The criminal future of AML enforcement

We have also commenced a small number of investigations into firms’ systems and controls where, for the first time, we have indicated to those firms that we are looking at whether there has been any misconduct that might justify a criminal prosecution under the Money Laundering Regulations.

I am conscious that starting criminal investigations against firms in relation to poor Anti Money Laundering systems and controls may draw some sharp intakes of breath.

Mark Steward, FCA Director of Enforcement and Market Oversight, July 2018^[1]

It may be surprising to recall that, even a decade after the implementation of the Money Laundering Regulations 2007 (‘the 2007 Regulations’), (since superseded by the Money Laundering Regulations 2017 (‘the 2017 Regulations’))), which expressly included criminal offences for firms and individuals found in breach, Mark Steward was still expressing caution about the prospect of the FCA investigating anti money laundering (AML) failings on a criminal basis.

Mr Steward’s reticence to launch a prosecution is consistent with the UK law enforcement community’s longstanding disinterest in enforcing the AML failings by criminal sanction. The first iteration of the money laundering regulations were promulgated by HM Treasury in 1993 as a result of a 1991 EU Directive concerning compulsory AML measures to be adopted by all Member States. The Directive marked the first occasion when the EU purported to have jurisdiction as regards the national criminal laws of its members. In 1996 the CPS brought the first prosecution pursuant to them against a North London FX bureau for alleged failure to maintain adequate identification procedures. (The business catered exclusively for members of the Orthodox Stamford Hill-based Jewish community). Represented by a partner of this firm, the prosecution collapsed after the judge ruled that the regulations were ultra vires as regards their creation of criminal offences. No further prosecution was attempted despite this defect being cured by the next iteration of the regulations in 2003.

The first successful prosecution (by HMRC) of an individual under the 2007 Regulations did not occur until 2012, and only four followed in the next five years. Despite having the power to prosecute AML failings for well over a decade, the FCA has yet to do so.^[2]

However, despite this slow start, a recent shift in rhetoric suggests changing priorities at the FCA, and may well signal significant growth in criminal enforcement in the near future.

‘I think it is time that we gave effect to the full intention of the Money-Laundering Regulations which provides for criminal prosecutions…’ said Mr Steward at the GIR Live London conference in April 2019. ‘I suspect criminal prosecutions, as opposed to civil or regulatory action, will be exceptional. However, we need to enliven the jurisdiction if we want to ensure it is not a white elephant and that is what we intend to do where we find strong evidence of egregiously poor systems and controls and what looks like actual money-laundering.’^[3]

Earlier in the same speech, he acknowledged the increasing frequency with which the FCA now opens ‘dual track’ investigations with the prospect of either criminal or civil proceedings, in line with the established practice in cases of suspected market abuse. Whereas previously such criminal investigations had justified ‘sharp intakes of breath’, less than 12 months later Mr Steward asserted that such an approach should not be ‘anything controversial’ and that it would be inappropriate for the FCA to make overly hasty decisions as to the appropriate investigative track.

So it appears that there is the will to bring more criminal prosecutions in respect of breaches of the 2007 Regulations and the 2017 Regulations. Assuming so, when and how might this come to pass? What will be the threshold for ‘egregiously poor’ systems and controls and, if such circumstances are proven, is it inevitable that the individuals responsible for those failings will also be in the firing line?

Standard Chartered

One timely benchmark is the FCA settlement published a few days after Mr Steward’s most recent comments, in which Standard Chartered Bank agreed a penalty of £102.2m (after a 30% early settlement discount) for AML failings related to the activities of its UAE branches and its UK wholesale correspondent banking operations between 2009 and 2014.

The use of the 2007 Regulations to sanction the conduct of Standard Chartered’s UAE branches is unusual (some might say creative), in that it did not concern failings within the UK financial system. Rather, the FCA relied upon Regulation 15 of the 2007 Regulations, which required branches and subsidiary undertakings in non-EEA countries to apply AML measures at least as stringent as the UK regime. The FCA concluded, and Standard Chartered accepted, that there were significant shortcomings in the internal assessment of its AML controls and the systems for identifying, mitigating and escalating money laundering risks in the UAE. At its most extreme, the lax controls had allowed a customer to open an account with £500,000 in cash from a suitcase, with little evidence of any investigation into the source of the funds.

With regard to the UK wholesale operations, the FCA lamented ‘serious and systematic Due Diligence shortcomings’ in assessing counterparty AML controls, exacerbated by the volume and value of transactions, and high-risk jurisdictions involved. The position will not have been helped by a poor track record of AML compliance and risk response by the bank, with some of the issues involved being flagged as long ago as 2010.

Bearing these features in mind, Standard Chartered will likely be glad that the FCA restricted itself to civil penalties, and allowed some leniency in negotiating the fine. Equally, those involved in implementing (or not, as the case may be), the relevant Compliance programmes will be relieved that it remained a corporate matter. However, this may be the last time that the FCA sits on its hands.

What happens next?

When the next significant MLR enforcement case arises, and assuming the FCA cross the criminal Rubicon, what are the prospects of an individual Compliance or Money Laundering Reporting Officer also being in the firing line?

Under Regulation 92 of the 2017 Regulations, where an offence committed by a corporate defendant is proved to have been committed with the consent or connivance of, or is attributable to neglect on the part of an officer, he or she can also be personally liable. As such, there will need to be some demonstrable link between the corporate breaches and the officer’s conduct, even if only by dereliction of duty rather than knowing consent. Even if the investigation into Standard Chartered had been a criminal, the scale of the breaches and the size of the firm, together with the cross-jurisdictional elements, may well have prevented any single officer being sufficiently culpable to justify individual prosecution.

However, if the runes cast by Mr Steward are being correctly interpreted, criminal MLR enforcement has become an increasing priority for the FCA. If this is the case, it can only be a matter of time before a firm becomes the target of a prosecution. Assuming the breaches concerned are as ‘egregiously poor’ as Mr Steward suggests, it seems inevitable that those individuals responsible in the firm for creating, implementing and enforcing the failed systems and controls will also be considered fair game.

[1]                https://www.fca.org.uk/news/speeches/mifid-ii-and-fight-against-financial-crime

[2]                https://www.fca.org.uk/publication/foi/foi5745-response.pdf

[3]                https://www.fca.org.uk/news/speeches/partly-contested-cases-pipeline-and-aml-investigations

This article was originally published in Thomson Reuters Regulatory Intelligence.