The end of 2020 is finally within sight, and what a strange year it has been. In terms of financial crime prevention, 2020 has been a mixture of continuing to deal with known issues and progressing improvements, but against the backdrop of Brexit and a pandemic. In this year's review for Financial Regulation International, Emma Radmore of Womble Bond Dickinson looks back on the key legal and regulatory priorities for the UK authorities and the year's relevant enforcement actions. As usual, we then look at initiatives that will be progressing over 2021.
The pandemic brought with it challenges to every aspect of life and work. Financial crime prevention was not alone in having to adapt to the demands. From a UK perspective, the regulators, particularly the FCA, made its expectations clear early on. It understood that firms were facing unprecedented pressures in unaccustomed ways of working. It urged them to prioritise areas of the most risk, while trying also to keep up with business as usual. On the one hand, firms had to be alert to new types of fraud and financial crime, and not let their suspicion reporting slip in terms of any of timing, quality and quantity of SARs. There were also new fraud risks arising from the government schemes to help businesses. On the other hand, firms had to adapt to new working practices and appreciate that their clients needed to do so too. FCA appreciated that firms may need to re-prioritise or delay some activities. Key challenges included:
- Customers who were unused to online banking needing to start using it and potentially leaving themselves vulnerable to frauds
- Doing appropriate customer due diligence when onboarding a new customer, for whom the norm would have been face-to-face verification – FCA has started to encourage the use, for example, of selfies being sent by the customer. Of course, there were already many firms whose business model had evolved to deal only in the online world, but more traditional businesses struggled
- Whether to delay regular monitoring of CDD. This was something FCA was prepared to accept, but most firms considered this too risky and tried to stick to their regular cycles
- Similarly, FCA suggested firms could place more reliance on the diligence of others, but, again, this has never been popular, and again, firms would have been reluctant to use this route at all and, if they did, would have wanted to verify all information first hand as soon as possible in their remediation measures.
Added to this were the operational and HR challenges. FCA was clear that it would not expect key managers and senior management function holder to be furloughed, and in many firms it would have been surprising if large numbers of compliance and operational staff had been furloughed. Firms would have wanted to prioritise ensuring their systems and controls for keeping track of their customers and their activities remained appropriate. Part of this would include making sure staff working at home were properly supervised and, where appropriate, trained.
By now, most, if not all, firms will have reached and adapted to a new normal. Any that did let their usual standards slip should by now have embarked on a programme to fill any gaps, and have in place systems and controls to ensure consistent compliance for as long as the pandemic affects them.
The UK has, of course, spent much of the year wondering whether there will be any form of deal as it finally reaches the end of the Brexit transition period on 31 December. The legislators have been busy making laws that will, variously:
- Freeze EU requirements that applied before 31 December at that point of time, for future reference
- "onshore" EU Regulations, which had not needed to be transposed into UK law, by making a UK equivalent, amending terminology as appropriate to reflect the fact that the UK will not be in the EU
- Amend existing legislation that implemented EU laws to reflect the fact that the UK will not be in the EU
- Make new laws using new powers
- Amend regulatory rules and guidance.
The key pieces of primary legislation remain more or less unchanged. The money laundering and terrorist financing offences in the Proceeds of Crime Act 2002 and the Terrorism Act 2000 do not change, and nor does the Bribery Act 2010. But the Terrorist Asset Freezing etc Act 2010 will be replaced by two separate sets of regulations, one for the domestic and one for the international regime. The Sanctions and Anti-Money Laundering Act 2018 (SAMLA) was one of the earliest pieces of Brexit-related legislation introduced to the statute books, and the UK regulators had already been using it to make UK autonomous financial sanctions. Powers will now be used more extensively to account for the panoply of EU sanctions previously having direct effect in the UK. The Money Laundering Regulations will remain, with appropriate onshoring amendments. And the UK was never going to implement the 6th Money Laundering Directive anyway. The EU's list of High Risk Third Countries will apply frozen in time at the end of the year, and the UK will in future make its own list.
The Office for Financial Sanctions Implementation (OFSI) has been providing guidance to firms throughout the period, including noting the work already carried out by the Foreign, Commonwealth and Development Office in laying regulations before Parliament for over 30 regimes in preparation for Brexit. It cautions, though, that the new regulations will not necessarily be identical to the old, and that firms should check the precise scope of each regime, paying particular attention to those that have been merged, separated or renamed. UK Finance has produced a lengthy guide to help firms see which regimes may be subtly different next year.
The Consolidated List that OFSI maintains will be updated at 11pm on 31 December and, as a result, firms may need to screen all designations under SAMLA as new fields will be added. It's not all bad news, though, because in principle licenses issued by OFSI under EU regulations will remain valid until they expire or are revoked – although there will be changes to the licensing process going forwards.
Finally, the Department for International Trade has published a UK version of the retained Blocking Regulation, which continue to protect UK persons trading with countries affected by the extraterritorial application of certain laws – specifically US sanctions against Cuba and Iran.
There were some major enforcement actions and cases over the year.
On the bribery front, the main publicised SFO actions were two deferred prosecution agreements, with very different entities. The first, published in February, with Airbus SE, saw the company agreeing to pay a fine and costs totalling €991m as part of a €3.6 bn global resolution. The action related to five counts of failing to prevent bribery in the commercial and defence and space divisions and across five jurisdictions between 2011 and 2015. Part of the reason for the DPA was that once SFO was engaged (although the company could have acted more quickly to do so), it cooperated fully and had new leadership that put in place a programme of corporate reform and compliance.
The second was with Airline Services Limited, published in November. The company won three contracts to refit commercial airliners for Lufthansa, through using an agent who was a Lufthansa employee, who used his knowledge to get the company a competitive advantage. The company fully self-reported, and accepted responsibility for three counts of failing to prevent bribery. Evidence showed that it had decided not to take advice it had sought on how to implement the Bribery Act, and had not communicated any procedures to staff. As a result, it was not compliant with the Bribery Act for around four years. The company is dormant, but is remaining in existence in order to fulfil the terms of the DPA, which require overall payment of nearly £3m, of which nearly a third represents disgorgement of profits.
In an interesting court case on sanctions, a consortium of reinsurers had tried to trace funds owned by the Syrian state and its agents which were frozen and which, if found, they planned to ask the Government to release an amount to satisfy a judgment debt which they were owed. The reinsurers believed that Treasury knew where the funds were, but Treasury stated that it was not permitted to tell them. It said that information it received must be used only for the purposes for which it was provided to it, one of which is "facilitating compliance", but it said that did not include facilitating the release of funds in these circumstances. The Court thought otherwise, and the judge said there should be a balance between the punitive measures in sanctions and derogations and exceptions to moderate their impact. The judge felt that conceptually, the reinsurers were in a similar position to civilians deprived of supplies because of sanctions, and felt that Treasury would not be prevented by regulations from providing the information the reinsurers sought.
Elsewhere, the Court of Appeal upheld the ruling that a borrower UK bank was entitled to withhold repayments under a loan where the ultimate beneficial owner of the lender was a Specially Designated National by US OFAC. Cynergy had borrowed £30m as Tier 2 capital, and, when, 3 months after signing the facility, the beneficial owner of the lender, Lamesa Investments, became an SDN, Cynergy said the Ukrainian Freedom Support Act would allow the US to ban Cynergy from operating a USD correspondent account if it had "knowingly facilitated" a financial transaction on behalf of an SDN.
At first instance, the judge said this was a mandatory provision of law, and was not the less so simply because it created a risk of a penalty or sanction rather than actually requiring or prohibiting an action. The judge had also noted that the parties were both aware of the likely designation at the time of signing the facility, so would not have been likely to have intended to limit the words “in order to comply” in the facility agreement to only an express statutory prohibition, given that they would understand the potentially “ruinous” effect of secondary sanctions on Cynergy’s business.
The High Court found that the judge had perhaps overlooked some relevant factors – specifically that the clause in question was a standard term in common usage, so a detailed consideration of the parties’ intention in using it may not have been appropriate. The judge said the process of interpretation should be a unitary exercise, starting with the words and relevant context, and then an iterative process checking each suggested interpretation against the provisions of the contract and its commercial consequences. He said the “relevant context” in this case was that the court was considering a standard provision in a loan agreement used for Tier 2 capital and that the facility agreement made it clear the capital was required under “Capital Regulations” including CRD 4. He said non-payment provisions for loans of Tier 2 capital are not of the kind seen in ordinary loan agreements because the loans are subordinated and repayment events controlled. The original borrower had been the UK subsidiary of a Cypriot bank, which was subsequently sold to the Cynergy group. It appeared to the Court of Appeal that the relevant clause was drafted, in principle, to deal with possible future events beyond sanctions, and that the High Court had lost sight of this. The key, said the Court of Appeal, was that the relevant clause did not extinguish the entitlement to be repaid, but that if the proviso is engaged, there would be no default and therefore the lender could not seek to wind up the borrower. He concluded the context to the clause was a balance between the desire of the lender to be paid timeously and the desire of the borrower not to beach any laws etc. Then the court considered what a “mandatory provision of law” would mean in the context and concluded it was possible to give it different meanings – either compliance with a statute or, more broadly, that it can relate to actual or implied provisions of law. In this case, Cynergy was relying on the EU Blocking Regulation wording which, in a different context, uses similar language to prevent compliance with US statutes that impose secondary sanctions. Ultimately, the judge felt that the clause had been drafted by those who understood the nature of international sanctions, and the effects of US secondary sanctions, so the drafter must surely have intended the borrower to be able to seek relief in these circumstances.
So, all in all, although the Court of Appeal did not necessarily agree with all the reasoning of the High Court it agreed with the order.
FCA enforcement action – AML
In June, FCA fined Commerzbank AG London Branch nearly £38m for AML systems and controls failings spanning a 5 year period to September 2017. The bank benefited from a 30% discount for early settlement. Many of the bank’s global customers use products and platforms managed through the London branch, which acted as a hub for sales, trading and due diligence processes for a significant number of global customers. The failings started in October 2012 and FCA raised specific concerns in 2012, 2015 and 2017 and was at the time also publishing guidance about its expectations on firms and taking enforcement action against a number of firms for AML failings. Additionally, the US regulators had taken action against the bank in 2015 for AML failings (which did not involve the London branch) Nevertheless, the failings in the bank continued.
The failings included:
- shortcomings in its financial crime controls applicable to introducers and distributors, specifically in the use of group introduction certificates;
- instances where identification and risk assessment of PEPs was inadequate
- failure by certain business areas to comply with the London branch policies on verification of beneficial ownership
- a lack of full process for terminating a client relationship because of financial crime concerns
- failure to have a clear articulation of risk and issue owners
- failure to conduct timely periodic due diligence on clients. Many clients were as a result overdue on updated checks, and of those many were able to continue dealing with the branch under an improperly controlled or overseen exceptions process – both senior branch management and Compliance lacked understanding and awareness of this process. FCA commented that by the end of 2016 this was “out of control”
- failure to address long-standing weaknesses in its transaction monitoring tool – which, among other things, it noted that, in 2015 lacked 40 high-risk countries and over 1,000 high risk clients
- failure to have adequate CDD policies and procedures in place.
FCA commented that its expectations on financial crime prevention controls include expectations on branches of overseas firms. The failings meant the bank was open to being used for financial crime although there was no evidence that it was in fact occasioned or facilitated by the breaches.
Some of the failings were due to understaffing at key times – with the financial crime team in Compliance consisting of only 3 full time staff in 2016 (this was increased to 42 in 2018).
FCA found Commerzbank had conducted a significant remediation exercise to bring its controls into compliance, which were being tested by a skilled person, and has also looked back to identify suspicious transactions. The bank had also agreed a VREQ, which included temporarily stopping taking on high-risk customers, ceasing new business with existing high-risk customers who were overdue a review, and suspending all new trade finance business activities. The remediation period is now complete and the bank is requesting a lifting of the restrictions.
So what can we look forward to in 2021? It seems like the Brexit-related changes may not be too hard to adapt to, so in some ways the challenges and changes will relate more to business as usual. We see the statistics of rising SARs, especially defence SARs, and we see a continuing theme of financial crime in skilled persons reports. We know it takes quite some time for FCA concerns to result in publicised enforcement decisions, and we are also seeing a pattern of fewer, but harsher, decisions. We can surely expect at least one large enforcement action with a financial crime prevention systems focus.
Firms will continue to get used to the changes that MLD5 brought, such as the additional obligations for trusts and the reporting of beneficial ownership discrepancies. Meanwhile, the bank account portal which was due to take effect in September 2020 has been delayed. When it takes effect, credit institutions and providers of safe custody services will need to use it to respond to requests for information from enforcement agencies.
Otherwise, the spectre of the "failure to prevent" offence is ever present. The Government's response to its call for evidence on corporate liability for economic crime identified several possible reform options, including a failure to prevent offence like the Bribery Act one, or a variant on it. It feels as if we are not much further forward than we were some years ago – everyone agreed at the time the Bribery Act was made that the previous framework did not provide sufficient deterrent to corporate misconduct, and that the "identification" doctrine inhibits holding companies to account. Currently, the Law Commission is working on the options and aims to publish a paper in late 2021. So it seems we won't be seeing any early reform.
On the supervisory review side, FCA is likely at some stage to focus on firms' response to the effects of the pandemic, looking at how they coped with compliance during it, what new risks they identified and what they have done to remedy any issues that they could not deal with adequately during lockdown. Financial crime prevention, both in terms of risk detection and assessment and business as usual, is likely to be high on the list.
Emma and the financial services regulatory team at Womble Bond Dickinson regularly update on financial crime prevention and financial regulatory issues in their FIN news site. You can follow it on; www.financialinstitutionsnews.com