide to Data Protection on its website. The guide explains that the concept of personal data includes (private or public) information about any particular living individual (PII), including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.

The data protection rules apply to any personal data that is subject to processing, which covers almost any action performed on the data, such as collecting, recording, storing, using, analysing, combining, disclosing or even deleting. The rules regulate the manner in which personal data may be processed and the policies and procedures that must be in place to protect the data of PII.

Financial penalties may be significant for breaches of data protection rules.

UK Stewardship Code (2020)

Adherence to the Financial Reporting Council (FRC) Stewardship Code is purely voluntary. To become a signatory to the Code, organisations must submit to the FRC a report demonstrating how they have applied the Stewardship Code’s principles over the previous 12 months.

The FRC then assess the report, and if it meets expectations, the organisation will be listed as a signatory to the Code. Once listed, organisations must report annually to remain a signatory.

UN Guiding Principles Reporting Framework (2015)

The framework provides comprehensive guidance for companies to help them report on their adherence to respecting human rights in practice, putting the corporate responsibility to respect human rights into everyday language.

Working Time Regulations (1998)

These regulations created an obligation for employers to ensure that employees do not work more than 48 hours a week (less for under 18s) unless they have opted out.

Workplace (Health, Safety and Welfare) Regulations (1992)

These Regulations cover a wide range of basic health, safety and welfare issues and apply to most workplaces (except those involving construction work on construction sites, those in or on a ship, or those below ground at a mine, which are covered by industry-specific regulations).