Financial Crime Outlook: 2023 and beyond

Anti-Money Laundering

AML remains a key regulatory priority for the FCA and the Russian invasion of Ukraine last year brought the need to stymie the flow of illicit finance through the UK’s financial system to the forefront of the government’s and regulators’ minds even further. Firms must dedicate adequate resources to combatting money laundering to ensure they can meet their regulatory obligations in this area.

1. MLR update 

In our last outlook briefing, we noted that the proposed amendments to The Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) were due in 2022, which were aimed at taking into account the responses to HM Treasury’s Call for Evidence and consultation of 2021. In line with this, in June 2022, HM Treasury issued its response document to its consultation and the proposed changes to the MLRs set out in the response document were made through The Money Laundering, Terrorist Financing (Amendment) (No.2) Regulations 2022 (2022 Regulations) which were published in July 2022. The main changes are designed to ensure that the UK continues to meet international standards on AML and counter-terrorist financing (CTF), whilst also strengthening and clarifying how the UK’s AML regime operates. The 2022 Regulations come into force in stages, with the majority of the amendments having come into force on 1 September 2022. 

The key changes include: 

• The scope of the MLRs: The government has excluded Account Information Service Providers (AISPs) from the scope of the MLRs at this time. Bill Payment Service Providers (BPSPs), Telecom, Digital, and IT Payment Service Providers (TDITPSPs) and Payment Initiation Service Providers (PISPs) remain within the scope of the MLRs. 
• Suspicious Activity Reports (SARs): The MLRs are amended to include a provision which grants AML / CTF supervisors’ legal permission to directly access and view the content of SARs submitted by their supervised firms upon request.
• Proliferation Financing Risk Assessment: To align with international standards, the MLRs are amended to require financial institutions and designated non-financial businesses and professions (Relevant Persons) to perform a risk assessment which identifies, and assesses the risks of potential breaches, non-implementation or evasion of the targeted financial sanctions related to proliferation financing (PF). In addition, the Relevant Persons will be required to take appropriate steps to identify, assess and take effective action to mitigate the risks posed by PF. This would include requiring the Relevant Persons to establish and maintain policies, controls and procedures to mitigate and manage such risks effectively. HM Treasury have also included the Financial Action Task Force (FATF) definition of PF within the MLRs.
• Reporting Discrepancies: To further enhance the accuracy and reliability of company registers, the government has expanded the scope of the discrepancy reporting requirement by introducing an ongoing requirement to report ‘material’ discrepancies in beneficial ownership information that a Relevant Person becomes aware of. Material discrepancies include incorrect names, correspondence address, date of birth, nationality and incomplete or incorrect entries for a beneficial owner, person of significant control or an entity listed on the new public ‘Register of Overseas Entities’. These obligations come into force on the 1 April 2023 to take into account the wider Companies House reforms taking place.  
• Information Sharing & Gathering: The MLRs are amended to:
  • make minor changes to improve the effectiveness of the intelligence and information sharing gateway to allow for reciprocal sharing between relevant authorities and supervisors; 
  • expand the list of ‘relevant authorities’ recognised in the MLRs to explicitly include other government agencies, such as Companies House; and
  • give further supervisory powers to the FCA to enable them to better supervise Annex 1 financial institutions.
• Transfers of cryptoassets: The MLRs are extended to include FAFT Recommendation 16, also known as the “travel rule”, which requires that countries ensure that financial institutions send and record information on the originator and beneficiary of a wire transfer exceeding GBP 1,000, and that this information remains with the transfer or related message throughout the payment chain. The FATF has confirmed that this would also apply to cryptoasset exchange providers and custodian wallet providers. The travel rule can be found in a new Part 7A of the MLRs.  
  
  There have been concerns on the practical implications of applying the travel rule to cryptoasset providers. The main concerns are in relation to the suitability of the terminology used in FATF Recommendation 16, and the process of transferring cryptoassets being significantly different to the transfer of funds thereby increasing costs for cryptoasset firms to do business. HM Treasury made efforts to address these concerns by amending the MLRs to include provisions specific to cryptoasset providers and by granting a 12-month grace period for such providers to implement technological solutions to ensure compliance with the new requirements. The grace period runs from the 1 September 2022 and therefore it is imperative that relevant firms are in full compliance with the travel rule by 1 September 2023. 
• Unhosted wallets: The MLRs include a requirement for cryptoasset businesses to collect beneficiary and originator information for unhosted wallet transfers on a risk sensitive basis only. This would require a cryptoasset business to make a determination on whether there is an elevated risk of illicit finance in each transaction (with guidance on the minimum factors that firms should consider when making such a determination set out in the MLRs). 
• Acquirers of cryptoasset firms: The MLRs are amended to require proposed acquirers of cryptoasset firms to notify the FCA ahead of such acquisitions. This would enable the FCA to undertake a fit and proper assessment of the acquirer and allow it to object to such acquisition before it takes place and cancel registration of the firm being acquired (if required).

2. Proceeds of Crime Act 2002

From 5 January 2023 the threshold amount in section 339A of the Proceeds of Crime Act 2002 (POCA), which sets out the threshold for a bank or similar firm to be able to carry out a transaction in operating an account for its customer without committing a money laundering offence, has been increased from £250 to £1,000. The government states in its explanatory memorandum that the change aims to improve the SAR regime and “free up law enforcement resource to focus on opportunities that lead to asset seizure and deliver cost savings to the regulated sector”.   

3. Economic Crime and Corporate Transparency Bill 

The Economic Crime (Transparency and Enforcement) Act 2022 (ECA) received Royal Assent on 15 March 2022. The ECA made a number of reforms including establishing a Register of Overseas Entities to help crack down on foreign criminals using UK property to launder money and reforming and strengthening the UK’s Unexplained Wealth Order regime to better support law enforcement and investigations. Our note on the key components of the ECA can be found here.

Following on from the ECA, further enhancements targeting financial crime are expected through the Economic Crime and Corporate Transparency Bill (ECTB). Amongst other things, the ECTB includes provisions for: 

• Inter-firm information sharing: The ECTB proposes further exemptions to the MLRs to allow firms to make direct disclosures to other firms regarding existing or former customers for the purpose of preventing, detecting and investigating financial crime. 
• New powers for law enforcement: The ECTB proposes to amend POCA to allow for law enforcement to obtain information before the submission of a SAR to tackle money laundering and terrorist financing from persons carrying on business in the regulated sector. Additionally, the Bill provides powers for law enforcement to seize, freeze and recover cryptoassets which are found or suspected to be the proceeds of criminal activity. 
• Wider powers for the Serious Fraud Office (SFO): The ECTB proposes to grant the SFO new pre-investigation powers to be used in all potential SFO cases before a formal investigation has been opened. This would go beyond the current pre-investigation powers already granted to the SFO in the Criminal Justice Act 1988 for cases related to international bribery and corruption. 
• Further revisions to the Companies House framework: the ECTB proposals in relation to the wider Companies House reforms include, amongst other things: 
  • an identity-verification process for persons delivering information to the Registrar, including company directors, secretaries and persons with significant control; 
  • enhanced investigation and enforcement powers for the Registrar to reject or remove information and cross check data with other public and private sector bodies;
  • proactive information sharing with law enforcement where suspicious filings are detected; and 
  • enhanced protection of personal information provided to Companies House to protect individuals from becoming victims of financial crime. 

Currently, the above are proposals and the ECTB is being considered in Parliament. Until finalised, we will not know which elements will come into force and which will not.

4. Register of Overseas Entities

The Register of Overseas Entities (Verification and Provision of Information) (Amendment) Regulations 2022 (Amendment Regulations) came into force on 12 January 2023. The Amendment Regulations address practical difficulties that were identified in the verification regime set out in section 16 ECA. 

The Amendment Regulations provide for, amongst other things: 

• an exemption for certain information being verified which include government or public authorities, beneficiaries of certain pension trusts and in relation to updating entries and applications for removal, where the information has already been verified; 
• a different process of verification for beneficial ownership information compared to other information; and 
• expanding the scope of the information which must be retained by a ‘relevant person’ (as defined in section 3 of the Amendment Regulations). 

5. Second Economic Crime Plan

The UK government’s second Economic Crime Plan was scheduled for publication in September 2022 but is now expected to be available in spring 2023. The plan is anticipated to include an enhanced policing response to guard against the threat of economic crime amid growing concern on the escalating levels of fraud and money laundering in 2022. 

6. Sanctions 

Sanctions compliance continues to be a key priority for firms. As highlighted in our blog, in February 2022, the FCA published a new webpage concerning its expectations of firms in light of the UK’s sanctions on Russia. This has since been updated to include additional measures being taken against Belarus. The key message from the FCA remains that it expects firms to have established systems and controls to counter the risk that they might be used to further financial crime and this includes compliance with financial sanctions obligations. 

Firms need to understand their sanctions exposure by considering what sectoral sanctions might be relevant, screening clients/ counterparties against the Office of Financial Sanctions Implementation’s Consolidated List and understanding if there are any sanctioned entities in the holding structure which may impact the sanctioned status of their clients/ counterparties. Firms need systems and controls to carry out this assessment on an ongoing basis. The introduction of the ECA adds further complexity for firms when assessing their sanctions compliance and exposure which is covered in more detail here. 

For further updates in this area please see our Beyond Sanctions resource hub. 

7. Continuing enforcement focus on AML systems and controls

In terms of enforcement action, there have been a number of notable FCA enforcement decisions relating to AML over the last 12 months and we expect this to remain a key area of enforcement focus for the FCA for the rest of this year. AML investigations by a regulator are often complex because they are rarely transactional and require a systemic understanding of how a firm operates, its governance controls, cultural habits and the nuts and bolts of sometimes opaque systems. As a result, any AML investigation by the FCA is likely to be intrusive, not to mention costly, and so firms should look to learn lessons from previous enforcement actions to improve their own systems and controls. Some of the lessons learned from the cases include:  

• firms should not only comply with the requirements for combating AML and financial crime more broadly, including in relation to monitoring, but also be able to evidence this compliance with proper records – for example, maintaining evidence of consideration and discussion of financial crime and AML matters by management;
• firms must adequately train their compliance function, allowing sufficient time for training. The cases highlight the risks of using “off the shelf” AML e-learning courses that are not specific to a firm’s business, systems or processes; and
• there must be sufficient challenge, scrutiny and investigation in the face of warning signs of AML issues. For example, internal investigators must resist over-relying on explanations provided, including by relationship managers, and should instead look to probe these explanations, for example by seeking further information from internal or open sources about a client. In addition, any weaknesses identified in AML systems and controls must be promptly and comprehensively addressed. 

Market Abuse

Preventing, detecting and punishing market abuse remains a high priority for the FCA, which it sees as important in fulfilling its statutory objectives of protecting consumers, enhancing market integrity and promoting competition. As noted in its June 2022 update in this area, the aggregate picture from the FCA in relation to market abuse is one of increasing intensity, in which criminal prosecution is one of several strategies being used.

1. Surveillance

There has been a continued focus by the FCA on market abuse surveillance arrangements and it remains crucial that firms have effective arrangements, systems and procedures in place to detect and report suspicious activity, which should be appropriate and proportionate to the scale, size and nature of their business activities. In May 2022, the FCA published Market Watch 69 which discusses firms’ arrangements for market abuse surveillance, drawing on its observations from engaging with small and medium-sized firms. In it the FCA states that while the topics covered apply to all firms subject to surveillance requirements under Article 16(2) of the UK Market Abuse Regulation (UK MAR), they may also be particularly relevant for firms with less complex business models. Some of the key observations made by the FCA for firms to take into account include:  

• Market abuse risk assessments: Some firms consider market abuse as a single risk, whilst others conduct combined assessments to take into account other risks including market abuse.  Where firms do not consider the different types of market abuse risk applicable to their business models they are at risk of not being able to adequately identify or monitor market abuse. Firms should ensure they review and update their current arrangements as required to effectively capture and monitor potential market abuse situations. 
• Order and trade surveillance: Some firms use a common threshold in their alerts for order and trade surveillance and others were found to not monitor all trades and orders including cancelled and amended orders. Firms who use a common threshold are at risk of not effectively monitoring orders and trades due to differing thresholds across different asset classes. Firms are encouraged to utilise tailored calibration across asset classes to better improve their surveillance monitoring for orders and trades and to review their arrangements periodically to ensure such systems remain effective in spotting potential market abuse situations. 
• Policies and procedures: Some firms have policies and procedures that are vague or have limited detail on identifying and reviewing surveillance alerts to look for signs of market abuse. As a result of this, alerts may be closed rather than escalated. Firms should consider whether their current policies and procedures on surveillance alerts are adequate, and if not adequate, create more detailed guidance on how market abuse alerts should be dealt with. 
• Outsourcing: Firms are reminded to retain oversight of market abuse surveillance where such surveillance is outsourced. Adequate oversight over outsourced surveillance and governance arrangements is critical in ensuring compliance with the UK MAR. 
• Overreliance on front office staff: Some firms place reliance on front office staff to identify potential market abuse. This can lead to risks where suspicious activity may not be consistently identified and escalated. Firms should regularly review whether their market abuse training and escalation policies are effective and tailored to the risks different departments may face in regard to identifying market abuse situations. The FCA expects such training to include, amongst other things, guidance on the execution of trades where a client discloses pre-trade that they are in receipt of inside information and appropriate circumstances when to submit a STOR. 

2. Unlawful disclosure - areas of risk for issuers

In Primary Market Bulletin 42 (Bulletin), published in December 2022, the FCA looks at a number of points in relation to UK MAR that issuers and directors should be aware of. We have published a briefing covering the FCA’s discussion of areas that repeatedly crop up in enquiries by the Primary Market Oversight department and which it considers to present a particular risk of unlawful disclosure of inside information as well as its comments on shareholder engagement and on written policies and procedures for handling inside information. As noted in our briefing, the themes highlighted by the FCA are unsurprising, but they serve as an important reminder of areas in which to exercise particular vigilance in relation to disclosures.

3. EU regulatory framework for crypto-assets

Formal adoption of a first EU-wide legislation introducing a comprehensive anti-market abuse framework for the crypto-asset markets is expected later in 2023. The relevant rules are contained in a regulation on markets in crypto-assets (MiCA), which was agreed by European co-legislators in June 2022, and its formal approval and publication in the EU Official Journal is expected in Q2 2023. MiCA’s market abuse framework for crypto-assets will only apply to those crypto-assets that are admitted to trading on a trading platform for crypto-assets, or for which admission to trading on such trading platform has been made. That said, the relevant prohibitions will also apply to any transaction order or behaviours in relation to the crypto-assets in scope of the market abuse regime, taking place either in the EU or in a third-country, regardless whether or not such transaction, order or behaviour takes place on a trading platform. 

The basic structure of the MiCA regime for the prevention and prohibition of market abuse involving crypto-assets is not dissimilar to the regime applicable to financial instruments and as set out in Regulation (EU) 596/2014 on market abuse (MAR). Accordingly, MiCA defines “inside information” as it relates to crypto-assets, as well as introduces rules governing disclosure of inside information and prohibition of insider dealing. MiCA also prohibits market participants from engaging or attempting to engage in market manipulation and sets out examples of practices that would be considered market manipulation. Operators of MiCA-authorised trading venues for crypto-assets will have to have in place market surveillance systems and procedures to prevent and detect market abuse or attempted market abuse. MiCA will also require any person professionally arranging or executing transactions in crypto-assets to have in place effective systems, procedures and arrangements to monitor and detect market abuse, as well as to report suspicious orders and transactions to competent authorities. Further details regarding the relevant arrangements, systems and procedures, together with the reporting templates, will be set out in a secondary legislation. 

Once formally approved and published in the EU Official Journal, the framework will apply 18 months later, which is expected to be Q4 2024. It is worth noting that with recent market developments, the European regulators – both at national and EU level – are likely to apply closer scrutiny to activities in crypto-assets markets, with a particular focus on potential market abuse. 

In the UK, firms carrying activities in crypto-assets must be registered with the FCA and they must have in place appropriate systems and controls to prevent financial crime. On 1 February 2023, the government published its consultation on a broader set of regulations for the crypto-asset sector, which includes proposals for a cryptoassets market abuse regime based on elements of MAR. For further information regarding the consultation, please see our briefing here.

4. Continuing enforcement focus on market abuse

As with AML enforcement, there have been a number of enforcement actions by the FCA in relation to market abuse over the past year, including in relation to systems and controls failures in this area, as well as market manipulation and insider trading cases. We expect this area to continue to be an enforcement focus throughout 2023. Lessons learned from the cases in relation to market abuse systems and controls include:

• as important as having market abuse policies in place in the first instance, these need to be effectively communicated and monitored;
•  if as a firm you are changing your business, for example, expanding into new areas, an adequate risk assessment is key. That risk assessment needs to be sufficient to enable the firms’ directors to review and understand the regulatory requirements and market conduct risks associated with the new business activities, and to prepare accordingly; and
• effective board governance in relation to market abuse systems and controls is essential. For example, proper board minutes of meetings must be kept and should record, amongst other things, attendees, the matters discussed, and importantly - the nature of any challenges made and decisions reached, to demonstrate effective oversight of the relevant business by directors.

With regards to inside information, we have published a briefing in relation to the FCA Final Notice concerning Sir Christopher Gent, the former non-executive Chairman of a global medical products and technologies company who was fined £80,000 for unlawful disclosure of inside information in August 2022. As set out in our briefing, the FCA’s decision in this case contains a number of key takeaways that will be of interest to issuers, those who regularly have access to inside information and those who advise on the circumstances in which disclosures should be made by listed companies.

Artificial Intelligence and Machine Learning solutions for Financial Crime Compliance

Finally, artificial intelligence and machine learning (AI/ML) is increasingly being used by firms to improve the effectiveness of their financial crime compliance and risk management arrangements. In December 2022, the Wolfsberg Group (WG) published its guidance for firms using AI/ML in their financial crime compliance programmes. The guidance sets out five elements for firms to consider that would promote the ethical and responsible use of AI/ML. These are as follows: 

• Legitimate purpose: Firms should have a legitimate purpose for integrating AI/ML in their financial crime and risk management arrangements. They should understand and guard against the potential misuse or misrepresentation of data arising from such implementation. 
• Proportionate use: Firms should ensure that the data produced from AI/ML is proportionate to their legitimate financial crime compliance purpose. This includes assessing whether any potential financial crime risk outweighs any potential errors that may arise from implementing AI/ML into their financial crime and risk management arrangements. 
• Design and technical expertise: Firms should ensure they understand the design, implications, limitations and consequences of the AI/ML solution implemented into their financial crime and risk management arrangements. Senior managers should possess the requisite knowledge to be able to make an informed decision as to whether such technology should be used. Additionally, firms should ensure control of the AI/ML solution rests with those who possess the appropriate skills and knowledge and such solution is regularly tested, validated and re-configured as appropriate. 
• Accountability and oversight: Firms should train staff on the use of the AI/ML solution and retain oversight of the teams responsible for the design and technical implementation. A process should be established to allow teams to be challenged whenever necessary on the data arising from the AI/ML solution. 
• Openness and transparency: Firms should be transparent and open on their use of AI/ML in line with regulatory requirements. Additional precautions should be taken to ensure that implementation of the AI/ML solution does not facilitate evasion of a firm's financial crime regulatory responsibilities. 

Next steps for firms

Firms should consider any potential impact of the above developments on their business and adapt their risk and compliance frameworks as required to meet their legal and regulatory obligations. To assist with this, firms should continue to:

• conduct open communications with relevant regulators to ensure a clear understanding of any changes; 
• seek independent assurance where necessary to ensure an appropriate gap analysis has been carried out to effectively identify and act upon any new regulatory requirements; 
• allocate sufficient time and resources to properly understand any new money laundering or sanctions risks or market abuse threats on their business;
• re-educate staff on the changes and provide case studies and tailored examples; 
• assess if business wide and customer re-assessments require adjustment;
• ensure any communications regarding any material changes to the policies and procedures and systems and controls travel through the appropriate committee and governance structure so that senior management are attune to these changes; and
• ensure that their money laundering reporting officers and compliance officers keep pace with the changes by listening to podcasts, signing up to relevant briefings, attending seminars and webinars, and regularly speaking with advisors and industry bodies.