Navigating financial crime risks: The regulator's approach to suspicious activity reporting and the consequences of getting it wrong

Introduction

The risk of crypto-assets being used to further criminal activity is well recognised and considered a priority by authorities and industry alike. Various efforts are underway in a number of jurisdictions to address these risks. These efforts are important, not only to combat financial crime, but also to support the safe development of fintech and regtech initiatives and innovation.

In this four-part series the authors look at different jurisdictions' approaches to anti-money laundering (AML) and counter-terrorist financing (CTF) in the crypto sector to include insights on a number of areas, including:

• The triggers to the AML/CTF regime for crypto-asset businesses and what this involves, see part 1
• How financial institutions are approaching clients in the crypto sector, see part 2
• The regulator's approach to suspicious activity reporting and the consequences of getting it wrong
• The future crypto landscape including opportunities and challenges, see part 4

The series is aimed at both financial institutions that are interested in the future development of crypto businesses, those aiming to operate a crypto business, and existing providers of crypto products and services to navigate and manage financial crime risks.

Part 3: The regulator's approach to suspicious activity reporting and the consequences of getting it wrong

Suspicious activity reporting (SARs) should be a main area of focus for crypto-asset businesses when assessing the effectiveness of their AML/CTF systems and controls. The risks of crypto-assets being used to further criminal activity are well known and financial intelligence units (FIUs), regulators and government agencies continue to scrutinise SAR arrangements.

Given the ever-increasing regulatory focus on financial institutions in this area, this is often a core component which is used to assess the robustness of monitoring systems, the level of understanding of staff members, the thoroughness of the training provided as well as the overall culture and conduct of front office individuals.

The SAR requirement, however, differs across jurisdictions, which creates an interesting dynamic for crypto-asset businesses thatoperate cross border. One thing that is agreed, regardless of jurisdiction, the penalties can be severe if financial institutions get it wrong.

1. UK

In the UK, crypto-asset businesses are required to make SARs directly to the UK FIU, in this case the National Crime Agency (NCA), where they identify suspicious activity and there is reasonable ground to suspect that such activity is connected to the proceeds of crime. SARs are an important tool as a defence against committing a money laundering offence under the Proceeds of Crime Act 2002. However, over the last few years, questions have arisen around whether the SARs system is effective, specifically whether the system is being driven by firms conducting a defensive reporting strategy, especially when they are anxious about the possibility of enforcement from the regulators.

In particular, the nominated officers/money laundering reporting officers (MLROs) can find themselves criminally liable for money laundering offences and the fear of being criminalised is likely to encourage them to report defensively. This causes both the institution to take an extremely conservative and cautious approach when submitting SARs and the FIU being inundated with SARs and investigating them respectively. There is also a "tipping off" penalty for disclosing that a SAR was made or disclosing the contents of the SAR with the intent to prejudice a criminal investigation.

In May 2021, the Financial Conduct Authority's (FCA) " Dear CEO" letter, issued to retail banks in response to common control failings identified in AML frameworks, found instances where the process by which firms' employees can raise internal SARs to the nominated officer is either unclear, not well documented or not fully understood by staff. The FCA found that firms were often unable to adequately demonstrate this in their investigation and decision-making processes, and rationale for either reporting or not reporting SARs to the NCA. Firms were expected to complete a gap analysis against each of the common weaknesses the FCA had outlined in its letter.

2. Germany

In Germany, one of the main requirements of obliged entities under the German Money Laundering Act (GwG) is the reporting of suspicious transactions. An obliged entity must report its suspicions without undue delay if, inter alia, it discovers facts indicating thatan asset related to a business relationship or transaction originates from certain criminal acts. The reports must be submitted to the German FIU in electronic form. For this purpose, obliged entities have to register with the "goAML" portal set up by this authority. Violations of the reporting obligations may result in fines and, in certain cases, may even be punishable under the criminal offences relating to money laundering or terrorist financing.

3. United States

In the United States, SARs are of growing importance to the regulators. There has been a trend toward regulators having an expectancy on firms to provide detailed procedures around their processes of monitoring for red flags and conducting detailed and through reviews when red flags are found. The regulators are also interested in how firms determine when they should make a SAR and the level of detail and scope of the SARs that are actually filed. Regulators are also showing signs of expanding the scope of activities that could be considered to be red flags which therefore require review and monitoring. They are also increasing the use of enforcement actions for perceived failures with respect to a SARs process and the corresponding fines are becoming larger.

There is a requirement to submit SARs across the globe, albeit the reporting mechanism is triggered in different ways and to different extents. There is little indication that there will be any kind of uniformity in the way financial institutions are required to submit SARs to the FIUs across different jurisdictions. Yet there is a general consensus for FIUs to learn and improve the SAR reporting arrangements by adopting good practices established by FIUs in other countries, particularly where online and semi-automated reporting mechanisms are well established and effective in that country.

Perhaps the biggest hurdle that needs to be overcome is defensive reporting by firms, but given that in most cases this is driven by what may happen and the potentially severe consequences in the event something is missed, it is difficult to see this strategy changing anytime soon.

Irrespective of the way SARs are reported, the consequences of not submitting a SAR to the FIU are significant, as regulators have a wide range of tools at their disposal, including commencing an investigation, which is costly, time consuming and intrusive and can lead to the exercise of enforcement powers such as imposing significant fines and public censure.

In the next article, the authors will continue to look at cross jurisdictional perspectives, specifically looking at the future of the crypto-asset sector and the opportunities and challenges that could be faced by this sector. Please keep an eye out for the final part in this series, "Part 4: The future crypto landscape including opportunities and challenges".

Produced by Thomson Reuters Accelus Regulatory Intelligence