Banking Law and Regulation (1st edn)

Iris H-Y Chiu and Joanna Wilson
Printed from Oxford Law Trove. Under the terms of the licence agreement, an individual user may print out a single article for personal use (for details see Privacy Policy and Legal Notice).

14. Combatting financial crime

  • Iris Chiu, Professor of Company Law and Financial Regulation, University College London
  • and Joanna Wilson, Lecturer in Commercial Law, University of Sussex


This concluding chapter studies the regulation compelling banks and financial institutions to play an active part in combatting financial crime. Regulation takes two approaches: one is to enforce anti-money laundering law through banks and financial institutions; and the other approach is to enforce anti-money laundering law against them if they should be found to be complicit in transferring proceeds of crime. Under the first approach, regulation imposes duties on banks and financial institutions to act as gatekeepers to prevent money laundering from taking place and to identify such incidents so as to help regulators carry out enforcement. Under the second approach, banks and financial institutions may be punished for sometimes inadvertently becoming complicit in money laundering, and this provides a strong incentive for them to treat their gatekeeper roles seriously. The chapter then considers the regulatory duty of due diligence, financial intelligence reporting, and internal control and governance.

14.1 Introduction to regulation in anti-money laundering and terrorist financing

Banks and financial institutions are at the heart of money transmission. They process transactions for perfectly legitimate purposes, such as my purchase of a sofa using a debit card, or the payment of salary from employers’ accounts to their employees’ accounts. However, banks and financial institutions are also used by criminals to transfer illegally obtained monies or proceeds of crime. Further, the financing of terrorism also involves banks and financial institutions, as monies are transmitted, oftentimes internationally, for organising terrorist activities. Hence, regulation now compels banks and financial institutions to play an active part in combatting financial crime.

Regulation takes two approaches: one is to enforce anti-money laundering laws through banks and financial institutions; and the other approach is to enforce anti-money laundering laws against them if they should be found to be complicit in transferring proceeds of crime. Under the first approach, regulation imposes duties on banks and financial institutions to act as gatekeepers to prevent money laundering from taking place and to identify such incidents so as to help regulators carry out enforcement. Under the second approach, banks and financial institutions may be punished for sometimes inadvertently becoming complicit in money laundering, and this provides a strong incentive for them to treat their gatekeeper roles seriously.

Money laundering is a process by which monies of an illegal origin (either they have been obtained illegally or are the proceeds of other criminal activity, also known as ‘dirty money’) are made to appear legitimate or ‘clean’. Leong1 describes how money laundering is carried out in three stages: placing, layering and integration. ‘Placing’ involves putting monies of an illegal origin into the financial system, for example, by depositing into a bank account, by investment in financial instruments etc. Thereafter, such monies are ‘layered’, that is, moved, usually through a series of transactions involving different entities, different assets, and different jurisdictions, so as to sever any audit trail and hence make tracing their origins harder. Finally, the criminal is able to resume control of the monies free from any link to their criminal source, arriving at the point of ‘integration’. If dirty money is successfully placed and layered through the financial system, its legitimacy is considerably strengthened at the point of integration.

Anti-money laundering legislation is targeted at the processes of ‘placing’ and ‘layering’ in order to disrupt the money laundering process and apprehend the criminals concerned. It may be appreciated that the criminals involved in laundering dirty money may not be the same as the criminals involved in the crimes that give rise to the dirty money. However, money laundering is itself an offence, predicated upon the money or ‘proceeds’ involved being ‘proceeds of crime’. The crime of money laundering is set out in the UK Proceeds of Crime Act 2002.

14.1.1 The criminal offence of money laundering

It is stipulated to be a criminal offence for a person to conceal, have control of or facilitate another to have control of ‘criminal property’.2 If a person acquires, uses, or has possession of criminal property,3 such a person would commit the offence of money laundering. The above actus reus relates to control of criminal property and corresponds to the ‘placement’ stage above. Any person who facilitates the placement stage would commit the money laundering offence, that is, if a person becomes involved in or makes an arrangement to facilitate another to acquire, use, control or retain criminal property.4 The actus reus of ‘concealing’ includes all forms of attempt to hide the nature, source, location of or rights to the criminal property, such as disguising, converting, transferring and removing,5 which correspond to the layering stage.

First, for money laundering to be proved, one needs to establish that the property subject to the alleged actus reus above is indeed ‘criminal property’. In R v Loizou,6 the police descended on a group exchanging money in the sum of £80,000 in a car park. The individuals involved were charged with the offence of money laundering under s327 of the Proceeds of Crime Act involving the ‘transfer’ of criminal property. The defendants argued that the offence could only be proved if the property was indeed criminal property, which meant that the property was either illegally obtained or constituted the proceeds of crime. It turned out that the money was to be used for payment for illegally imported cigarettes, but the illegal importation had not happened when the police disrupted the exchange in the car park. Hence there was no primary offence of illegal importation of cigarettes for the relevant money laundering offence to be based upon. The defendants were found not guilty as at the point of exchange, no criminal property was transferred.

However, this does not mean that a money laundering offence can only be made out if it were incontrovertibly proved that the property involved is ‘criminal property’. This is because s328 can be used to impose liability upon a person for being involved in the actus reus despite having a ‘suspicion’ of money laundering. In other words, a person can become criminally liable for failing to deal with ‘suspicion’ of money laundering (in the manner permitted under law as will be elaborated upon below) and becoming involved in the actus reus. This position may be attributed to the public interest in preventing and dis-incentivising people from assisting the processes of money laundering. Further, the need to prove that a crime in relation to the property has already occurred may be unduly onerous. Hence, the Terrorism Act 2000 takes a wider approach towards criminalising individuals involved in arrangements that facilitate the control or retention of terrorist property by concealment, transfer, removal, or other forms of transactions.7 ‘Terrorist property’ includes monies or property likely to be used for acts of terrorism.8 In this manner, terrorist financing is criminalised whether or not acts of terrorism are indeed carried out.

The raison d’etre for combatting money laundering lies in ‘taking the profit out of the crime’. If criminal activity is penalised in terms of the removal of profits associated with it, the incentives to commit crimes, especially organised crimes such as illegal drug dealing or systemic corruption, may be reduced. Targeting the proceeds of crime may also reduce the financing of further crimes, especially terrorist activities. Besides its deterrent purposes, policymakers support anti-money laundering laws as they contribute to the perception of integrity in financial systems and markets, that they are not used for the purposes of placement and layering by criminals. The maintenance of sound reputation in a country’s financial systems and markets helps to promote genuine financial flows for economic activity. Further, the reduction of money laundering activity in an economy helps to reduce distortions in an economy. If dirty money is used to finance activities such as the purchase of residential property, then property prices may inflate to the disadvantage of genuine buyers due to the flooding in and purchasing power of ‘dirty money’. Stemming ‘dirty money’ reduces distortions in the prices of real estate and luxury goods, and sustains an economy for legitimate activities that can be properly financed.

Although the Act targets all persons involved in money laundering, such as criminal associates of the predicate offender, the width of the actus reus scope captures banks and financial institutions if they become involved in the placement or layering processes. Banks’ potential liability is dealt with under section 14.4.

We turn next to regulatory development. Money laundering and terrorist financing span many jurisdictions as the cross-border nature of financial transfers assists in the layering process and makes it more difficult to track the trail of ‘dirty money’. Hence, regulation can only be effective if it is applied to the international banking and financial system and achieves a level of standardisation and universal application. Section 14.2 discusses the development of international standards and how these have been adopted in EU and UK legislation. In sections 14.3 and 14.4, we consider the substantive regulation applied to banks and financial institutions, which largely deals with preventing money laundering. Banks treat this area of regulation very seriously, and ‘anti-money laundering’ compliance has become a recognised professional practice.

Key takeaways

This section introduces the legal definitions of the offence of money laundering found in the UK Proceeds of Crime Act 2002.

The offence of money laundering can include the financing of yet-to-be-committed crimes such as terrorist financing.

Banks and financial institutions are highly exposed to money laundering risk due to the inherent processes needed to make ‘dirty’ money appear ‘clean’.

Key bibliography


Proceeds of Crime Act 2002 (including subsequent amendments)

Terrorism Act 2000 (including subsequent amendments)

Additional Reading

Alexander, RCH, Insider Dealing and Money Laundering in the EU: Law and Regulation (Ashgate 2007)

Leong, AVM, ‘Anti-money Laundering Measures in the UK’ (2007) Company Lawyer 35

Ryder, N, Money Laundering—An Endless Cycle?: A Comparative Analysis of the Anti-Money Laundering Policies in the United States of America, the United Kingdom, Australia and Canada (Oxford: Routledge 2012)

14.2 Development of anti-money laundering regulation internationally, in the EU, and nationally

Anti-money laundering laws have been developed at an international level before percolating down to national governments. This is largely due to international concerns for organised illegal drug trafficking, which is highly profitable, resulting in the need to launder the proceeds of crime. A Global Programme led by the United Nations (UN) Office on Drugs and Crime was established in 1997 after the introduction of the UN Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances of 1988. This Programme initially focused on combatting money laundering of the proceeds of drug crime, but has now extended to wider money laundering issues such as corruption, human trafficking, and terrorist financing. These extensions are a result of international agreement secured in the International Convention for the Suppression of the Financing of Terrorism (1999), the UN Convention against Transnational Organized Crime (2000) and the UN Convention against Corruption (2003). The Financial Action Task Force was established in 1989 to support the Programme by taking leadership in developing principles to fight money laundering, terrorist financing and financial crime. These have largely been implemented in the UK. EU legislation has also been introduced to harmonise anti-money laundering regimes across the EEA and to lift standards across the bloc, also transposed in the UK.

14.2.1 International standards and the Financial Action Task Force

The Financial Action Task Force (FATF) is an international body formed by ministerial representatives in various countries in 1989, in order to explore international standards, as well as secure international cooperation in combatting money laundering, terrorist financing and other related threats to the integrity of the international financial system.9 The FATF currently has 36 member countries and is chaired by a rotating presidency amongst its members. Each presidency has a tenure of a year. FATF meetings occur twice yearly in order to determine strategic directions pursuant to its objectives above.

The FATF introduced its pioneering 40 recommendations for combatting money laundering in 1990. These have since become the starting point for many countries’ anti-money laundering laws, including the UK. The recommendations include the setting up of new institutions and regulatory regimes, and the imposition of new regulatory responsibilities, duties, and obligations on entities likely to come into contact with ‘dirty money’. They include:10 (a) criminalising the offence of money laundering; (b) establishing enforcement agencies in member states to investigate and enforce against criminal property; (c) establishing financial intelligence units in all member countries that may receive reports on transactions and monitor money laundering; (d) imposing on businesses, financial institutions and professional services that may risk coming into contact with laundered money the obligations to detect signs of money laundering; (e) imposing on financial institutions extensive duties in relation to preventing money laundering or reporting suspicious transactions; and (f) compelling all member countries to render to each other mutual legal assistance and other forms of international cooperation such as information assistance in enforcement against money launderers.

The 40 recommendations form the backbone of an anti-money laundering regime that includes prevention and enforcement. Preventive monitoring is carried out by gatekeepers of ‘placement’ and ‘layering’ activities, now designated under regulation. These are banks, financial institutions, professional services, and other businesses such as casinos and real estate agencies. In particular, banks and financial institutions are subject to the most extensive gatekeeping obligations, which involve customer due diligence, monitoring and reporting, all of which will be discussed in sections 14.3 and 14.4. In terms of enforcement, specialist agencies are required to be set up in member countries to have extensive powers of intelligence, investigations, and enforcement, and to render each other mutual legal assistance where cross-border elements are involved.

In 2001, the FATF supplemented the 40 recommendations with nine special recommendations on terrorist financing.11 These require member countries to ratify and to implement fully the 1999 UN International Convention for the Suppression of the Financing of Terrorism, to criminalise the financing of terrorist activities, to introduce a suite of extensive investigative and enforcement powers against terrorist finance and assets, and to impose on banks and financial institutions, as well as other businesses involved in transferring money (such as cash couriers, wire transfer services etc) monitoring and reporting obligations in order to perform a gatekeeping role in disrupting terrorist financing.

The FATF standards have since been revised and updated12 and the consolidated version of the standards is set out in Box 14.1. There are now 40 standards that deal with both anti-money laundering and countermeasures to terrorist financing.

Box 14.1 FATF Standards (Consolidated) as of 2012


1. Member countries should assess their exposure to money laundering and terrorist financing risks and adopt a risk-based approach in designing policies and dedicating resources to combat these.

2. Member countries should ensure that their national agencies in intelligence and enforcement are able to coordinate with each other in combatting money laundering and terrorist financing.

3. Member countries should criminalise money laundering.

4. Member countries should introduce extensive enforcement powers to freeze, seize and confiscate criminal property.

5. Member countries should criminalise terrorist financing, whether directed at acts, individuals, or terrorist organisations.

6. Member countries should apply financial sanctions in order to prevent or suppress terrorism and terrorist financing.

7. Financial sanctions should be extended to the proliferation of weapons of mass destruction and its financing.

8. Member countries should apply proportionate but targeted measures at non-profit organisations that may be vulnerable to terrorist financing. (This may include enforcement against assets directed at or transferred via organisations such as charities and religious organisations).

9. Member countries should ensure that financial institution secrecy laws do not inhibit implementation of anti-money laundering and counter-terrorist financing regulations.

10. Financial institutions must undertake customer due diligence including the identities of beneficial owners of interests, in the establishment of business relationships and on an ongoing basis.

11. Financial institutions must maintain customer and transaction records for at least 5 years.

12. Financial institutions must conduct enhanced due diligence and ongoing monitoring of politically exposed persons.

13. Financial institutions should ensure that correspondent banks are able to perform customer due diligence and institute adequate internal controls to combat money laundering.

14. Member countries should ensure that all money transfer services operating in their jurisdictions are licensed and subject to regulatory compliance and supervision in relation to anti-money laundering.

15. Member countries should constantly assess money laundering or terrorist financing risks that may arise due to the development of new products, services, and technology.

16. Member countries must implement common standards to ensure that all wire transfers are carried out based on accurate originator and beneficiary information.

17. Financial institutions may outsource their customer due diligence processes but must monitor and ensure that such outsourcees are able to comply with regulatory requirements.

18. Financial institutions are to apply internal control programmes in anti-money laundering and terrorist financing across the entire international financial group.

19. Financial institutions are to apply enhanced due diligence measures in all business relationships with countries identified as ‘higher risk’ by the FATF.

20. Financial institutions must report suspicious transactions.

21. Financial institutions and their employees are protected in civil immunity in relation to the reporting above but must not disclose such reporting (‘tipping off’).

22 and 23. Designated customer due diligence and reporting obligations are imposed on other businesses exposed to money laundering and terrorist financing risk such as casinos, real estate agents and professional services.

24 and 25. Legal and beneficial ownership of legal persons and other legal arrangements such as trusts are to be made available to authorities in a timely fashion.

26. Financial institutions are to be subject to adequate regulation and supervision in anti-money laundering and counter-terrorist financing.

27, 31 and 35. National supervisors and enforcement agencies should have extensive investigative and supervisory powers, and a range of sanctions should be available in enforcement.

28. Designated non-financial businesses exposed to money laundering and terrorist financing risks should be authorised, regulated, and supervised.

29. Member countries should establish financial intelligence units to receive and analyse suspicious transaction reports and other information relating to money laundering.

30. Law enforcement agencies should act in a pro-active manner in investigations and render assistance as well as cooperate with each other across member countries.

32. Member countries should establish a system for declarations by cash couriers and have the powers to stop and detain the transportation of such cash.

33. Member countries must maintain statistical records of the efficiency and efficacy of their anti-money laundering and counter-terrorist-financing systems.

34. Member country intelligence, regulatory and enforcement agencies should establish guidelines and feedback channels to assist financial institutions and designated non-financial businesses in their regulatory compliance.

36. Member countries should ratify and fully implement the listed international conventions on corruption, money laundering, terrorism, and cybercrime.

37 and 38. Member countries should render each other mutual legal assistance in investigations and enforcement.

39. Member countries should constructively and effectively execute extradition requests in relation to money laundering and terrorist financing, without undue delay to avoid providing a safe haven for indicted persons.

40. Member countries should engage in other forms of international cooperation in relation to anti-money laundering and counter-terrorist-financing including formalising such arrangements in Memoranda of Understanding.

The FATF carries out ‘mutual evaluations’ that are peer reviews of member countries’ anti-money laundering and counter-terrorist financing systems. Such evaluations are a form of internationally persuasive peer pressure for member countries in order to ensure that they effectively implement the Recommendations. Mutual evaluations are carried out on the basis of the latest standards (in this case the 2012 standards in Box 14.1) and clearly communicated to the relevant member countries. Such evaluations are carried out after on-site visits and inspections by the FATF. The procedures that the FATF will apply in relation to its on-site visits and inspections are detailed in its evaluation template.13 The results of each mutual evaluation are published for public transparency.

The FATF also carries out reviews of all countries whether member countries or otherwise three times a year in order to highlight ‘high-risk’ jurisdictions where anti-money laundering and counter-terrorist financing laws and compliance are weak.14 Such reviews are carried out by examining publicly available information in terms of published laws, institutional architecture, and enforcement information. As ‘high-risk’ jurisdictions can be subject to member countries’ financial sanctions according to the FATF standards, identified jurisdictions may be incentivised to improve on their anti-money laundering and counter-terrorist financing measures.

The FATF’s ‘soft law’ has largely achieved success in the legalisation of anti-money laundering and counter-terrorist financing regulations in member countries and around the world. Further, its ‘soft supervision’ in mutual and high-risk evaluations has created pressures and incentives for national governments to take legalisation and enforcement seriously.

Further, where countries are in receipt of aid from the International Monetary Fund, these countries are subject to a yearly Financial Sector Assessment Plan, which includes a peer review of the countries’ implementation of the Recommendations. The effective implementation of these Recommendations often forms a basis for eligibility in continuing to receive aid.

Other international organisations also support the FATF’s efforts at anti-money laundering and counter-terrorist financing. For example, the Financial Stability Board (FSB) has led efforts to develop a common standard in the form of the ‘Unique Transaction Identifier15’ for all financial transactions so that financial transaction records can be standardised. The Identifier contains information on the identities and interests of transacting parties and facilitates tracing of financial transactions trails, so as to disrupt the layering processes in money laundering. Although the development of the Identifier is aimed at a variety of regulatory objectives including surveillance for macro-prudential regulation (see Chapters 6 and 7), it can be used for surveillance in relation to financial crime. Further, international agencies such as Interpol and the OECD carry out leadership in developing standards for combatting various forms of financial crime such as cybercrime, bribery/corruption, and tax evasion.16

14.2.2 Harmonising legislation in the EU

The international standards issued by the FATF were promptly implemented in the European Economic Area (EEA) in the first Anti-money Laundering Directive in 1991. This has since been superseded by the second and third Anti-money Laundering Directives in 2001 and 2005 respectively that incorporated counter-terrorist financing standards and standards of gatekeeping imposed on a wider scope of businesses and services exposed to money laundering risk. The 2005 Directive also dealt specifically with the making of payments or carrying of cash as these can be made by entities that are not regulated banks and financial institutions.17

Following the revision of the FATF standards in 2012, the EU introduced the fourth Anti-money Laundering Directive 2015, consolidating the 2005 Directive and secondary legislation.18 In recognition of the payment services industry that may be different from the banking and finance sector, a regulation19 is also introduced to accompany the 2015 Directive that now consolidates and adds to the previous requirements in secondary legislation relating to wire transfers. The 2015 Directive provides harmonising principles for all member states in relation to the institutional architecture, policies and regulatory frameworks against money laundering and terrorist financing. The 2015 Directive has since been amended20 by policymakers to include new payment services providers such as virtual currency exchange providers within the scope of anti-money laundering regulation, so that loopholes can be closed in relation to the migration of money laundering activities through unregulated virtual currency (such as bitcoin) transactions.

Further, European authorities perform the role of assessing their member states’ implementation of anti-money laundering regulations in order to adhere to the FATF’s Recommendations. Member States are asked to assess the effectiveness of their policies, regulation, and implementation according to a risk-based approach, that is, to show that the highest risks are given emphasis and that regulatory efforts are proportionate to the level of money laundering risk posed. National assessments are reported to EU authorities who may conduct separate EU-wide risk assessments. The EU-wide assessment is carried out by the Joint Committee of the European Banking Authority (EBA), European Securities and Markets Authority and European Insurance and Occupational Pensions Authority (discussed in Chapter 7). The Joint Committee has produced a template of issues to consider and reflective questions for regulators in order to help them develop risk assessment frameworks and the development of policies in response.21 The Joint Committee further surveys the EU’s financial sector regularly in order to highlight key risks.22

The EBA has a specific role in providing technical standards23 and guidelines24 to banks and financial institutions so that they can effectively comply with regulations in anti-money laundering and counter-terrorist financing. National authorities are to regularly review their supervisory plans and these are subject to guidance from the EBA so as to achieve convergent supervisory approaches across the EU (see Chapter 7, section 7.2).

14.2.3 Implementation in the UK

The key piece of UK legislation that implements the relevant FATF standards and EU legislation is the Proceeds of Crime Act 2002, which has been amended in 2005, 2007, 2009, 2011, 2013, 2014, 2015, and 2017. It is supported by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which implements the EU’s 2015 Directive. The Terrorism Act 2000 deals with counter-terrorist financing measures and liability, and the Act has been amended by subsidiary legislation introduced in 2010, 2012, 2013, 2014, and 2016. As sections 14.3 to 14.5 highlight, this chapter will focus on the substantive issues relating to the banks and financial institutions’ gatekeeping duties and liabilities. Institutions whose financial activities are limited or ancillary, such as amounting to less than £100,000 on a yearly basis or less than 5 per cent of their annual turnover (as long as they are not carrying out payment or remittance services) are exempted from the scope of these obligations.25 A financial transaction that is less than €1,000 in value is also exempted from the regulatory regime.26

The institutional architecture in the UK for combatting money laundering and terrorist financing comprises government and statutory agencies. At the government level, the Home Office and Treasury have led policy making in anti-money laundering and counter-terrorist financing.27 The key regulatory, supervisory and enforcement authorities are the National Crime Agency (NCA), the Financial Conduct Authority (FCA) in supervising banks’ and financial institutions’ gatekeeping roles, and other regulators. The Proceeds of Crime Act 2002 initially set up an Assets Recovery Agency to be dedicated to investigations, enforcement, and confiscation of criminal property. The Agency, however, failed to achieve its recovery targets, and its underperformance was highlighted in the National Audit Office report in 2007, which warned that the Agency would be unlikely to become self-financing.28 The Agency suffered from various problems including inefficiencies in case management and high expenditures in training. It was closed and merged with the agency in the UK responsible for serious organised crime, the Serious Organised Crime Agency. However, the Serious Organised Crime Agency itself was dissolved to form the NCA in 2013, absorbing a number of units for combatting various crimes including child exploitation, wildlife crime, cybercrime etc. We now turn to the architecture of the regulatory, supervisory and enforcement authorities in the UK.

National Crime Agency

The NCA is the UK’s primary agency in assessing money laundering and terrorist financing risks overall.29 The NCA is the authority envisaged in the FATF standards to undertake risk assessments and to take a risk-based approach to combatting money laundering and terrorist financing. The EBA has issued a guidance on how national authorities should undertake risk assessments in their jurisdictions of money laundering and terrorist financing risks, promoting a convergent approach in the EU overall.30

The NCA is tasked with investigatory and enforcement powers over serious organised crime in the UK. For the purposes of this chapter, the NCA has responsibilities for pursuing money launderers and those involved in terrorist financing, asset recovery of criminal property, and receiving suspicious transaction reports as the Financial Intelligence Unit (in accordance with the FATF standards). It has other responsibilities in relation to pursuing organised crime such as drug dealing, corruption cases and cybercrime.

The NCA coordinates with police forces across the UK and intelligence units in order to discharge its responsibilities in combatting serious organised crime.31 The NCA’s intelligence and enforcement powers are significantly enhanced in the Criminal Finances Act 2017 amending the Proceeds of Crime Act 2002. In particular, the NCA is able to request the court to make ‘unexplained wealth orders’ against persons in relation to suspect property valued at £100,000 or more in order to gather more intelligence on potential criminal property. The NCA’s enhanced enforcement powers include the seeking of interim freezing orders for unexplained wealth, account freezing orders against accounts in banks and financial institutions, and longer periods for the completion of investigations where customers’ payment transactions have been interrupted (to be discussed below in section 14.5).

It may be curious to note that it is the American Department of Justice and not the NCA that has levied significant fines upon key UK bank groups in relation to money laundering offences. HSBC was fined $2 billion for the part played by its Mexico outfit in facilitating money laundering by customers involved in drug dealing offences and in significant sums.32 Standard Chartered was accused of facilitating money laundering in relation to Iran and settled with the Department of Justice at $340 million. It was required to establish anti-money laundering controls and be monitored by the Department for 2 years at least.33 In addition the US Department of Justice meted out a $630 million fine to Deutsche Bank for money laundering failings in relation to its Russian and London offices,34 and continues to remain on the offensive in policing money laundering with global implications.35

Financial Conduct Authority

The FCA regulates banks and financial institutions in terms of duties imposed on them for preventing and detecting money laundering and terrorist financing. These duties in relation to anti-money laundering compliance are discussed in sections 14.3 and 14.5. The FCA’s supervisory remit includes banks’ and financial institutions’ customer due diligence and procedures, and banks’ and financial institutions’ systems and controls for combatting money laundering and terrorist financing and the governance of such systems (see later).36 The FCA regularly surveys its regulated entities in order to build up perspectives of the risk factors in various parts of the financial sector, such as in trade finance,37 asset management38 and banks.39

Further, the FCA is also designated the Payment Services Regulator, and performs the role of authorising payment services providers (consistent with the requirements of EU legislation discussed above)40 as well as supervising their compliance with similar duties in anti-money laundering compliance.41

The FCA is able to take enforcement action against its regulated entities if it is of the view that banks and financial institutions have failed to conduct procedures or maintain systems and controls appropriate for monitoring money laundering and terrorist financing. These enforcement actions can take place even if the money laundering or terrorist financing offences have not been established as such against banks, financial institutions, or their customers. Individuals responsible for anti-money laundering control under the Senior Managers Regime (discussed in section 14.5) can also be held personally responsible for breach of duties. Enforcement can be carried out by public censure, fine of the institution as well as public censure, fine and/or disqualification of the individual concerned.42

It is queried why the FCA is not given a share of the NCA’s intelligence role in receiving and analysing suspicious transaction reports (see section 14.4). This would potentially spread the workload in monitoring suspicious transactions and ‘giving consent’ (discussed in section 14.4) so that the NCA is not overwhelmed.43

Box 14.2 provides two examples of the FCA’s enforcement actions against banks in the UK for failing to implement adequate customer due diligence procedures and anti-money laundering controls, in breach of their regulatory duties. These incidents are themselves enforceable even if the money laundering offence has not been established against the banks concerned or their customers. The regulatory enforcement therefore provides a deterrent signal to banks to take their regulatory duties seriously as part of their gatekeeping roles against financial crime.

Box 14.2 FCA enforcement examples

Enforcement Action by the FCA, 15 May 2012: Habib Bank AG Zurich was fined £525,000 for generally failing to put in place adequate policies for carrying out a duty of enhanced due diligence (see section 14.3) for customers that warranted that treatment. The Money Laundering Reporting Officer (MLRO) of the bank was also individually fined £17,500.

Enforcement Action by the FCA, 23 January 2014: Standard Bank was fined £7.6 million for failing to conduct enhanced due diligence for customers that are connected to politically-exposed persons (see section 14.3), exposing the bank to serious risk of money laundering in high-risk African jurisdictions.

Other regulators

Other regulators within the scope of anti-money laundering and counter-terrorist financing regulation are also expected to regulate and oversee their regulated entities’ compliance with the regulatory duties to gate-keep money laundering and terrorist financing. For example, the Gambling Commission, which licenses gambling services providers (such as casinos), makes the prevention of financial crime a condition of licensing. Further a code of practice is issued for adherence by all licensed gambling providers to gate-keep against financial crime.44

In light of the 2016 Action Plan45 that is intended to strengthen supervisory endeavours and coordination across various sectors in order to foster an intolerant and hostile environment for financial crime, the Treasury has established a new regulatory body for membership associations or bodies for professional services, the Office for Professional Body Anti-Money Laundering Supervision (OPBAS).

This Office, established in January 2018, oversees membership associations or bodies for professional services providers such as lawyers, accountants, tax advisors, insolvency practitioners and book-keepers. Professional services providers may in the course of business come across signals or information of money laundering or terrorist financing, and it is the duty of their membership associations or bodies to provide guidance and supervision on how professional services providers should gate-keep money laundering and terrorist financing activities. OPBAS requires professional services membership associations or bodies to provide industry-wide as well as specific guidance to firms based on a risk-based approach, and to effectively supervise their members by carrying out inspections, audits, thematic reviews, interviews with senior management, surveys, and questionnaires. Professional services membership associations or bodies must also be prepared to share information and intelligence with the authorities.46

OPBAS functions as a meta-regulator as it does not directly regulate professional services providers. These remain overseen by their membership associations and bodies, but OPBAS’ role is to ensure that these membership associations and bodies are robustly assisting and overseeing their members in gatekeeping money laundering and terrorist financing. Membership associations and bodies are respected by their members, but they may also be beholden to their members as they are funded by their members. For example, accountants’ audit conduct is no longer subject to the membership body’s supervision, as a regulatory body, the Financial Reporting Council, is regarded as more effectual and credible. Perhaps the meta-regulatory role of OPBAS is a signal that more direct supervision can be introduced for professional services firms if their membership associations or bodies fail to undertake supervision effectively.

Key takeaways

The FATF provides leadership at the international level for the development of anti-money laundering and counter-terrorist financing architecture, standards, and powers in member countries and the rest of the world.

The FATF issues Standards by which to evaluate member countries. It also evaluates non-member countries in order to identify ‘high-risk’ countries. ‘High-risk’ countries are pressured to elevate their anti-money laundering standards in order not to suffer from constraints in dealings with member countries.

EU legislation has comprehensively implemented the FATF standards.

The Joint Committee of EU agencies (EBA, ESMA, and EIOPA) is tasked with the responsibility of evaluating EU-wide money laundering and terrorist financing risks on a regular basis.

The UK has also implemented the FATF standards in transposing EU legislation in its Proceeds of Crime Act 2002 and in subsequent amendments, and the Terrorism Act 2000 with subsequent amendments.

EU legislation has been implemented in the Money Laundering Regulations 2017 in the UK.

The UK government takes leadership on anti-money laundering and counter-terrorist financing policies.

The architecture of regulatory, supervisory and enforcement agencies comprises the NCA, the FCA and other regulators such as the Gambling Commission and the Office for Professional Body Anti-Money Laundering Supervision.

Key bibliography


Proceeds of Crime Act 2002

Terrorism Act 2000

Money Laundering Regulations 2017

Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC

Amending Directive 2018 TBC

Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006

Reports and official papers

FATF, International Standards on Combatting Money Laundering and the Financing of Terrorism and Proliferation (2012)

Joint Committee, Preliminary Report on Anti-Money Laundering and Counter Financing of Terrorism Risk Based Supervision (October 2013)

EBA, On the Characteristics of a Risk-Based Approach to Anti-Money Laundering and Terrorist Financing Supervision, and the Steps to be Taken When Conducting Supervision on a Risk-Sensitive Basis (16 November 2016)

NCA, The NCA Commitment to Working in Partnership with UK Operational Partners (August 2015)

14.3 Due diligence

The regulatory duty of due diligence imposed on banks, financial institutions, and other entities within the scope of the Money Laundering Regulations 2017 is key to preventing and identifying potential money laundering. In essence due diligence refers to banks gaining adequate knowledge about their customers in order to ascertain that their transactions do not infringe anti-money laundering laws. What this entails will be explored below. The EU 2015 Directive, transposed in the UK Money Laundering Regulations 2017, imposes due diligence obligations for a range of businesses including payment services providers such as pre-paid electronic money instruments, money remitters, trade finance providers, real estate agents, casinos, and of course, banks and financial institutions. The standards of due diligence in the UK are also further extrapolated by a voluntary association established by UK banks, the Joint Money Laundering Steering Group (JMLSG).

The Steering Group is a trade body comprising industry representatives working with the Bank of England to produce guidance for the industry to comply with anti-money laundering and counter-terrorist financing regulation.47 The Guidance is endorsed as part of the regulatory framework as it is recognised as guidance issued by a trade body capable of being used to determine if a bank has breached its anti-money laundering obligations.48 Such guidance needs to be approved by the Treasury and published in order to be used as the basis for enforcement.49 The Guidance is aimed at giving banks concrete directions for compliance, a prescriptive task that, if not delegated successfully to the JMLSG, would have to be undertaken by the FCA.

Box 14.3 When banks need to conduct customer due diligence (Article 11, AML Directive 2015, s27, Money Laundering Regulations 2017)

establishing a business relationship;

carrying out an occasional transaction that:

amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or

constitutes a transfer of funds exceeding EUR 1 000;

in the case of persons trading in goods, when carrying out occasional transactions in cash amounting to EUR 10 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;

for providers of gambling services, upon the collection of winnings, the wagering of a stake, or both, when carrying out transactions amounting to EUR 2 000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;

upon suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;

when there are doubts about the veracity or adequacy of previously obtained customer identification data.

Banks are required to conduct customer due diligence in the circumstances listed in Box 14.3. These in essence prevent banks from servicing anonymous accounts.50

A ‘business relationship’ is defined as a business, professional or commercial relationship that arises in the course of business of the bank or financial institution, and is expected to have an element of duration after contact is established.51 An ‘occasional transaction’ is defined as a transaction that is not part of a ‘business relationship’ as defined above.52 A ‘beneficial owner’ in relation to a body corporate (including a limited liability partnership), is defined as an individual who ultimately controls the body corporate or who holds at least 25 per cent of the shares or voting rights in the body corporate.53 A beneficial owner in relation to a trust refers to an individual who is able to control the trust (to exercise specified powers in the Money Laundering Regulations 2017) or benefits from the trust, including the settlor, trustees, beneficiaries and any other individual able to control the trust.54

Customer due diligence applies to the establishment of a business relationship as well as ongoing business carried on in that relationship as long as any of the thresholds above are met. Banks are prohibited from carrying out any transaction for the customer until due diligence is completed,55 but in certain cases this prohibition is qualified.

A bank account can be opened pending the completion of customer due diligence as long as transactions are not carried out on the account.56 In cases of ‘low risk’ (to be discussed shortly), the customer’s transaction can be uninterrupted ‘for the purposes of the normal course of business’ as due diligence is being completed.57 Where payment service providers issue a customer with electronic money instruments, they can be exempted from customer due diligence at very low thresholds, such as where the payment instrument is not loaded beyond €250 or cannot be made to make payments above €250 per month, and where the instrument is not anonymous and subject to adequate safeguards and conditions.58 The UK will apply the higher permitted threshold of €500 instead.59 Banks need to monitor and review their customer relationships generally, especially if any changes are detected to the customer’s risk profile.60

14.3.1 What is required in customer due diligence?

Banks are required to carry out several key tasks in customer due diligence in order to assess the risk of money laundering. The key tasks are:


Identifying and verifying the customer’s identity on the basis of information or documentation from an independent and reliable source.


Identifying and verifying a body corporate’s identity and key information such as the identities of senior management.


Identifying and verifying the identity of any beneficial owner.


Establishing the intended nature and purpose of the business relationship or occasional transaction.


Constructing a risk profile for each customer by assessing the level of risk posed by each customer, such as in relation to the intended purpose or nature of the business relationship, the level of assets deposited by the customer or size of transactions the customer wishes to carry out, and the regularity and duration of the business relationship.


Conducting ongoing monitoring of the business relationship to ensure that transactions are consistent with the bank’s knowledge of the customer’s risk profile.


Reviewing the existing records of customer due diligence and ensuring that they are kept up-to-date.61

Identity establishment and verification

First, in terms of verifying an individual’s identity, the bank must use ‘reliable’ and ‘independent’ sources of information, such as passports and driving licences issued by public authorities.62 Increasingly, as customers’ identity information may be held by electronic sources of information, banks may have to verify with such sources. The above information should as far as is possible be obtained from public sector, governmental or regulated bodies,63 but commercial sources may also be used as long as banks are satisfied of the extensiveness, reliability, and credibility of such commercial sources. Even social media sources may be used for corroborating effect. The public and reliable sources of information that banks are encouraged to consult by the EBA include the European Commission’s supranational risk assessment, information from governments, regulators, intelligence and enforcement agencies, information from professionals and experts, trade and industry bodies, international standard-setting bodies, civil society, media sources, commercial organisations that provide risk and intelligence information, statistical organisations and academia.64 The lack of provision of relevant expected documentation may not necessarily stop banks from conducting business with the customer if a risk-based approach is taken in assessing particular customers such as financially excluded customers, young customers, customers whose gender assignment is non-standard, customers lacking in capacity to manage their own financial affairs, and international students.65

In relation to a body corporate, a bank must verify identity information in relation to the name and registration number of the body corporate, its registered office, the law to which the body corporate is subject (or the law of its incorporation), the body corporate’s constitution, and the full names of its Board of directors and senior management.66

In relation to verifying the identity of a beneficial owner, the bank must establish the identity of the natural person who is the beneficial owner, or where the beneficial owner is a legal person, to establish the structure involving the beneficial owner. Such verification goes beyond checking the register of persons with significant control in company or partnership registers.67 It is envisaged that banks may use commercial sources that provide electronic means of verification, but banks need to understand the sources of information checked by such commercial providers and the basis for any scoring or rating system used by such commercial providers in order to rely on their verification.68

Constructing a risk profile of each customer

Next, banks need to construct a risk profile for each customer. The risk factors are in relation to ‘customer risk factors’, ‘geographical risk factors’, ‘product and services risk factors’, ‘transaction risk factors’ and ‘delivery channel risk factors’.69 The EBA has developed detailed guidelines to elaborate on elements of each risk factor,70 and to assist banks to ‘risk-weight’ elements in each risk factor in order to arrive at an appropriate risk profile for the customer.71 This approach is methodical and compels the bank to give an informed and intelligent consideration to each customer.

Customer risk factors include the customer’s or beneficial owner’s business or professional activities, reputation, and behaviour. These are ascertained against a non-exhaustive checklist of questions on which banks should satisfy themselves, such as whether any previous media report or suspicious reporting activities affect the customer’s reputation, whether the customer has complex business structures or behaviour in secrecy that may give an indication of the customer’s behaviour, and so on. Banks may wish to gather information on the following:72

nature and details of the business/occupation/employment;

record of changes of address;

the expected source and origin of the funds to be used in the relationship;

the origin of the initial and ongoing source(s) of wealth and funds (particularly within a private banking or wealth management relationship);

copies of recent and current financial statements;

the various relationships between signatories and with underlying beneficial owners; and

the anticipated level and nature of the activity that is to be undertaken through the relationship.

Box 14.4 sums up the categories of risk factors banks need to consider in assessing customers and will be elaborated further.

Box 14.4 Categories of risk factors

Products and services

Delivery channels

‘Geographical risk factors’ relate to the customer’s main locations of business and locations with which the customer has personal links. Banks need to ascertain whether the customer is associated with ‘high-risk’ countries. A Commission Regulation73 flanks the 2015 Directive by setting out ‘high-risk’ countries where anti-money laundering and counter-terrorist financing controls and regulation are weak. There are currently 11 countries on the list. Banks also need to assess whether customers’ identified geographical links are in jurisdictions of equivalent anti-money laundering regulation comparable to the EU, and whether these jurisdictions may be of dubious reputation, such as in relation to providing tax or secrecy havens, or are politically unstable.

‘Product, services and transactions risk factors’ include the transparency, complexity and value/size of the financial product, service or transaction to be undertaken by the customer. Banks may ascertain these risk factors by finding out about the structures involved, whether multiple parties or jurisdictions are involved, whether there are high value and/or cash intensive components, and whether there are innovative aspects such as involving new technology.

‘Delivery channel risk factors’ refer to whether the bank’s relationship is conducted on a face-to-face basis or otherwise, and whether other intermediaries or third parties may interpose in the relationship. Banks need to ascertain if the customer is physically present for identification purposes and whether the customer has been introduced via intermediary or regulated channels.

Where banks conduct business with their customers in specific contexts, additional elements of risk factors may be prescribed. The following provides some examples but these are not exhaustive.

Issuing electronic money

Where banks issue electronic money, for example, in pre-paid cards, specific elements in risk factors are further prescribed by the EBA. For example, banks need to consider the number of transactions that can be carried out and limits on transactions (under ‘product, services or transactions risk factors’) and whether the customer’s address or online IP address has changed (in relation to ‘customer risk factors’).

Remittance or wire transfer

In terms of money remittance or transfer services, banks are subject to an EU Regulation that supports the 2015 Directive. The Regulation applies more widely to all payment transfer intermediaries, recognising that not only banks and financial institutions are payment service providers.74 The Regulation deals with standardising the information needed for payment transfers to be made within and from any member state, and the right of payment intermediaries to reject or suspend payments in the event of missing information, such as related to the payee.75 Standardised information goes some way to assisting banks in their due diligence compliance. The EBA has identified that in funds transfers where payment information is incomplete, higher risk entails and banks need to carry out real-time monitoring and robust back-testing of samples of transactions.76 Moreover, the EBA prescribes that banks need to pay attention to specific elements in risk factors, such as the reputation and nature of receiving agents (under ‘delivery channel risk’) and the reputation of the receiving jurisdiction in relation to organised crime levels and the establishment of formal banking systems (under geographical risk factors).

Private wealth management

For private wealth management, banks are asked to ascertain specific elements of ‘customer risk factors’ in relation to source of wealth, in particular whether any connection is made to arms or extractive industries and whether the customer has connections with secrecy havens.

Trade finance

Where banks conduct trade finance, specific elements of customer risk factors include whether the buyer and seller of purported goods are the same legal or beneficial person. Banks need to ascertain whether any unusual features exist in the proposed transaction compared to the customer’s previous ones (under product, service, or transactions risk factors).

Asset management

Where banks carry out investment or asset management, particular elements of customer risk factors include whether the customer is an unregulated or offshore entity. Banks should also be mindful of the size and purported redemption by the customer (in relation to ‘product, services or transaction risk factors’).

The requirements of due diligence in terms of information gathering and assessing information against risk factors may be an arduous task, and in pursuing efficiency, technological systems can be deployed in facilitating or carrying out customer due diligence. Technological or automated systems can engage in rapid data collection, efficient alert management and prioritisation, advanced case management, ad hoc investigation, integrated research tools, and comprehensive centralised audit trails and reporting.77 Although much importance is placed on banks complying with their customer due diligence obligations, exceptional policies are to be put in place for possibly financially excluded customers who may be unreasonably denied access to financial services.78

14.3.2 Simplified due diligence

Banks may conduct simplified due diligence in areas of ‘lower risk’ but subject to ongoing monitoring.79 Simplified due diligence means that banks may be able to adjust the extent, timing or type of due diligence carried out,80 while maintaining the normal standards of due diligence as a starting point. This may mean that banks may be able to carry out due diligence less intensely or at later points in time, although no specific guidance is prescribed. Banks may treat the existence of certain elements of risk factors (as discussed above) as indicating the appropriateness of applying simplified due diligence. These elements are set out in Table 14.1.

Where banks consider it appropriate to carry out simplified due diligence for customers, based on one or more of the elements above, banks should recognise that the existence of such elements is not conclusive evidence of ‘low risk’ and should exercise their discretion with care. The elements listed above are also not comprehensive.81 Further, banks should keep under review the use of simplified due diligence measures and continue to monitor the customer’s activities for any unusual signs. Where banks doubt the veracity of any information supplied by the customer, or the risk assessment of the customer changes, or the conditions for enhanced due diligence (below) are met or money laundering or terrorist financing is suspected, banks must cease to apply simplified due diligence.

Table 14.1 Risk Factors for ‘Lower Risk’ Areas Qualifying for Simplified Due Diligence

Customer risk factors

public companies listed on a stock exchange and subject to adequate rules of the exchange, such as disclosure requirements that ensure adequate transparency of beneficial ownership

a credit or financial institution subject to the EU 2015 Directive and supervised for compliance with the Directive’s requirements

public administration, or a publicly-owned enterprise

individual resident in a geographical area of lower risk (read with geographical risk factors below)

Product, service, transaction or delivery channel risk factors

life insurance policies for which the premium is low (for example small regular premiums paid by direct debit or for policies with no investment value)

insurance policies for pension schemes if there is no early surrender option and the policy cannot be used as collateral

a pension, superannuation or similar scheme that provides retirement benefits to employees, where contributions are made by way of deduction from wages, and the scheme rules do not permit the assignment of a member’s interest under the scheme

financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes

products where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership

Child trust funds and junior ISAs as defined under relevant legislation

Geographical risk factors

An EEA member state

third countries that have effective anti-money laundering and counter-terrorist financing systems

third countries identified by credible sources as having a low level of corruption or other criminal activity such as terrorism (within the meaning of s1 of the Terrorism Act 2000(94)), money laundering, and the production and supply of illicit drugs

third countries that, on the basis of credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the FATF, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations, have in place effective systems to implement the requirements of the FATF Recommendations of 2012 updated as of 2016

14.3.3 Enhanced due diligence

In some cases, banks are obliged to carry out enhanced due diligence. These are situations where a relatively higher risk of money laundering or terrorist financing may be involved. The FCA is in particular keen on monitoring banks’ compliance with enhanced due diligence obligations as the enforcement examples we discussed in section 14.2 show. In these cases, banks had failed to ensure that systems were established for identifying cases for enhanced due diligence and to carry out such due diligence.

Enhanced due diligence is to be carried out by banks in the following situations:82


(a) where high risk is identified after the bank has constructed a risk profile in normal due diligence procedures already discussed;

(b) a business relationship or transaction involves a person established in a high-risk jurisdiction;83

(c) where the transaction is unusually large, complex or has no apparent legal or economic purpose;

(d) where correspondent banking relationships are established in non-EEA countries;

(e) where politically exposed persons84 are involved (see definition in Box 14.5);85

(f) where the customer has provided false or stolen identification; or

(g) where the transaction by its nature gives rise to a higher risk of money laundering or terrorist financing.

Box 14.5 PEPs (Article 3, AML Directive 2015)

(a) heads of state, heads of government, ministers, and deputy or assistant ministers;

(b) members of parliament or of similar legislative bodies;

(c) members of the governing bodies of political parties;

(d) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;

(e) members of courts of auditors or of the boards of central banks;

(f) ambassadors, chargés d’affaires, and high-ranking officers in the armed forces;

(g) members of the administrative, management or supervisory bodies of state-owned enterprises;

(h) directors, deputy directors and members of the Board or equivalent function of an international organisation.

Table 14.2 sets out the indicative elements in risk factors that give rise to one of the above seven thresholds for conducting enhanced due diligence.

Table 14.2 Risk Factors for Higher Risk Triggering Obligations to Conduct Enhanced Due Diligence

Customer risk factors

the business relationship is conducted in unusual circumstances

the customer is resident in a geographical area of high risk

the customer is a legal person or legal arrangement that is a vehicle for holding personal assets

the customer is a company that has nominee shareholders or shares in bearer form

the customer is a business that is cash intensive

the corporate structure of the customer is unusual or excessively complex given the nature of the company’s business

Geographical risk factors

countries identified by credible sources as not having effective systems to counter money laundering or terrorist financing

countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism (within the meaning of s1 of the Terrorism Act 2000), money laundering, and the production and supply of illicit drugs

countries subject to sanctions, embargos or similar measures issued by, for example, the EU or the UN

countries providing funding or support for terrorism

countries that have organisations operating within their territory that are designated as proscribed under the UK Terrorism Act, or as terrorist organisations by the EU or UN

countries identified by credible sources as not implementing requirements to counter money laundering and terrorist financing that are consistent with the FATF’s most recent recommendations.

NOTE in all cases credible sources refer to official evaluations and assessments such as by the EU, UN, OECD, IMF, World Bank

Product, services, and delivery channel risk factors

product involves private banking

the product or transaction is one which might favour anonymity

the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures

payments will be received from unknown or unassociated third parties

new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products

the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in a third country

In relation to points above, enhanced due diligence involves:86


Taking additional steps to obtain independent and reliable sources to verify the customer and/or beneficial owner’s identity.87


Taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction, as well as the intended purpose and nature of the business relationship and/or transaction.


Taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship. For example, banks are required to put in place mechanisms to detect unusual transactions compared to the customer’s normal profile, and to require more information on the purpose of the transaction and the nature of the customer’s business.88


Subjecting the business relationship to a greater degree and nature of monitoring, including greater scrutiny over transactions, in order to detect suspicious transactions.

Special steps in enhanced due diligence are applicable to (d) where correspondent banking relationships are established in third countries outside the EEA. Banks are prohibited from establishing correspondent relationships with ‘shell’ banks, that is, an institution carrying out banking services that is incorporated in a jurisdiction in which it has no physical presence, nor involving meaningful mind and management, and that is unaffiliated with a regulated financial group.89

In terms of the steps for enhanced due diligence, banks are required to gather sufficient information, such as from publicly available and credible sources, about the correspondent institution to understand fully the nature of the respondent’s business, reputation, and quality of supervision in relation to the correspondent institution. Banks also need to assess the correspondent institution’s controls in anti-money laundering and counter-terrorist financing. In particular, banks need to ascertain that if customers have direct access to the correspondent institution’s accounts (‘payable-through accounts’), that the correspondent institution has put in place customer due diligence and ongoing monitoring, and is able to supply the bank with such information if requested. The bank is required to obtain approval from senior management before establishing a new correspondent relationship, and to document clearly the respective responsibilities of each institution.90

Senior management is defined as ‘officer or employee with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the Board of directors.’91 The relevant person could be the designated MLRO (discussed in section 14.5) or a senior employee of equivalent stature.

The implementation of enhanced due diligence for correspondent banks has over the years resulted in many banks from Western jurisdictions terminating their correspondent relationships on risk-averse grounds, therefore making it difficult to facilitate even legitimate international flows of finance.92 This can result in practical impossibility for individuals working in the UK, for example, to send money home to a country that is listed as high-risk in the Commission Regulation mentioned above. The FATF and FSB are both concerned with regard to the overall decline in correspondent banking relationships. The FATF has now provided guidance to assist banks in more intelligently assessing correspondent banking risks and to manage risks by clear lines of responsibility and ongoing dialogue and monitoring.93 The FSB further undertakes to provide clearer regulatory guidance for correspondent relationships, and supports public and private sector initiatives to build up the capacity of correspondent banks to meet anti-money laundering and counter-terrorist financing regulation.94 Such initiatives include standardisation of the due diligence items for banks.95

In relation to (e), enhanced due diligence is needed whenever a business relationship or transaction is carried out with a politically exposed person (PEP). PEPs are defined in Box 14.5.96 The family and known associates of PEPs are defined in Box 14.6.

Box 14.6

Family members of politically exposed persons (Article 3, AML Directive 2015)


the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person;


the children and their spouses, or persons considered to be equivalent to a spouse, of a politically exposed person;


the parents of a politically exposed person.

Persons known to be close associates of a politically exposed person


natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;


natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.

No public function referred to in points (a)–(h) shall be understood as covering middle-ranking or more junior officials.

If a person has ceased to be a PEP, banks are to continue to apply enhanced due diligence to such a person for up to 12 months after the cessation of the person’s PEP functions or role.

Banks are required to adopt appropriate risk management procedures and systems to ascertain whether a customer or beneficial owner is a PEP, including whether the beneficiary of a life insurance policy or investment-related insurance policy is a PEP or a legal person whose beneficial owner is a PEP.97 Enhanced due diligence in relation to such persons includes the determination of the risk profile of such persons upon the conduct of normal due diligence procedures as discussed above, and taking appropriate enhanced due diligence procedures in accordance with such risk profile. Enhanced due diligence steps include the taking of adequate measures to establish the source of wealth and funds and carrying out of enhanced ongoing monitoring of the business relationship.98 Further, the establishment of any business relationship with a PEP must be subject to obtaining the approval of senior management. The UK will also institute a redress procedure for PEPs who wish to complain against their financial institutions by allowing them to access the services of the Financial Ombudsman’s Office.99

Key takeaways

Banks are required to carry out customer due diligence at the establishment of business relationships with customers or for the carrying out of transactions.

Customer due diligence involves the verification of customers’ identities, including those of a beneficial owner, from reliable and credible sources of information that may be public or commercial, or even on social media.

Due diligence also involves the construction of a risk profile for customers based on the five-fold categories of customer risk, geographical risk, product or services risk, transactions risk, and delivery channels risk.

Due diligence is an ongoing obligation for banks as they are required to keep customers’ risk profiles under review and respond to changes in the risk profile.

Simplified customer due diligence may be warranted in specified situations.

Enhanced customer due diligence is required in areas of higher risk such as where a high-risk jurisdiction, as defined by an EU Commission Regulation, is involved, or where the nature of the transaction or the customer, such as being a politically-exposed person, indicates signals of relatively higher risk.

Non-exhaustive elements of risk factors under the five-fold categories are introduced to guide banks as to when simplified or enhanced due diligence may be appropriate. However, the determination of whether to apply such due diligence procedures remains to an extent discretionary, depending on the bank’s construction of the customer’s risk profile.

Key bibliography


Anti-Money Laundering Directive (EU) 2015/849

Money Laundering Regulations 2017

Other reports or papers

EBA, Joint Guidelines Under Article 17 And 18(4) of Directive (EU) 2015/849 on Simplified and Enhanced Customer Due Diligence and the Factors Credit and Financial Institutions Should Consider When Assessing the Money Laundering and Terrorist Financing Risk Associated with Individual Business Relationships and Occasional Transactions (The Risk Factors Guidelines) (21 Oct 2015) at

Joint Money Laundering Steering Group Guidance (January 2018) at


Philip J Ruce, ‘Anti-Money Laundering: The Challenges of Know Your Customer Legislation for Private Bankers and the Hidden Benefits for Relationship Management (“The Bright Side of Knowing Your Customer”)’ (2011) 128 Banking Law Journal 548

14.4 Financial intelligence reporting

The UK has established the NCA to be the Financial Intelligence Unit responsible for receiving reports from banks, financial institutions and other designated businesses of suspicious transactions in relation to money laundering and terrorist financing.100 The UK Proceeds of Crime Act 2002 (and subsequent amendments) provide for the obligation to report suspicious transactions, on pain of criminal liability.101 This is discussed shortly in this section and in section 14.4.1.

The EU 2015 Directive clearly provides that persons who make a suspicious transaction report should not be exposed to liability in contract or under law, nor be treated in a hostile, adverse, or discriminatory manner.102 Persons who make such reports are protected under the Public Interest Disclosure and Employment Rights Acts. Such reporting can also be contrary to the bank’s duty of confidentiality to its customers (discussed in Chapter 2, section 2.4), and the Proceeds of Crime Act expressly provides for such disclosures not to be treated as in breach of restrictions, however imposed, on such information, as long as the disclosure adheres to the Act’s suspicious transaction reporting regime.103

In K v National Westminster Bank Plc,104 the customer instructed the bank to pay £235,000 to its supplier for mobile phones. The mobile phones were to be sold to a Swiss company after which the customer would reclaim VAT that represented £20,000, his business profit. The bank made a suspicious transaction report to the Serious Organised Crime Agency and thus was suspended from carrying out the payment, which caused the customer losses. The customer challenged the bank’s action but the bank could not be made liable for failing to make the customer’s payment under contractual mandate, as the bank had acted lawfully in compliance with anti-money laundering regulation.

In Shah v HSBC Plc,105 Shah was a private bank customer of HSBC who was subject to significant delays in his payment instructions on at least four occasions, including paying into his own Swiss bank account in a sum over £28 million and paying his former employee in Zimbabwe in a sum of over $7 million. Shah was not aware that the bank had raised suspicious transaction reports in relation to those payment instructions. Nevertheless, the transactions were allowed to proceed after investigations by the Serious Organised Crime Agency, and hence there was no implication of money laundering liability. However, the former employee reported to Zimbabwean police suspicions that Shah was involved in money laundering that led to Shah being questioned by the Reserve Bank of Zimbabwe. Subsequently the anti-money laundering authorities froze Shah’s assets in Zimbabwe, causing him a loss of over $300 million. At first instance, the High Court dismissed Shah’s challenge against the bank’s failure to execute his transactions, holding that the bank was protected in complying with anti-money laundering regulation. Shah appealed against the summary judgment and the Court of Appeal106 then overturned the summary judgment and allowed a full trial on whether the bank would still have owed contractual duties in informing Shah of the suspicious transaction report and Serious Organised Crime Agency investigations.

In the full trial before the High Court, Shah argued that the bank owed him duties to account for the bank’s conduct in suspicious transaction reporting and their procedures. He argued that contractual terms should be implied to provide him with a wide range of information relating to the suspicious transaction reporting thresholds, procedures, and identities of officers, as well as investigation information. Shah argued that such information was owed to him as customer and would be relevant to clearing his name in Zimbabwe towards the release of his assets by authorities there. The High Court, however, dismissed Shah’s case and stated that such terms regarding disclosure of information cannot be implied as the Serious Organised Crime Agency and police would not have allowed it, being likely prejudicial to the exercise of their investigative powers.107 Indeed, implied terms should be inserted in banking contracts that allow banks to suspend their contractual duties to perform transactions when complying with anti-money laundering regulations. Shah’s case may have been looked at unfavourably due to the widely framed duty of accountability sought, and his demonstrated hostility against several named employees in HSBC plc. Further, the non-disclosure of information by the bank was judged not to have caused Shah’s losses as the losses were directly caused by the Zimbabwean authorities’ actions that were unrelated to the bank’s conduct. It is queried whether disclosure duties of a narrower nature could find favour with courts.

In sum, the protection of bank employees for raising a suspicious transaction report is comprehensive as compliance with regulation overrode contractual duties and the court has not been willing to imply duties of disclosure to the customer afterward. We now turn to the nature of the obligation to make suspicious transaction reports.

14.4.1 Suspicious transactions reports/authorised disclosures

Persons in the regulated sector (banks, financial institutions, payment services providers) who come across information or any matter within the course of business that raises knowledge, suspicion or reasonable grounds for knowledge or suspicion of money laundering, must make disclosure to a nominated officer or directly to the NCA.108 The nominated officer refers to the MLRO discussed in section 14.5.

Upon receipt of a suspicious transaction report made internally, the nominated officer must consider each report, the grounds for the report, and access all relevant information within the bank or financial institution in order to make a judgment of whether the transaction is reportable to the NCA. To this end a bank or financial institution must ensure that the nominated officer has such access. Where the nominated officer is of the view that a suspicious transaction has occurred, an external report should be made to the NCA109 via a prescribed online system.110 The external report should contain as much useful information relating to the identity of the potential money launderer and the suspected laundered proceeds as far as is possible.111 Where the nominated officer decides not to make the external report, the decision must be documented with reasons.112 Failure to make such reports as soon as is practicable may render the persons above liable for a criminal offence under s330-332 of the Proceeds of Crime Act regime.

Further, any person who may be involved in ‘concealing’ or ‘acquiring, retaining, using or controlling’ criminal property, or involved in arrangements that facilitate the above could avoid liability if such a person made an ‘authorised disclosure’.113 Authorised disclosures are made to a constable, customs officer, NCA or nominated officer in a regulated institution.114

Meaning of knowledge and suspicion

As suspicious transaction reports and authorised disclosures are made on the basis of ‘knowledge’, ‘suspicion’ or ‘reasonable grounds for raising suspicion’, it is queried whether the bank’s exercise of discretion to report can be challenged.

‘Knowledge’ is explained as actual knowledge of facts or inferred from facts that bank or financial institutions staff come across in the course of business.115 Suspicion is more subjective in quality and falls short of firm evidence.116 However, suspicion is not mere speculation and needs to be founded on some basis, but such basis need not be objectively required to be reasonable or firm.

In K v National Westminster Bank Plc above, the aggrieved customer challenged the bank’s basis for ‘suspicion’ but the court held that suspicion is a subjective state of mind, and that the bank’s suspicion, as long as it is more than a fanciful supposition, is a valid one and cannot be questioned. This position was affirmed in Shah v HSBC Plc,117 adding that any previous case law that demanded that ‘suspicion’ had to be ‘settled’ is undue.

Certain persons are exempted from the obligation to make suspicious transaction reports, largely due to their obligations as professionals or circumstances of privilege. These are lawyers, accountants, auditors, and tax advisers.118

14.4.2 The need for NCA’s ‘consent’ to proceed if a suspicious transaction report is made

After a suspicious transaction report has been made, the bank is unable to proceed with the customer’s transaction unless ‘appropriate consent’ under ss335 and 336 of the Proceeds of Crime Act 2002 has been obtained. ‘Appropriate consent’ can be obtained expressly, or be presumed after the lapse of 7 working days from the date of the report, and the NCA has not refused consent. If the NCA refuses consent within the 7 working days from the date of report, then the transaction is held for a moratorium period of 31 working days. The moratorium period is the period in which the NCA carries out its investigations. Before the expiry of the period, the NCA may raise the need to extend the moratorium if the preceding 31 days have not provided sufficient time for the NCA to complete its investigations. The Criminal Finances Act 2017119 now permits a senior officer from the NCA to request the court for an extension of the moratorium period. The court may make multiple extension orders, but each one should only be for 31 working days from when the moratorium period ought to have ended. The court’s power to extend the moratorium periods is, however, capped at a total of 186 working days for the moratorium period. In the absence of the NCA’s request for extension and at the lapse of a 31-day period, the bank may presume that ‘appropriate consent’ is achieved and proceed with the transaction.

Where the NCA refuses consent for the customer’s transaction to proceed, it can be envisaged that the customer is held in suspense, and such situations can cause the customer great inconvenience as personal or business accounts may be frozen. In UMBS Online v SOCA,120 UMBS carried on a money remittance business through a number of international currency transfer institutions one of which was the now defunct Laiki Bank of Cyprus. Laiki Bank made a suspicious transaction report against UMBS that caused UMBS’ transfers to be suspended. Within 7 working days, SOCA refused consent to proceed, which was very damaging to UMBS’ business. UMBS requested SOCA to review the decision but SOCA refused, citing that the moratorium period would last 31 days. UMBS then challenged SOCA’s refusal to review under judicial review proceedings. These failed as the High Court held that SOCA’s decision was not reviewable under legislation. On appeal, the Court of Appeal disagreed that SOCA’s decision was not reviewable and remitted back to the High Court to hear the review. It, however, opined that SOCA needed to keep records of their reasons in refusing consent and should give consent where there is no longer any good reason to hold the transaction.121

Now that the moratorium period is raised in favour of the NCA, it is hoped that the NCA would also put in place formal complaint and review mechanisms for individuals and businesses affected. The Court of Appeal’s stance in holding that the agency’s decisions have to be reasoned and documented and may be subject to review, is a welcome safeguard against the vast powers of the NCA.

14.4.3 Tipping off offence

The NCA’s powers to effectively investigate suspicious transactions are further protected by secrecy duties imposed under the Proceeds of Crime Act 2002. If a bank is unable to carry out a transaction within its normal promptness, this may highlight to the customer concerned that a suspicious transaction report has been made. If customers have such knowledge and take steps to re-arrange their financial affairs in such a way as to obstruct the NCA’s investigations, the NCA’s investigations would be prejudiced. Hence, the UK and EU have maintained a regime that prohibits ‘tipping off’ by persons where suspicious transaction reports have been made.122 The Proceeds of Crime Act 2002 makes it an offence for any person to disclose to another that either a suspicious transaction report has been made or that investigations into money laundering are contemplated or underway,123 if the information is obtained in the course of business in the regulated sector and disclosure is likely to prejudice any investigation into the matter.

The tipping off offence often puts banks in a difficult position after they have initiated a suspicious transaction report. This is because the bank’s client would presumably be anxious as to the delay in the execution of the transaction, but the bank is unable to inform the client what the cause is for the delay. In Squirrell Ltd v National Westminster Bank Plc and HM Customs & Excise (Intervenor),124 a case related to the same facts in K v National Westminster Bank Plc discussed earlier, the customer whose account was frozen while the bank waited for the lapse of 7 working days or for SOCA to refuse consent challenged the bank for failure to explain why the transactions were being held. The court held that the bank had to comply with the reporting obligations upon suspicion of money laundering and was also prohibited from disclosing to its client the state of affairs. The bank was in an unenviable position but such conduct could not be impeached.

However, the 2007 amendments to the UK regime provided for a white list of disclosures that would not be regarded as tipping off. The provisions clarified that disclosures within the same firm or group are not to be treated as tipping off.125 This is necessary to enable different personnel in the firm to deal with internal control, advice, or training. Further, disclosures made between financial institutions and between professional advisers are also protected from the tipping off offence126 if made for the purpose of preventing a money laundering or terrorist financing offence, and the relevant institution or adviser is situated in an EEA country and is subject to equivalent duties in confidentiality and personal data protection. Disclosures made to authorities for the purposes of assisting investigation or enforcement are also protected.127

Key takeaways

Banks are required to carry out suspicious transactions reports if there is knowledge, suspicion, or reasonable grounds to suspect money laundering.

Knowledge refers to actual knowledge of facts or knowledge inferred from facts but suspicion is more subjective in nature and requires some form of a basis although such basis need not be objectively ascertained.

Suspicious transaction reports are first carried out internally to the MLRO discussed in section 14.5. The Officer may then externally report this to the NCA.

If a suspicious transaction report is made, the transaction may proceed after a lapse of 7 working days if the NCA does not refuse consent to its proceeding.

The NCA may refuse consent within 7 working days in which case a moratorium period of up to 31 days applies for the NCA to carry out investigations while the transaction is suspended.

The moratorium period can be extended upon request made to the court by the NCA for further periods of 31 days up to a maximum of 186 days, during which time a customer’s account would be frozen.

Customers are unlikely to successfully seek redress from banks for failing to carry out transactions.

Further, banks are prohibited from disclosing to customers the nature of the delay in their executions in order not to prejudice NCA investigations. This is the essence of the offence of ‘tipping off’.

Judicial review may be sought for the NCA’s decisions.

Key bibliography


Criminal Finances Act 2017 amending the Proceeds of Crime Act 2002

Additional reading

Issacs, M, ‘Money Laundering: Further Guidance for Banks on What to Do When Faced with Conflicting Duties Following a Suspicious Transaction Report: The N2J Case’ (2006) Journal of International Banking Law and Regulation 431

Ryder, N, Money Laundering—An Endless Cycle?: A Comparative Analysis of the Anti-Money Laundering Policies in the United States of America, the United Kingdom, Australia and Canada (Oxford: Routledge 2012)

14.5 Internal control and governance

Banks and financial institutions need to ensure that they have in place systems and procedures to consistently and effectively implement the duties of due diligence and suspicious transaction reporting discussed above. Overall, banks and financial institutions are required to install and maintain an organisational framework or architecture for such compliance. To this end, the FCA128 has established procedural and governance rules for banks. In general, banks and financial institutions are to put in place adequate policies and systems proportionate to the nature, scale, size, and complexity of their businesses and in accordance with the nature and range of financial products and services they engage in.129 We turn first to the governance requirements imposed by the FCA, followed by the procedural requirements. The governance requirements relate to the organisation of responsibility for implementing, overseeing, and reviewing compliance policies and procedures within the bank or financial institution.

14.5.1 Governance

The FCA mandates that a director or senior manager of the bank or financial institution130 has overall responsibility for maintaining the policies and systems for compliance with anti-money laundering and counter-terrorist financing regulation. Where a bank or financial institution group is concerned, anti-money laundering and counter-terrorist financing policies are to be maintained on a group-wide basis. The policies must be documented, as this will ensure due dissemination to the rest of the firm for effective and consistent implementation, and for training and awareness purposes.131

Reposing the ultimate responsibility for maintaining compliance systems and procedures in a director or senior manager ensures that the need for compliance and its implementation is directed at the highest levels of authority in the bank or financial institution, and that oversight is carried out at such levels. As putting in place compliance systems and procedures is necessarily costly and they would inevitably interfere with business, banks and financial institutions may not be motivated to implement such systems and procedures effectively. The imposition of potential personal liability on a director or senior manager for failure to implement effective systems and procedures is arguably a compelling incentive for directors and senior managers tasked with this responsibility. The personal liability regime for senior managers is discussed in Chapter 12, and the earlier example of FCA enforcement against Bank Habib AG Zurich mentioned in section 14.2 shows that the FCA is willing to punish individuals, in that case the Money Laundering Reporting Officer, for failures to effectively implement compliance systems and procedures.

Further, a specific MLRO must be designated in the bank or financial institution unless the firm is a sole trader. The MLRO acts as a focal point for the anti-money laundering and counter-terrorist financing compliance in the firm and has oversight for effective implementation of systems and procedures.132 The MLRO is also likely to be the one carrying out the functions of ‘nominated officer’ discussed above in relation to receiving internal suspicious transaction reports and to making the judgment call of whether to make an external report to the NCA or otherwise. This person may be the same as or different from the responsible ‘director or senior manager’ mentioned above, and where the MLRO is a different person, there would likely be a line of accountability to the director or senior manager so that the MLRO’s roles and functions can be overseen.

The MLRO is to be given sufficient stature in the firm, and protected in his/her independence. S/he is also to be adequately resourced.133 Further, the MLRO is responsible for preparing an annual report of the oversight of compliance to senior management, in order for review and improvement to be implemented.134 We turn to discuss the regulatory requirements for systems and procedures for compliance and their effectiveness.

14.5.2 Systems and procedures

Compliance systems and procedures in relation to anti-money laundering and counter-terrorist financing involve data collection, analysis and processing systems, alerting for action, reporting and review. Banks and financial institutions are subject to extensive record-keeping duties, with the information in those records forming the basis for compliance systems and procedures. Banks and financial institutions are required to maintain the following records:


Information for conducting customer due diligence including deviations from normal due diligence procedures such as for financially excluded customers.135


Supporting information for customer transactions that are the subject of customer due diligence or ongoing monitoring.136


All actions taken to identify beneficial owners of bodies corporate.137


All internal reports made to the MLRO whether or not acted upon to be reported to the NCA, with reasons documented for not acting upon the internal report.138


All external reports made to the NCA.139


All MLRO annual reports on oversight of compliance systems and procedures.140


All internal records of training for compliance with systems and procedures for staff.141

Due diligence and transaction records are to be maintained for 5 years from the completion of transaction or end of business relationship.142 Other records such as internal and external reports or internal records of annual reports or training records should be maintained for 5 years from the date of each record.143 Records can be kept in paper copies or in electronic form,144 but the overriding factor that may assist in determining how and where records are to be kept is whether such records can be accessed without undue delay in order for banks and financial institutions to perform due diligence, ongoing review, or transaction reporting.145

The use of automated systems may to an extent be important in assisting banks and financial institutions in meeting their compliance requirements.

First, banks and financial institutions are required to keep customer information up-to-date as part of ongoing customer due diligence. The use of automation can assist banks and financial institutions in identifying significant points in time for seeking new customer information or evidence, such as the establishment of a new business relationship or opening of new accounts.146

Next, banks and financial institutions are to maintain systems and procedures for monitoring customers. Such monitoring is for the purpose of ensuring that transactions fit the risk profiles of customers, and for detecting unusual or suspicious transactions so that appropriate determination can be made as to internal and external reporting. Monitoring systems should be capable of both real-time monitoring as well as periodic reviews after customer transactions have taken place. Both types of monitoring should be capable of leading to the flagging up of suspicious transactions.147 Monitoring should not be a mechanical process, and banks should adopt indicators for review that are based on customers’ risk profiles and up-to-date information, following a risk-based approach.

Further, banks and financial institutions should explore both manual and automated systems in different combinations in order to carry out monitoring. Where banks and financial institutions process a significant volume of transactions, some extent of automation in applying monitoring procedures would likely be necessary.148 Automated systems may be simple or sophisticated along a spectrum of artificial intelligence, and they may be configured with parameters suited to the bank’s needs in order to flag up suspicious or unusual transactions. Banks and financial institutions need to ensure that where they purchase such automated systems from commercial suppliers, the suppliers are able to calibrate the systems according to the bank’s needs. Banks and financial institutions that procure and use automated systems should also understand how the systems work in terms of the assumptions and parameters they implement and whether they may be intelligent enough to learn from past experience.149 Manual processes can be more effective when human judgment is needed such as ‘staff intuition, direct exposure to a customer face-to-face or on the telephone, and the ability, through practical experience, to recognise transactions that do not seem to make sense for that customer.’150 Hence it is important for banks and financial institutions to maintain appropriate compliance training151 for relevant staff in order to sustain staff alertness to suspicious transactions. Such compliance training should also be subject to a systematic approach to ensure that all relevant staff are adequately equipped to manage money laundering and terrorist financing risks and comply with the duties imposed on banks and financial institutions.

Systems and procedures in relation to anti-money laundering and counter-terrorist financing are subject to review by internal audit according to the latter’s role and responsibility discussed in Chapter 12, as well as by senior management, as earlier discussed.

14.5.3 FCA enforcement

Although the requirements in relation to systems and procedures sound highly procedural, they have formed the basis of much of the FCA’s enforcement against banks and financial institutions. The FCA can carry out enforcement against banks and financial institutions for failing to put in place adequate governance, systems, or procedures even if there is no substantive finding of money laundering or support for terrorist financing. This is because the failure to maintain adequate systems and procedures could result in significantly increased risk that money laundering is facilitated and undetected. The failure to maintain such systems and procedures often entails a breach of the duty to conduct customer due diligence or to make a transaction report, as the ability to conduct customer due diligence or make transaction reports is highly dependent on the effectiveness of systems and procedures.

The FCA has fined several banks for failing to maintain adequate systems and controls for customer due diligence, especially in relation to enhanced due diligence, identification, and risk-monitoring of high-risk customers and PEPs. The private bank Coutts was fined £8.75 million152 in 2010 for failings in this regard, and Standard Bank Plc153 was fined in 2014 in the sum of £7.6 million for similar types of failings. Lesser fines of over £500,000 were levied on Habib Bank AG Zurich154 in 2012 and Guaranty Trust Bank (UK) in 2013155 for similar failings. In 2016, the FCA levied a £3.2 million fine on Sonali Bank (UK) for failures in governance, such as a lack of adequate senior management oversight, failings in the MLRO’s functions, and overall weak systems for customer due diligence and monitoring.156 The MLRO was personally fined in the sum of £17,900 under the personal liability regime discussed in Chapter 11. The largest fine to date was, however, levied on Deutsche Bank in 2017 in the sum of £163 million.157 Box 14.7 encapsulates the enforcement case.

Box 14.7 FCA fine against Deutsche Bank for failings in anti-money laundering compliance

Deutsche Bank’s Corporate Banking and Securities division (CB&S) in the UK was alleged to have:


performed inadequate customer due diligence;


failed to ensure that its front office took responsibility for the due diligence obligations;


used flawed customer and country risk rating methodologies in assessing money laundering risk;


deficient anti-money laundering policies and procedures;


an inadequate anti-money laundering IT infrastructure;


lacked automated anti-money laundering systems for detecting suspicious trades; and


failed to provide adequate oversight of trades booked in the UK by traders in non-UK jurisdictions.

As a result of these failings the FCA took the view that:

Deutsche Bank failed to obtain sufficient information about its customers to inform the risk assessment process and to provide a basis for transaction monitoring. The failings allowed the front office of Deutsche Bank’s Russia-based subsidiary (DB Moscow) to execute more than 2,400 pairs of trades that mirrored each other (mirror trades) between April 2012 and October 2014. The mirror trades were used by customers of Deutsche Bank and DB Moscow to transfer more than $6 billion from Russia, through Deutsche Bank in the UK, to overseas bank accounts, including in Cyprus, Estonia, and Latvia. The customers on the Moscow and London sides of the mirror trades were connected to each other and the volume and value of the securities was the same on both sides. The purpose of the mirror trades was the conversion of Roubles into US Dollars and the covert transfer of those funds out of Russia, which is highly suggestive of financial crime.
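The mirror-trade pattern described in Box 14.7 is the kind of rule an automated monitoring system can encode. The following is an added example, not code from the FCA, the bank, or the authors: it pairs a purchase with a sale of the same security and size, booked on a different desk in a different currency by a connected customer. The field names, the one-day matching window, and the connected-party list are assumptions, and quantity stands in for the "volume and value" test because comparing value would need exchange-rate data.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Trade(NamedTuple):
    trade_id: str
    desk: str          # booking location (assumed field)
    customer: str
    side: str          # "BUY" or "SELL"
    security: str
    quantity: int
    currency: str
    executed: datetime

def linked(a, b, links):
    """True if two customers are the same or recorded as connected parties."""
    return a == b or frozenset((a, b)) in links

def find_mirror_pairs(trades, links, window=timedelta(days=1)):
    """Pair each BUY with an unmatched SELL of the same security and quantity,
    booked on another desk in another currency by a connected customer."""
    buys = sorted((t for t in trades if t.side == "BUY"), key=lambda t: t.executed)
    sells = sorted((t for t in trades if t.side == "SELL"), key=lambda t: t.executed)
    used, pairs = set(), []
    for b in buys:
        for s in sells:
            if (s.trade_id not in used
                    and s.security == b.security and s.quantity == b.quantity
                    and s.desk != b.desk and s.currency != b.currency
                    and abs(s.executed - b.executed) <= window
                    and linked(b.customer, s.customer, links)):
                used.add(s.trade_id)          # each sale matches at most one purchase
                pairs.append((b.trade_id, s.trade_id))
                break
    return pairs

# Constructed sample data (not real trades, customers, or securities).
LINKS = {frozenset(("CUST-A", "CUST-B"))}
TRADES = [
    Trade("T1", "MOSCOW", "CUST-A", "BUY", "SEC-1", 1000, "RUB", datetime(2014, 3, 3, 10, 0)),
    Trade("T2", "LONDON", "CUST-B", "SELL", "SEC-1", 1000, "USD", datetime(2014, 3, 3, 10, 20)),
    Trade("T3", "LONDON", "CUST-C", "SELL", "SEC-1", 1000, "USD", datetime(2014, 3, 3, 11, 0)),  # not connected
    Trade("T4", "MOSCOW", "CUST-A", "BUY", "SEC-2", 500, "RUB", datetime(2014, 3, 4, 9, 0)),
    Trade("T5", "LONDON", "CUST-B", "SELL", "SEC-2", 400, "USD", datetime(2014, 3, 4, 9, 5)),    # size differs
    Trade("T6", "MOSCOW", "CUST-B", "BUY", "SEC-3", 200, "RUB", datetime(2014, 3, 5, 9, 0)),
    Trade("T7", "LONDON", "CUST-A", "SELL", "SEC-3", 200, "USD", datetime(2014, 3, 9, 9, 0)),    # outside window
]

if __name__ == "__main__":
    print(find_mirror_pairs(TRADES, LINKS))
```

The rule depends on the connected-party data being complete, which ties it back to the customer due diligence failings listed in the box: without that information the pairs cannot be linked.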

Key takeaways

Banks are to ensure that anti-money laundering and counter-terrorist financing policies are maintained at the level of a director or senior manager who has personal responsibility in the terms discussed in Chapter 11.

Banks are to appoint an MLRO for oversight of the implementation of effective anti-money laundering and counter-terrorist financing systems and procedures.

Banks must put in place adequate systems and procedures for dealing with the duties in customer due diligence, monitoring and review, transaction reporting, training, and education of staff, generating reports to senior management, record retention, and day-to-day operations where money laundering risks feature.

These systems and procedures should be able to perform both real-time and periodic post-transaction review, and should be a combination of automated and manual systems and procedures where appropriate. The fine against Deutsche Bank seems to suggest that where automated systems may be useful, not installing them can be regarded as a failure to implement effective systems and procedures, attracting FCA enforcement.

The FCA is the principal enforcer of breaches of duties in customer due diligence, monitoring and review, and transaction reporting, as well as failures to implement and maintain adequate systems and procedures. The FCA has fined a number of banks to date, including Deutsche Bank.

Key bibliography


FCA Handbook SYSC 6

Additional reading

Angela SM Irwin and Kim-Kwang Raymond Choo, ‘The Future of Technology in Customer Identification & Relationship Risk’ (2014) at



Critically evaluate the obligations imposed on banks in respect of their role in financial intelligence relating to money laundering. Are bank customers adequately protected when a bank makes a suspicious transaction report?

Answer tips: You may wish to discuss the obligations for a bank under ss330–2 and the effect of suspension of customer transactions pending appropriate consent under ss335–6 Proceeds of Crime Act 2002. You should discuss to what extent customers can challenge bank decisions or call banks to accountability, in light of the s333 tipping off offence. You should also assess if judicial review is available against the NCA. You should refer to key case law in this area.


Should banks be fined heavily for breaches of procedural requirements that are preventive in nature, whether or not money laundering has indeed occurred?

Answer tips: You may wish to provide an overview of the procedural requirements in due diligence, reporting of suspicious transactions and the implementation of systems and procedures. While bearing in mind the high-level nature of this question and the need to be succinct with selective detail, you should discuss what you consider to be the spirit of such preventive measures and how they relate to disrupting the money laundering process. You may also discuss key enforcement cases such as the Deutsche Bank fine.


© Oxford University Press 2019