The ‘Shellshock’ IT exploit: what you should do to protect your home and office systems

James Harris

In April I provided advice to STEP members on how to handle the protection of their online accounts following the revelation of the ‘Heartbleed’ exploit. A new exploit dubbed ‘Shellshock’ was discovered last week and it is widely recognised as being more serious and far-reaching than Heartbleed. With the potential to affect everything from web hosting servers to Apple’s OS X operating system and a large number of home user items such as routers and home automation systems, Shellshock could have very far-reaching implications. Particularly worrying is that the vulnerabilities of Shellshock have been in existence in home and office software for over 20 years. Given so many of our members manage firms with extensive IT set-ups, and most would work from home or in transit using Wi-Fi networks each week, I strongly encourage you to review your online security against Shellshock. If your firm has an IT department or IT support provider, I urge you to contact them to ensure your system is secure.

What is Shellshock?

The exploit centres on BASH (Bourne Again SHell), which has a very similar role to the Windows command prompt and allows you to run commands on Unix and Linux systems (popular alternatives to Windows). The problem lies in the fact that you are able to define variables in BASH which specify a function. For example, you could define a variable called Hello_World, the function of which would be to make the message ‘Hello World’ appear on the screen when executed. The code for this would look something like: HELLO_WORLD_VAR='() { echo "Hello World"; };'

The problem with Shellshock is that you can put any command at the end of a normal function and BASH will process whatever you add. You could add a command at the end of the code like this: HELLO_WORLD_VAR='() { echo "Hello World"; }; DELETE ALL FILES'. BASH would define the HELLO_WORLD function and then carry out the ‘DELETE ALL FILES’ command. Obviously, ‘DELETE ALL FILES’ is a simplified example, but there is the potential for a hacker with knowledge of BASH to run any command they wish from here.
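
A local self-check for the behaviour described above, added here as an example and not part of the original article or of any vendor's tooling. It starts a shell with a variable shaped like HELLO_WORLD_VAR plus a harmless trailing echo and reports whether that trailing command ran, then lists environment variables whose values look like function definitions. The function names and the MARKER string are made up for this example, and it tests only this one behaviour.

```shell
#!/bin/sh
# Added example (not from the original article). MARKER and both function
# names are hypothetical; the trailing command is a harmless echo.
MARKER="TRAILING_COMMAND_RAN"

# check_bash_import [PATH]
# Prints one of: missing | vulnerable | not-vulnerable
# Starts the shell at PATH (default: the bash found on PATH) with a variable
# holding a function body followed by an extra command, as in the article.
check_bash_import() {
    shell_path=${1:-$(command -v bash 2>/dev/null || true)}
    if [ -z "$shell_path" ] || [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # A fixed shell treats the value as plain text and prints only "started".
    # An affected one runs the trailing echo while importing the variable.
    out=$(env HELLO_WORLD_VAR="() { echo \"Hello World\"; }; echo $MARKER" \
        "$shell_path" -c 'echo started' 2>/dev/null || true)
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo not-vulnerable ;;
    esac
}

# list_function_shaped_vars
# Prints the names of environment variables whose value begins with "() {",
# i.e. values an affected bash would try to import as a function.
list_function_shaped_vars() {
    awk 'BEGIN { for (k in ENVIRON) if (ENVIRON[k] ~ /^\(\) *[{]/) print k }' | sort
}

echo "bash import check: $(check_bash_import)"
```

A result of not-vulnerable covers only the trailing-command behaviour described in this article; keeping BASH patched remains the fix.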

The good news for users is that this exploit is very different from Heartbleed and you don’t need to change all of your passwords; however, the bad news is that it has the potential to impact items that the average user would never think of updating, such as routers and modems. When you also consider that Shellshock is likely to affect some very old products still in use that manufacturers are unlikely to bother updating, you begin to understand just how much of an impact this could have if you’re unlucky enough to get targeted by a hacker.

Anyone that’s read news articles already will likely have seen mention that Apple users are at risk, which is likely to be the main concern in the minds of home users, however Apple has released the following statement in order to reassure customers:

‘The vast majority of OS X users are not at risk to recently reported BASH vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.’

That statement implies that the average Mac user is not affected; I would certainly recommend paying extra attention to keeping your Mac up to date with the latest patches. For anyone else, my opinion is that you should keep up to speed and check for updates where possible. The list of potentially affected products is so large at this point that it wouldn’t be possible for me to give more detailed advice than that.

What does this mean for STEP?

  • STEP’s website host provider was vulnerable to this exploit; however, we have already taken action to ensure patches are applied
  • Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
  • We have also reached out to all our service providers to confirm that no breach was incurred on any of the sites they host

What does this mean for members?

  • Due to the nature of the exploit, members do not need to take any action with regard to their STEP accounts; however, everyone should be vigilant to developments over the coming weeks and apply patches where manufacturers provide them

Again, if your firm has IT support I encourage you to contact them to ensure that your systems are secure. If you have any queries about Shellshock and what you need to do please feel free to contact me.

James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal

Family finances – a private matter?

George Hodgson

In a largely secret process, this autumn will see tense negotiations between Parliament and member states about the extent to which many hundreds of thousands, if not millions, of families should have intimate details about their financial affairs placed on public display.

The public are rightly outraged that criminals, including tax evaders, so often seem to be able to hide funds away beyond the reach of investigating authorities. To tackle this problem, the Financial Action Task Force (FATF), the worldwide inter-governmental body responsible for setting global anti-money laundering standards, has brought forward proposals for reforms designed to make it harder for illegal funds to flow through the financial system.

For the past two years the EU has been working on a revised EU Anti-Money Laundering Directive to implement the reforms put forward by the FATF. The EU Commission’s initial proposals closely followed the new international standards. After prolonged debate, however, member states agreed a way forward which went well beyond the FATF’s recommendations in some key areas, with the focus on ensuring quicker and more effective access to information on who owns financial assets by investigating authorities.

In contrast, the EU Parliament has taken its own path on the new Directive. In a fundamental shift, MEPs are proposing the introduction of publicly accessible registers. The register will give full details to the public of all those who might benefit – the ‘beneficial owners’ in the jargon – from both companies and trusts. In the case of trusts the EU Parliament also calls for full details of the trust, including the assets held in the trust, to be generally made public.

These proposals from MEPs raise some fundamental problems when it comes to trusts.

In the popular view of those unfamiliar with them, trusts are used by the wealthy to evade taxes and hide money. This view seems to lie behind the pressure from the EU Parliament to open up trust details to the public.

The reality is very different. Trusts are very common in countries with an English legal tradition. In the EU this includes not just the UK but other Member States such as Ireland and Malta. Research by the UK tax authorities confirms that the majority of trusts are set up because a family wishes to help provide for a family member, often because the family wish to protect the long-term interests of a relative (a ‘beneficiary’) not currently able to look after their own affairs. As a result, one in four trusts have beneficiaries who are considered vulnerable.

Looking at trusts with vulnerable beneficiaries in more detail, the study found that in over a third of cases one or more of the beneficiaries were children aged under 18. In 17% of cases the trust beneficiaries were elderly and needed help running their financial affairs, in 15% of cases a beneficiary was mentally handicapped and in 7% of cases they suffered from a physical disability.

Is it either fair, or safe, that the names of such vulnerable people should be freely available to the public as the EU Parliament proposes? Particularly if, as proposed, the details of the assets in the trust also appear on the register there would seem to be an all too obvious risk that this information will be abused.

The issue of compulsory registries open to public inspection is thus the key issue that will need to be hammered out in the negotiations that will get under way in a few weeks between Parliament and Member States. All sides expect this so-called ‘trialogue’ process to be even more than usually contentious.

It is worth bearing in mind that trusts are in any case not secret. Most trusts are potentially subject to tax and will be reported for tax purposes just like, for example, a bank account. Moreover trusts are subject to full anti-money laundering checks, so both the trustees and their bank will need to establish who the beneficial owners are and provide that information to the authorities if requested. The current proposals from member states would make this information even more easily available to investigating authorities, but crucially the general public would not be given access to such sensitive information.

What is the legitimate public interest in exposing the details of people who might benefit from a trust to the public gaze? The EU Parliament has never provided an answer to this key question, but it exposes a fundamental point of principle with implications that extend well beyond the issues surrounding trusts.

When the new global FATF standards which have prompted the revised EU Directive were drafted there was a lengthy debate on how to balance the need for investigating authorities to have effective access to information without losing core protections for the individual in terms of privacy and data protection. Reflecting this debate, the FATF standards do not require compulsory public registers for trusts. It is disturbing that there seems to have been little equivalent debate within the EU Parliament when it considered requiring details of all trusts to be placed on a publicly accessible register.

Families normally expect, quite legitimately, that their financial affairs will remain confidential. But the EU is now in real danger of stumbling into a situation in which large numbers of ordinary families will see their affairs opened up to the merely curious, the intrusive and the potential criminal alike. That should not happen without a very serious public debate about where the boundaries of any right to family confidentiality should be set.

George Hodgson is STEP’s Deputy Chief Executive

*This article originally appeared in Accountancy Live

STEP LATAM and North America News Digest wrap-up – August’s top stories

Catching up on the latest trust and estate sector news on the go? Welcome to the wrap-up of the top ten most popular stories in the STEP North America and LATAM News Digests throughout July. In case you missed them, here are the top STEP LATAM and North America News Digest stories most clicked by our readers.

Robin Williams’ estate plan could give his heirs some consolation: As the world mourns the tragic death of actor Robin Williams, it appears as if the family he left behind can focus on grieving without having to worry about what happens to the estate. Media reports suggest the wealthy entertainer took care of his family with solid estate plans, including at least one revocable trust for the primary portion of his estate planning. This will avoid some of the complications and tax liabilities other celebrities’ families have had to endure.

Opposition candidate considers wealth tax: Large fortunes may face a wealth tax in Brazil if presidential candidate Aecio Neves wins the next election this coming autumn. He explained earlier this month that a tax on super wealth was on his agenda, and he would be discussing the idea with his economic advisors. The tax, versions of which have been proposed in the past in Brazil but never approved into law, is part of a broader plan to modernise and simplify Brazil’s complex taxation system.

Crociani v Crociani: On 7 April 2014, the Jersey Court of Appeal delivered its judgment in the case of Crociani v Crociani [2014] JCA 089. In a landmark ruling that will have far-reaching implications for contentious and non-contentious trust lawyers in both the onshore and offshore worlds, the Court of Appeal has clarified what is meant by ‘exclusive jurisdiction’ and ‘forum for administration’ in trust deeds, and in doing so overruled its previous decision in the 2002 case of Koonmen v Bender [2002] JCA 218.

US LLLPs not always advisable for cross-border investment: The limited liability limited partnership (LLLP) is a relatively new modification of the limited partnership, a form of business entity recognized under US commercial law. Some Canadian advisors have recommended that Canadians use US LLLPs to invest in US commercial property or businesses. But how does the Canada Revenue Agency view a US LLLP?

Michelle Bachelet faces challenges implementing tax reforms: Chile’s president Michelle Bachelet is facing serious political challenges following the announcement of a series of changes to her high-profile tax reform proposal. The updated legislation dramatically waters down the proposed changes to the country’s corporate tax structure, and the promised new powers to enable Chile’s tax collection agency to crackdown on tax evasion have now been omitted.

Banks will be forced to conduct beneficial ownership checks: The US Treasury has proposed a new regulation requiring banks and other financial institutions to identify and verify the beneficial owners of corporate bank accounts. The main purpose, it says, is to comply with the US government’s reciprocal obligations to other countries under FATCA intergovernmental agreements.

Artist’s trustees earn millions in fees: A US court has ordered the Rauschenberg Foundation to pay three of its trustees a total of USD24.6 million for the “extraordinary services” they rendered. The trustees originally charged the artistic foundation more than USD50 million in “reasonable compensation” for their success in increasing the value of the estate, while the foundation had offered to pay them USD375,000.

More Americans give back US passports before FATCA starts: A record number of 1,577 Americans have renounced their US citizenship in the first half of 2014, just before FATCA came into effect on July 1. That’s already more than half of the 2,999 expatriations registered in 2013. The passports or green cards have been returned in a bid to avoid unwanted US tax reporting obligations as the US Treasury and the IRS ramp up their efforts to trace undeclared assets and earnings abroad. Under the US ‘worldwide’ tax code, all of an individual’s income is subject to US taxation.

Fully compliant with OECD tax standards: Mexico has been found ‘compliant’ in a new batch of Organization for Economic Cooperation and Development (OECD) Phase Two Peer Review reports and compliance ratings. The Global Forum reviewed exchange of information practices in ten jurisdictions, with Mexico the only state found fully compliant. The positive assessment has led some experts to praise the effort of new president Enrique Peña Nieto, who was elected in late 2012.

US tax agency is collecting dual citizens’ passport information: Dual US-Canadian citizens are finding it increasingly difficult to enter the USA on their Canadian passport, and are now being told that they will need to apply for or renew their US passports. The US Immigration Service will then pass on their names and addresses, US tax identification numbers and date of birth to the Internal Revenue Service for enforcement purposes.

The STEP Industry News Digests provide a round-up of relevant industry news for trust and estate practitioners and other professionals in the wealth management sector. They provide brief summaries of topical news stories gathered from news providers internationally, providing a quick reference for busy practitioners to all the relevant news and issues. The News Digests also feature job listings from our recruitment site and list local STEP branch events and conferences. STEP’s digest services include twice weekly UK and Wealth Structuring (international) editions as well as a bi-weekly North America Digest focusing on the US, Canada and Mexico, and a Latin America Digest.

To subscribe to STEP’s digest services you will need to first register here: http://www.step.org/register

STEP Wealth Structuring News Digest wrap-up – August’s top stories

Need to put all the pieces of trust and estate industry news together? Welcome to the wrap-up of the top ten most popular stories in the STEP Wealth Structuring News Digest throughout August. In case you missed them, here are the worldwide industry news stories most viewed by our readers.

Anger at UK’s listing of Cayman as high-risk jurisdiction: The Cayman Islands government has expressed astonishment and horror at its inclusion on the UK financial regulator’s list of jurisdictions with a high risk of money laundering. The list does not include any other British Overseas Territories or Crown Dependencies.

Surprise move against non-doms’ loans backed by foreign income: In an overnight change of policy, HM Revenue & Customs has announced that non-domiciled UK residents must now pay UK tax on offshore income used as security for a loan. The change is effective immediately, although non-doms are being given a grace period to re-finance their existing borrowings.

Amended guidance on UK-US IGA: STEP, The Law Society and ICAEW have amended the UK-US FATCA IGA Guidance and corresponding flowchart to incorporate some new wording from HMRC. This is not a change of substance, simply a clarification that only affects the wording in questions 3, 4 and 5 (on p12 of this guidance). The core message remains the same – practitioners need to take action now to ensure their obligations under FATCA are met.

Pensioner convicted for banking his life savings: A retired nurse became a money launderer when he paid his life savings and pension into his Mauritius bank account, although he had lawfully earned all of it while working for the UK National Health Service, the Privy Council has ruled. Toolsy Beezadhur could not prove that his 45 years’ work as an NHS nurse constituted a lawful business activity under the Financial and Anti-Money Laundering Act 2002, and was duly fined MUR50,000 (EUR1,250).

Clients may sue Standard Chartered over account closures: Standard Chartered Bank may be forced to close 8,000 accounts held by clients in Dubai, as a result of money laundering enforcement action by the New York State regulatory authorities. Some of the clients are reported to be preparing to sue the bank.

Amendments to withholding foreign trust agreements: The US Internal Revenue Service has updated the text of the standard withholding foreign partnership and trust agreements on the FATCA website.

Industry ordered to report tax planning schemes to regulator: From 1 October, Jersey financial firms will have to report any new business connected to tax-planning schemes that are registered under the UK’s Disclosure of Tax Avoidance Scheme (DOTAS) regime.

Canadian government sued over disclosure provisions: Two Canadian-American dual citizens are challenging the Ottawa government’s implementation of the US Foreign Account Tax Compliance Act, which requires banks to report US clients to the US Internal Revenue Service.

Artist’s trustees earn millions in fees: A US court has ordered the Rauschenberg Foundation to pay three of its trustees a total of USD24.6 million for the “extraordinary services” they rendered. The trustees originally charged the artistic foundation more than USD50 million in “reasonable compensation” for their success in increasing the value of the estate, while the foundation had offered to pay them USD375,000.

US authority seizes Abacha funds: The US Department of Justice has seized USD480 million hidden in bank accounts around the world by the former Nigerian head of state Sani Abacha and his colleagues. Abacha embezzled billions of dollars from Nigeria’s central bank while in power from 1993-1998, and laundered it through bank accounts in Jersey, France and the UK before investing it in US securities.

STEP UK News Digest wrap-up – August’s top stories

Been too busy enjoying the summer to keep up to date with all the latest UK industry news? Welcome to the wrap-up of the top ten most popular stories in the STEP online Digests throughout August most clicked by our readers.

Amended guidance on UK-US IGA: STEP, The Law Society and ICAEW have amended the UK-US FATCA IGA Guidance and corresponding flowchart to incorporate some new wording from HMRC. This is not a change of substance, simply a clarification that only affects the wording in questions 3, 4 and 5 (on p12 of this guidance). The core message remains the same – practitioners need to take action now to ensure their obligations under FATCA are met.

Newspaper sets ‘pay before you die’ hare running: The Daily Telegraph has started a scare that people who set up trusts to avoid inheritance tax might in future be forced to pay it before they die. It may be referring to HM Revenue & Customs’ new accelerated payment powers, which could be used to enforce the existing periodic IHT charges on trusts under the relevant property regime.

LPA does not legally exist until registered: The England and Wales Court of Protection has ruled that a lasting power of attorney (LPA) is legally created only when it is registered by the Public Guardian, not when it is executed by the donor. The decision – made in the complex case of N & S v E & M (2014 EWCOP 27) – was important because it established that an LPA executed by a donor took precedence over a ‘living will’ (an advance decision to refuse medical treatment) that she had signed on the same day.

Attorney spent too much on improving her mother’s living accommodation: A woman who took her elderly mother into her own home and gave up her career to look after her has had her power of attorney revoked by the England and Wales Court of Protection. The court considered she had spent too much of her mother’s money on adapting the property to accommodate her mother’s needs (Public Guardian v AW, 2014 EWCOP 28).

Never specify a legacy twice: What does the executor do if a will specifies the value of a legacy both in words and in numerals, but the two values are different? It appears that the practice of duplication is common despite being deprecated by experts for exactly this reason.

Impact of the accelerated payment rules: Experts at law firm Baker & McKenzie summarise HM Revenue & Customs’ new powers under the accelerated payment regime that came into effect on 17 July 2014, covering income tax, capital gains tax, corporation tax, inheritance tax and stamp duty land tax.

Official receiver winds up dubious estate-planning firm: The government’s Insolvency Service has wound up a Nottinghamshire company that marketed schemes claimed to protect clients’ assets through wills, trusts and lasting powers of attorney. Goldstar Law of Newark received GBP400,000 in clients’ advance payments but provided very little in return.

Call to report QCs who give deliberately misleading tax advice: A claim that some barristers make a practice of giving misleading opinions about the validity of tax-planning schemes has provoked a reaction from the Bar Standards Board. Its chief executive says QCs should report colleagues whom they believe to be breaching its code of practice.

Government yields on electronic LPAs: The Ministry of Justice has postponed plans to introduce a fully electronic online process for the creation and registration of lasting powers of attorney in England and Wales. Instead it will simplify the paper-based process, which will soon allow donors to specify when the power is to take effect.

Forcing trusts into DOTAS ‘will hurt ordinary families’: New proposals to bring mainstream trust-based inheritance tax planning into the Disclosure of Tax Avoidance Schemes regime will disadvantage ordinary families with modest assets, not just the wealthy, according to Standard Life’s family finance expert Julie Hutchison TEP. She says the proposals will impose a compliance and reporting burden even where no tax is due, for example where trusts are used to hold life and pension policies.

The Risk Based Approach – implications for international business

George Hodgson

Many STEP members will have been on holiday over the past few weeks. If so, they may have missed some important indicators of how the authorities plan to use the Risk Based Approach in anti-money laundering regulations aimed at tackling illicit money flows.

One of the most significant technical developments in the revised FATF Recommendations published in 2012 was a new methodology formalising procedures regarding the so-called Risk Based Approach (RBA). As part of the RBA, all national governments are now required to conduct National Risk Assessments (NRAs) and STEP has been working closely with some of the teams putting together NRAs. All financial institutions are also expected to undertake their own risk assessment as part of the RBA.

Even before the UK NRA has been completed, a key UK regulator, the Financial Conduct Authority (FCA) has published a list of ‘high risk jurisdictions’ for AML purposes. The FCA is not suggesting that financial institutions it regulates should stop dealing with anyone from a jurisdiction listed as high risk. It is nevertheless making it plain that in supervisory visits, regulators will expect regulated entities to be able to demonstrate clear mechanisms for managing the risk in any business originating from such jurisdictions.

What is really striking, however, is the length of the FCA’s high-risk jurisdiction listing. While the inclusion of Cayman on the list has provoked a lot of comment – and talk of an application for judicial review from the Caymans – the real issue is that the FCA is deeming over 90 jurisdictions to be ‘high risk’. Among these are a string of major economies, including Brazil, India and China.

Alongside this development in the UK, and just as significant, is a powerful reminder from the US of the sort of penalties regulators can impose for perceived failures in applying the RBA. Standard Chartered recently reached a settlement with US regulators, which not only imposes a USD300-million fine, but also effectively bans the bank from acting for high-risk customers in Hong Kong and the UAE. The regulator’s allegation was that the institution had failed to demonstrate adequate risk management processes in the relevant jurisdictions, and in the wake of the bans it is now reported that the bank is looking to scale back its exposure to the UAE.

There could be some significant implications for STEP members. Recent years have been marked by strongly growing business flows from Brazil, India and China as the BRICs and other developing economies have boomed. Practitioners with clients from these areas should consider if their own risk management processes will be acceptable to regulators in their home jurisdiction if they were to follow the trend in the UK and US of deeming such economies ‘high risk’.

Just as importantly, it is worth asking how financial institutions are likely to respond to the new regulatory emphasis on the RBA. The penalties being imposed on banks for any breach of the regulations are now such that many banks are likely to take an extremely risk-averse approach. They may well seek, like Standard Chartered in the UAE, to scale back their exposure to business connected with any jurisdiction considered to be high risk. Others may continue to accept business from such jurisdictions, but will be looking at risk management plans that imply much tougher customer due diligence procedures in these areas. In addition, financial institutions that continue to do business in jurisdictions perceived as high risk will probably also be looking for wider margins to compensate.

Trustees focused on international business flows, particularly from developing economies, could therefore shortly see some interesting conversations with both their anti-money laundering regulators and their banks.

George Hodgson is STEP’s Deputy Chief Executive