On 29 March 2017, the United Kingdom (UK) invoked Article 50 of the Treaty on European Union and began the process of withdrawing from the European Union (EU), commonly known as Brexit. Negotiations between the UK and the EU on the terms of withdrawal have concluded, and it is fair to say it will take a while to digest the ramifications of what has been agreed or what may not be.
During this last year, Tungsten Network has been undertaking a regular and comprehensive review of our systems and processes as they pertain to potential Brexit outcomes, and the impact that would have on our business and our customers. Our Legal, Operational, Procurement, Security and Human Resources teams have assessed all aspects of our business, including using readily available resources, such as the European Commission website(s), the Information Commissioner's Office website and the UK Government website (GOV.UK), in order to prepare this statement. We have also validated our findings with our own external advisors (such as PwC).
Please note that this statement is about the impact of a Brexit Deal in respect to Tungsten Network’s business (primarily a technology-based service), not the businesses of our customers, and we strongly urge our customers to identify what challenges they may have in terms of Brexit.
The key areas of impact are split into five groups:
1. Core solutions delivered to our customers
In any scenario, the UK Government has stated that businesses will have to apply the same VAT and customs rules to goods moving between the UK and EU as currently apply to trade between the UK and non-EU countries. Customs declarations will be required when goods enter or leave the UK and importers will be liable to pay import VAT and/or customs duties.
Similarly, the EU will apply EU customs rules (and duty and VAT at EU rates) to goods it receives from the UK, requiring customs declarations on goods imported from the UK just as for goods imported from other non-EU territories. For more details, please see the following:
There are some potential changes we think you should be particularly aware of:
Under the current withdrawal agreement and to avoid a hard border between Northern Ireland and the Irish Republic, Northern Ireland will have a “dual status”. This means that movement of goods to/from NI from/into EU member states will remain largely subject to the EU VAT Directive. This will happen regardless of whether the UK and EU agree a free trade agreement, unless the UK Government decides to reinsert Brexit clauses allowing it to disapply parts of the withdrawal agreement into the internal market bill.
The dual status for Northern Ireland does not apply to services, so the UK will largely follow the Place of Supply rules already in place.
We recommend that you check what the Northern Ireland status means for your company.
VAT Registrations of UK companies in EU Member States
If you are established for tax in the UK and you have foreign VAT registration(s), it is our opinion that you should ensure that the country(ies) where your UK entities are registered for VAT allow you to maintain that registration and, if they do not, you should consider appointing fiscal representation.
Cut-off and Cut-over processes
We also think it is important that you consider your ERP’s tax calculation processes for cut-off and cut-over where orders have been made pre-Brexit and invoiced for post-Brexit, considering the moment of invoicing versus time-of-supply rules.
Also, we believe that it is important that you consider the VAT treatment of credit notes referring to transactions that were invoiced for pre-Brexit but corrected post-Brexit.
What is the likely impact to Tungsten Network’s solutions?
We have analysed what, if any, changes need to be made to our services in respect to our customers. The overall practical effect is negligible. From a regulatory compliance perspective, the UK would be treated by Tungsten Network like any country outside of the EU invoicing to or from the EU.
There might be some changes to UK domestic (UK to UK) tax rates or tax types. There may also be some impact on cross-border transactions (EU to UK and UK to EU) in the form of changes to customs rules, duty and VAT, and we are following such developments daily.
What mitigations/plans have we or are we putting in place?
Tungsten Network’s country compliance is based on domestic rules (i.e. where the “supply” originates from), and as such is not involved in cross border tax settlement or reporting. Duties are recorded and paid outside of the invoice. As mentioned above, Tungsten Network already facilitates non-EU to EU invoices and vice versa. Invoices to and from the UK would be treated in the same manner.
In addition, where there will be changes to relevant VAT rates or tax types, the Tungsten Network has been specifically designed to deploy these very rapidly if required.
2. Customer contractual obligations (delivery of services, products, data protection and security)
Outside of compliance, we have also analysed the continuity of our services to customers, including aspects such as our technical and operational capability. In particular, we have considered the standards that Tungsten Network complies with in respect to security and audit (ISO 27001 and ISAE 3402) and data protection (including personal information data flows).
Our assessment is from the perspective of both our customers and our supply chain, including personal information data flow into the UK from the EU as well as personal information data flow within the UK and UK to the EU.
What will be the impact?
In terms of any deal, at this moment, the UK automatically becomes a “third country” in terms of data protection and in particular, data transfer.
ISO, ISAE 3402 and Security
Tungsten Network subscribes to ISO 27001 as a benchmark of the information and security systems it has in place. This is not just a European standard, but also a globally recognised one. We do not expect a No Deal Brexit to have any effect on the validity of that standard. The British Standards Institute (which governs the implementation and maintenance of this standard in the UK) has confirmed this.
ISAE 3402 is also an internationally recognised method of assessing a company’s compliance with its own internal standards; so, the validity of our ISAE 3402 Report remains unaffected.
Security and Data Protection: the UK Government has adopted the General Data Protection Regulation into UK law (commonly known as UK GDPR) and already has in place country-specific legislation such as the Privacy and Electronic Communications Regulations. As such, UK businesses will have to comply with the same concepts and principles that apply in the EU with respect to ensuring there are adequate and appropriate technical and organisational measures in place to protect Personal Information, commensurate to the risk represented by the Processing and the nature of the Personal Data to be Processed.
As part of our GDPR exercise undertaken in 2017, we had already analysed our customer and internal data flows. In addition to adopting GDPR locally, the UK Government has “recognised” the EEA (and countries that the EEA deems have “adequate” laws in place for safe data transfer) as having laws in place to enable the safe transfer of Personal Data from the UK. In addition, we are actively looking at the impact of what is known as the Schrems II case.
UK to EU data transfer
No changes are required operationally or legally for any personal data transfer from our UK operations to the EU. Outside of the EU we already have the relevant undertakings and Standard Contractual Clauses in place.
EU to UK data transfer
The EU has yet to confirm that the UK is an “adequate” country for the purposes of safe transfer of Personal Data and has confirmed there will be a formal process of assessment that will need to take place after 1st of January 2020 in order to formally adopt that finding. It is highly likely, given the UK’s infrastructure for Data Protection (and its intention to maintain it), that this will be a formality.
Controller to Processor undertakings
Many of our EU Customers have already signed up to our GDPR-compliant undertakings, which, by virtue of our service, have standard contractual clauses embedded. This is the interim measure that has been recommended industry wide prior to any adequacy finding.
All our sub-processors have already signed up to GDPR-appropriate undertakings (including, for those outside of the EEA (and including the US), standard contractual clauses). We have not relied on Privacy Shield alone as an adequate transfer mechanism in respect to the US.
There is conflicting advice as to whether it is appropriate for our UK sub-processors to enter into standard contractual clauses (as they fall out of the EU framework). This is because the GDPR undertakings we have in place with them effectively cover standard contractual clause requirements. Notwithstanding this, preparations are in place to send Standard Contractual Clauses to this small group of sub-processors if we deem it necessary.
Data Protection Officer and DPA Representative
Given the nature of what Personal Information we process and the frequency with which we process it, it was not strictly necessary for us to appoint a Data Protection Officer. However, we took the view that we should.
We have established trading branch offices in the European Union, so there is no need for us to physically establish a new entity in Europe as part of the EU DPA Representative requirements.
Other than for US Federal customers (where we have a dedicated US data centre), our customer data is stored in a secure Oracle database hosted on an Amazon Web Services cloud environment located in Dublin. Our current assessment is that there is no requirement for this to change. However, we continue to monitor this situation and if we feel it is appropriate, we have a contingency.
3. Supply chain (critical vendors)
Our Procurement and Legal departments have undertaken a review of our current critical vendor relationships. The vast majority of these are for the provision of services and not products; therefore, we do not consider there to be any risk that needs to be mitigated for these vendors in respect to our day-to-day operations. However, the situation is being continually monitored by our Procurement Team.
We have communicated with our brokers about our internal and external (customer facing) insurance placements and their validity in a No Deal Brexit or thin deal scenario. They have confirmed our assessment that our underlying insurers almost without exception are global providers of insurance (and some place insurance for us out of the United States). We do not envisage any disruption to our delivery of insurance.
5. Human Resources (internal staff/contractors/locations)
Tungsten Network’s staff are a critical factor in our success. Given the global nature of our business, many staff have multi-lingual capabilities. Many people in our global headquarters in London come from or are based in Europe and they are an essential part of our business.
The UK and the EU have broadly reached an agreement as to EU citizens’ rights in the UK. There is some debate as to whether that arrangement will apply in the event of a No Deal Brexit or a thin deal Brexit, but currently both the EU and UK are giving reassurances that citizens’ rights will be protected. We have informed our EU colleagues of their rights, including how they can register and apply for the EU settlement scheme.