2018: Another year, more financial crime prevention requirements

Emma Radmore Annual Update looks back at what has happened in the world of financial crime prevention since the 2017 update. It seems as if we are still coming to terms with the changes of 2017 yet now must adapt to more. And all this in the (at the time this article was written) uncertain climate as to when, or even whether, Brexit will happen and the terms on which any orderly or disorderly exist will take place. There have been some key developments on the EU front with the fifth Money Laundering Directive (MLD5) and the domestic front with the Sanction and Anti-Money Laundering Act 2018 (SAMLA). There are some key changes in the pipeline (reform of the Suspicious Activity Reports (SARs) regime, and in the mix the usual interesting enforcement actions and regulatory reviews.

MLD5

MLD5 was adopted in May and, after publication in the Official Journal of the EU, must be implemented by Member States by 10 January 2020. Last year's update summarised its key provisions, and little of substance changed in the months leading up to its final adoption. In brief, the major changes affect:

• The scope of controls: bringing within scope virtual currency exchange providers and custodian wallet providers, art dealers, brokers and storers, letting agents and those who "materially aid" in tax matters
• E-money products, by reducing the limits below which exemptions apply
• Bans, on anonymous safe deposit boxes and optional bans on all anonymous pre-paid cards
• CDD obligations, particularly to broaden the situations in which enhanced due diligence will be required (and to require the European Commission to take into account additional factors when carrying out its risk assessments) and to require verification of a senior manager where no beneficial owner can be identified
• Establishment, permitting Member State laws, variously, to refuse registration of branches or subsidiaries of entities with parents in specific countries, and to require a first payment from a customer to come from an EU or equivalently-regulated institution
• PEPs, requiring Member States to issue and keep up to date a list of prominent public functions
• Enforcement, requiring appropriate sanctions for breach of beneficial owner registration requirements.

It's too early for Member States to have started to plan implementation; but for the UK it is almost inevitable that Brexit (whether hard or soft) or no Brexit, the UK will change its laws insofar as it needs to, to take in the MLD5 additions.  As ever, some of the changes MLD5 brings are already in place.

The Directive for Criminal Sanctions against Money Laundering has also been adopted. This sets down minimum requirements that all Member States should set a maximum term of imprisonment for money laundering offences of no less than 4 years as well as imposing a range of civil and administrative sanctions. This Directive will need to be implemented in late 2020.

SAMLA

SAMLA got Royal Assent on 23 May and parts of it are already in force. Its main purpose is to give the UK powers to implement sanctions after Brexit in cases where they currently have direct applicability through an EU Regulation. That said, it makes several other improvements and modifications to the way the UK currently operates and monitors its financial sanctions and AML legislation.

SAMLA:

• Gives powers to the relevant Minister to make regulations (for complying with a UN or other international obligation or otherwise) for preventing terrorism, in the interests of national or international security or to further a foreign policy objective
• Allows those regulations to designate persons, groups of persons and countries for various purposes. It controls the use of powers by requiring that there must be reasonable grounds to suspect the person is involved in the specified activity and that the designation is appropriate
• Carries forward the licensing regime
• Keeps the maximum imprisonment of 10 years, and fines of up to £1m or, if higher, 50% of the gross value of the funds;
• Keeps the current territorial scope
• Requires the relevant Minister to publish guidance, and gives protection against civil proceedings to a person who has acted in reasonable belief their behaviour was compliant with the guidance
• Widens coverage to allow making of AML legislation implementing FATF guidelines and to change existing laws
• Allows for the use of deferred prosecution agreements (DPAs) in allegations of breach.

A set of regulations made in anticipation of Brexit will also address the mechanics of requesting reviews, variations or revocations of designations.

Criminal Finances Act 2017: Unexplained Wealth Orders (UWOs)

The NCA obtained the first UWO in February, against the wife (Mrs X) of a banker (X) from a non-EEA country.  The order, which froze £22m of UK property, was appealed in July. The basis for the order was that the government of the relevant country had a stake in the bank, and X had been related of various fraud-related offences. On appeal, the court held that Mrs X was a PEP, because the bank was a state owned enterprise, and therefore X and as a result Mrs X were PEPs. It also said it was reasonable to suppose that Mrs X's known sources of wealth were insufficient to afford the properties in question.  Her anonymity, originally granted, was then waived.

There has been some criticism of the court's reasoning, and we await the next UWO and the next challenge.

Registration of Overseas Entities Bill

The Government has also brought forward a bill to require all foreign companies that own UK properties to disclose their beneficial owners, and for this to be recorded on a public register. Entities breaching the requirement and individuals who fail to register when instructed to do so or who knowingly try to deceive the register would be liable for unlimited fines and/or imprisonment.

Law Commission consultation on the SARs Regime

The main consultation of the year was the Law Commission's paper on the potential reform of the SARs regime. It is widely agreed that the current regime brings with it many problems, but what is less clear is how to address them. The Law Commission's research focussed on ways that might reduce the number of SARs by minimising those that are of low intelligence value. It also sought to assess whether there are misunderstandings of aspects of the current regime and the burdens and impact of suspensions on both SAR makers and their subjects.  It considered:

• Whether the current approach that all crimes are relevant and could form the subject of a SAR was good or bad: the advantage is that the reporter does not have to identify a specific underlying crime, but this does mean that minor offences and regulatory breaches are caught and reporting these creates disproportionate burdens. But, if the approach moved to a "serious crimes" only approach, how would this be categorised?  Any solution would almost certainly exclude offences that the regime would want to cover. So, on balance, the Law Commission thought maintaining the status quo would be best
• What is a suspicion? The paper goes into some detail on what this could be, before concluding that the best articulation is that it is "a possibility, which is more than fanciful, that the relevant facts exist".  But within this, it set out a hierarchy of states of mind, comprising of knowledge, blind eye knowledge, belief, reasonable grounds or cause to believe, reasonable grounds or cause for suspicion and suspicion.  As if this were not complicated enough, there is the question of whether "reasonable grounds to suspect" should be subjective or objective, which ultimately raises the question of whether a person commits an offence or not if there were reasonable grounds to suspect, but they did not in fact do so
• The "failure to disclose" offence: following on from the confusion around what is a suspicion, is the confusion around the failure to disclose offence.  In principle, there are four ways to commit this – by knowing, by suspecting, by having reasonable grounds to know, or by having reasonable grounds to suspect. But, the Law Commission asks, is "suspecting" actually redundant as it means the same as "having reasonable cause to suspect", or is it not, because "having reasonable cause to suspect" cannot mean "actually suspects"? The Law Commission believes it is reasonable to have a different construction for the failure to disclose offence than for the predicate offence – so that it is reasonable for it to be an offence for a person to have failed to disclose when there were reasonable grounds for suspecting notwithstanding that they did not in fact suspect; and
• Whether, therefore, there should be a definition of "suspicion" – but this is unlikely to work. Guidance, however, could be useful. And, for the reporting offences, a test that incorporates a proof of substantive suspicion and objectively reasonable grounds could also work. But, for the "authorised" disclosures, the disclosure level should probably be kept at "mere suspicion".

Prosecutions under Bribery Act

The main story of the year was the prosecution of Skansen Interiors.  This was the first prosecution brought by the Crown Prosecution Service (CPS) for breach of s7 Bribery Act (the previous cases were all Serious Fraud Office (SFO)) cases. This case has really thrown the cat among the pigeons. Skansen was a small refurbishment contractor which was invited, in 2013, to tender to DTZ for office refurbishments worth £6m. It was alleged that a project manager (A) at DTZ had passed on information that would give Skansen an advantage or recommended them for the project based on offers or requests for bribes involving Skansen's managing director (B). Following award of the contract, Skansen made two payments totalling £10,000 to A and intended to pay a further £29,000. The payments, to a company set up by A, were alleged to be for various services for which there was no evidence. Senior management at Skansen had approved the payments.  However, before the £29,000 was made, a new CEO joined Skansen, and carried out an internal investigation when asked to approve the payment. The new CEO also found that no bribery prevention policy existed, and put one in place. The payment was stopped, both A and B were fired by their respective employers, and a SAR was submitted.  A and B were subsequently convicted under sections 1 and 2 of the Bribery Act, and Skansen charged with breach of s7. It argued it had adequate procedures, saying, among other things, that:

• Its office was small and open plan so did not need sophisticated controls
• The overall ethics policy should have been enough, and the company ethos was to behave with honesty and integrity – and a policy of this nature was in place before 2014
• Financial controls required multiple approvals
• Senior management had put anti-bribery clauses in contracts
• Email evidence showed that B was aware of the law and
• Stopping the largest payment showed the procedures were effective

However, a jury found the firm guilty – although the only remedy available was an absolute discharge as the firm was dormant and without assets. 

Much of this flies in the face of the pattern SFO prosecutions had set. CPS said it needed to "send a message". Even though the company self-reported, it seemed to get no credit for this, and CPS said a DPA would not have been appropriate because there could be no ongoing benefit to a dormant company. However, one wonders both how it was in the public interest to prosecute the company and also what the jury would have regarded as "proportionate" procedures for this small company.

Meanwhile, the SFO has successfully concluded its first DPA, against Standard Bank. All the conditions were met, the Bank has of course incurred significant costs in having its controls reviewed and changes implemented as well as the more direct remedial amounts. SFO has also seen a change of director, and the new team have made a number of speeches continuing to encourage firms to speak out, and giving clear indications that DPAs will be considered for those who speak out honestly and fully, who do not try to hide anything, who take genuine action to put things right and, perhaps importantly given the Skansen case, where innocent shareholders and employees would suffer if there were a damaging prosecution.

And, while all this has been going on, a Parliamentary enquiry into the Bribery Act has started, and we discuss this below.

Enforcement Actions: Tesco, Canara, Sonali...

FCA has had a busy year, with three major actions in the financial crime prevention space:

• Canara Bank was fined nearly £900,000 and banned from taking deposits from new customers for 147 days after FCA found it had failed to remedy failings FCA had pointed out to it in its trade finance business – despite having confirmed to FCA that it had done so. The failings, ultimately confirmed by a skilled persons review, included inability to recognise PEPs, lack of monitoring and a governance and risk management framework that was not fit for purpose;
• Tesco Personal Finance, which was fined over £16m for breach of Principle 3 in the way it had acted both before and during a cyber attack. FCA criticised the bank for having allowed cards not designed for contactless MSD transactions to be allowed that use. Because of the nature of the original card issue, it was easy to predict their PAN numbers, so, when criminals launched a cyber attack it was easy to predict numbers. This was exacerbated by flaws in the checks the system made and the bank ignoring warnings of the precise risk in relation to the cards. Once the attack happened, a series of errors, including failures in correct communications and coding errors, meant the attack went on for longer than it need have, and senior management were not alerted as soon as they should have been. FCA praised senior management's actions once alerted, and the bank benefited from its full co-operation with FCA, its prompt action once senior management were alerted and its willingness to share its story to help others; and
• Finally, in December, FCA published a notice of its decision to fine the former CEO of Sonali Bank (UK) £76,000 for his part in failing to establish and maintain effective AML systems and controls – which led to the action already settled against the bank and its former MLRO.

Cases: Lonsdale v Nat West

This was an interesting and concerning case. The bank had made several SARs in relation to Mr Lonsdale, a respected barrister, and companies he was involved with, and froze all relevant accounts. After Mr Lonsdale applied to court, the freeze was lifted but the bank then gave him notice of closure of all the accounts. Mr Lonsdale submitted a subject access request for disclosure of the documents relating to the freezing decision, and the response included no SARs or any mention that they had been made, so Mr Lonsdale applied to court for inspection of the SARs. The case was about many other issues as well, but in relation to the request, the Court considered:

• Whether or not the bank had a genuine suspicion: the court said that this was a matter of fact that would need to be tested at trial, because whether or not there were reasonable grounds for suspicion did not matter;
• Whether the suspicion had to relate to a specific account before that account could be frozen – again, the court said they must be tested on the specific facts; and
• Whether requiring the bank to make the SARs available would cause it to tip off – the Court thought it was reasonable to make the order, but gave NCA 14 days to object.

NCA did not object, and the case settled, so unfortunately we will never know how the first two issues would have been decided.

Parliamentary enquiries

Parliamentary Committees have started reviews into the Bribery Act and the sanctions regime. The Bribery Act enquiry asked for evidence on, and is hearing experts from law enforcement, academia, business and the legal profession about:

• The Act's deterrent effect;
• Its quality of enforcement
• Quality of the guidance
• Challenges for compliance
• Use of DPAs 
• The impact on overseas business and
• Unintended consequences (and other issues)

The Committee's report is due at the end of March 2019.

The sanctions enquiry is focussing on how the UK should operate its sanctions regimes after Brexit, and is asking questions on:

• The effectiveness of sanctions
• The advantages and disadvantages of the EU's approach
• The advantages and disadvantages of the US approach
• How the UK should make use of the Magnitsky powers
• The desirability of alignment with EU laws post-Brexit
• How effective FCA has been and
• Use of sanctions alongside other tools such as UWOs.

Other regulatory snippets

In other news:

• FCA has completed the first cycle of its systematic AML programme and has reviewed all 14 banks in it at least once since 2012. It will review 150 other high risk firms over a 4 year period. Unsurprisingly, it is still focussing its concerns on failure to identify high risk customers and PEPs and treat them appropriately
• FCA's thematic review into selected e-money providers' AML compliance found pleasing results
• FCA's report following its analysis of Financial Crime Returns showed an overwhelming majority of customers are UK based and well under 1% are high risk. The 2,000 firms involved had made 923,000 internal SARs, of which around one third were reported to NCA
• HMRC has signalled its intentions to take action against those who are registered with it for AML compliance. It has published several documents outlining actions it may take against those who fail to comply with its requirements; and
• UK Finance published guidance on compliance with the Funds Transfer Regulation, FCA updated its Financial Crime Guide and JMLSG updated its main and sectoral guidance.

Conclusion

It's been a busy year with much to keep track of in financial crime prevention. More than ever firms need so much resource to ensure they do not miss something of relevance to them. Next year is unlikely to be any quieter as we deal not only with the (currently unknown) effects of Brexit, but also business as usual as current law, practice and enforcement develop.

Note:  This article was originally written on 7 December for Finanical Regulation International -  before publication of the FATF mutual evaluation of the UK and a range of other financial crime prevention developments. To keep up to date on developments, sign up to FIN