With the 3 February 2021 announcement by Santander, the Madrid-based financial services company, that it is cooperating with a civil regulatory investigation by the U.K. Financial Conduct Authority (the FCA) into its compliance with the U.K. Money Laundering Regulations 2007 and potential breaches of FCA principles and rules relating to anti-money laundering and financial crime systems and controls, it is clear that financial crime is a significant area of focus for the U.K. in 2021.
At the end of 2020, the FCA confirmed that, as of 26 October 2020, it was investigating 16 financial institutions for failing to implement adequate safeguards to prevent the flow of illicit money. Moreover, in its 2020 Business Plan, the FCA identified “operational and financial resilience” as one of its key areas of focus for 2021, noting that:
“…this year we will start to implement changes to how we reduce financial crime…We will continue to take enforcement action where we uncover serious misconduct, particularly where there is a high risk of money laundering.
Fraud falls within our priority of reducing the risk of financial crime. Our work is focused on ensuring that firms meet our requirements to have effective systems and controls to detect, disrupt and reduce the risk of financial crime.”
FCA Business Plan, 2020 – 2021
In guidance issued by the FCA in 2020, it also made clear that, whilst recognising that regulated firms face operational issues as a result of the pandemic, firms should not lower their risk appetites as a result of those issues. Any positive decisions made during the pandemic not to investigate potential financial crime issues, or any instances where red flags were inadvertently missed, for example, will be scrutinized by the regulator and may ultimately result in enforcement action. Past FCA enforcement actions have seen Deutsche Bank fined in the amount of £163 million for allowing Russian customers to transfer over $10 billion to offshore bank accounts and Standard Chartered fined in the sum of £102 million for anti-money laundering breaches at its UAE branches. In the U.K., penalties for breaches of anti-money laundering and counter-terrorist financing requirements range from up to 14 years imprisonment to unlimited fines.
The FCA is not the only U.K. agency hot on the heels of breaches of U.K. money laundering regulations. In January 2021, the U.K.’s tax agency – Her Majesty’s Revenue and Customs (HMRC) – published the latest list of businesses which have been handed fines for breaching regulations aimed at preventing criminals from laundering illicit money. HMRC’s list includes a money transfer company which was fined £23.8 million related to “risk assessments and associated record-keeping; policies, controls and procedures; and fundamental customer due diligence measures”.
The deluge of U.K. enforcement activity should also be seen in the context of the launch, at the end of 2020, by the Treasury Committee (a committee of the U.K. parliament) of an inquiry into what progress has been made in the U.K. in combatting economic crime. The inquiry was launched in the light of the September 2020 release of the so called “FinCEN files,” in which the world’s press reported on over 2,500 leaked reports sent to the U.S. Treasury Department detailing suspicions of money laundering.
Mitigating the Risks
With financial crime systems and controls, and particularly those related to anti-money laundering and counter-terrorism financing, high on the list of priorities for U.K. law enforcement agencies, relevant businesses should consider the following:
- Ensure that all legislation is adhered to. Within the space of the past year or so, there have been significant developments in anti-money laundering laws, with the entry into force of various laws and regulations including the Fifth Money Laundering Directive (MLD5). The MLD5 includes, for example, a requirement on relevant firms to flag any discrepancies they discover between their own client due diligence and those persons with significant control who are registered at U.K. Companies House. Firms should also consider whether their business activity is covered by the laws and regulations of other jurisdictions, and will need to navigate any differences and nuances between the various laws that apply to their respective businesses.
- Regularly assess changes in relevant legislation. With the increased focus by law makers, regulators and prosecutors on financial crime, it is expected that there will continue to be changes in legislation designed to combat it. For example, the European Union is expected to introduce new legislation and guidance aimed at cryptocurrencies, and anti-money laundering issues around the use of medicinal cannabis continue to grow particularly in the US and Canada. There is also a question as to whether, in the future, the U.K. will diverge from the European Union’s anti-money laundering legislation. Businesses are well advised to horizon scan, to keep on top of developing laws, regulations and best practices, and to ensure that their systems and controls meet relevant requirements.
- Learn the lessons of those who have gone before. As noted above, significant fines have been imposed on a number of banks and financial institutions relating to the ineffectiveness of their financial crime systems and controls. In the corruption and bribery arena, we have also recently seen some significant penalties for breaches of applicable anti-bribery laws: most notably the E3.6 billion fine of Airbus for various breaches of applicable anti-corruption laws. Businesses should review the details surrounding those fines, as set out in final notices, judgments and press releases, and consider whether there are any gaps or deficiencies in their own processes and policies.
- Reevaluate financial crime systems and controls, and evolve. With the introduction of new legislation as well as law enforcement’s increased zeal for taking enforcement action, businesses are well advised to review their financial crime controls. This should include an assessment of any changes to the business’ profile, including as a result of the pandemic. For example, some businesses are seeing a change in customer habits from more use of online services to increased incidents and sophistication of fraud and cyber-crime. Businesses are also well advised to consider any industry developments, including the increased use of technology. Any identified changes should inform the scope of the business’ financial crime systems and controls, including applicable risk assessments, governance and oversight mechanisms, and training.
- Regularly revisit financial crime systems and controls, and assess their appropriateness and effectiveness. Related to the above, businesses should regularly review their systems and controls. It is unlikely to be appropriate to review applicable systems and controls only in response to a specific incident, such as the pandemic. Businesses are well advised to have a documented plan in place to ensure that financial crime systems and controls are regularly revisited, and that the plan is followed. A failure to follow one’s own processes can itself be a reason for regulatory sanction.
- Have a clear plan for returning to Business-As-Usual processes. The COVID-19 pandemic has meant that, on a risk basis, some businesses had to delay or curtail certain of their financial crime compliance processes, including periodic reviews of clients and ongoing monitoring. As the world slowly starts to return to normal, a written plan should be developed for returning to pre-pandemic processes and, as applicable, revisiting decisions that were made during the pandemic.
- Consider revisiting past decisions. In a previous blog post (“The Benefits and Risks of Conducting an Internal Investigation: Is it Better to Let Sleeping Dogs Lie?”), we considered the advantages and disadvantages of undertaking a voluntary investigation and lifting up the floorboards on decisions that were made during the pandemic. Companies should now consider whether the risks of not revisiting past decisions are greater than doing so.
There can be little doubt that 2021 will see a significant increase in the number of U.K. enforcement actions against businesses whose financial crime systems and controls are found to be wanting, and that we will see significant penalties being imposed against them. This says nothing of the business and reputational impacts which invariably flow from such actions. Relevant businesses are well advised to consider how they can best position themselves to ensure that they are not caught in the crosshairs of enforcement action or, if they are, they are in the best possible position to defend – or reduce – the allegations put to them.