ECCTA - Financial Services Regulation

The Act aims to reform the traditional “identification principle” for attributing criminal liability for economic crimes to corporate entities or partnerships. Traditionally, under the identification principle, an organisation could only be held criminally liable if an individual, who is the “directing mind and will” of the organisation, is found guilty. This principle, illustrated by the case Tesco Supermarkets Ltd v Nattrass, has proven challenging to apply to large companies or partnerships with complex structures, sparking debates on its effectiveness.

The Act proposes a new approach for attracting criminal liability. Rather than relying on the identification principle, the organisation will now be liable for actions committed by a “senior manager” acting with their actual or apparent authority.

Who is deemed a "senior manager"?

The definitions of “senior manager” under the Act and the Senior Managers Regime (“SMR”) established by the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority (“PRA”) are particularly relevant to financial services institutions, albeit with nuanced distinctions.

The Act defines a “senior manager” as an individual who plays a significant role in decision-making or in managing or organising a substantial part of the corporate body’s activities. This definition broadens the scope of liability by focusing on the managerial role and decision-making authority of individuals in a general context, without being specific to the financial services sector.

In contrast, the FCA refers to “senior managers” under the SMR as “the most senior people in a firm with the greatest potential to cause harm or impact upon market integrity”. This definition narrows the scope to those positions that require prior FCA or PRA approval as they have a direct bearing on specific controlled functions involving compliance, financial services regulation, and market integrity, such as executive directors of regulated firms and those responsible for FCA and anti-money laundering compliance.

For firms subject to both regimes, the distinctions are important. While the SMR focuses on individuals with the potential to influence market integrity and compliance, the Act’s definition is potentially broader and includes individuals engaged in strategic decision-making and substantial management activities. This means that firms must be vigilant in ensuring that their senior managers, as per the Act’s definition, are aware of their potential liability for a broader range of economic crimes, in addition to compliance with financial regulations governed by the SMR. Thus, the Act’s definition potentially widens the pool of senior individuals whose actions could lead to corporate liability.

What should financial services firms do to prepare?

As the new corporate criminal liability regime enters into force on 26 December 2023, it is crucial for financial services firms to prepare immediately to align their practices with the forthcoming requirements. That means assessing ‘senior managers’ within scope of the Act and SMR and understanding the impact of any gaps, reviewing existing internal policies and procedures and considering whether the require amendment to reflect the new regime. Immediate steps are likely to involve training on corporate criminal liability prevention and ensuring appropriate mechanisms are contained in whistleblowing policies and contracts of employment.

The Act introduces a significant new offence for “failing to prevent fraud” for large organisations. This new provision is triggered when a person associated with the organisation commits fraud with the intention of bringing direct or indirect benefits to the organisation or any person to whom they provide services on the organisation’s behalf. This includes fraud offences listed in Schedule 11, mirroring the majority of offences in Schedule 17 of the Crime and Courts Act 2013. The Act also specifies that indirect complicity, such as aiding or abetting in the commission of a listed offence, also falls within its scope.

Organisations can mount a defence by demonstrating that they had reasonable prevention procedures in place at the time the fraud was committed. Alternatively, it might be argued that it was unreasonable to expect any procedures to be in place under the circumstances. The government is expected to publish guidance on what constitutes reasonable procedures to prevent fraud. The offence will become effective likely within the next year.

The Act specifically targets large organisations, defining them (using the standard Companies Act 2006 definition) as organisations meeting at least two of three conditions:

• a turnover exceeding £36 million
• a balance sheet total over £18 million
• or a staff numbering above 250.

However, as there are discussions around potentially expanding the offence to cover small and medium-sized enterprises (SMEs), financial services firms, irrespective of their size, should stay prepared and proactive in their approach to fraud prevention. Further, if resources held across a parent company and its subsidiaries cumulatively meet the size threshold that group of companies will be in scope of the offence.

Although the offence is not yet in force, the upcoming publication of government guidance on reasonable fraud prevention procedures is a crucial development that firms should monitor closely. Once this guidance is released, the timeline for the offence coming into force will likely be announced, providing a clearer framework for compliance.

What should financial services firms do to prepare?

In anticipation, financial services firms should begin a comprehensive review and risk assessment of their existing fraud prevention and detection policies and procedures. This review should focus on identifying any gaps in current practices that may not align with the new offence’s requirements. Key actions may include enhancing financial commercial, and accounting controls, implementing targeted training on fraud prevention, and ensuring that effective mechanisms are integrated into whistleblowing policies and employment contracts.

Additionally, firms should consider extending or adapting their current frameworks to adequately cover the requirements of the new offence. The focus should be on developing robust internal processes that can prevent fraudulent activities by associated persons with a view to minimising exposure of the organisation to potential liability.

Under the previous framework, firms have faced challenges in quickly sharing information regarding economic crime concerns. The existing “super SAR” mechanism has required businesses in the AML regulated sector to notify the National Crime Agency and await a sharing request before disclosing information. This has hindered the prompt exchange of relevant data among firms (e.g. banks and financial institutions), typically restricting them to their internal information and slowing down the detection or investigation of economic crimes.

The Act seeks to alleviate these hurdles by facilitating easier data sharing between firms. Under the Act, businesses can share information for the purpose of preventing, detecting, and investigating economic crimes without necessitating law enforcement intervention or a request from the recipient firm. This sharing, provided it meets specific conditions, shields the firms from certain civil claims by the concerned customer or other parties.

The Act offers two options for information sharing

1. Direct sharing (section 188): A firm (A) can directly share customer information with another firm (B) either upon request by B or voluntarily if A has taken action against a customer due to economic crime concerns. However, voluntary information sharing is only protected against civil liability claims if firm A has committed to taking action against the concerned customer. Firms are encouraged to thoroughly document their decisions and considerations prior to volunteering information to ensure compliance and be prepared to respond to any queries from regulators or customers.

2. Indirect sharing via a third-party intermediary (section 189): In situations where it is challenging to identify a specific firm that might benefit from the information, the Act allows for indirect sharing through a third-party intermediary. This model, which may operate similarly to the National Fraud Database (CIFAS), enables the dissemination of relevant information without direct involvement. A pilot scheme involving various banks and the NCA is in progress to assess the feasibility and interest in this platform.

Despite these new provisions, firms must still adhere to their existing obligations, including compliance with UK GDPR, customer rights as per the Equality Act 2010 and the FCA’s Principles for Businesses, and continued suspicious activity reporting obligations. While information sharing under the Act is voluntary, it is anticipated to enhance efficiency in onboarding, due diligence, and remediation processes. However, the exact impact and regulatory expectations surrounding these new provisions are still evolving, and firms are encouraged to stay abreast of developments.

What should financials services firms do to prepare?

To adapt to this change, financial services firms should begin by reassessing their current information sharing protocols and ensuring they align with the new provisions. This reassessment involves understanding the nuances of direct and indirect sharing options provided by the Act. For direct sharing, firms should establish clear guidelines and documentation processes, particularly when sharing information voluntarily, to ensure compliance and readiness to respond to any regulatory queries. In the case of indirect sharing via a third-party intermediary, firms need to stay informed about the evolving landscape and potential platforms that could facilitate this process. Regular training sessions for staff on the updated information sharing protocols and their legal implications are also advisable.

Before the Act, the UK’s approach to cryptoassets under the Proceeds of Crime Act 2002 (“POCA”) was limited. The confiscation powers primarily targeted traditional assets, and cryptoassets were not explicitly addressed, which allowed misuse in crimes like ransomware attacks and potential terrorist financing. POCA’s last substantial update was in 2017, and the rapid evolution of cryptoassets necessitated reform.

In broad terms, there are two distinct category of asset recovery powers and the Act has introduced changes relevant to both regimes.

1. Criminal regime (in personam powers):  

The Act expanded in personam powers, which target individuals, by allowing law enforcement to seize cryptoassets more proactively. Authorities may now take control of crypto wallets even prior to an arrest, preventing the assets from being dissipated. The Act also permits courts to authorise the sale of seized cryptoassets to maintain their value in the faceof market volatility and, in some cases, sanctions the destruction of the seized assets.

2. Civil regime (in rem powers):

The Act strengthened in rem powers, which target the assets themselves, by enabling law enforcement to recover cryptoassets when executing a search warrant. These detained assets can be converted into cash to preserve their value pending the outcome of a final forfeiture hearing. Provisions were introduced to allow victims of crimes to apply to the court for the release of their assets or a portion of them, which is expected to help negate negative impacts of fraud and ensure public confidence in the regime. Moreover, the Act aligned the civil regime with the criminal one, allowing for the destruction of assets in certain (exceptional) circumstances.

The Act also addresses the growing concern of cryptoassets being exploited in terrorist activities, which have been identified in a rising number of investigations. Such activities include fundraising on social media platforms where pseudo-anonymous cryptocurrencies are preferred as a method of payment. While the UK’s counter-terrorism legislative framework is robust, it required an update to keep pace with the evolving landscape, particularly noting again that the last substantial amendment to POCA was in 2017. The Act amends the Anti-Terrorism, Crime and Security Act 2001 and the Terrorism Act 2000, mirroring changes made to POCA. These amendments ensure that law enforcement possesses adequate civil forfeiture and seizure powers pertaining to cryptoassets, allowing for the effective freezing, seizure and forfeiture of assets tied to terrorist purposes.

What does this mean for financial services firms?

Firms must ensure compliance with enhanced recovery and seizure powers, recognising the growing use of cryptoassets in crime. The Act mandates rigorous checks to prevent economic crimes and manage market volatility. Adaptation to these legislative changes is essential to prevent firms from being associated with illicit activities. In accordance with the Financial Crime Guide and SYSC of the FCA Handbook, the regulator expects firms to continue to evaluate their approach to identifying and assessing the financial crime risks they are exposed to and ensure that their control framework remains fit for purpose.

What should financial services firms do to prepare?

Firms should start by conducting thorough risk assessments to understand how the expanded asset recovery powers affect their operations, especially in areas involving cryptoasset transactions. Emphasis should be placed on enhancing monitoring systems and internal controls to detect and prevent the misuse of cryptoassets.

Training programmes for staff should be updated to cover the new legal landscape regarding cryptoassets, focusing on compliance, risk management, and the implications of non-adherence. Legal and compliance teams within firms need to be well-versed with the Act’s provisions to advise on transactions and client engagements involving cryptoassets. Additionally, firms could prepare for potential scenarios involving the seizure or freezing of cryptoassets, developing clear response strategies and compliance protocols. This is particularly crucial given the volatile nature of cryptoassets and their growing relevance in financial operations.