
Practice Compliance | Know Your Statutory Obligations

Last updated: 27 Feb 2024 09:30 Posted in: AIA

Ian Waters explains the ethical principle of professional behaviour, and some of the statutory obligations placed upon accountancy practices.

AIA members, like anyone else, must comply with the law. But as professional accountants, that obligation is underpinned by the requirements of the International Ethics Standards Board for Accountants (IESBA) Code of Ethics (as adopted by AIA) with which all AIA members must comply.

In particular, the fundamental ethical principle of Professional Behaviour requires a member to ‘comply with relevant laws and regulations and avoid any conduct that the professional accountant knows or should know might discredit the profession’. So I am keen to remind you of your obligations under UK law, although the time and space available in this article won’t allow me to cover all those obligations in detail.

Statutory limitations

Before addressing statutory obligations, let us acknowledge our statutory limitations, by which I mean the areas of work undertaken by some firms that are subject to statutory regulation (and beyond the bounds of ‘general practice’). I am thinking of audit work, insolvency, regulated investment business and reserved legal activities (such as probate). Unless you and your firm are authorised in these areas, you must be aware of the risk of straying into them and thus fundamentally breaching the law.

For example, you might not even realise when you are going beyond your role as executor of a deceased client’s estate or undertaking regulated activities specified under the Financial Services and Markets Act 2000. Sometimes, our wish to help our clients – especially those we have known for a long time – can lead us to overlook the fact that our relationship is a professional one, and we are not authorised to provide services in certain areas.

What are your statutory obligations?

Understanding the limitations on what you can do without needing authorisation within a statutory framework might be something you need to research further. In this article, I can only focus on your ‘general practice’ legal obligations. I should, of course, mention anti-money laundering compliance, but there is little I could say in this article that couldn’t be covered better in a more focused article or CPD event. However, you should be aware of the wide range of resources AIA makes available to members on its website.

So the rest of this article considers two other important areas of statutory compliance.

The accountability principle

As stated by the Information Commissioner’s Office: ‘The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.’ These are the six key principles regarding the processing of personal data.

1. Lawfulness, fairness and transparency

  • You must identify valid grounds under the UK GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • You must ensure that you do not do anything with the data in breach of any other laws.
  • You must use personal data in a way that is fair – not in a way that is unduly detrimental, unexpected or misleading.
  • You must be clear, open and honest with people from the start about how you will use their personal data.

2. Purpose limitation

  • You must be clear about what your purposes for processing are from the start.
  • Record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
  • You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.

3. Data minimisation

  • You must ensure the personal data you are processing is: adequate (sufficient to properly fulfil your stated purpose); relevant (it has a rational link to that purpose); and limited to what is necessary (you do not hold more than you need for that purpose).

4. Accuracy

  • You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
  • You may need to keep the personal data updated, although this will depend on what you are using it for.
  • If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • Carefully consider any challenges to the accuracy of personal data.

5. Storage limitation

  • You must not keep personal data for longer than you need it.
  • Think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

6. Integrity and confidentiality

  • You must ensure that you have appropriate technical and organisational security measures in place to protect the personal data you hold, proportionate to the risk to the individuals concerned.
  • This is the ‘integrity and confidentiality’ principle of the UK GDPR – also known as the security principle.
  • If a personal data breach does occur and is likely to result in a risk to individuals, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. You should therefore have a documented process for recognising and escalating breaches before one happens.

Data privacy and security

The careful handling of personal data makes good business sense for your practice, as well as being a legal requirement. You will be holding personal data about your clients, their officers and employees, and perhaps your own employees.

A small accountancy practice may be particularly exposed to non-compliance with data privacy legislation, simply because it is unlikely to have dedicated staff or systems for the task. Furthermore, a practitioner may be broadly compliant yet lack sufficient understanding of the legislation when a data subject exercises their rights.

The legislation is complex. The UK General Data Protection Regulation (UK GDPR) interacts with the Data Protection Act (DPA) 2018, and Part 2 of DPA 2018 supplements the UK GDPR.

However, the principles are relatively straightforward. The UK GDPR and DPA 2018 together:

  • require personal data to be processed lawfully and fairly;
  • confer rights on the data subject concerning the processing of their personal data; and
  • confer functions on the Information Commissioner, giving them responsibility for enforcing the provisions of the UK GDPR and DPA 2018.

Your practice must be able to justify how and why it uses personal data. This is known as the ‘accountability principle’, which is relevant to the six key principles regarding the processing of personal data (see above).

Unfortunately, it is easy to retain large amounts of data without necessarily realising it. So think about the six principles and whether you can justify the way your practice processes personal data. It is advisable to document your policies and procedures for complying with these data processing principles and set aside time to periodically monitor compliance.

There is a comprehensive guide to the UK GDPR on the website of the Information Commissioner’s Office (ICO). It explains each of the key principles, and provides checklists and examples that you may wish to consider when assessing your practice’s risk of non-compliance.

Different responsibilities apply according to whether your practice is in the role of ‘data controller’ or ‘data processor’. In brief, a controller determines the purpose and means of processing the data; a processor simply processes data on behalf of a controller, in accordance with their instructions. For most client work an accountancy practice will itself be a controller, because it exercises professional judgement and has its own statutory duties (for example under the anti-money laundering regime) rather than acting purely on instruction. Guidance on the ICO website sets out how to identify who is determining the purpose and means of processing the personal data.

This is important because if your practice is, in fact, using a data processor (perhaps where a third party is processing a client’s payroll), your practice remains responsible, as controller, for choosing a processor that provides sufficient guarantees and for binding it by a written contract containing the terms required by Article 28 of the UK GDPR. You must ensure that your contract with the data processor will enable you to meet your data protection obligations.

You must also be clear about your clients’ rights and those of other individuals whose personal data your practice holds. For example, a data subject’s right of access means, in effect, their right to copies of that data, and you must respond without undue delay and at the latest within one month (extendable by a further two months where requests are complex or numerous). A ‘subject access request’ can be quite disruptive for any small business, so it makes sense that personal data held is kept to a minimum. (Your employees must be trained on the risks of retaining personal data unnecessarily, and on how to recognise a request when one arrives.)

Provision of Services Regulations 2009

Your practice is required to provide specified information to its clients and those wishing to become clients. In effect, the appropriate means of providing much of the required information is by way of an engagement letter, although further information must be supplied if requested by the client.

Information provided must be clear and unambiguous. You must inform all clients (and potential clients) of where they may send a request for information about your services (or a complaint about the service). Unsurprisingly, those details must include:

  • the name of the practice;
  • its postal address and/or email address;
  • its telephone number; and
  • its official address (such as a registered office), where relevant.

Providing this information should not present a problem for your practice, as it will appear on your letterhead (when sending the engagement letter, if not before). But you must also make the following information available to clients and potential clients:

  • the practice’s legal form;
  • its geographic address (not necessarily the same as its postal address);
  • where the practice is authorised for a regulated activity (such as audit or insolvency), the name of the competent authority;
  • where the practice’s name appears in a public register, the location of that register;
  • the practice’s VAT registration number, where applicable;
  • the fact that the practice is required to hold professional indemnity insurance, the contact details of the insurance provider and the territorial coverage of the insurance;
  • the main features of the services to be provided, the price (if it has been pre-determined) and the general terms and conditions of the practice; and
  • the contractual terms, if any, concerning the competent courts or the law applicable to the contract.

This information may be provided in a number of different ways, including your practice’s website, brochures, factsheets, letterhead, etc. However, you should be clear (and confident) about where you provide this information. In my opinion, your standard engagement letter is the best means of demonstrating compliance.

Further information must be provided if a client (or potential client) requests it, namely:

  • the basis for calculating your fees where a fixed fee arrangement has not been offered;
  • if you are providing services regulated by statute, the professional rules applicable in the UK and how the client may access them; and
  • details of any codes of conduct to which your practice is subject.

Handling complaints

Advising your clients at the outset of how they would be able to complain, if necessary, is not only a requirement of the Regulations, but a matter of professionalism. It demonstrates your respect for high technical and ethical standards. But the Regulations go beyond the provision of information and set out how your practice must react to a complaint from a client. You must respond to a complaint as quickly as possible, and use your ‘best efforts to find a satisfactory solution’ (unless the complaint is vexatious).

A practice would be expected to have processes in place to ensure that reasonable complaints receive the attention they deserve and are not (deliberately or inadvertently) put to one side.

Final thoughts

Of course, there may be other areas you need to consider when reviewing your practice’s compliance with the law. Given what you know about your practice (including any employees and subcontractors you may engage), how confident are you that you are compliant in areas such as bribery and corruption, health and safety, and employment law? What resources do you have available should you need advice in such areas? I recommend that you assess the risk to your practice of non-compliance with the law, and establish clear policies and procedures that define what you and your colleagues may and may not do.

Furthermore, as an AIA member, you are required to plan and undertake CPD that must be relevant to your current role and development. Therefore, you should plan your CPD to cover any aspects of statutory compliance that may be concerning you.


Author biography

Ian Waters is Director at Compliance for Accountants Limited and supports accountancy firms with compliance – AML, ethics, professional standards and more.