NatWest has pleaded guilty to failures under the UK’s money-laundering regulations – but is it right to call this a ‘failure to prevent’ on its part?
Corporates and crime: the context
Did one of the UK’s ‘big four’ banks, NatWest plc (‘NatWest’), just plead guilty to a ‘failure to prevent’ money laundering? Some of the headlines certainly seem to suggest that it has, in the first prosecution by the Financial Conduct Authority (‘FCA’) under ‘new money laundering regulations’. And yet, for those who follow the glacial development of UK prosecutors’ attempts to change the basis for corporate entities’ liability for economic crimes, this would seem an incongruous result – hinting, perhaps, that the laws they seek are already on the statute book. So, are the offences to which the bank has pleaded guilty either ‘new’ or fairly characterised as a ‘failure to prevent’?
The starting point (under Tesco v Nattrass  UK HL 1) is that banks, like other companies, can generally be guilty of offences in UK law only via their ‘directing minds’ – typically, someone at board level – at least, where the offence in question involves a ‘fault’ element, such as intention or recklessness. In the principal money laundering offences in the Proceeds of Crime Act 2002 (‘POCA’), that fault element is buried in the definition of ‘criminal property’, in that the person accused must either know or suspect that the money (or other property) they are dealing with represents the proceeds of crime, a low but subjective threshold. A set of ‘failure to disclose’ (report) offences applies to persons working in the ‘regulated sector’ (such as at banks), and can be committed where they have ‘reasonable grounds for suspecting’ that another person (such as their customer) is money laundering (an objective test).
The obligations of the banks
These are not, however, the offences to which NatWest has pleaded guilty. Rather, it has confessed to breaches of the more prosaic, regulatory obligations under the 2007 iteration of the UK’s Money-Laundering Regulations (‘MLRs’), which transposed the third of the EU’s money laundering directives (‘MLDs’). The scheme of the EU-wide MLDs was and is to require regulated bodies to carry out customer due diligence (‘CDD’), both at the outset of the relationship (as reflected in Regulation 7 of the 2007 MLRs) and on an ongoing basis (Regulation 8), with those procedures sometimes required to be ‘enhanced’ (Regulation 14). The rationale of the MLDs was and is to detect, discourage, displace, and disrupt the misuse of financial and other institutions, protecting the integrity of the EU’s single market, by way of administrative obligations.
At the UK level, the MLRs made breaches of those obligations a criminal offence, for which regulated businesses – including companies – could be convicted and fined without an additional ‘fault’ element (although individual officers of a convicted company could also be guilty if the offence involved their ‘consent, connivance and neglect’ (Regulation 47)). But they also gave supervisors – in the banks’ case, the FCA – powers to deal with such breaches by way of civil procedures and penalties. The fact that these powers have previously been the default is the reason why we have only now seen the first prosecution under the MLRs.
Failure to prevent… what?
Importantly, neither a prosecution nor a regulatory intervention for breach of the MLRs requires any admission or proof that any underlying customer has committed a principal money laundering offence in POCA (or, indeed, that anyone has ‘failed to disclose’ such an offence) – even based on an inference from the way funds are handled, using the precedent of R v Anwoir  EWCA Crim 1354. In that respect, they are different from the corporate ‘failure to prevent’ offence in Section 7 of the Bribery Act 2010, which makes a company liable for bribes paid by an ‘associated person’, subject to a defence that it had ‘adequate procedures’ to prevent such activity.
The Section 7 offence has been the basis of several Deferred Prosecution Agreements (‘DPAs’) in recent years, in which companies have (in effect) made admissions to the Serious Fraud Office (‘SFO’) about the guilt of ‘associated persons’, as well as their own lack of ‘adequate procedures’, and accepted financial and other penalties as a result. The fact that the ‘associated persons’ are conspicuous by their absence, despite their guilt being an essential ingredient of the offence, has been a controversial aspect of the DPA scheme.
So, what did NatWest do (or not do) in this case? The customer involved was Fowler Oldfield, a jeweller and gold dealer based in Bradford, who in 2012 had told the bank that it expected a turnover of £15m a year, and that it would not make any cash deposits. While no criticism seems to be made about the bank’s initial CDD under Regulation 7, it then failed to institute ongoing monitoring under Regulation 8, or to conduct enhanced CDD as it should have done under Regulation 14 in later years. Between 2013 and 2016 the business deposited £365m, including £264m in cash (on occasion, £1.8m in a single day), at which point, a police raid effectively shut the business down.
The extent of individuals’ involvement in money laundering in this case remains unclear. While the fact that no officers of NatWest were identified for prosecution under Regulation 47 is unsurprising, the reported lack of any disciplinary action against individuals within the bank is perhaps more notable, suggesting a serious institutional failure rather than a personal one. As for Fowler Oldfield itself, while a handful of couriers have been convicted, the outcome of prosecutions against others is still awaited at the time of writing.
So, while it may appear from the headlines about its cash-based activities that money laundering did take place, and NatWest is not in a position to gainsay that for the time being, it is important to note that the FCA did not have to prove that any offence under POCA occurred. Nevertheless, the MLRs provided a route to prosecute NatWest for its failure in ongoing monitoring with respect to this customer.
Policy choices and opt-outs
Interestingly, while both NatWest and those associated with Fowler Oldfield were being investigated, the UK government was navigating its turbulent exit from the EU’s legal system, and quietly opting out of the latter’s latest MLD, which requires member states to have a corporate offence of money laundering. In doing so, it was able to cite the combination of ‘failure to disclose’ offences for the regulated sector under POCA, and their obligations under the MLRs (which were meanwhile replaced by their current, 2017 equivalent), which can certainly be characterised as putting an onus on those businesses to prevent money laundering activity, underpinned by criminal penalties.
Simultaneously, however, it was also exploring options for making corporates more generally (that is, not only within the regulated sector) liable for economic crimes of their personnel, including money laundering, with options including a new law to override Tesco v Nattrass, or a new offence or offences using Section 7 of the Bribery Act as a template. In other words, the very offence that the government had told the EU that it did not need to implement was in its sights as a potential reform. So, is it happy with its corporate money laundering offences, or not?
Sanctions: a comparison
Freed from the obligation to transpose the EU’s MLDs, the UK’s power to amend or replace its MLRs is now contained in the Sanctions and Anti-Money Laundering Act 2018 (‘SAMLA’). Notably, sanctions regulations made under SAMLA impose liability for conducting activity in breach of sanctions (often, simply handling funds) while having ‘reasonable cause to suspect’ that this is so, and companies (invariably banks) can be, and have been, made subject to civil penalties on that basis. (The regulations also impose reporting obligations on the regulated sector, while it is the FCA’s role to ensure procedures to detect and prevent sanctions breaches are in place; indeed, it has imposed fines for a lack of such procedures at NatWest.)
SAMLA does not appear to enable similar provisions to be introduced into future versions of the MLRs; nor, in the Law Commission’s recent Discussion Paper on corporate criminal liability, is there any discussion on an equivalent basis of corporate liability for the principal money laundering offences in POCA. The distinction in UK law between money laundering (which requires subjective suspicion as a minimum) and sanctions breaches (which require only ‘reasonable cause to suspect’, and so can be more easily attributed to companies) is far from obvious, and may simply reflect the involvement of different enforcement agencies and policy-makers at different times.
The FCA is undoubtedly benefiting from the impression that it is (finally) ‘getting tough’ on banks’ role in connection with money laundering, and the scale of the activity by Fowler Oldfield (together with its role in a police investigation) doubtless justifies its decision to deal with this case via a criminal rather than a regulatory route (it does not, unlike the SFO, have the power to agree a DPA). Counter-intuitively, that decision is unlikely to have an impact on the financial penalty (whose basis of calculation would, broadly speaking, be the same), and removes various other options (such as the imposition of a monitor, or restrictions on future business) that might otherwise have been available. Putting a bank through the ignominy of a criminal court procedure is a declaratory rather than a functional act, sending a message about the seriousness of its obligations under the MLRs. It is, and is likely to remain, a rare occurrence.
Is it wise, however, to present this case in terms of ‘failure to prevent’? On the facts, it might seem clear enough that, had NatWest complied with the MLRs properly, large quantities of cash would not have been deposited with it by Fowler Oldfield without explanation. While we might infer (as in Anwoir) that the provenance of cash was criminal, we do not yet know enough about the circumstances to say for certain where it came from, or to hypothesise about what would have happened had NatWest refreshed and enhanced its CDD on the business as required, made a disclosure about it under POCA, and/or turned away its custom. Unless the timing of a disclosure is such that funds can be subject to freezing and forfeiture, the idea that a bank might prevent (as opposed to detect, discourage, displace or disrupt) money laundering is arguably naïve in any event.
Bribery: another comparison
A comparison with the offence under Section 7 of the Bribery Act is instructive. Here, it is the customer who is the equivalent of the ‘associated person’: an important difference, as the former will act in his or its own interests, while the latter may act on the company’s behalf. Rather than make the bank liable for the actions of that customer, subject to a defence of ‘adequate procedures’, the MLRs make it mandatory to put procedures in place, and allow the bank to be prosecuted for failing to do so.
What the customer has or has not done is not an ingredient of the offence, although of course it may have an effect when deciding on the bank’s sentence. Nor is the case about what the bank has done, but about what it has failed to do. This might be considered somewhat ironic, in circumstances where (in contrast to the corporate whose associated person has paid a bribe, which may not have done anything at all, on an institutional level) it provided the customer with a valuable service, handling its monies over a period of years in a way that turned (hypothetically) ‘dirty’ cash into apparently ‘clean’ funds. But ultimately, it may suit neither the FCA nor NatWest in this case to make any distinction of this type between the two regimes.
No cause for complacency
What we should not do is allow the facts of this case to encourage complacency that the basis of corporate liability for money laundering in UK law is either clear or settled, or that it can be straightforwardly equated with the equivalents in bribery or sanctions offences. Rather, the truth is that UK law in these areas has evolved piecemeal over the years, with the scheme of POCA and the MLRs staying relatively static, while debates and reforms in other areas of economic crime, not to mention the EU’s approach to MLDs, have swirled around it. While the practice of prosecuting a bank for not having procedures under the MLRs is certainly novel, it is worth emphasising that the laws involved have been in place for decades, and there is a reasonable argument that they are already past their sell-by date.
Ultimately, the question for policy-makers – indeed, for society as a whole – is to what extent we want to make companies, including those that provide access to the financial system, play a role in preventing financial crime. For decades, the answer for money laundering has been that we require strict procedures, but usually deal with failures civilly. This case is unlikely to change that, but it provides an opportunity to look at our answer again, and compare it with current thinking in the EU (which remains the source of our system, notwithstanding our exit from it), and our markedly different answers for bribery and sanctions offences. Whether we choose to call this case a ‘failure to prevent’ or not, perhaps the better question is whether we ought to see it more straightforwardly as a corporate money laundering offence – and if not, is there a good reason why not?