Recent data from the Financial Conduct Authority (FCA) sheds light on whistleblowing reports that the regulator has received about firms' anti-money laundering (AML) controls.
UK Whistleblowing Reports
The data, obtained by consultancy firm Accuracy via a Freedom of Information request, reportedly shows that over the past five years, employees at finance firms have submitted 141 whistleblowing reports relating to AML to the FCA. The data also shows that, during this period, the number of AML whistleblowing reports has declined. In the 2021 to 2022 period, which is the most recent period reported on, nine reports were made; down from 25 reports made the previous year and the peak of 45 reports in the 2018 to 2019 period.
Notwithstanding this decline, the total number of reports over this period remains significant and shows that the regulator's concerns about how firms are handling AML risks are being echoed by those closest to the action.
What we do not know from this data is how many of these reports resulted in investigations by the FCA, the specific nature of the tips, or whether whistleblowers had first taken their concerns to the relevant firms before reporting to the regulator.
But, with the additional pressures of a U.S. whistleblower law that provides monetary incentive to tipsters, including UK-based employees, we anticipate that more AML whistleblower reports will be made in the coming years. To address this emerging risk, firms should consider reviewing their policies and procedures to, among other things, ensure that they have proper internal processes in place to encourage, receive, and act quickly on internal reports.
AML as a Priority for the FCA
The decline in AML whistleblowing reports made to the FCA does not appear to be representative of a significantly improved culture of AML compliance or a lighter touch from the regulator on AML issues.
In May 2021, the FCA published a "Dear CEO" letter in which it set out a number of common AML failings it had identified and made clear that it would pursue enforcement action where appropriate. Since that letter was published, the FCA has made good on its promise. In 2022, the FCA issued its largest fine for these alleged failings when it imposed a penalty of £107.8 million on Santander UK PLC for "serious and persistent" gaps in AML controls across its banking operations. This was followed by a £7.6 million fine assessed on Guaranty Trust Bank (UK) Ltd and a £4 million fine assessed on Al Rayan Bank PLC, both resulting from AML failings.
There are no signs of the FCA slowing down in terms of enforcement. In its 2023/2024 business plan the FCA said it intends to lower incidences of money laundering by increasing proactive assessments of AML controls. Alongside this, the FCA is also enhancing its enforcement capabilities across the board. As such, it seems that the FCA has an increased appetite, and soon will have an enhanced ability, to take enforcement action against firms whose AML controls are found to be lacking.
Firms should also be aware of potential changes on the horizon in the whistleblowing space. The UK government recently announced a review of the country's whistleblowing framework, and it is anticipated that reforms may be implemented to bring UK legislation more in line with the new EU Whistleblowing Directive, which offers enhanced protections to whistleblowers. Additionally, an Office of the Whistleblower is being mooted, to bring the UK in line with other jurisdictions, such as the U.S. (as described below). The outcome of the review is due later this year and, if these reforms are implemented, more employees who are uncomfortable with the way in which their employers are handing AML compliance may be encouraged and empowered (and in the case of U.S. regulators, monetarily incentivized) to speak out.
Lessons to Be Learned
The combination of the newly published whistleblowing figures, the FCA's restated focus on AML, and the looming prospect of whistleblowing reforms should serve as a cue for firms to review their AML policies and controls to ensure compliance with relevant regulations.
As a starting point, firms may wish to consider some of the areas of concern noted in the FCA's "Dear CEO" letter, which included generic customer risk assessments, inadequate customer due diligence measures, and improper implementation of processes for handing Suspicious Activity Reports. The two fines issued by the FCA this year also highlight areas for consideration. The FCA found that Guaranty Trust Bank (UK) had failed to act on numerous internal and external reviews which showed continued weaknesses in the bank's AML controls. For example, the FCA found that Guaranty Trust Bank (UK) failed to adequately document customer risk assessments, resulting in a lack of transparency as to how specific customer risk ratings had been determined. This was despite the fact that this issue had been raised previously, including by the FCA, an external consultant, and the bank's compliance function. Al Rayan Bank PLC's breaches included the failure to implement appropriate procedures for handling cash deposits and the failure to train staff on whether cash transactions should be accepted if source-of-funds information was not provided, despite the bank identifying that cash transactions presented a high risk of financial crime. For onboarding purposes, Al Rayan Bank PLC also relied on due diligence carried out by financial institutions based in the Gulf states, where the bank was aware that such due diligence would not meet the standards required under UK regulations. It is notable that a common factor in both cases was that the issues had been flagged previously, by people both inside and outside the organization, but the banks had not taken appropriate remedial action.
Not only should firms be reviewing their AML obligations and best practices, but they should also ensure that they have in place appropriate whistleblowing procedures to handle and address any concerns raised, from either internal or external sources. Training should be given to ensure that managers know how to approach disclosures and that retaliation against whistleblowers is unacceptable. The aim of any firm should be that a whistleblower can report their concerns to the firm and that these are adequately dealt with, without the tipster feeling the need to refer the matter to the regulator.
Developments for AML Compliance and Whistleblowing in the U.S.
For many companies, whistleblowing developments in the UK will not be their only concern, as the U.S. has also been making strides with respect to establishing its own AML whistleblower program. In 2021, Congress passed the Anti-Money Laundering Act (AMLA), which increased financial rewards for individuals who blow the whistle on potential anti-money laundering and sanctions violations and made numerous other enhancements to the U.S. AML laws. Specifically, the whistleblower provisions of the AMLA provide that any person who reports original information relating to a violation of anti-money laundering laws to: (1) an employer; (2) the Secretary of the Treasury; or (3) the Attorney General, which results in a monetary sanction of over US$1 million, may be eligible for a financial reward. The amount of the financial reward will be between 10% and 30% of the monetary sanction collected and will depend on a number of factors, including the significance of the information and the degree of assistance provided. The U.S. Congress then further enhanced this new program by establishing a fund to pay awards and, significantly, expanding the program to cover violations of U.S. sanctions laws and regulations.
In addition to these specific AML provisions, recent years have seen the U.S. Securities and Exchange Commission (SEC) make changes intended to provide greater incentives for whistleblowers. For example, in 2020 the SEC implemented a presumption of awarding the statutory maximum for whistleblowers who provide information that results in a sanction of US$5 million or less and broadened the scenarios in which whistleblowers may receive financial rewards to include deferred prosecution agreements, non-prosecution agreements, and settlement agreements.
In its most recent Annual Report, the SEC reported that it has paid whistleblower awards to individuals on six different continents, and the UK is always in the top three countries from which it receives whistleblower tips. The SEC recently made a record-breaking award of US$279 million to a single whistleblower, news of which will surely cause a wider international awareness of this U.S. program. The SEC has increased its supervision and enforcement in the AML arena bringing several settled actions in recent years. Because of the industry attention to the AMLA whistleblower program, we suspect that the SEC and other U.S. agencies will continue receiving AML-related tips this year, which could bolster their enforcement efforts.
U.S. regulators have been quick to point out the significance of these whistleblower programs. In April of this year, the Acting Director of the Financial Crimes Enforcement Network (FinCEN), who is charged with establishing the AML whistleblower program, testified that the new whistleblower program could be "a force-multiplier" for the entire federal government — most notably, the DOJ and the Department of the Treasury's Office of Foreign Assets Control (OFAC) — and a powerful tool for holding financial institutions accountable for violations of the BSA and economic sanctions.
The supervisory and enforcement focus on AML compliance in the financial services arena continues in both the UK and U.S., and the success of and attention given to the various whistleblower programs will likely lead to an increase in potential investigative and enforcement activity. With further developments on the horizon in both the UK and the U.S., firms should take the opportunity to ensure they are well placed to comply with relevant regulations and manage any risks appropriately.
Arnold & Porter has extensive experience in advising on AML compliance and whistleblower matters in the U.S. and UK. In the U.S., Arnold & Porter has a leading Securities Enforcement Defense and Whistleblower Mitigation & Defense team, which includes Jane Norberg, who is the former SEC Chief of the Office of the Whistleblower. Arnold & Porter represents clients in defending against whistleblower actions, conducts internal investigations, and defends clients to the SEC, the FCA, and other regulatory and criminal authorities in both the U.S. and the UK.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.