Even if the pace at which regulations are drafted seems to be slowing down, at least at the EU-level, regulations in general are still trending toward bullish proliferation. In the financial-crime field alone, around 1,300 binding pieces of legislation have been brought to light in the span of 20 years (2000-2020), with about 228 directives and 1100 regulations.
Today, around 186 directives and 800 regulations are in effect.
Additional potential regulations are also looming, including those that could establish a long-debated European central anti-money laundering authority or new, potentially extraterritorial, regulations in the post-Brexit UK.
Until fairly recently, the response from compliance officers to such new mandates could be compared to that of a soldier replying to an order: “Roger Wilco,” short for “received and will comply.” And then one day, it happened.
On July 18, 2018, the High Court of Justice in the UK ruled in favour of a claimant who had requested that his bank disclose the contents of Suspicious Activity Reports (SARs) filed to the National Crime Agency (NCA). Breach of the non-tipping-off principle? Not at all, according to the court.
Will this decision broader political conflict over the imposition of regulations and laws? Perhaps. Will it open a Pandora’s box of long proceedings to challenge the existing anti-financial crime and compliance legislative framework? Most probably.
At least one thing is clear: with all our legitimate and justified intentions to combat financial crime, we have been living in some sort of a legislative paradise, where all laws and regulations match together as the pieces of a jigsaw puzzle. But what if this paradise is lost?
The road paved with good intentions
We all seem to agree that the whole point behind compliance efforts is ultimately to serve the general welfare of humanity. Still, one may argue where the limits of the “general interest/common good” umbrella end.
Let’s take the example of AML/CTF requirements on the collection of data related to Politically Exposed Persons (PEPs). We remember that their 1st and 2nd degree relatives and close associates are also considered to be PEPs. Oftentimes, the research performed by financial institutions can be inclusive but also highly intrusive. What if a client has an extramarital affair? And what if it concerns a same-sex partner?
These cases clearly fall under the GDPR provisions regarding sensitive personal data. No particular issue with this unless we consider, for example, that many financial institutions operate in countries whose AML regulations do not impose any data protection for the information collected during compliance procedures; therefore, it seems that the key European requirement of the same level of safeguards is not met. Moreover, PEP definitions may vary even across the EU (e.g., Italy where a list of national PEPs has been published), further amplifying the scope.
More food for thought: national FIUs receive hundreds of SARs containing sensitive data. If we refer to Recital 14 of the GDPR, it seems that FIUs are not covered by the regulation’s provisions in general, nor by its specific safeguards. What will happen in case of a major breach or a cyberattack? Off the radar for now.
How about counterterrorist financing? Even when there are genuine security and welfare objectives, there may be data-privacy concerns. One of the most well-known affairs relates to SWIFT. Indeed, in 2006, the world was shocked with the revelations published by The New York Times that US authorities secretly and illegally gained access to SWIFT messages containing personal data as part of their Terrorist Finance Tracking Program. Back in 2006, this practice was judged as a breach of the then-applicable regulations. Two years later, however, the initial position was entirely reversed to recognize the legitimacy of the US program. In France, for instance, such practices would be violating the Blocking Statute of July 1968, updated in July 1980, which prohibits companies incorporated in France from transferring specific data to foreign authorities without using the channel of international criminal cooperation. Have you ever tried to use this channel, via Mutual Legal Assistance Treaties or otherwise? Well, good luck, and arm yourself with patience and snacks to nosh during your long legal siege.
In the context of such legal instability, we seem to be shifting towards a completely new compliance order.
Strange new world
We already know – and the European Commission itself highlighted this fact in a July 2019 press release – that AML and other financial crime regulations drastically lack harmonisation, whether it be across the EU Member States or between the EU and third countries, such as the US.
The US example is a flagrant one; suffice it to mention the fundamental difference between the FCPA and the rest of most well-known, anti-corruption laws lies in the treatment of passive bribery and facilitation payments. A small historical digression: several US Courts of Appeal confirmed at every occasion that their constitutional double jeopardy provision does not apply to the FCPA when it comes to foreign judgements, while most of the countries recognize, at least partially, the non bis in idem principle. A dangerous mismatch.
However, certain discrepancies may cause genuine issues or even larger disorder.
This is very often the case when it comes to the conflict between AML laws and privacy regulations. Let’s take the example of Lonsdale v National Westminster Bank. The claimant’s business and personal accounts were frozen by his bank. A barrister himself, he put two-and-two together, assumed a SAR was filed, and, according to the then in-force Data Protection Act 1998, requested access to the SAR. However, we all know that disclosing a SAR to the customer concerned is tantamount to the tipping-off offence, already clearly prohibited in the 3AMLD and seq. Legal crossroads in its splendour.
The court judged that “there was no evidence that the SARs are required to be kept confidential. The SARs were plainly relevant to the assessment of whether the bank’s employees genuinely held a relevant suspicion” .
Guillaume Rudelle, a Parisian barrister and Associate at Norton Rose Fulbright in France admits: “Practically speaking, such action could only be successful if the customer is able to demonstrate that the suspicious activity report (SAR) was unlawful, which is impossible if one cannot have access to the content of the SAR. Accordingly, denying a request made by the customer to obtain the disclosure of the SAR could be seen as a denial of the right to a fair trial”.
According to American lawyers, such an action would be impossible in the United States. The same holds true for France, though with nuances.
“SARs are confidential (art. L.561-18, French Monetary Code). Both their existence and the content of the report, along with any follow-up action, cannot be disclosed to the subject of the report or to any third party. Should an individual concerned by a SAR wish to consult what personal data was used in the SAR, he/she can ask the CNIL for “indirect access” which then nominates one of its members, who is also (or has been) a member of one of the French Supreme Courts, in order to investigate and potentially make relevant amendments to personal data. The individual gets access when the CNIL establishes with the bank that communicating the information will not reveal any sensitive information (i.e. the SAR itself, the amount at stake, declarations from bank employees, follow-up actions etc.) and, most importantly, does not risk to hinder the objectives of anti-money laundering and terrorism financing”, specifies Emmanuel Breen, Counsel at Laurent Cohen-Tanugi Avocats (Paris, France).
It remains unclear what the purpose of such a disclosure to the claimant would be, absent the above data.
Additionally, we must not forget the French Constitutional Council’s decision that deemed the public register of trusts required by the 4AMLD to be unconstitutional due to its infringement of the right to privacy. As of today, there is still no further progress on this point, at least in France.
While still a member of the EU, the UK somewhat customised their approach by creating a trust register that is not accessible to the public and therefore less of an invasion of privacy. This regime seems unlikely to be amended after Brexit.
In Italy, it seems that the UBO of a trust can oppose the publication of his/her data in the register.
Speaking of registers: what a fascinating exercise as to compile the data on the UBO registers in countries on every continent in terms of existence and availability. We can note that, in some cases, even the so-called “developing” countries have exceeded the developed European ones; Ghana, would be a good example of this.
On this basis, the recent decision taken by the European Commission to designate “high-risk” jurisdictions is more than nebulous. Nor will the EU’s plan to create a unique European AML supervisory body sort out this lack of consistency and harmonisation; this proposal gloomily promises only to add another layer to the bureaucratic blame game.
Finally, there is the mismatch between sanctions regulations, with perhaps the most conspicuous being the differences between OFAC’s programs and those under the EU Blocking Statute. In a nutshell, the problem arises because entities established or incorporated in the EU are prohibited from complying with specific US sanctions regimes, on pain of penalties.
“It is important to note, however, that the EU Blocking Regulation does not provide for a formal sanction mechanism and leaves it to Member States to define sanctions and enforce them. There are therefore huge discrepancies in the enforcement record of the EU Blocking Regulation among Member States. Certain governments have been more aggressive than others in this respect. For example, the UK adopted the Extraterritorial US Legislation Sanctions against Cuba, Iran and Libya – Protection of Trading Interests Order in February 2019, which provides for an unlimited fine. At the other extreme, countries like France and Luxembourg have yet to introduce any national legislation on this issue and are not yet in a position to prosecute violations of the EU Blocking Regulation”, says Mr. Breen. “The EU is not, though, alone in this aspect. Canada and Mexico also implemented their own blocking statutes to respond specifically to the US Helms-Burton Act”, he adds.
If jurisdictions continue this ping-pong game, who can unhesitatingly and confidently say where we are headed?
Towards a No-Man’s Land?
Mr. Breen tilts toward a further increase in regulations. During our discussion, he used the term “overcompliance”. Quite a fair one. Despite its positive connotations – i.e., going beyond explicit regulatory requirements and expectations – Mr. Breen still considers it a risk.
Pierre-Manuel Sroczynski, ex-Director of the Compliance and Permanent Control department at the French La Banque Postale and now a consultant at Somerset Advisory, holds a diametrically opposed view.
“The AML and sanctions-related legislative and regulatory corpus is already quite extensive and complete. A further increase? Definitely not. I guess the governments have taken heed of the fact that the crux of the matter now lies with the relevant and appropriate supervision, coordination and harmonisation”, he believes.
Today, we are waiting to find out what lies ahead, and what the current and upcoming regulatory efforts have in store for Compliance Officers. The territory remains challenged and contentious. Personally, being a Cartesian Compliance Officer, I believe that the “holy war” Compliance wages on financial crime may justify specific gambits, i.e. sacrifices (for example, data protection), in order to effectively pursue a just cause, unless there are truly no regulatory conflicts involved. I am also convinced that compliance should go beyond regulatory expectations, not to complicate our lives but to make it easier.
I have to admit that sometimes it feels like compliance has taken the wrong path, with regulations having too many loopholes that seem designed to satisfy particular shadow interests. Even the FATF Executive Secretary David Lewis admits that no country has a solid AML framework that works as it should. Take the recent EIB case, as an example: the drastic shortcomings in the AML framework were known to EIB’s top management, who actually considered the regulations and rules and insisted on their implementation throughout Europe. Or the whatever-Leaks or Papers: how many of you know what the state of play is after all the whistleblower-journalists to and fro, and the books written and disclosures published?
But as a compliance professional, I hope that no regulatory evolution in this field will force the return to ground zero.