2021 Economic Crime Summary

20 January 2022

Whilst the news over the last 12 months has been filled with (amongst other things) the COVID-19 pandemic and geopolitical crises, there has also been an abundance of key updates and developments in the economic crime arena. In this annual news summary for 2021, we aim to provide you with an overview of the most significant legislative, regulatory, and industry economic crime news which has occurred over the previous year. For the purposes of this summary, these have been categorised as follows:

Evolving Legislation / Regulatory Framework

Corporate Criminal Liability consultation

The Law Commission are reviewing the law relating to the criminal liability of non-natural persons, including companies, and providing options for reform.

In recent years, concern has been expressed that the identification principle does not adequately deal with misconduct carried out by and on behalf of companies (and other ‘non-natural persons’). In particular, some have suggested that it has proved disproportionately difficult to prosecute large companies such as banks for economic crimes committed in their names, by senior managers, for the company’s benefit.

In June 2021, the Law Commission sought views on whether, and how, the law relating to corporate criminal liability can be improved so that it appropriately captures and punishes criminal offences committed by corporations, and their directors or senior management. The responses are now being analysed, and an options paper is being developed, with a publication aim of early 2022.

HM Treasury Call for Evidence and Consultation on the UK’s AML/CTF regulatory and supervisory regime and amendments to the Money Laundering Regulations 2017

In July 2021, HM Treasury ("HMT") published a call for evidence and consultation, both relating to the UK's anti-money laundering ("AML") and counter-terrorist financing ("CTF") regime.

The call for evidence related to a review of the UK's AML/CTF regulatory and supervisory regimes, principally in relation to three key themes: the overall effectiveness of the regimes and their extent (i.e. the sectors in scope as relevant entities); whether key elements of the current regulations are operating as intended; and the structure of the supervisory regime including the work of the Office for Professional Body Anti-Money Laundering Supervision (“OPBAS”) to improve effectiveness and consistency of Professional Body Supervisor (“PBS”) supervision.

The consultation on the other hand sought views on proposed amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs"). The consultation invited views and evidence on the steps that the government proposes to take to amend the MLRs in relation to:

  • whether to exempt particular payment service providers that present a low money laundering (“ML”) and terrorist financing (“TF”) risk, and to remove artists from the scope of the definition of Art Market Participant;   
  • more clearly defining “financial institution” and “credit institution” and whether the definitions should be amended to align with the Financial Services and Markets Act 2000;
  • whether AML/CTF supervisors should have a right of access to view the content of SARs submitted by those they supervise;
  • whether Regulations 16, 18, and 19 should be amended to cover proliferation financing;
  • whether the requirement to report any discrepancies between the beneficial ownership information held by firms and the information recorded by Companies House should be expanded to be an ongoing obligation, rather than a one-off obligation; and
  • how the UK should implement the Financial Action Task Force (“FATF”) Recommendation 16 (the ‘travel rule’) in relation to Cryptoasset transfers

The consultation ran from July to October 2021 and, at present, HM Treasury is analysing the responses received, prior to publishing feedback.

European Commission overhaul of AML/CTF rules

In July 2021, the European Commission presented a package of legislative proposals to strengthen the EU's AML/CTF rules. The package consists of four legislative proposals relating to:

  1. the creation of a new EU AML authority that will transform AML/CTF supervision in the EU
  2. the creation of a new EU AML/CTF Regulation containing directly applicable rules
  3. the creation of a new AML directive which will replace the existing Fourth Anti Money Laundering Directive (Directive 2015/849/EU)
  4. the revision of the 2015 Funds Transfer Regulation (Regulation 2015/847/EU) to make it possible to trace Cryptoasset transfers.  

In the context of Brexit, this will be particularly relevant to firms with operations in the EU (for example UK branches/subsidiaries with a Head Office in the EU) and/or those who wish to provide services to EU customers.

FATF updates its Virtual Asset Service Provider guidance

In October 2021, the FATF published updated guidance relating to Virtual Assets (“VAs”) and Virtual Asset Service Providers (“VASPs”). This builds upon its previous guidance and aims to help countries understand and implement money laundering (“ML”) and terrorist financing (“TF”) obligations relating to this growing sector.

In particular, the updated guidance focusses on six discrete aspects of the VASP landscape:

  1. Providing greater clarity on the definition of VAs and VASPs and, crucially, which types of these are in scope for national ML/TF obligations;
  2. Setting out more granular guidance relating to “stablecoins” (i.e., VAs or financial instruments tethered to a physical asset, such as a fiat currency or high value goods, to reduce its level of volatility and thus increase mass-market attractiveness and usability);
  3. Detailing additional guidance relating to the risks associated with peer-to-peer (“P2P”) VA and VASP transactions, and tools and techniques which could be adopted to mitigate these;
  4. Details of the licensing/registration of VASPs which should occur at national level;
  5. Providing guidance with respect to the “travel rule,” which places identification obligations on both beneficiary and remitter institutions; and
  6. Setting out guidance as to how national VASP supervisors can communicate and collaborate effectively to share intelligence and support investigations.

Under the 2019 Amendments, the MLRs increased in scope to include Cryptoasset exchange providers and custodian wallet providers (UK terms for VASP) and, in December 2020, the Financial Conduct Authority (“FCA”) established the Temporary Registration Regime (“TRR”) for Cryptoasset businesses. Relevant firms were required to register for the TRR to apply to undergo a fit and proper test by the FCA. The UK has not yet implemented the “travel rule”; however, the Government, in its July 2021 consultation (see above), discussed the national implementation of the “travel rule” and how the FATF provisions should be reflected in updates to the MLRs. Firms should be prepared for new statutory instruments to include obligations pertaining to the “travel rule” and, in particular, uplifted remitter and beneficiary KYC and due diligence requirements. Therefore, as the regulatory scrutiny increases, firms seeking to engage with the VA sector will need to keep a close eye on both international and UK regulatory changes.

Shifting Regulatory Expectations

Government guidance around understanding risks relating to accountancy service providers

In February 2021, Her Majesty’s Revenue and Customs (“HMRC”), in its role as AML supervisor for the accountancy sector, published guidance (in the form of a risk assessment) in relation to key areas that accountancy service providers (“ASPs”) should consider as they carry out supervised business activities.

The guidance outlines that ASPs should be aware of the following risks:

  • The use of accountants to legitimise funds;
  • Organised crime groups trying to infiltrate legitimate ASPs or corrupt their employees;
  • The use of client accounts to legitimise fund movements;
  • Criminals taking advantage of weak or inadequate risk assessments, policies, controls or procedures.

The guidance then details common key risk indicators that all ASP sub-sectors should be aware of, and key risk indicators which are specific to the following sub-sectors – accountancy, audit, bookkeeping, company formation, payroll services, and tax advisors.

As mentioned, whilst the guidance is aimed at helping ASPs to understand the risks to which they are exposed, it may also prove useful to other types of firms who enter into a business relationship with ASPs.

FCA issues ‘Dear CEO’ letter to retail banks over AML failings

Retail banks were issued a warning by the FCA about continuing weaknesses and failings surrounding their financial crime controls.

The ‘Dear CEO’ letter was issued in May and made public via the FCA’s website hub on 29th June. It outlined the key issues and weaknesses surrounding retail banks’ financial crime systems and controls and requested that each firm complete a gap analysis of each of the identified weaknesses and take prompt and reasonable steps to resolve them by 17th September 2021.

The letter warned that, although firms did not need to present their work to the FCA, the regulator is likely to request a demonstration of the steps taken after this date at its next visit and, if deemed inadequate, the FCA may consider appropriate regulatory action in order to manage the financial crime risk posed.

The common control weaknesses identified and cited were in the following areas:

  • Governance and Oversight -
    • Blurring of the lines between the first line business roles and second line compliance
    • UK branches/subsidiaries being reliant on Head Office/Group controls over which they cannot demonstrate reasonable assurance as to its effectiveness, nor as to how those processes are adequate for the UK entity’s business/risk profile
    • Lack of evidence of senior management sign-off of high risk situations
  • Risk Assessments -
    • Business Wide Risk Assessments not containing sufficient detail regarding firms’ inherent financial crime risks, their assessment of the strength of the mitigating controls, or the rationale in respect to their level of residual risk
    • Customer Risk Assessments being too generic to cover different types of risk exposure, and not considering risks such as tax evasion or bribery and corruption
  • Due Diligence -
    • Not seeking and (where appropriate) assessing information on the purpose and intended nature of a customer relationship
    • Not demonstrating an assessment of actual customer activity versus expected activity
    • Enhanced Due Diligence not being applied in all high risk scenarios and/or being insufficient to mitigate the customer risk
  • Transaction Monitoring -
    • UK branches/subsidiaries using Group-led systems which have not been calibrated for the business and customer base of the UK entity
    • Systems using arbitrary or ‘off-the-shelf’ thresholds
    • Those responsible for the operation/effectiveness of the systems not having a sufficient understanding of the technical set up
    • Rationales for discounting alerts requiring enhancement
  • Suspicious Activity Reporting (“SARs”)
    • Policies/procedures for internal SAR escalation being unclear or misunderstood
    • Not demonstrating the investigation, decision-making processes and rationale for either reporting or not reporting SARs to the National Crime Agency

The common weaknesses detailed within the letter relate to retail banks; however, the issues identified are deficiencies that have been observed in firms across the wider industry, so a review of these controls may also prove useful to other types of firms.

Firms reminded about potential financial crime risks linked to Afghanistan

In August 2021, following the withdrawal of foreign troops from the region, both the FCA and the Office of Financial Sanctions Implementation (“OFSI”) released statements, reminding firms about the potential financial crime risks linked to the situation in Afghanistan.  

Specifically, in their statements, the FCA and OFSI highlighted that:

  • firms should be aware of the possible impact these events may have on patterns of financial activity when they assess risks related to particular customers and flows of funds;
  • while Afghanistan is not currently listed as a high-risk jurisdiction in Schedule 3ZA of MLRs, firms are required to apply risk sensitive enhanced due diligence measures where there is a high risk of ML and/or TF;
  • firms should ensure that they appropriately monitor and assess transactions to Afghanistan to mitigate the risks of being exploited to launder proceeds of crime or finance terrorism;
  • suspicious activity should continue to be reported to the UK’s Financial Intelligence Unit National Crime Agency (“NCA”); and
  • sanctions are already in place in respect of Afghanistan (against individuals and entities associated with the Taliban), and firms should continue to screen against the UK Sanctions List and in particular the regime specific list for Afghanistan.

The above approach should be considered by Firms with respect to all high-risk jurisdictions requiring the application of enhanced due diligence.

FCA and PRA issue ‘Dear CEO’ letter to Firms carrying out Trade Finance activity

Firms carrying out trade finance activities were issued a letter from the FCA and the Prudential Regulation Authority (“PRA”) highlighting key failures and reiterating the regulators’ expectations.

The letter was prompted by several high-profile failures of commodity and trade finance firms in the last 18 months. Such issues have increased the risk exposure of the firms in a conduct and prudential context. A summary of the issues and regulators’ expectations is as follows:

  • Risk Assessment – across business-wide, customer, and transactional risk assessments there is an insufficient focus on:
    • the assessment of financial crime risk factors (such as the risk of dual-use goods);  
    • the impact which the customer risk rating has on the level of due diligence required for trade finance transactions; and
    • the assessment of internal mitigating controls. 
  • Counterparty Analysis – Firms should:
    • undertake appropriate credit analysis of all trade finance counterparts prior to formal credit limits being put in place;
    • ensure that policies and procedures set out clearly when to conduct due diligence on other parties to a trade finance transaction; and
    • consider whether the activity is in line with the expected activity of their client.
  • Transaction Approval - Firms are expected to determine if further specific analysis is required prior to transactions being approved. A structured assessment of risks/red flags should be conducted, and clearly defined policies and procedures should be maintained to enable identification of higher risk which requires enhanced due diligence or escalation to the Second Line of Defence.
  • Adequate oversight is crucial to ensure that policies and controls are operating effectively. This includes monitoring the discounting of red flags, transaction approval rationales, and the quality of escalations from the First Line of Defence.

The letter sets out the FCA and PRA expectations of firms when undertaking trade finance activity, which should be considered alongside relevant rules and guidance such as Joint Money Laundering Steering Group guidance, the PRA Rulebook and the FCA’s Financial Crime Guide.

Consequences of Non-Compliance

Below we have summarised the most relevant fines relating to economic crime failings over the past 12 months. Whilst the fines relate to businesses in different sectors, they present a holistic overview of where UK firms have been failing to meet their AML and CTF obligations. 

HMRC issues record £23.8m fine for money laundering breaches

In January 2021, HMRC published the list of businesses handed fines for breaching strict regulations aimed at preventing criminals from laundering illicit cash. Money transfer company MT Global Limited, which is based in Luton, was handed the largest ever fine issued by HMRC for significant breaches of the regulations between July 2017 and December 2019 relating to:

  • risk assessments and associated record keeping;
  • policies, controls and procedures; and
  • fundamental customer due diligence measures.

The business was ultimately accused by HMRC of flouting the rules on money laundering prevention. Nick Sharp, a deputy director at HMRC’s fraud investigation service said the record fine shows that HMRC will take action against those who fail to meet their legal obligations under the regulations.

HMRC, as the AML supervisor for Money Service Businesses (“MSBs”), works closely with partner law enforcement agencies and government departments to reduce the criminal abuse of the sector through tightened registration, greater understanding of the risks, and joint periods of concerted action focussing on those firms at greatest risk of being used by organised crime.

£5.85 million fine for Alderney online gambling firm after license breach

In September 2021, a gambling firm based in Alderney was fined £5,850,000 by the UK Gambling Commission (“UKGC”). The UKGC’s investigation revealed social responsibility and AML failures. From an AML perspective, the failures primarily focussed on the Firm’s controls in respect of customers’ source of funds. The UKGC cited the following as examples of such failures:

  • one customer was allowed to deposit £50,000 before the operator sought source of funds evidence;
  • a second customer was allowed to deposit £41,500 in a month without supplying adequate source of funds evidence; and
  • over an eight-month period a third customer was allowed to lose £53,000 but during that time the only source of funds evidence obtained by the operator was to establish that the customer lived in a house estimated to be worth £233,000

EU Lotto fined £760k

In September 2021, EU Lotto were ordered to pay a £760,000 fine and undergo extensive independent auditing after a UKGC investigation revealed social responsibility and AML failures. From an AML perspective, the failures included:

  • not effectively reviewing or analysing bank statements provided by customers to prove address;
  • not restricting customer accounts following source of funds (SoF) requests;
  • allowing customers to register third-party debit cards (such as those in a different name to the customer) to their account; and
  • relying too heavily on ineffective threshold triggers and generally lacking information regarding how much a customer should be allowed to spend based on income, wealth or any other risk factors.

NatWest fined £264.8 million for AML failures

In December 2021, National Westminster Bank Plc (“NatWest”) was fined £264,772,619.95 following convictions for three offences of failing to comply with the MLRs. The charges covered NatWest’s failure to properly monitor the activity of a commercial customer, Fowler Oldfield, a jewellery business based in Bradford, between 8 November 2012 and 23 June 2016. When taking on the customer, NatWest initially understood it would not handle cash from the Fowler Oldfield business. However, over the course of the customer relationship approximately £365m was deposited with the Bank, of which around £264m was in cash.

Some of the Bank’s employees reported their suspicions to staff responsible for investigating suspected ML, however no appropriate action was ever taken. The ‘red flags’ that were reported included significant amounts of Scottish bank notes deposited throughout England, deposits of notes carrying a prominent musty smell, and individuals acting suspiciously when depositing cash in NatWest branches. In addition, the Bank’s automated transaction monitoring system incorrectly recognised some cash deposits as cheque deposits.

Crucially, this is the first time a financial institution has faced criminal prosecution by the FCA under MLRs in the UK. The case sets out how a financial institution could be sentenced in future for a breach of the MLRs and is an example of how other financial institutions may be sentenced for similar breaches. Previously, these types of offences have typically been dealt with by way of civil penalties, but the FCA has taken a more doctrinaire approach to dealing with particular breaches of the regulations.

HSBC fined £63.9 million for deficient transaction monitoring controls

In December 2021, HSBC Bank plc (“HSBC”) was fined £63,946,800 for failings in its AML – specifically, its transaction monitoring systems and controls. As dictated by the MLRs, a firm must carry out ongoing monitoring of its business relationships. This includes scrutiny of transactions undertaken throughout the course of a relationship to ensure that transactions are consistent with a firm’s knowledge of the customer, the customer’s business and risk profile. The charges covered the period of 31 March 2010 to 31 March 2018, during which HSBC failed to comply with the MLRs because its policies and procedures for two of its key automated transaction monitoring systems were not adequate or sufficiently risk-sensitive, and HSBC did not ensure the policies that managed and monitored those systems were appropriately followed. In particular, HSBC failed to:

  • consider whether the scenarios used to identify indicators of ML or TF covered relevant risks until 2014; and carry out timely risk assessments for new scenarios after 2016;
  • appropriately test and update the parameters within the systems that were used to determine whether a transaction was indicative of potentially suspicious activity; and
  • check the accuracy and completeness of the data being fed into, and contained within, monitoring systems.

What should firms be doing?

  • Horizon scanning – Firms should ensure that they pay keen attention to key regulatory and best practice developments on a continuous basis. Where we have highlighted changes or updates to the regulatory and/or legislative environment that are currently being discussed or consulted on, firms should ensure that they:
    • keep apprised of the evolving discussions on such topics;
    • understand what impact these would have on their own frameworks and risk profiles;
    • understand what the timelines for any formal changes to regulation or legislation are; and
    • understand what updates to their policies, procedures, systems, or controls will need to be made.
  • Retail Banks should ensure they have conducted the necessary gap analysis in light of the FCA’s ‘Dear CEO’ letter and made enhancements to their frameworks where necessary. Any relevant Banks that have not yet done so must ensure it is done as a matter of priority. Non-retail banking firms should still consider the issues which the FCA highlighted in the letter and (on a risk-sensitive basis) should use this as an opportunity to mark themselves against the regulator’s expectations.
  • Firms involved in trade finance activities should use the FCA/PRA ‘Dear CEO’ letter as an indication of what the regulators expect in relation to this complex area. Firms would be wise to review their frameworks in light of the issues highlighted and make relevant enhancements to:
    • Business-wide, customer, and transactional risk assessments;
    • Policies and procedures regarding credit analysis and due diligence on counterparts; and
    • internal governance arrangements in respect of transaction approval and oversight of policies, procedures, systems, and controls
  • ASPs or firms dealing with such business should review HMRC’s risk guidance and factor this into their own risk management frameworks – most crucially, in respect of business-wide and customer risk assessments
  • Firms should ensure that their risk assessments (from a business-wide, customer, and country perspective) have been updated to consider the impact of the Afghanistan situation. Further to this, risk-based due diligence and transaction monitoring controls should be applied in situations where customers and/or their transactions have links to Afghanistan
  • Similarly to horizon scanning, firms should ensure they pay close attention to the detail of relevant fines and court cases to enable them to monitor areas and controls that the regulators have identified as being particularly weak across the industry. Firms should then use the detail of the fines/cases to assess their own frameworks and ensure any similar risk areas are promptly mitigated.

How can BDO help?

BDO’s Economic Crime Advisory team work closely with firms across a wide range of sectors across both financial services and non-financial services. We have a deep understanding of our clients’ businesses and the specific environments in which they operate, enabling us to act as a strategic partner, providing clear advice which is both balanced and constructive.

We have experience in reviewing and helping firms across the end-to-end deal chain to enhance their economic crime frameworks, including risk assessments; due diligence measures; governance and training; and transaction monitoring controls. Our services range from providing consultancy services with respect to industry practices pertaining to control environment design and operation, developing and deploying training for all/any lines of defence as well as Senior Management; and undertaking independent control framework reviews or gap analyses to provide tailored recommendations for increased alignment to regulatory requirements and expectations.

Therefore, please do not hesitate to contact a member of our Economic Crime Advisory team if you have any questions.
