In 2022, we issued a legal update on the case of
Tam Sze Leung & Anor v Commissioner of Police [2021] HKCFI 3118 (the
CFI Decision), where the Court of First instance (
CFI) held that the longstanding practice of the use of “Letters of No Consent” (
LNCs) by the Police to informally “freeze” suspicious bank accounts (the
No Consent Regime) is unlawful (see
here). As we predicted, the CFI Decision has been challenged by the Commissioner of the Police (the
Commissioner) and has now been overturned by the Court of Appeal in [2023] HKCA 537.
Background
The No Consent Regime has long been relied on by cybercrime victims such that they can have the relevant bank accounts suspended while seeking recourse for recovery of the lost funds. The basis of the No Consent Regime lies in section 25 and section 25A of the Organized and Serious Crimes Ordinance (Cap.455) (OSCO), and has been helpful to cybercrime victims, especially where the sums involved may be relatively modest and civil recovery routes may not be cost-effective.
Such a regime was held to be unconstitutional in the CFI Decision, where the CFI held that the No Consent Regime is ultra vires, not prescribed by law, and amounts to disproportionate interference with property rights as enshrined under the Basic Law, as no effective safeguards or limitations are in place against possible abuse of the regime despite its legitimate aim of deterring criminal activity1.
The Appeal
The CA disagreed with the CFI Decision and held in favour of the Commissioner on the following grounds:
Not ultra vires
Looking at sections 25 and 25A of OSCO, the CA came to the view that it is incorrect to assume that the Police have an enforceable asset-freezing power under these provisions. To determine whether the Commissioner has acted ultra vires, the correct approach would be to focus on what powers exist for the Commissioner, and whether the steps taken by the Commissioner fell within or outside these powers.
In Tam Sze Leung, the Police (i) sent emails to the three banks (out of four) to alert them of potential money laundering offences, (ii) requested suspicious transaction reports (STRs) to be filed by the banks, and (iii) issued LNCs following the banks’ submission of STRs:
(a) Sending emails to the banks and requesting STRs to be filed: As it is the Police’s duty to take all steps necessary for crime prevention, it must have “power to alert financial institutions to potential money laundering offences by informing them of suspicions arising from the police’s own investigations” (§63) and to “request or recommend compliance with these provisions” (§69), provided that these powers are not exercised in bad faith or irrationally.
(b) Issuance of LNCs: Since sections 25 and 25A expressly provide for an authorized officer to give consent, the statutes must “necessarily [imply] a power to withhold or refuse consent” (§64). Accordingly, it cannot be ultra vires for the Police to inform the bank via LNCs that they do not have the Police’s consent to deal further with the funds in the concerned accounts, regardless of whether it was the Police who alerted the banks of the suspicious circumstances in the first place.
If no consent is given by an authorized officer for the banks to deal with the accounts, the banks lose protection under sections 25 and 25A and are potentially exposed to criminal liability should they decide to deal with the funds in the accounts. The banks, who have “immediate control of its [customers’] funds” (§54), therefore make a conscious decision not to comply with its customer’s instructions to avoid violation of sections 25 and 25A of the OSCO, and in such case, the “freeze” is initiated and maintained by the banks instead of as a result of compulsion by the Police.
No improper purpose
Adopting the same reasons, the CA dismissed the Applicant’s alternative argument that the LNCs were issued for the improper purpose of securing an “informal, unregulated asset freeze” (§73) such that the issuance was ultra vires. Instead, the issuing of the LNCs was to prevent dissipation of property when police investigation was ongoing, and it was not suggested by the Applicant that there was no reasonable suspicion for the Police to exercise its power to refuse consent in the present case.
Prescribed by law
As to the contention that section 25A does not adequately indicate the scope of power of the Police to issue LNCs or the manner in which it is to be exercised, the CA observed that there are principles laid down in the Police’s Force Procedure Manual (Manual) (§10 and §87):
(a) LNCs are issued where it is necessary, proportionate and reasonable;
(b) Best endeavours are to be made to obtain a restraint order or confiscation order as soon as practicable;
(c) Monthly reviews are to be conducted by the Superintendent of the Joint Financial Intelligence Unit and after 3 months, by the Formation Commander; and
(d) The LNC should normally last no more than 6 months unless there are exceptional circumstances.
“[S]ufficient constraints” are also in place “to guard against arbitrary or capricious refusal”, for example, by way of judicial review of the Police’s decision, civil action against the banks, together with the court’s power to award compensation in certain circumstances under sections 29(4) – (6) of OSCO (§91 – §96).
Not disproportionate
The CA also revisited the case of Interush Ltd v. Commission of Police [2019] HKCA 70, where sections 25 and 25A OSCO and the No Consent Regime were held to be “no more than necessary for the legitimate purpose and societal benefit of anti-money laundering”, as they are “part and parcel of the measures used to combat organized crime in money laundering” (§6.50), with the objective to “[deter] criminal activity by restricting access to the process of crime” (§6.39). In light of doctrine of precedent, the CA is of the view that Interush is binding authority and sees no reason to depart from the authority in this case.
Significance for cybercrime victims
With the Court of Appeal’s judgment, cybercrime victims can again take comfort from the No Consent Regime while exploring other possible recourses for recovery of funds with their legal representatives, for example, obtaining injunction orders and/or commencing civil proceedings against the fraudsters. That said, in light of the general principle in the Manual that an LNC should normally last no more than 6 months unless there are exceptional circumstances, cybercrime victims should take immediate actions without delay to ensure that the transferred funds are not dissipated following the lifting of LNCs.
Implications for banks
Since the CA has repeatedly clarified in this judgment that any “freeze” or suspension over accounts is maintained by banks in exercising their contractual rights (pursuant to terms and conditions provided under the relevant banking contracts with their customers), banks should review their terms and conditions to ensure that they are entitled to suspend accounts contractually. In addition, banks should also be reminded to carry out their own investigations when they suspect that any funds in the account may represent proceeds of crime, instead of solely relying on the LNCs issued by the Police. Ultimately, whether to suspend an account is a decision for the bank itself as confirmed in this CA judgment, and failure to do so might expose banks to potential claims by account holders for wrongfully freezing the accounts.