Financial Regulation - In the know: Financial Crime – October 2024

New trade sanctions enforcement apparatus

The regulatory framework is codified in the Trade, Aircraft and Shipping Sanctions (Civil Enforcement) Regulations 2024, made under the Sanctions and Anti-Money Laundering Act 2018. OTSI has already supplemented the regulatory framework with additional guidance on issues such as how it plans to enforce under the civil enforcement regime, the imposition of monetary penalties, licence applications and specific guidance on preventing Russian sanctions and trade control evasion.

Under the framework, OTSI can now investigate and enforce breaches of prohibitions or failures to comply with obligations imposed by or under certain sanctions regimes related to aircraft, shipping and trade. OTSI will assess suspected breaches to determine if there has been a failure to comply with trade sanctions. Breaches may be determined on a 'strict liability' or 'civil' basis, meaning there is no need for the regulator to be able to prove intent or knowledge of the breach, with the non-criminal standard of proof being the balance of probabilities. In deciding on the outcome of any enforcement action, OTSI will consider factors such as voluntary or mandatory disclosure of breaches, compliance with information requests, and previous sanctions breaches.

The regulations provide OTSI with various enforcement tools. It can issue warnings, publish information about breaches, impose civil monetary penalties and refer cases for criminal investigation to HM Revenue and Customs (HMRC).
OTSI's jurisdiction extends to all UK persons and entities globally, as well as any person or business within the UK or its territorial sea.

When publicising the changes, the DBT emphasised the UK's commitment to enforcing trade sanctions as part of its foreign policy and international obligations.

It is important for UK businesses to understand that HMRC retains responsibility for enforcing certain trade sanctions where they relate to the import or export of goods to, or from, the UK, the transfer of technology to, or from, the UK and goods and technology, such as military and dual-use goods and technology, which are subject to strategic export controls. HMRC is also responsible for the criminal enforcement of trade sanctions.  This increased complexity of the enforcement landscape in the UK, where a single transaction could fall under the purview of HMRC, OTSI and OFSI needs to be factored in to risk assessments.

Civil monetary penalties

OTSI is empowered to impose penalties on those responsible for breaching sanctions in sums of £1 million or 50% of the estimated value of the breach (whichever is higher). This aligns trade sanctions enforcement with financial sanctions enforcement. In relation to aircraft and shipping sanctions, where it is possible to estimate the value of the aircraft or ship used in connection with the breach, the penalty could be calculated by reference to the estimated value of the aircraft or ship. The Secretary of State, acting through OTSI, must give advance notification of the intention to impose a monetary penalty.

Mandatory reporting and powers to compel information

The changes also include new mandatory reporting obligations on relevant persons (e.g., financial services, legal services and money service businesses etc) who suspect a breach of trade sanctions, as well as new legal risks around failure to respond to information requests. OTSI has the power to request information for purposes such as monitoring compliance, detecting evasion of sanctions, or investigating suspected breaches. Failure to comply with these requests can amount to a criminal offence. Among the documents OTSI might demand are due diligence reports, electronic transfer evidence and customer risk assessments.

The broad powers OTSI has to request information underscore the importance of robust record-keeping and due diligence processes. Businesses must be prepared to respond promptly and accurately.

Under regulation 26, HMRC gains similar new powers for the purpose of determining whether an offence concerning a failure to comply with a reporting obligation, or whether an information offence has been committed, insofar as they relate to trade sanctions.

Trade sanctions compliance risk assessments

Risk assessments can help affected businesses to identify areas where they may be vulnerable to breaching the regulations and develop or update internal policies and procedures to ensure they reflect compliance requirements. This should include clear guidance on reporting obligations and how to handle information requests from OTSI. Businesses can also look to review their training provision, record keeping and due diligence processes.

Given the strict liability basis for enforcement, it's key to adopt a proactive approach to risk management i.e. not just meeting the minimum compliance requirements but actively seeking to understand the broader geopolitical context so as to be able to anticipate changes in the regulatory framework early on and adjust accordingly.

Limitations on enforcement

If faced with the prospect of an enforcement investigation, businesses should understand the process for making representations, seeking reviews, and appealing decisions. OSTI may not impose a monetary penalty for a breach of a prohibition or a failure to comply with an obligation in trade sanctions regulations where the suspected offence is capable of being investigated by HMRC, without any referral to them or any decision by them to treat the suspected offence as having been referred to them. The framework also identifies specific provisions that are not subject to the enforcement mechanisms. The excluded provisions currently relate to maritime transportation of certain oil and oil products, which are within the remit of HM Treasury (via the Office of Financial Sanctions Implementation (OFSI)) or internet services sanctions, which fall under the remit of Ofcom.

Privilege protections

The regulations and guidance both make it clear that reporting obligations and requests for information do not apply to information protected by legal professional privilege, but it is essential that businesses and their legal advisors are able to accurately and realistically identify whether a claim to legal privilege applies to any particular piece of information. This is a complex area, particularly given the reporting requirements on legal professionals as relevant persons under the wider regulatory framework.

Parasitic liability

As with the equivalent financial sanctions framework, provision is made for individual directors to be held liable and at risk of monetary penalties on the basis of consent, connivance or neglect, when a non-natural person is found to have committed a breach or failed to comply with an obligation imposed by the regulations.

AG regularly advises a wide range of businesses on sanctions compliance. If you would like to discuss any of these matters further, please reach out to Harriet Territt for more information.

Current areas of focus

Responding to a question at the FCA's annual public meeting, FCA Joint Executive Director of Enforcement and Market Oversight, Steve Smart, reiterated that fraud, investment and crypto-asset scams are real areas of focus for the regulator. He went on to describe actions the regulator is taking under the headings of 'prevent, protect and pursue'. This included working with a tool that obtains data from 100,000 websites daily and gives the FCA the ability to spot potential scams happening in real time, and working with technology platforms to try to get the relevant sites taken down. In a similar way, the FCA has worked to ensure unauthorised financial promotions are routinely taken down.

Mr Smart spoke about the additional challenges created by financial promotions via social media channels, the rise of 'finfluencers' and how this has now begun to impact the typology of frauds the FCA is looking at. This is reflected in a reduced age range of the people most likely to be impacted by investment frauds, based on the data. The FCA has published guidance for financial promotions on social media this year and continues its work with financial services and technology firms to ensure that strong financial crime systems and controls are in place.

The FCA's strategy is also to make consumers more aware of firms that the FCA is concerned about. The FCA issued 2283 warnings last year and, to September this year, had issued approx. 1500 warnings. Mr Smart noted that the agency had run six campaigns under its 'Scam Smart' initiative since 2022 and is seeing real impacts from this, in terms of people checking the register before going ahead with investing. Similar campaigns have also been run under the InvestSmart banner.

The FCA remains concerned about fraud and scams online.  Mr Smart said that tackling this needs focus from all sides, including the government, industry, law enforcement agencies and partner regulators. He said that the FCA has a significant role to play in enforcement and explained that there are currently 163 live operations, over half of which are aimed at reducing financial crime and 1/3 of which are against unauthorised businesses engaging in fraud and crypto-scams. Last year, 21 individuals were charged with financial crime offences, predominantly fraud and money laundering, and there were nine successful prosecutions. According to the annual report, this marked the highest number of charges made in a single year brought by the authority. This financial year to date, the FCA has decided to charge 12 individuals for financial crime offences. Further, the FCA recently announced the conviction of an individual for running multiple crypto ATMs, which news came hot on the heels of its first regulatory enforcement in relation to crypto-asset trading. Nikhil Rathi gave further comments indicating that the agency plans to remain focussed on this in the next multi-year strategy and on crypto-related fraud in particular.

Stronger use of the authorisation gateway

According to the Annual Report for 2023-24, throughout the year to March 2024, the FCA intensified its action around the regulatory perimeter, resulting in the cancellation of the authorisation of 1,261 firms, a figure that is double that of the previous year. Of those firms applying to be registered and supervised for money laundering purposes only, 36% were rejected, withdrawn or refused compared to 21% in 2021/22. Over 87% of crypto registrations were withdrawn, rejected or refused for weak money laundering controls. Just 44 crypto firms had achieved money laundering registration by the time the report went to print. When speaking at the annual public meeting, Mr Rathi referred to the fact that they had received criticism for taking a rigorous approach to authorising crypto-platforms, resulting in some of the largest being unable to get registered, but his view was that the robust authorisation gateway had proved critical to financial crime prevention. The data showed there had been a deceleration in the growth rate of investment fraud victims from 28% in 2021 to 4.2% in 2023, alongside a significant (40.8%) reduction in reported losses suffered by victims compared to the previous year. Similarly, the growth rate of authorised push payment (APP) fraud cases slowed to 12% in 2023, with losses reducing by 5%, demonstrating an improvement against the baseline year of 2021.

Market integrity

The data in the FCA's annual report shows that market integrity remains an area of focus. The FCA conducted 9 supervisory visits and intervened 120 times with firms on market abuse controls in high-impact, high-risk sectors. Three skilled person reviews were initiated for transaction reporting or market surveillance failures.  The FCA made one enforcement referral for transaction reporting failures.

Outlook for whistleblower protections

In response to live questions at the annual public meeting on the FCA's position with respect to whistleblowing, Mr Smart emphasised how important whistleblowing reports and disclosures are to the FCA as a source of intelligence for the agency, which allows them to identify and deal with potential harm early. Reflecting on the data in its latest whistleblowing report, Mr Smart noted that there were 1000 disclosures in 2023 and 50% of those led to direct action. He also encouraged members of the public to report fraud via its Supervision Hub and to report frauds to Action Fraud or other appropriate law enforcement agency. Ashley Alder said that the FCA is looking carefully at feedback to whistle-blowers, recognising that whistle-blowers often feel frustrated around this, and is working hard to ensure the feedback is meaningful to ensure confidence in the system. The context to this is that the FCA has recently published the outcomes of its internal review conducted by a senior independent director into the handling of internal whistleblowing communications within the agency. At the time of writing, the FCA was expected to publish a revised internal policy shortly.

A hard line on financial crime

In addition to the discussion at the FCA's annual public meeting, the regulator has emphasised its robust approach to tackling financial crime in a series of other speeches delivered recently by its key leaders. In a speech given on 5 September 2024, Sarah Pritchard (Executive Director, Markets and Executive Director, International) highlighted the necessity of a partnership approach to combat financial crime effectively. She highlighted the FCA's data sharing partnership with the National Crime Agency (NCA) and major UK banks as an example. In an address given by Andrea Bowe (Director of the FCA's Specialist Directorate) at the Westminster Legal Policy Forum on 17 September 2024, Ms Bowe underscored the substantial impact collective efforts can have in disrupting the flow of fraudulent funds, particularly through addressing money mule activity. Finally, in a speech given by Therese Chambers, Joint Executive Director of Enforcement and Market Oversight, on 24 September 2024, Ms Chambers emphasised again the FCA's ongoing fight against financial crime, noting that this was not only a focus area in the FCA's current strategy, but is expected to remain so in its next strategy due in 2025.  Ms Chambers commented specifically on the issue of deterrence: "enforcement action is not just about dishing out punishment; it’s also about educating the whole market on what we expect, and where others have fallen short."  The speeches also collectively reinforce the FCA's commitment to leveraging innovation and technology, including using data analytics and AI, to identify financial crimes including illegal financial promotions, frauds and sanctions breaches.

The regulator remains focussed on reducing financial crime through a robust enforcement strategy. Please get in touch with David Pygott should you want to discuss any of the themes covered in more detail.

AI regulation

There is a distinct tension between innovation by and control of AI that is deeply rooted in both the extraordinary capabilities and rapid pace of development of the technology and the challenges around establishing effective regulatory frameworks. Globally, moves to regulate AI have resulted in a patchwork of initiatives. The EU, for example, is introducing horizontal regulation focused on reducing the anticipated risks across the EU. The UK, by contrast, is working towards a pro-innovation approach, using a principles-based framework established by the Department for Digital, Culture, Media and Sport (DCMS), under the goal of making the UK the most trustworthy jurisdiction for the development and use of AI. DCMS's 2022 policy paper calls for individual regulators to implement within their own regulatory frameworks within their regulated domains. The current Government will, according to the King's Speech, bring forward legislation to place an overarching layer of regulatory architecture on those working to develop the most powerful models but it seems unlikely this will apply across the board.

As a result, businesses are struggling to identify a single-source of principles by which to assess or assure themselves of their use of AI, in particular where AI is used as a preventive or compliance tool. It is very much left up to individual boards to decide what opportunities the rapid development and deployment of AI technologies present them with and what level of risk they can get comfortable with across e.g. data privacy & security, ethical use, so-called hallucinations (where the tool provides incorrect or misleading information as if it were fact), misinformation, output transparency, bias, de-skilling and compartmentalisation (to name just a few).

Against this backdrop, the recent updates to the U.S. DOJ's ECCP provides a roadmap for those involved in corporate compliance to begin to assess and assure their compliance frameworks around the risks associated with AI. It indicates both that those responsible for compliance should not only be aware of the risks posed by AI but also be proactively managing these risks as part of their compliance programmes.   While the guidance is specific to the U.S, the principles articulated around effective use of AI in a compliance model are of general interest.

AI assurance objectives of the ECCP

Companies operating in the US, whose compliance frameworks may come under the spotlight, must now proactively identify, assess, mitigate, and manage the risks associated with their use of emerging technologies, including AI within their compliance systems. There is the expectation of a holistic approach to risk management, where AI-related risks are not siloed but rather are considered as part of the company's overall risk landscape. They are expected to conduct thorough risk assessments of the technologies they use, integrate these assessments into their broader enterprise risk management strategies, and implement controls to mitigate identified risks. They must also identify how they assess the impact of new technologies on their ability to comply with criminal law. There is also an expectation that companies will develop and implement appropriate training to ensure employees understand the responsible use of AI and other emerging technologies and that there will be continuous monitoring and testing of AI systems to ensure they function as intended in alignment with the company's values, risk appetite and legal standards. The ECCP recognises that every company's risk profile and solutions to mitigate risks warrant individualised evaluation, considering various factors like size, industry, geographic footprint, regulatory landscape etc.

As part of evaluating companies' compliance programmes, US prosecutors are expected to scrutinise their efforts to ensure AI and technology use is trustworthy, reliable, and in compliance with applicable laws and their codes of conduct. This, in turn, feeds into decisions around charging companies for offences including whether and to what extent to enter into a resolution with those companies. In short, proactive and effective management of AI-related risks can lead to more favourable outcomes in the event of DOJ scrutiny.

AI as a shield not a sword

The emphasis on AI within the ECCP underscores the increasing use of AI tools within the compliance sphere – indeed financial services firms have been using non-generative AI tools for many years to assist with screening of customers, portfolios and transactions.  However, with the introduction of newer, generative AI tools, the importance of transparency and accountability in the deployment of these technologies has increased significantly. By integrating AI responsibly and ethically into their operations, firms can potentially achieve a higher degree of precision in monitoring transactions, identifying potential compliance issues, and automating complex compliance processes. This perspective encourages firms to view AI as a tool; a shield rather than a sword. This in turn can lead to a more proactive approach to compliance, where potential issues are identified and addressed before they escalate into significant legal or regulatory challenges.

UK financial services firms who want to ensure that their use of AI is transparent to regulators, employees, and customers alike should be able to provide clear documentation of AI systems' decision-making processes, as well as the criteria used for risk assessments around AI deployment, and the measures implemented to mitigate those risks. Firms should also establish robust oversight mechanisms to monitor AI systems continually, ensuring they operate as intended.  Another area of focus should be the underlying data used to train and supplement the model and tool, both in terms of its stability, the risk of bias, but also the legality and precision of the source material from which the AI output is derived.

By adopting a proactive, holistic approach to managing AI-related risks, firms can not only mitigate potential legal and regulatory challenges but also harness the transformative potential of AI to enhance their compliance efforts. This requires a commitment to continuous learning, adaptation, and improvement, as the landscape of AI technology and regulation continues to evolve. UK firms should therefore remain vigilant, ensuring their compliance frameworks are flexible and robust enough to accommodate the rapid pace of technological change while upholding the highest standards of integrity and accountability.

If we can help you to navigate this rapidly developing landscape, please contact Harriet Territt or your usual AG contact.