On 22nd July 2021, Her Majesty’s Treasury opened a consultation inviting views on government proposed amendments to the Money Laundering Regulations (“MLRs”). The consultation is open until 14th October 2021 and more details can be found here.
There have already been a couple of amendments to the 2017 MLRs (2019; introduction of the EU’s fifth money laundering directive, 2020 and 2021; high-risk countries), but the new proposals would make for a more substantial amendment.
This post will focus on the proposed amendment I find most interesting:
AML Supervisors and Suspicious Activity Reports
Currently, due to vague wording within the MLRs, some AML Supervisors are requesting access to Suspicious Activity Reports (“SARs”) submitted by their supervised members.
The consultation asks respondents whether such access should be permitted and whether respondents feel the MLRs already permit such access or whether there needs to be any clarification written into the Regulations.
The argument for permitting access, via their members (not the UK Financial Intelligence Unit to whom SARs are reported) is that it enables a supervisor to “draw overarching themes of threat or identify emerging risks/trends” which could then be fed back to their supervised members and be included in risk assessments.
SARs are extremely sensitive and the data within them is supposed to be extremely privileged. This makes sense as the more individuals who are aware of the existence of a SAR (let alone its contents), the more likelihood there is of the subject being “tipped off” – a crime under the Proceeds of Crime act 2002 (“POCA”).
In my opinion, the argument for the proposed amendment is akin to governments requesting “backdoor access” to encrypted services on the grounds of “detecting and preventing crime”; ultimately, if you open the door for the good guys, the bad guys will always be able to slip in and exploit the vulnerability.
For me, one clear example comes to mind.
I have personally been aware of an AML supervisor investigating one of their own employees for fraud. This proves what we all knew anyway; those working within supervisory bodies are not all perfect, model citizens – some are criminals.
In such a situation, were a supervised member to have suspected illegal activity from the employee, and submitted a SAR, and were said employee to be in the AML supervision department reviewing SARs and come across one of which they were the subject, then the subject (employee) would have been tipped off.
One might consider the odds of this to be low, and perhaps they are, but even if we were to amend the scenario by removing the employee from the AML supervision department and replacing them with someone else, what is to say that the replacement is not aware of or even friends with the offending employee? Do we not all know, and have friendships with, colleagues in different departments of our companies? Would most of us not give our friends a “heads up” if we suspected they were in trouble?
Even if you were not a criminal, having access to such sensitive information is a risk. If you are purchasing a property with your spouse, but your conveyancer disinstructs themselves because you cannot sufficiently demonstrate your source of funds (even though you know they are legitimate), would you not be tempted to look and see whether the conveyancer submitted a SAR about you/your spouse? Not to evade capture (after all, you haven’t done anything wrong), but just to know, out of curiosity?
By permitting access to SARs, even with the best intentions, you immediately increase the risk of abuse and consequently the risk of tipping off, thereby increasing breaches of POCA.
Given supervisors have access to the numbers of SARs submitted by supervised members, how about providing them with access to the category of SARs submitted (e.g. tax evasion or human trafficking) which can be easily identified by the glossary codes provided by the National Crime Agency? Would that not be a better, risk-free way of supervisors being able to identify themes (nationally or regionally)?
Louis Lancaster
Risk & Compliance Manager at Credas Technologies Ltd