Risk management – impact of increased regulatory risk
March 2018 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2018 Issue
Financial institutions and businesses in the UK and the EU are some of the most heavily regulated in the world, for the purposes of anti-money laundering (AML) regimes and to prevent terrorists financing (TF), tax evasion and market abuse. A key element of such regulation is the requirement for companies in the regulated sector to provide information to the authorities whenever they have suspicions about the provenance of funds or assets.
This requirement is enforced through the criminal law whereby, for example, dealing with assets suspected to represent the proceeds of crime is prohibited unless the suspicious activity report (SAR) process has been followed. Also, through the regulatory regime whereby a failure to report certain matters, such as suspicious trading activity, is treated as a regulatory breach, punishable with the imposition of financial penalties.
This duty to provide information to the authorities in effect deputises businesses to act as the eyes and ears of the authorities in their fight against financial crime, the impact of which is discussed in the first part of this article. The second part of the article considers the cross-border requirement on businesses to provide information to regulators and the conflict this can cause with data transfer restrictions.
Before turning to the first topic, a brief outline of what is meant by the regulated sector. For the purposes of the UK AML regime, the regulated sector means those firms that are subject to the Money Laundering Regulations 2017 (MLR 2017), such as firms in the financial sector (banks, insurance companies, investment firms and brokers) and firms in the legal, accountancy and gambling sectors.
Reassuringly, most businesses in and outwith the regulated sector do want to comply with the law and understand that there are very good public policy reasons for being required to assist the state in its effort to counter money laundering, terrorist financing and so on. Businesses also devote a considerable amount of resources to compliance. The British Bankers’ Association estimates that its members collectively spend at least £5bn annually on core financial crime compliance.
To further put things into perspective, it is estimated that £90bn of illicit funds is laundered through the UK annually. The National Crime Agency (NCA), the body which monitors SARs, received 634,113 SARs in an 18 month period from October 2015 to March 2017. In that same period, the NCA stated in its 2017 annual report, assets of around £56m were denied to suspected criminals as a result of SARs. SARs are also a valuable source of intelligence for the NCA and other agencies.
There is empirical evidence that SARs are not only increasing in number year-on-year but are also becoming increasingly complex due to more cases having an international dimension and using complex money flows and structures, and more trade-based money laundering.
The UK government’s 2015 call for information on the operation of the SARs regime states that many businesses believe the regime is not working properly because, among other things, ‘defensive’ SARs are being submitted due to a fear of failing to comply with the Proceeds of Crime Act 2002 rather than any genuine suspicion, there is duplication of reporting, and the sheer volume of reporting, especially in the banking sector.
The UK government in its 2016 Action Plan for anti-money laundering and counter-terrorists finance (2016 Action Plan) stated that “the current regime does not work as well as it could” and that it was committed “to reducing the regulatory burden on business, which can distract or make it harder for companies to focus on real risks and will ensure that any additional burden placed on businesses…are targeted, proportionate and justified by evidence of significant need”.
A key measure that underpins the UK government’s aim to more effectively tackle money laundering is the need for companies to take a risk-based approach to identifying where in its business it needs to devote the most attention and resources. This theme of taking a risk-based approach runs through the MLR 2017. A key reform is a requirement for regulated firms to conduct a firm-wide risk assessment taking into account the size of the firm and the nature of its business to assess the AML and TF risks to which the business is subject, having regard also to the UK National Risk Assessment and sector-specific risk assessments.
Other key measures in the UK government’s strategy to strengthen the AML regime is reform of the SARs regime and to foster a stronger information sharing partnership between government and the private sector, the latter having been piloted through the Joint Money Laundering Intelligence Taskforce.
The Criminal Finance Act 2017 (CFA 2017) is another important piece of the UK government’s strategy to combat financial crime. It gives the NCA the ability to obtain extensions for up to a maximum of six months – previously it was 31 days – in which to decide whether to restrain the assets referred to in a SAR on the basis that it is suspected criminal property. During this moratorium period there can be no dealing in the assets. The CFA 2017 also introduces super SARs which allow multiple regulated firms to submit a SAR on the same subject matter and to share information and coordinate their response.
The UK government and the EU do wish to enhance the flow of information from the regulated sector to aid their fight against financial crime, while acknowledging that there is a tremendous regulatory burden on businesses which needs to be reduced. A key step by the authorities is the adoption of the risk-based approach to regulation and compliance which aims to refocus businesses to concentrate their resources to be more smartly deployed to the areas of greatest risk. The requirement on business to be another set of eyes and ears for the regulators remains a key component of the authorities’ long-term strategy to combat financial crime, which leaves business with little option but to comply having regard to, among other things, the size and nature of the business. There is a modicum of relief, however, with measures such as the risk-based approach to regulation and compliance and the UK government’s stated intention, in the 2016 Action Plan, to try to ease the regulatory burden on businesses.
Another major risk arises when businesses are required to provide information from overseas offices and subsidiaries to a regulatory authority to assist that authority’s investigations. Although police-to-police enquiries allows for a speedy exchange of information between international authorities, such information is usually for intelligence purposes only and cannot be used as evidence. This leaves the mutual legal assistance treaty route for authorities to obtain overseas evidence. As this route is usually very slow, businesses are often seen as a speedier means for an authority to obtain the overseas information it seeks. Unfortunately, in such circumstances regulatory authorities attach little weight to the legal restrictions on international data transfer.
Businesses that are subpoenaed or requisitioned to assist in this way will be wise to understand and manage a number of risks associated with transferring information from one jurisdiction to another for the purposes of providing it to a regulatory authority which is foreign to the jurisdiction where the information is hosted.
There are laws, known colloquially as blocking statutes, in countries such as France and Switzerland, that make it a criminal offence to transfer information out of the jurisdiction to provide to a foreign authority or for use in foreign court proceedings, unless the information is transferred through a recognised treaty route or with permission of the relevant home authority. There are also data protection laws in the EU that require certain safeguards to be in place before ‘personal data’ can be transferred out of the jurisdiction. Indeed, the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, specifically prohibits such transfers of information unless the transfer is under a recognised treaty or with permission of the relevant home authority.
Businesses are therefore faced with a balancing of risk exercise. That is, to assess the risks of not complying with the regulatory authority’s request, such as being seen as uncooperative and risking becoming a target of the investigation rather than simply a holder of useful information and possibly being penalised for failing to provide the information. The risks associated with not complying have to be assessed against the risks associated with breaching the blocking statute or data protection regulations or both, such as the possibility of a criminal conviction and fines against the company or its officers or both. To illustrate the point, breach of the GDPR carries a potential fine of up to €10m or 2 percent of annual global turnover or €20m or 4 percent of annual global turnover, whichever is the higher, depending on the seriousness of the breach.
These risks can, however, be managed by, for instance, liaising with the respective authorities and using legal contacts in the host jurisdiction to speed up the treaty route for information transfer, or by finding the information in another jurisdiction that does not have such prohibitions against transfer. In any event, it is imperative that expert legal advice is taken to navigate a clear course through these complex and serious issues.
Neill Blundell is a partner and Tapan Debnath is a principal associate at Eversheds Sutherland. Mr Blundell can be contacted on +44 (0)20 7919 4533 or by email: firstname.lastname@example.org. Mr Debnath can be contacted on +44 (0)20 7919 0911 or by email: email@example.com.
© Financier Worldwide
Neill Blundell and Tapan Debnath