title slide one - kpmg · 2020. 4. 17. · isle of man new york uk fca european commission delaware...

1© 2017 KPMG Advisory Limited, a Gibraltar limited company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Summer School

18 July 2017


Agenda– A Bluffer’s Guide to the Blockchain – Micky Swindale– Recent & future changes to AML – James Shimmin– UK Tax update – Greg Jones– GDPR – Personal data privacy at any cost? – Allan Christian– Brexit – Jon Tricker– Insurance – David Brown– Cyber Security Risks/Challenges – Daniel Kniveton– Gibraltar Tax update – Darren Anton


KPMG Summer School—July 2017

A Bluffer’s Guide to the Blockchain


The first Blockchain


Blockchain Structure


Blockchain Applications


Blockchain Value Proposition

Transparency, security and speed


Developments & Regulation


Globally

WEF – By 2027, 10% of global assets held on blockchain

AR - $16bn of cost savings from blockchain

Flurry of activity from mid-2016:

WEF

Goldman Sachs

US

Chinese

UK

IOM


Regulation

Isle of Man

New York

UK FCA

European Commission

Delaware

Gibraltar


Your ‘Bluffer’s’ line….

‘An outcomes-focused, principles-based approach to regulation which will

support innovation and nurture start-ups’


Boom or Bubble?

‘Blockchain will change finance forever, and for the better. Investing in it now may feel like prospecting for gold in a

freezing mountain stream…but you may just strike it rich.”’

Spectator Money, 27 May 2017


Boom or Bubble? (continued)

It is rapidly becoming the underlying approach of the global system infrastructure

It is enabling future competitive advantage

It is fundamentally disrupting the value chain

It will be ubiquitous within the next 5 years

It is supported by regulators and watchdogs

KPMG on ‘Real use cases for blockchain and Distributed Ledger Technologies in the Asset Management sector’July 2017


Final Tip

Don’t say Blockchain…

Say Distributed Ledger Technologies


Micky SwindaleHead of Advisory+447624 [email protected]

July 2017

The Good, The Bad & The Ugly?


The Ugly, The Bad & The Good

Regulatory Decisions Hopes for the future

New Regulations and MoneyVal


Fines/Regulatory Decisions


Top Eleven Global Banking Fines

$1.9 Billion - HSBC, AML Lapses

$1.5 Billion - UBS, Libor Rigging

$920 Million - JP Morgan, Trading Scandal

$780 Million - UBS, Aiding Tax Fraud

$667 Million - Standard Chartered, Breaching Sanctions

$619 Million - ING, Breaching Sanctions

$612 Million - RBS, Libor Manipulation

$550 Million - Goldman, Misleading Investors

$536 Million - Credit Suisse, Breaching Sanctions

$500 Million - ABN AMRO, Breaching Sanctions

$451 Million - Barclays, Libor Manipulation


Regulatory Decisions in GamingDuring the period from 17 June 2014 to 15 March 2017 the UKGC produced sanctions against 46 Operator / Personal licence holders for failure under various Licence Conditions and Codes of Practice (“LCCP”) these sanctions ranged in severity.

Warning with financial penalty – x 1 (£300k)Warned, conditions attached and financial penalty – x 1 (£10k)

Warning – x 14

Warning with conditions attached – x 4

Warning with attached conditions – x 1

Financial penalty – x 1 (£5k)

Licence terminated – x 1

Licence revoked – x 3

Operator Licences - 26

Revoked - x 34Warning - x 3Warning with conditions attached - x 3

Personal Licences - 40

Compared to Banking the Gaming sector is very much in its infancy with regards to regulatory sanctions.

However, this is not a time for complacency as regulators start to get tougher with non-compliance.


NewRegulations andMoneyVal


Issues observed (Examples)

• Lack of training / awareness

• Limited understanding on who the MLRO is

• Limited understanding on what a PEP`s are

• Limited understanding of the basic principles in preventing money laundering

• Lack of registers

•PEP`s/SAR`s/Sanctions/Gifts/Breaches/Enquiries/Technological Developments

• Poor policies and procedures

• Limited information and not up to date

• Non qualified MLRO`s / DMLRO`s

• Limited resource and experience

• Lack of support from Board

• Limited information and guidance provided or discussed via board meetings

• No ongoing risk assessments / No internal audit function

• Limited Sanctions screening

• Reward over Risk

• Failures in acquiring Enhanced Due Diligence (“EDD”)


What is Current

• 4th Money Laundering Directive• Key features• Impacts• Beneficial Ownership Act• Key features• Impacts


MONEYVAL – Council of Europe (47 member states 28 of which in EU)

What is Next

• 14th October 2015 – Committee of Ministers of the Council of Europe adopted a resolution allowing Gibraltar to be evaluated by MONEYVAL , and be subject to its procedures

• A detailed assessment report on Gibraltar’s compliance with anti-money laundering and terrorist financing international standards was published by IMF in May 2007

• IMF identified then the considerable progress in enhancing its effectiveness of existing preventative measures – but identified that its principal AML risk was its involvement in the layering and integration of proceeds of crime.

• It set out the steps needed to continue the momentum in moving the legal and regulatory regime forward and the need to enhance its Financial Services Commission and Financial Intelligence Unit.

• With the MONEYVAL visit fast approaching – what progress has been made? And based on the experience of others how is Gibraltar likely to measure up?

MONEYVAL 5th Round of Assessments


What is Next (continued)

It is interesting to note from the MONEYVAL visits to date under the (new) 5th round of assessments that here are consistent areas of concern being noted. In particular with regards to the following which have affected a number of jurisdictions globally via the various FATF Style Regional Bodies (“FSRB”):

• Recommendation 13 / Special Recommendation IV – Suspicious transactions reporting.

• Recommendation 3 – Confiscation and provisional measures. • Recommendation III – Freezing and confiscating terrorist assets. (This has not

been addressed)

EAG The Eurasian GroupAPG Asia/Pacific Group on Combating Money Laundering

CFATF Caribbean Financial Action Task Force

MONEYVAL

Committee of Experts on the Evaluation of Anti-Money Laundering Measures and Financing of Terrorism of the Council of Europe

ESAAMLG Eastern and Southern Africa Anti-Money Laundering GroupGAFILAT Financial Action Task Force of Latin America

GIABAIntergovernmental Action Group against Money-Laundering in West Africa

MENAFATF Middle East and North Africa Financial Action Task ForceGABAC The Task Force on Money-Laundering in Central Africa

Based on what we have seen in other jurisdictions – it is likely that MONEYVAL will identify areas where progress still needs to be made and therefore likely to place Gibraltar on “ENHANCED FOLLOW UP”

Only be acting now can the number of areas requiring additional work be reduced

It is important to understand what is meant by ‘enhanced follow up’ and its impact for Gibraltar


What is “Enhanced Follow-Up”?

In deciding whether to place a country / territory in enhanced follow-up, the Plenary consider the following factors:

a) After the discussion of the Mutual Evaluation Report: a country/territory will be placed immediately into enhanced follow-up if any one of the following applies:

i. it has 8 or more Non-Compliant (“NC”) or Partially Compliant (“PC”) ratings for technical compliance, or

ii. it is rated NC/PC on any one or more of R.3,5,10,11 and 20, or iii. it has a low or moderate level of effectiveness for 7 or more of the 11 effectiveness outcomes,

or

iv. it has a low level of effectiveness for 4 or more of the 11 effectiveness outcomes.

b) After the discussion of a follow-up report: the plenary could decide to place the country/territory into enhanced follow-up at any stage in the regular follow-up process, if a significant number of priority actions have not been adequately addressed on a timely basis.

MONEYVAL – Enhanced Follow-Up

R.3 = Money Laundering and ConfiscationR.5 = Terrorist Financing and Financing of proliferationR.10,11 & 20 = Preventative Measures


Under the 5th round of evaluations each jurisdiction will be assessed against 11 specific Areas, these are called “Immediate Outcomes” for the following:

1) Risk, Policy and Co-ordination 2) International Co-operation 3) Supervision 4) Preventative Measures 5) Legal Persons and Arrangements 6) Financial Intelligence 7) Money Laundering Investigation and Prosecution8) Confiscation 9) Financial Terrorism Investigation and Prosecution10) Financial Terrorism Preventative Measures and Financial Sanctions11) Proliferation Financing Financial Controls

MONEYVAL – Immediate Outcomes

Effectiveness Ratings (NewTest)

High

Substantial

Moderate (major improvementsrequired)

Low (fundamental improvementsrequired)

Of the 30 Countries evaluated in 5th round, only 4 not in “Enhanced Follow Up”

CUBA

ITALY

ARMENIA

SPAIN


Effectiveness Ratings – Immediate OutcomesImmediate Outcome IO.1 IO.2 IO.3 IO.4 IO.5 IO.6 IO.7 IO.8 IO.9 IO.10 IO.11Isle of Man Sub Sub Mod Mod Mod Low Low Low Mod Mod ModItaly Sub Sub Mod Mod Sub Sub Sub Sub Sub Mod SubArmenia Mod Sub Mod Sub Sub Mod Low Low Sub Sub SubSpain Sub Sub Sub Mod Sub High Sub Sub Sub Mod ModCuba Mod Mod Sub Mod Sub Mod Mod Sub Sub Sub ModHungary Low Sub Mod Mod Low Sub Low Low Mod Mod ModJamaica Mod Mod Mod Low Low Mod Low Sub Low Low LowSerbia Mod Mod Mod Mod Mod Mod Low Mod Mod Low LowSingapore Sub Sub Mod Mod Mod Sub Mod Mod Low Mod SubSwitzerland Sub Mod Mod Mod Mod Sub Sub Sub Sub Sub SubUnited States Sub Sub Mod Mod Low Sub Sub High High High HighZimbabwe Low Low Low Low Low Low Low Low Mod Mod LowAustralia Sub High Mod Mod Mod Sub Mod Mod Sub Mod SubCanada Sub Sub Sub Mod Low Mod Mod Mod Sub Sub ModMalaysia Sub Mod Sub Mod Mod Sub Mod Mod Mod Sub ModBelgium Sub Sub Mod Mod Mod Sub Mod Mod Sub Mod ModHonduras Mod Sub Mod Mod Low Mod Mod High Sub Mod LowAustria Mod Sub Mod Mod Mod Low Low Mod Sub Mod SubBangladesh Mod Sub Mod Low Low Mod Low Low Sub Mod SubNorway Mod Sub Mod Mod Mod Mod Mod Mod Sub Mod ModSamoa Mod Sub Low Mod Mod Low Low Mod Mod Mod LowCosta Rica Mod Sub Mod Mod Low Mod Mod Mod Mod Low LowSri Lanka Mod Low Low Low Low Low Low Low Sub Low LowGuatemala Mod Sub Mod Mod Mod Sub Sub Sub Mod Mod ModFiji Mod Mod Mod Mod Low Mod Mod Low Low Low LowBhutan Low Mod Low Low Low Low Low Low Mod Low LowUganda Low Low Low Low Low Low Low Low Low Low LowTunisia Mod Mod Low Low Low Mod Mod Mod Low Low LowTrinidad & Tobago Mod Mod Mod Mod Mod Mod Low Low Low Low LowVanuatu Low Low Low Low Low Low Low Low Low Low LowEthiopia Low Mod Low Low Mod Low Low Low Low Low Low


Hopes for the future


What is the Gibraltar doing right

There is a still work to be done and it sis important to champion the good points as well as negative, such as (for those that are regulated):

• Increasingly a good understanding especially within the gaming industry that regulations are important to encourage clients to use their products.

• The technology being used and developed is impressive and the exchange of this between industries means that the benefits are being shared.

• Whether it is banking, financial services or gaming there is a greater understanding that there are costs to dealing with implementing regulations wherever you are based in the world.

• Cross pollination of expertise between banking sector and gaming industry and vice versa.

• Industry are willing to seek third party advice and support - and realise just how much added value they can contribute .


Summary


In SummaryReputational Risk Prison Time / Fines

• There will continue to be more and more regulatory pressure placed on the jurisdiction and all sectors will be impacted

• The impact of the impending Moneyval visit should not be underestimated – there will be material changes to the regulations and guidance as a result – but these should be embraced.

• All sectors must ensure that they have the risk- reward balance correct

• Failure to follow regulations will ultimately end in sanctions and continue to place the sectors in the media and political headlights.

What regulatory ‘waves’ will arrive on Gibraltar’s shore in next few years and what changes will it bring?

Only time will tell

Gibraltar’s history indicates that it will adopt and adapt to the changes in order to make itself stronger.


Questions


UK Tax Update

Gregory JonesDirector of Taxation

18 July 2017


Finance Bill 2017 (…. and again)• Original version contained well-trailed proposals specifically covering:

– Non-Doms (15 year deeming rule with transitional reliefs and future trust protection), and

– UK residential property (to come within scope of IHT regardless of ownership).

• Proposals due to take effect 6 April 2017.

• Due to calling of General Election all proposals removed from what became Finance Act 2017.

• On 13 July HMRC published draft legislation to be contained in Finance (No 2) Bill 2017.

• Above proposals re-introduced with minor modifications.

• Effective date still 6 April 2017.


Finance (No 2) Bill 2017• Retrospective legislation – or just retroactive?

• All following now (retrospectively?) within scope of IHT:

– death of non-dom BO of offshore company (holding UK residential property) since 5 April 2017;

– death of non-dom life tenant of pre-March 2006 IIP trust (holding UK residential property via offshore company) since 5 April 2017;

– gift into trust by non-dom of shares in offshore company (holding UK residential property) since 5 April 2017.

• But confirms CGT position for non-doms becoming deemed dom on 6 April 2017 who have made disposals in interim in reliance on re-basing relief.


UK Trusts Register• Part 5 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the

Payer) Regulations 2017 introduces new reporting requirements for trusts which are:

– UK resident, or

– Non-UK resident but liable to pay UK tax on income/ assets.

• Trustees need to file information on the HMRC online Trust Register on or before 31 January 2018 (or by 31 January after tax year in which trust created, if later) and keep up to date.

• Trustees must declare they are acting as trustee when entering transaction with “relevant persons” (trust providers, estate agents, financial institutions, tax/ accounting professionals) and provide beneficial ownership information on request.

• Trustees must also provide BO information to any law enforcement authority.

• Not accessible by general public.


UK Trusts Register(information to be filed by trustees – I)

• Beneficial ownership – for each of (i) trustees, (ii) settlor, (iii) beneficiaries, (iv) any individual who has control over the trust:

– full name and date of birth,

– NINO and UTR (or usual address),

– if non-UK address, passport or ID card number and country of issue/ expiry date,

– description of role in relation to trust.

• Where beneficiaries defined by class, do not need to record information for everyone in class.

• “Control” = ability (even if another’s consent needed) to direct, veto or consent to disposals/ applications of trust property, distributions, variations, adding/ remaining beneficiaries, appointing trustees etc.


UK Trusts Register(information to be filed by trustees – II)

• Information about the trust:

– full name and date of creation of trust,

– statement of accounts (describing trust assets and identify value of each category of assets),

– place of tax residence and administration,

– full name of any remunerated legal, financial or tax adviser.


Rangers: the final chapter• Rangers FC (& other group companies) paid sums into an offshore trust for benefit of

employees (inc players),

• Club recommended that trustee resettle on sub-trusts for named employees and that income/capital of trust be applied in accordance with employee's wishes,

• Trust arrangement explained to new players:

– Availability of loans (none ever refused),

– Player would be trust protector (with extensive powers),

– Loan interest rolled up / could be paid from estate on death,

• Foreign players who left to return overseas could unscramble trust arrangements,

• Payments into the trust held to be taxable earnings,

• Supreme Court decision handed down on 5 July 2017.


Questions?

July 2017

GDPR

Allan Christian –KPMG Gibraltar


General Data Protection Regulation

Already in force! Effective from 25th May 2018

EU Regulation – overrides existing national law in member states

“A more 21st century approach to the processing of personal data” which “puts an onus on businesses to change their entire ethos to data protection” UK ICO Chief

“Make no mistake, this one’s a game changer for everyone” UK ICO Chief

Extra-territorialGDPR enforces the fundamental rights of EU residents, so if you handle any of their personal data, you are in!


GDPR Fundamentals

Not all data – specifically covers personal data

EU Regulation, but applicable to those handling EU residents’ data, hence our interest as a jurisdiction

(Brexit notwithstanding).

Changes data governance expectations at strategic, tactical and operational levels for public,

private and charitable entities


KPMG Research – subjects cautious at outset

Source – KPMG Crossing the Line survey

https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/11/crossing-the-line.pdf


Data Protection Law

- Gibraltar’s position


Current State of PlaySince then…

LinkedIn

Facebook

YouTube

Instagram

Skype

Snapchat

Whatsapp

Tinder

Grindr

Ashley Madison

The Cloud

Google Maps

EU Data Protection Directive 1995

Directives require transcription into national law

Data Protection Act 2004

http://www.gra.gi/home/data-protection-act-2004


Gibraltar Regulatory Authority

Independent Supervisory Body

Covers multiple functions (below)

Over 800 registered data controllers

Opt-out register also maintained

GRA’s “Getting Started with GDPR” available here

http://www.gra.gi/data-protection/rights-register-search

http://www.gra.gi/data-protection/opt-out/the-register

http://www.gra.gi/download/955/IR03-16.pdf


The Regulators


Key supervisory bodies in context of Gibraltar

Gibraltar Regulatory Authority

• Direct supervisor• Advise and assist

Information Commissioner’s

Office

• UK body• Been a useful big

brother to date, and at vanguard of EU approaches

European Data Protection Supervisor

• EU “supervisor of supervisors”

• Role will evolve by 2018 in context of EDPB (below)

http://www.gra.gi/data-protection

https://ico.org.uk/

https://edps.europa.eu/


UK ICO – GDPR approach

Move away from “box ticking exercise” to “framework that can be used to build a culture of privacy that pervades an entire organisation”

“Today many companies think data protection is just about “compliance”

Move from “…mindset of compliance to a mindsetof commitment”

New approach from non-EU leader, which will suit the move towards supervisors “monitoring and enforcing” rather than “advising and assisting”


European Data Protection Supervisor - approach

“A more human-centric approach is needed which empowers individuals to control how their personal data is collected and shared”

“People will realise that the limitless accumulation of personal data, including the most intimate genetic and biometric data, creates the risk of a tsunami…We cannot assume that the hands which use the data will be as benign as the hands which collected it.”

“…we need to start to internalise the notion of accountability, far more important than box ticking compliance. And we need to apply these principles to international data flows.”


European Data Protection Board – the new boss?

Reality – a “One-Stop Shop”

• EDPB an independent body of the EU, with its own legal personality.

• EDPB work will be susceptible not only to criticism, but also to contestation before the courts.

• Conciliate and determine disputes between national DPAs

• EDPB will still be responsible for adequacy assessments

Article 29 Working Party

European Data Protection Board

Same People!

“…a new platform for modern, effective, real-time supervision of how personal information is handled in the big data world, and for modern, effective, real-time cooperation between the authorities responsible for that supervision”

http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083


Basic Concepts


Revised elements - reference tableArt “Pre-DPR” GDPR

Protection by design and default

25Reactive – “appropriate technical and organizational measures”

Compulsory, and must be demonstrable - “default” being protect, not misuse

Data Protection Impact Assessments

35, 36 Good practice Compulsory, potential need to

consult for high risk processing

Data Protection Officers

37-39

Good practice, compulsoryfor EU institutions

Compulsory for public sector and certain entities (see below) – professional qualities, independent

Notification of Breaches

33, 34 Some firms All entities, 72 hours, potentially

have to inform subject

Access Rights 15 40 Days, can charge 1 month, can’t charge

Transfer limitations across borders

44-50

“Adequate territories”, or model clauses or BCRs

Range of additional mechanisms, all needing local and/or EC approval

Consent 7“Opt out” permitted, and frequently used

“Opt in”. Children policed with additional vigour

Inventory of personal information

30 Not required Required


Sea Change elements - reference table

Topic Art GDPR

Accountability

Obligations on both data controllers and processors to: • Demonstrate compliance with GDPR on request• Demonstrate security adequacy (certifications?)• Follow codes of practice• Employ Data Protection Officers in many cases

Sanctions and Penalties

83, 84

• From country-by-country variance (but all at a modest level) to a maximum of €20m or 4% of global turnover.

Extra-territorial 3,4,27

• Applicable if you provide goods or services to an EU Resident, or process their data

• Will be subject to supervisory intervention from the “most relevant” EU supervisor (mostly UK?)

• MUST have a physical representative in one member state in which you are doing business

Right to Erasure 17• Expands on rights which were previously generic, providing

multiple avenues for subjects to request erasure


Topical concerns - Data Protection Officers

• Required if

• Public Authority

• Personal data processing is a “core activity”

• Regular and systematic monitoring of data subject is a “core activity”

• Can be outsourced

• Article 29 Working Party Guidance released recently providing practical examples of what activities should require the assignment of a DPO

• Isle of Man approach (for comparison)

Necessary for Finance, Gaming, and any licenceholder who performs Due Diligence in an AML/CTF context.

“a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation”. GDPR Recital 97

Large Scale Processing

Patient data in hospital

Processing real-time geo-location data of customers

Customer data in the regular course of bank or insurance business

Behavioural advertising data processing by search engine

Phone or ISP companies processing content or traffic data


Topical concerns - Country Representatives

• Post-Brexit, you will need a physical being in an EU state should you process personal data of EU residents (not every state).

• Explicit designation via written mandate.

• Representatives will co-operate with national authorities to help compliance.

• Representatives will be subject to enforcement proceedings in the event of non-compliance.

• Ultimate responsibility of data controllers and processors not avoided.

• Some carve outs for occasional, low risk processing.

“natural or legal person established in the Union who, designated by the controller or processor in writing…represents the controller or processor with regard to their respective obligations under this Regulation; GDPR Art 4(17)


GDPR basics - DerogationsThere are some GDPR obligations which member states are permitted to tweak, specifically:

Topic Nature of derogation

Online consent from children Permitted to reduce age from 16 (in GDPR) to 13

Data Protection Officers Can be made mandatory if member state prefers

Data relating to employees Permitted to allow for more restriction

National Security Permitted to pass laws to limit rights for security reasons

Freedom of information Permitted to reconcile GDPR with FoI if necessary


Recent fines and GDPR


Supervisory Powers under GDPR

Art. Powers of Data Protection Authorities

58.1(a)Order the provision of evidence of compliance from Controllers, Processors and their Representatives

58.1(b) Perform Data Protection Audit investigations

58.2(a & b) Issuance of warnings and reprimands

58.2 (d)Order achievement of GDPR compliance, including manner and time period

58.2 (j) Ban or suspend processing and transfers to third countries

84 “Other penalties” for infringements not subject to fines

58.2 (i) & 83 FINES…


ICO Fines in the UK - RSA

RSA Case

• Lost 60,000 Customer Records (inc. bank and card details)

• Fined £150,000

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/01/150-000-fine-for-insurance-company-that-failed-to-keep-customers-information-safe/


ICO Fines in the UK – various UK Charities

Link to main landing page

• “…contravened the fundamental rights of millions of individuals…driven by financial gain” - Broke Fair Processing requirements

- Performed Wealth Screening over a period of years

- Data Matching and Tele-Matching (i.e. filling in the blanks)

• Fines between £6,000 - £18,000

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/12/ico-investigation-reveals-how-charities-have-been-exploiting-supporters/


ICO Fines in the UK – Talk Talk Telecoms plc

Talk Talk Case

• Failure to prevent cyber security breaches which allowed exfiltration of 150,000+ personal records and 15,000+ bank details

• Fined £400,000

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/


Crime and Punishment - trends

Entity type Observable trend

Local governmentMore subtlety and discretion used

Healthcare

Charities Fined as exception (ongoing tidy-upnotwithstanding)!

Financial Services Fined as a rule, eager to enforce and prosecute, new director liability rules for UK telemarketingfirms from April

Marketing companies

Telecoms

“Since April last year my office has issued more than £1.3million worth of fines. We’ve got at least that again in the pipeline.” – UK ICO Chief, Feb 2017


Takeaways


What to do next?

“[GDPR] is not the final step in the process. Instead, it should be seen as the foundation for further efforts to improve how we enforce control over our online identities” – Head of EDPS, Oct 2016

Briefing and upskilling

Consider tactical options

Documentation

Compliant on time and beyond

Adapt culture


Where we can help


Bretix

KPMG Summer School

Jon Tricker, Managing Director, KPMG Gibraltar


UK perspective Latest

UK economic performance

UK election

German elections end of September

Adversarial rhetoric

Possible extension to March 2019 deadline

EEA – 12 months’ notice required (due March 2018!)

Scenario planning

Outcome of negotiations very difficult to predict


Gibraltar perspective “Planning for hard Brexit”

UK negotiation difficulties

Spanish veto

Sovereignty claim

Potential impacts of hard Brexit

Loss of passporting

Changes to free movement of workers (around 10,000 frontier workers out of 25,000)

Impact on the border


Gibraltar perspective - gaming Border

Around 3,500 jobs in gaming, more than half are frontier workers

Potential changes to free movement of workers

Impact on company’s senior management

Business impact

Predominance of UK-facing business

Licensing regimes already in place in large EU jurisdictions (eg France, Spain, UK, Italy, Ireland)

Reliance on Gibraltar’s EU status

Opportunities


Gibraltar perspective - insurance Loss of passporting

93% of premiums are UK (distorted by motor insurance)

Scenario planning needed on EU business

Gibraltar as a gateway to the UK market

“Passporting” via Gibraltar Order

Government pushing for recognition of rights (UK/Gib)

Opportunities from impacted EU businesses / PCCs ?

Accessibility of FSC

Border impact


Gibraltar perspective – other considerations

Funds/investment management

Funds market currently largely UK focussed through private placement

Possible more flexibility as Gibraltar could use 2 effective regimes (EU compliant and non-EU compliant)

Financial services businesses passporting in to the EU

Gibraltar airport

What’s hot in UK Motor?

Gibraltar Insurance Briefing

—

July 18, 2017

76

Document Classification: KPMG Confidential

© 2017 KPMG Advisory Limited, a Gibraltar limited company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

KPMG Benchmarks – Why are we doing this?Introduction

With the advent of Solvency II, PRA returns are no longer available.Our benchmarks are available earlier and provide more detail thanthe new QRTs, including…

trends by claim type, including split by small and large TPBI

insurers’ actuarial best estimate and margin separated

an ultimate frequency and severity view

UK insurers outside PRA regulation

Our benchmarks are unique and complementary to the TPWP aswe have…

insurers' actuarial best estimate

both TPPD and OD

the year-end view is available earlier than TPWP report

The comparison to the TPWP is not fully like-for-like due to…

Differences in underlying insurers

Claims number definition, i.e. including or excluding nils*

TPBI threshold definition

* Our results are largely excluding nil claims and therefore shouldbe on a basis that is substantively consistent with the TPWP.

-

5,000

10,000

15,000

0.0%

0.5%

1.0%

1.5%

2008 2009 2010 2011 2012 2013 2014 2015 2016

Severity (£)Freq

uenc

y (%

)

TPWP - Frequency & Severity TPBI Capped

TPWP Severity KPMG Mean SeverityTPWP Frequency KPMG Mean Frequency

60%

70%

80%

90%

100%

110%

2006 2008 2010 2012 2014 2016 2018

ULR

PRA - Gross ULR

PRA Return KPMG Weighted Mean

77



KPMG Benchmarks – Our ApproachIntroduction

Motor >70%

Based on adjusted* 2015 PRA returns, our benchmarks cover:

and this is expected to grow as final results come in.

* PRA returns plus clients included in survey outside PRA returns

Our approach in compiling these benchmarks:■ Data is gross of reinsurance and commission and is based on 2016 Year End data.■ All data is relative to companies’ actuarial best estimates (ABE).■ Means are simple average unless otherwise stated. Weighted Averages are based

on premium (net of IPT) for Average Earned Premium, ULRs and Burning Cost. Forall other graphs the weighted averages are based on ABE reserves.

Motor specific:■ The majority include a combination of comprehensive and non-comprehensive,

though non-comprehensive proportion is expected to be below 10%.■ Largely based on private motor. Commercial vehicle / fleet are excluded where

identifiable.■ Frequency is on a per claim basis and the total frequency is the sum of frequency for

each claim type and as such will overstate the number of claims made.■ Large TPBI claims include PPOs and Ogden uplift to the extent that these held in

the ABE.■ Large losses are on an excess basis. We have adjusted insurers’ data if we received

from ground up information and have also adjusted the data to align the threshold forlarge TPBI claims to be £100k in 2011 terms.

■ Own Damage claims include windscreens and are net of salvage and subrogation.

78



How to read the graphsIntroduction

DisclaimerWe draw attention to the fact that every company has different underwriting practices and claims handling procedures along with a different mix ofbusiness and risk profile. Therefore, these benchmarks are intended to serve only as a guide to the trends in motor and household market based onthe experience of the KPMG personal lines clients and other publicly available information. It is possible that the overall experience of the UK personalmotor and household market may be different, perhaps materially in some areas, from these benchmarks. Anyone relying on these benchmarks woulddo so at their own risk and KPMG hold no obligation to any individual or firm in this respect.

Where we have compared a client’s statistics against our benchmarks, this should not in any way be interpreted as KPMG’s view on our client’sstatistics. This pack is our interim pack based on provisional data which may be subject to change.

This document is provided to our clients for discussion only. It should not be distributed to third parties.

25th percentile

75th percentile

Maximum of benchmark clients

Mean of benchmark

Minimum of benchmark clients

60%

70%

80%

90%

100%

110%

2007

2008

2009

2010

2011

2012

2013

2014

ULR

ULR Total

Interquartile Range Mean Client X Weighted Average

Weighted average of benchmark

2010

2011

2012

2013

2014

2015

2016

2017

79



Personal Line ULRsOur benchmarks include Motor total ULRs (aggregates of all perils), and ULRs by peril.

The simple and premium weighted average ULRs are converging for Motor in recent years.

There has been a slight reduction in the Motor total ULR between AY2015-16, although note that these results do not include the effects of the Ogden discount rate change.

50%

70%

90%

110%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Motor ULR - Total

Interquartile Range Mean Weighted Average

5%

15%

25%

35%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR OD

Interquartile Range Mean ABC Weighted Average

80



Motor claims inflationTotal Level

■ Total Burn Cost has seen c.5% inflation, driven by severity, with no change in frequency.

TPBI

■ Overall a small increase in burn cost, where a c.5% severity inflation is offset by a c.4% reduction in frequency.

Non-BI

■ OD shows continued inflation in the region of 11%, albeit lower than the PY 20% inflation observed.

■ This is likely due to insurers charging market equivalent repair rates. However, we have not seen a similar level of inflation on TPPD.

■ This disconnect between TPPD and OD inflation could potentially lead to under-reserving in TPPD

-30%

-25%

-20%

-15%

-10%

-5%

0%

5%

10%

15%

20%

25%

30%

Infla

tion

from

AY

2015

to A

Y20

16

Inflation (AY2016 compared to AY2015) by claim typeWeighted Market Inflation

Total TPBI TPBI ExcessTPBI Capped ODTPPD

81



Motor Own Damage burning cost• Our AD benchmarks reveal that the inflation 2015 to 2016 inflation on AD has been present

in Own Damage claims burning cost since 2013.

20

50

80

110

140

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

£

Burning Cost - OD


82



PPO real discount rate – Pre-OgdenPrior to the Ogden rate change, we benchmarked clients’ PPO real discount rate under UK GAAP. While the nil-real rate is predominant, a significant fraction of the market was already adopting negative real rates at Q4 2016.

21%

19%

51%

9%

0% 10% 20% 30% 40% 50% 60% 70%

(0.75%) - (1.75%)

(0.00%) - (0.75%)

0%

Larger than 0%

Proportion of Benchmark Clients

PPO UK GAAP real discount rate(weighted by reserves)

83



Ogden uplifts We have benchmarked the proportional uplift on open claims exposed to the Ogden discount rate change, separated into bands of case reserve size.

The detailed shape of these benchmarks will change over time as they are enriched with more data.

There always was uncertainty in case estimation. There is even more uncertainty around the Ogden uplift. And yet more around dependent actuarial reserving processes.

The outcome of the Ogden consultation process could lead to a different mechanism of determining the discount rate, and the product of this, could be a higher, even positive discount rate. However …

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100-400k 400-700k 700-1000k >1000kClaim band

Open Ogden Case Uplift - Gross

Interquartile Range Mean Median

84



Ogden uplifts: effect on ULR We have used Ogden case reserve uplifts to approximate the IBNR uplift, and hence the total impact on the ULR.

We have only considered claims >£100k, so the effect may be larger than that shown here.

However, as we have shown, the proportional uplift is smaller on smaller claims, so the majority of the effect should be captured in the Large claims.

The Ogden uplift is most material on recent, less developed, years where claims are still to settle.

The increase is approximately 6 percentage points increase in ULR for 2016.

50%

70%

90%

110%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR Total

IQR pre-Ogden PreOgden PostOgden

0%

5%

10%

15%

20%

25%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR TPBI Excess

IQR pre-Ogden PreOgden PostOgden

85



Ogden rate change – PPO propensity The fall in Ogden rate is associated with a reduced propensity for claims to settle as PPOs.

We have benchmarked the pre- and post-Ogden propensities adopted by our clients, by number and weighted by ABE reserves, below.

8%

37%

37%

15%

0% 20% 40% 60% 80% 100%

0% - 24%

25% - 49%

50% - 74%

75%-100%


Propensity reduction

19%

52%

18%

8%

0% 20% 40% 60% 80% 100%

0% - 10%

10% - 20%

20% - 35%

35% - 50%


Post propensity

10%

20%

60%

10%

0% 20% 40% 60% 80%

0% - 24%

25% - 49%

50% - 74%

75%-100%

Number of Benchmark Clients

Propensity reduction

20%

50%

20%

10%

0% 20% 40% 60%

0% - 10%

10% - 20%

20% - 35%

35% - 50%

Number of Benchmark Clients

Post propensity

86



Ogden Rate – How negative it can be?Ogden Rate = -0.75%

• Based on 3-year average index-linked gilt yields with maturities greater than 5 year

• On average, the reference portfolio hasthe following characteristics:

• Maturity = 25 year• Nominal Yield = 2.4%• Implied Inflation = 3.2%

Market Implied Rate = -1.41%

• Based on the Bank of England gilt yield data as at December 2016, the 25-year forward real yield is approx. -1.41%.

• This is the market observable of the 25-year real rate, based on future interest rates and inflation expectation.

Bad Case = -2.0%

• Based on our real world expectation, it is not unreasonable for the 25-year real yield to hit -2% during an adverse scenario.

• For example, if Bank of England could lower interest rates by 0.6% or inflation expectation may increase by 0.6%.

Worst Case < -3.0%

• In an extreme scenario where interestrate fall significantly, alongside rising inflation, Ogden rate of -3% could be possible. For example:

• Nominal Yield = 2.4% - 1.2% = 1.2%

• Implied Inflation = 3.2% + 1% = 4.2%

• Real Yield = 4.2% - 1.2% = 3.0%

Current

87



Management margin

21%

45%

8%

26%

0%

10%

20%

30%

40%

50%

0-5% 5-10% 10-15% 15%+Prop

ortio

n of

Ben

chm

ark

Clie

nts

% of ABE reserves

Management margin benchmarks

88



Market high level summaryAverage earned premiums are once again rising in 2016 following the decline from 2012 to 2014, addressing some of the deterioration seen in total ULR over the same period.

The OD ULR has risen every year since 2012, while the total ULR fell in 2016.

200

250

300

350

400

450

500

550

600

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

Ave

rage

Ear

ned

Prem

ium

£m

Average Earned Premium


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

ULR Breakdown

OD TPPD TPBI Small TPBI Large

89



ODWhile there has been a steady decline in the OD frequency since 2010, the greater increases in severity have driven the rising ULR and burning cost since 2012.

5%

15%

25%

35%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR OD


-

500

1,000

1,500

2,000

0%

2%

4%

6%

8%

10%

12%

14%

16%

18%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Severity (£)Freq

uenc

y

Freq-Sev OD

Severity Frequency

20

40

60

80

100

120

140

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

£

Burning Cost OD


90



TPBI

20%

30%

40%

50%

60%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR TPBI


-

5,000

10,000

15,000

20,000

0.00%

0.20%

0.40%

0.60%

0.80%

1.00%

1.20%

1.40%

1.60%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Severity (£)Freq

uenc

y

Freq-Sev TPBI

Severity Frequency

The frequency reduction seen in OD since 2010 is also seen for TPBI. While severity has also increased it has not been sufficient to undermine the reduction in frequency, leading to a steady burning cost since 2013, and even a reduction in ULR from 2014 onwards.

75

125

175

225

275

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

£

Burning Cost TPBI


91



TPBI - capped

10%

20%

30%

40%

50%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR TPBI Capped


-

2,000

4,000

6,000

8,000

10,000

12,000

14,000

0.00%

0.20%

0.40%

0.60%

0.80%

1.00%

1.20%

1.40%

1.60%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Severity (£)Freq

uenc

y

Freq-Sev TPBI Capped

Severity Frequency

50

90

130

170

210

250

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

£

Burning Cost TPBI Capped


92



TPBI - excess

0%

5%

10%

15%

20%

25%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR TPBI Excess


-

200

400

600

800

1,000

0.000%

0.002%

0.004%

0.006%

0.008%

0.010%

0.012%

0.014%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Severity (£k)Freq

uenc

y

Freq-Sev TPBI Excess

Severity Frequency

There has been considerable increase in TPBI excess frequency since 2012, as well as a more mild and less consistent increase in severity. The increase in frequency from 2012 may be related to the introduction of the Gender Neutral Pricing Directive in 2012, bringing more young, high risk, drivers onto the road.

-

20

40

60

80

100

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

£

Burning Cost TPBI Excess


93



TPPD

10%

15%

20%

25%

30%

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

ULR

Gross ULR TPPD


-

1,000

2,000

3,000

4,000

0%

1%

2%

3%

4%

5%

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Severity (£)Freq

uenc

y

Freq-Sev TPPD

Severity Frequency

TPPD shows the same reduction in frequency seen for OD, as well as the increase in severity. Burning cost has risen steadily, but is showing a slowdown in 2016 and even a fall in ULR. Given the rise in OD and the strengthening of TPPD reserves on 2014 and 2015 (see next slide), this may indicate systematic under-reserving of TPPD in 2016.

40

60

80

100

120

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

£

Burning Cost TPPD


94



Reserve releasesOverall, the market has seen reductions in ULR for all years from the 2015 AY ultimates. This is driven by TBPI , with the opposite trend seen for TPPD and OD since 2013 AY.

In particular, there have been market wide reductions in the TPBI ultimates for 2014 AY, and market wide strengthening on the 2015 AY non-BI claims.

-15%

-10%

-5%

0%

5%

10%

15%

2007 2008 2009 2010 2011 2012 2013 2014 2015

ULR

Mov

emen

ts

Gross ULR Movement Total

Mean Weighted Average

-6%

-2%

2%

6%

2007 2008 2009 2010 2011 2012 2013 2014 2015

ULR

Mov

emen

ts

Gross ULR Movement TPBI


-1%

1%

3%

5%

7%

9%

2007 2008 2009 2010 2011 2012 2013 2014 2015

ULR

Mov

emen

ts

Gross ULR Movement Non-BI



Cyber RiskDan Kniveton

Manager

Risk Consulting, IT Advisory


Agenda

• Cyber Risks

• WannaCry

• Challenges

• Insider Threat

• Help is at Hand

• Questions to Ask


• Regular penetration testing

• Password for the website publisher

was insufficiently complex

• Unencrypted data, and insecure

decryption key source

• Financial information kept longer

than necessary


• What would make an attacker look elsewhere?

• What really makes their life difficult?

• How much will the attacker spend?

• What is the link between risk and £ spent?

• How much should I spend on security?

• Is this really worth the money?

• How effective are my security controls?

• What risks am I running?

• Do other parts of the business understand their incident response role?

• Have I got the right balance of controls?

Cyber risk what is it?


Examples of Cyber Crime

• Hacking – Exploiting weaknesses in a computer system or network to gain access and utilise person or sensitive information

• DDoS – An attempt to make a machine or network resource unavailable to its intended users through flooding the target bandwidth

• Malware – Malicious software used to disrupt computer operations and gather data and information

• Identify Theft – Acquiring personal data and information, usually with intent for financial gain

• Phising/SMSishing – Computer or mobile devices are infiltrated by the sending of an email or SMS which when opened releases malware


WannaCry - Key PointsVirus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY

Affected Systems: Windows – Vista SP2, Windows 2008 R2, Windows 7, Windows 8.1, Windows 2012 R2, Windows 10, Windows Server 2016

Vector: It uses ETERNALBLUE (SMBv1) MS17-010 to propagate. Windows XP and Windows 2003 do NOT have the MS17-010 patch and are forever vulnerable.

Ransom Amount: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.

Persistence Techniques: Malware loops through every open RDP session on a system to run the ransomware as that user (using tscon.exe equivalent as SYSTEM). Various reports that variants also install the in-memory DOUBLEPULSAR backdoor.

Example Infections: NHS (UK), Telefonica (Spain), FedEx (US), University of Waterloo (US), Russia interior ministry & Megafon(Russia), Сбера bank (Russia), Shaheen Airlines (India), Neustadt station (Germany), University of Milan (Italy) amongst others….

Spread so far: Over 45,000 attacks in 74 countries

Entry Routes: Phishing and vulnerability in Microsoft protocol


Ultimately;


Key Cyber challenges

Classification and protection of crown jewels – too many

Privacy & the new GDPR regulations

Doing Data Loss Prevention (DLP) properly

The movers part of joiners, movers and leavers

Security Op Centre (SOC) –

reactive to proactive

Managing privileged

accesses

Supply chain –real time

monitoring

Managing the insider threat

Cyber challenges


“Cyber security is about people, processes and technology, and organisations need to bolster the

weakest link – which invariably is the human element”

Kevin Mitnick


Five most common cyber security mistakes

Mistake 3Relevance

Mistake 5Attitude

Mistake 4Proactive vs

reactive

Mistake 2Investment

Mistake 1Mind-set

“We have to have 100% security” or “We are a small business, no one will target us”

100% security feasible or the goal? Smaller companies likely to be easier targets?

“Our weapons have to better than those of the hackers”

Goals should determine the security policy – risks and crown jewels

“Our cyber security compliance should be all about effective monitoring”

Ability to learn >= ability to monitor, be proactive

“Recruiting the best professionals will best defend us against cyber crime”

Cyber security is an attitude, not a department

“If we invest in the best-of-class technical tools we’ll be safe”

Human element, investment in employees is the key


KPMG Cyber transformation

Key assets Threat and risk assessment

Gap analysis/penetration

testingCyber strategy

1 2 3 4


Questions for the Board of Directors to ask

Do current management processes adequately highlight cyber risk to the board?

Does the organisation’s risk appetite take account of cyber risk?

Do current management processes adequately highlight cyber risk to the board?

Is the corporate value of information assets clearly understood?

Is the corporate impact clearly understood if information assets are stolen, corrupted or destroyed?

Is there an appreciation of the business benefits of proactively managing cyber risk?


Questions?


Gibraltar tax update

18 July 2017


Gibraltar Budget 2017: Tax IndividualsABS - increases in allowances, including:

– Personal Allowance increases from £3,215 to £3,300

– Spouse Allowance increases from £3,215 to £3,300

– Deduction for first child increases from £1,105 to £1,135

– Nursery School Allowance increases from £5,025 to £5,160 (per child)

– Low earners allowance increases to £11,150 from £11,050 (applies to GIBs and ABS)

– Medical Insurance allowance increases from £5,020 to £5,155

– Single Parent Family Allowance increases from £5,290 to £5,435

Other points

– The minimum wage increases slightly

– No increase in Social Insurance contribution rates following increase in April 2017.

– Cat 2 Working Group to reconvene to further consider proposals.


Gibraltar Budget 2017: Tax Import duty – Mechanism for importation into bond

of very high value retail items (£25k+) sent to retailers on consignment –duty paid when sold by retailer

– Plastic bags up to 10p

– Diesel fuel increase

– Other changes:

Goods New Rate (%)

Handbags 3Jewellery 3

Prams 0Sports trackers 3

Sports or dance apparel 0Indoor sports equipment 0

Classic cars 0Gold bullion 1

Jet Skis 20


Gibraltar Budget 2017: TaxOther – Corporate tax yield up 24% to £135.7m

– No changes to the corporate tax regime

– No increase in utilities and general business rates

– Gaming taxes to be modernised and consolidated

– Modernisation of the ITO initial stages:

– digitising records/files of all taxpayers

– online filing to be introduced for CT

– machine readable tax returns for CT

– bulk filing facility for CT

– Plan is for a totally digitised ITO

– Tax refunds:

– cumulative total owed £29.1m

– cautious and fair approach to eliminate

– increasing yearly tax rebate budget to £10m

– £28m owed to ITO and “Name and shame” list for defaulting employers to apply to SI and be published in any newspaper circulating in Gibraltar


Gibraltar Tax: Other Reminders• AEOI Reporting by 31 July 2017 (portal

open)

• UBO Register – Register of UBOs Regulations 2017 (transposed on 26 June 2017)

https://uboregister.egov.gi/

• All companies that are registered in Gibraltar must file a tax return

• Country by country reporting –regulations effective from 5 June 2017 (Part 1B ITA 2010)

https://uboregister.egov.gi/


Questions?


Thank you

title slide one - kpmg · 2020. 4. 17. · isle of man new york uk fca european commission delaware...

Documents