The Criminal Finances Bill
The Criminal Finances Bill 2016-2017 (the Bill) was introduced into Parliament on 13 October 2016. The main portion of the Bill is a range of measures that amend the existing anti-money laundering and suspicious activity reporting regime under the Proceeds of Crime Act 2002 (POCA). Alongside this, there are enhanced powers to investigate and seize the proceeds of crime and terrorist property in the form of disclosure orders, unexplained wealth orders and enhanced civil recovery powers. The Bill also contains a corporate offence of failing to prevent the facilitation of tax evasion, which has been the subject of a long consultation process spearheaded by HM Revenue & Customs. The Bill is expected to become law in 2017, although no implementation date has been announced.
The Bill includes proposals to allow information to be shared between regulated entities on specific suspicious transactions. Regulated entities include banks, financial institutions and professional advisers that carry out a regulated business within the meaning of Schedule 9 to the POCA.
While the aim of the proposals, to help both law enforcement agencies and the private sector investigate and tackle money laundering, is undoubtedly admirable, they bring potential challenges and pitfalls for regulated entities, and further consideration and guidance is needed to ensure that the proposals are workable in practice.
Suspicious activity reports
A suspicious activity report (SAR) is the formal mechanism for making an authorised disclosure under the POCA: section 330 (a SAR to provide information) or section 338 where consent is sought to proceed with a transaction. Making an authorised disclosure under section 338 and seeking appropriate consent from the NCA provides a defence to the primary money laundering offences under sections 327 to 329 of POCA. An authorised disclosure can be made:
• After money laundering has occurred, if there is good reason for not disclosing it earlier and if the disclosure is made as soon as practicable (section 338).
The Bill gives the National Crime Agency (NCA) a new power to request further information where a SAR has been filed or a request has come in from the NCA’s equivalent in another jurisdiction. This appears to be a sensible extension to the current regime, albeit it is important that the power is used in a proportionate way, given the costs to regulated entities of responding to requests of this sort. If this proposal helps lead to increased dialogue between the NCA and regulated entities, with the aim of sharing information and providing additional clarity, then such a proposal is likely to be welcomed.
The real novelty of the Bill lies in permitting the sharing of information within the private sector to help determine an issue in relation to a specific suspicion of money-laundering. Either the NCA or another regulated entity may make a disclosure request to a regulated entity (section 339ZB(3)). The goal appears to be to enable regulated entities to access information that in turn enables them to assist more effectively in the collective effort to combat money laundering. This is commendable, but there are a number of issues that require additional thought and clarification, and it is important to recognise that regulated entities do not have unlimited resources.
Under the Bill, a regulated entity may only request information from another regulated entity where it has grounds to suspect that a person is engaged in money laundering (section 339ZC(2)(a)). Therefore, a suspicion must have been formed, and the test for making a SAR must be made out before information sharing can be considered.
If a regulated entity makes a disclosure request, it must notify the NCA and provide details of the request. The notification must include the same information that the regulated entity would have put in a SAR. Assuming that the other regulated entity has responded to the disclosure request, the regulated entities involved in the information sharing (there may be more than one) may file a joint SAR setting out the continuing grounds for suspicion and any additional information not already included in the requester’s prior notification.
Where a regulated entity notifies the NCA that it has made a disclosure request, this satisfies the requirement to submit a SAR under section 330 of POCA. However, there is no indication that a notification satisfies the requirement to make an authorised disclosure under section 338 POCA (where consent is requested for a transaction which relates to criminal property). This would mean that where consent to act is required - the situation which gives rise to a large number of SARs - a disclosure would need to be made, in addition to a notification, and a duplication of effort would occur. It is hoped that the making of a disclosure request will not trigger a delay in the granting of consent (e.g. where the NCA awaits the product of the request before consenting to a transaction) as a matter of policy, rather than only where this is appropriate on the facts.
The disclosure of information by one regulated entity to another is only permitted where prompted by the NCA, or where there is a request for information. There is no provision for one entity to share information of interest, without seeking anything in return. Given the principles underpinning the anti-money laundering (AML) regime, regulated entities are likely to take a risk-based approach to the making of disclosure requests, and will not be making them as a matter of course.
Regulated entities' discretion
While not explicitly stated in the Bill, the inference is that a regulated entity has a discretion over whether to make a disclosure request (and related notification) or simply to submit a SAR. The drafting should be made clearer on this point. However, the Bill does make clear that the entity receiving the request has a discretion over whether to respond (clause 10, section 339ZB(1)).
This raises a question: if a regulated entity has a discretion in making and responding to a disclosure request, what is the incentive for a regulated entity to go further than its statutory obligation to make a SAR? Law enforcement agencies and regulators will be watching closely the development of information sharing under the Bill, and it may be the risk of intervention by either, or both, which shapes how a regulated entity responds to the new regime.
The NCA may expect to receive a reason if a regulated entity refuses to comply with a disclosure request – although the Bill is silent on this. An entity must be satisfied that the disclosure requested of it will or may assist in determining any matter in connection with a suspicion that a person is engaged in money laundering (clause 10(5)). If an entity decides that the information requested would not assist in determining a money laundering issue, and therefore does not accede to the request, or refuses to respond to the request for any other reason, it should record and retain its reasons for that decision so that it can respond to any questions from the NCA or scrutiny by the Financial Conduct Authority (FCA).
The FCA may start to view decisions about when and whether to employ, or respond to, disclosure requests as part of a firm’s systems and controls to address the risk of being used to further financial crime. It may also begin to look at information sharing between regulated entities as part of its AML "deep dive" programme. This would mean regulated entities being able to explain how they are using the information sharing channel and, to the extent that they are not, the reasons for their position. In a recent speech, the FCA’s Head of Financial Crime praised the work of the Joint Money Laundering Intelligence Taskforce (JMLIT – a partnership of banks, law enforcement and regulators) and the benefits of sharing information. He stated that FCA supervisors would “stand back from JMLIT…they will not seek to probe or second-guess how banks participate”. The industry will be keen to see whether a similar ‘stand back’ approach is taken to information sharing under the Bill.
Regulated entities are understandably worried about the risks of sharing customer information with others. The Bill attempts to protect regulated entities from legal exposure as a result of information sharing. If a “relevant disclosure” is made in good faith, it will not breach any obligation of confidence or any other restriction on the disclosure of information (section 339ZF). While this is welcome comfort, further clarity is needed on whether this carve out really addresses regulated entities' concerns, which include:
- Customer challenges;
- Data protection;
- Overseas data transfer; and
- Anti-competitive conduct.
Regulated entities may welcome a tightening of the language in the carve out (section 339ZF) such that a “relevant disclosure” is one made ‘in response to’ a disclosure request. A customer challenge could be foreseen on the basis that the required conditions (in section 339ZB) for a disclosure were not met, that the disclosure is not therefore ‘made under’ the appropriate question, and the carve out from litigation does not apply.
The relationship between the Bill's information sharing provisions and the Data Protection Act 1998 (DPA) will require careful consideration. It may be that the carve out intends to cover the applicable restrictions on disclosure in the DPA, although clarity on this point would be welcomed. However, it does not exempt regulated entities from their wider obligations with respect to the processing of personal data pursuant to the DPA.
The regulated sector covers a broad spectrum of organisation, from large multinational operations to small financial advisers. While the Bill allows any regulated entity to request information from any other, banks may feel more comfortable sharing customer information with other major institutions, which have similarly sophisticated systems and controls to protect customer data, than with smaller entities.
In addition, the loss or accidental disclosure of customer data could harm a customer and damage a regulated entity's reputation: an outcome that regulated entities will be keen to avoid, even if the law offers a defence to any civil claims.
An amendment to the Bill to make the section 339ZF carve out wider, with explicit references to the DPA, and the Data Protection Directive (95/46/EC) from which it is derived, could give regulated entities additional comfort. Such an amendment might also focus Parliament’s attention on the issue of whether the section 339ZF carve out will protect banks from liability under the new General Data Protection Regulation (679/2016/EU) (GDPR), which will take precedence over domestic law while the UK remains in the EU, and in particular what derogations from the GDPR may be necessary.
Overseas data transfer
Another concern for regulated entities is the confidentiality obligations that they may owe under foreign laws. The carve out, as currently worded, protects against claims brought under English law, pursued in the UK, but not against action taken by customers or regulators overseas. The FCA and the NCA may have to accept that regulated entities may legitimately decide not to share information in circumstances where such sharing would expose an entity to liability under a foreign law. Thought should be given by law enforcement agencies to how entities should act where conflicts of this kind arise.
Switzerland is an example of a jurisdiction with stringent secrecy laws that can inhibit the flow of information for AML purposes. Where regulated entities have shared internally information subject to these laws for AML purposes, it is important that they are not pressurised to share the information more widely. Any such pressure could be counterproductive by leading them to be less comfortable about internal cross-border information sharing, where doing so would expose them to liability under foreign law.
Concerns arise that the sharing of information between regulated entities could amount to anti-competitive conduct, for example, where product or pricing information is integral to the set of facts which are shared as part of a disclosure request. It would be helpful to have language in the Bill, such as that in 339ZF, making explicit reference to an exemption from Competition Law where a ‘good faith’ disclosure is made.
Extension of the moratorium period
Currently, there is a 31-day moratorium period during which a party that has filed a consent SAR must refrain from proceeding with the transaction pending the NCA’s decision on whether to take further action. The Bill proposes an extension of this period of up to a total of six months in order to give the NCA more time to investigate whether the activity should be permitted (clause 9, section 336A(6)).
While these investigations are undoubtedly important, the potential for a six-month delay for a regulated entity with a transaction pending, or a client awaiting access to funds, is a real concern and a balance must be struck. In this respect, the Bill provides some safeguards. An application must be made to the court by a senior officer of e.g. police, HMRC or the NCA. The extension will be permitted only where it is ordered by the court. The test for the court includes consideration of whether the investigation is being conducted with diligence and expedition, and whether it is reasonable in all the circumstances to grant the extension. It is assumed that the application would be served on the owner of the funds under consideration (e.g. the account holder) – this would be a reading consistent with other parts of POCA (e.g. cash seizure provisions). As such, the existence of an ongoing money laundering investigation would become known to all parties and could be given as a reason for the delay to a transaction. The practical aspects of the application process will, it is hoped, be made clearer in the forthcoming rules of court referred to in the Bill.
In practice, it is to be hoped that the NCA will invoke this measure only in exceptional cases and will adopt a proportionate approach, including expediting decisions where the value of the transaction is comparatively high and the financial crime risk comparatively low.
Where to go from here
Making the UK financial services sector a more hostile environment for money laundering and terrorist financing is undoubtedly a good thing. The JMLIT 12-month pilot, which provided a space for the private sector to share information with enforcement agencies, has generally been recognised as a success in this regard.
While the Bill seeks to build on the success of that information sharing, there are legitimate concerns with how the proposals will work in practice. Some of these may be addressed as the Bill progresses through Parliament or through guidance from the NCA. Regardless of the final picture, the Bill is likely to require regulated entities to consider how to update their existing procedures.
From a systems and controls perspective, the proposals on information sharing in the Bill will require regulated entities to create and embed new procedures, and amend policy and internal guidance, on:
- When outgoing disclosure requests should be made;
- How incoming requests should be handled;
- How both outgoing and incoming requests, and decision-making around those requests should be recorded; and
- How that recorded information should be incorporated into the regulated entities' various monitoring systems to inform future alerts and decisions.
This text is based on an article first published in Practical Law magazine on 1 December 2016.