In June, the Court of Appeal expanded the scope of a bank’s duty of care to protect its customers from fraud to encompass instructions from persons other than agents of a bank customer. However, the English courts have once again examined the scope of this Quincecare obligation and this latest judgment sheds light on how the courts deal with the expanded obligation. The court felt that the focus was on the particular instruction that might have warned the bank, rather than broader concerns. A clear distinction has been made between what may be termed money laundering compliance issues and financial crime prevention best practices, and the evidence needed to establish that the bank is aware of an attempt to embezzle funds. Taken at face value, the decision means that, for an action against a bank by its customer to be possible, there must be proof that there was a serious or real possibility that its customer would be the victim of a fraud in connection with the transaction for which the instructions were given.
A copy of the judgment is available here.
2. More UK companies will provide confirmation of beneficiary services
In line with ongoing efforts to prevent fraudulent and accidental payments, the UK Payment Services Regulator (“PSR”) has outlined plans to require approximately 400 additional companies to provide Payee Confirmation (“CoP”) services ). CoP is designed to reduce erroneous and fraudulent transactions by providing a name verification service. In recent years, it has become an extremely important tool in the fight against authorized push payment (“APP”) fraud by notifying consumers about to make a payment when the name and account number do not match. This proposal is currently at the consultation stage, with a response deadline set for July 8, 2022. However, it is likely that the regulator’s plans could be implemented quickly. Companies that are not yet using CoP should consider getting ahead of the regulator, especially since those that have not yet implemented CoP have seen an increase in APP fraud activity. Companies should also consider the regulatory and reputational benefits of implementation, particularly in the context of APP fraud. Customers who are more aware of the risk of fraudulent transactions are likely to be more cautious, which will reduce the number of fraudulent payments and, by extension, potential negligent breach of duty claims that might otherwise be made against them.
A link to the press release is available here.
3. The UK will bring critical third-party providers into the remit of financial regulators
The UK government has announced its intention to bring third-party providers deemed essential to the financial sector into the scope of UK financial regulators. The increased reliance within the banking and financial services industry on third-party vendors has, while beneficial, brought increased risk from an operational resilience perspective. As part of these proposals, the UK government intends to introduce primary legislation giving the Treasury and regulators the power to jointly designate specific providers as essential to the sector via secondary legislation. Regulators will then be empowered to take action to reduce the risk of systemic disruption. Although there is no timeline at this time, the government intends to have this regime legislated by the current Parliament. Companies should consider engaging with their third-party vendors as soon as possible to avoid any disruptions and to discuss any future working relationships in the future.
A link to the policy statement is here.
4. ARP outlines operational resilience mapping
On 25 May 2022, the Executive Director of the UK Prudential Regulator’s Supervisory Risk Specialists discussed his expectations for operational resilience, i.e. where the Regulator prudential expects businesses to be by March 2025 and requirements to provide assurances of their resilience in the face of business service disruptions. The speech focused on what companies should be doing by March 2025. Key objectives included:
- Scenario testing – these should include data integrity scenarios and factors beyond the companies control.
- Build resilience – companies may need to build additional facilities, review and adapt outsourcing arrangements, or revamp or replace existing systems.
- Integrate operational resilience – companies can leverage existing frameworks to implement an operational resilience policy, but should ensure that the expectations of all relevant policies are fully met.
The need to be able to promote and demonstrate operational resilience is global: many regulators take a keen interest in it. Companies that are not yet reviewing their policies and engaging in stress testing should start doing so. Those ahead of the curve will be in the best position to show resilience.
5. The EU announces sixth package of russian sanctions
The EU has announced its sixth package of economic sanctions against Russia. This package has just been published in the EU Journal Official newspaper and entered into force on June 3, 2022. Key points include:
- A gradual ban (subject to certain temporary exceptions) on the purchase, import or transfer of crude oil and certain petroleum products from Russia to the EU.
- A prohibition on providing technical assistance, brokerage services, financing or financial assistance or any other service, directly or indirectly, related to the foregoing.
- The expulsion of several other banks from SWIFT.
- Suspension of broadcasting activities of state-controlled media.
- Prohibition on providing accounting, public relations and consulting services.
- Expand the list of goods subject to export restrictions; and
- List of additional individuals and entities.
A number of these restrictions will take effect immediately. However, the oil import ban will not be fully operational for 8 months to phase out imports. In addition, the European Commission has proposed measures to oblige Member States to establish criminal penalties for violation of sanctions and to create the possibility of confiscating the proceeds of such violations.
6. Changes to UK Sanctions Enforcement Powers
As of June 15, 2022, the UK’s Office of Financial Sanctions Implementation (“OFSI”) has the power to impose civil monetary penalties for breaches of sanctions regimes on the basis of strict liability and publish the details. violations of financial sanctions, even when no sanction has been imposed. In addition, monetary penalty reviews can be undertaken by someone other than a Minister, allowing for greater flexibility and allocation of resources. The OFSI has already published an updated version of its guidelines on financial penalties here, ready to reflect these changes. This is an important development for anyone subject to UK sanctions regulations and, among other things, it will potentially lead to an increase in the number of civil penalties for breaches of sanctions that we see imposed in the UK Uni and the reputational risk associated with compliance with sanctions. If not already done, internal policies should be reviewed as soon as possible and additional training provided if necessary to ensure that all relevant staff are aware of the changes. It is important to note that the changes are not retroactive and therefore will not apply to violations prior to June 15, 2022.
7. The Law Commission of England and Wales releases paper on corporate criminal liability reform
On June 10, 2022, the Law Commission published its paper outlining options for amending corporate criminal liability law in England and Wales. The review was triggered following a number of high-profile criminal cases against large corporations and widespread concern about the effectiveness of the ‘identification principle’ as a means of allocating criminal liability to businesses in the UK; making it difficult to effectively prosecute large companies and organizations for crimes such as fraud, theft, false accounting and money laundering. The Law Commission has suggested a number of reforms, including:
- extend the scope of application of the principle of identification to senior executives as well as directors;
- expanding the types of “failure to prevent” offenses to cover fraud, human rights abuses, abuse or negligence, and computer misuse; and
- increase the use of publicity orders when a corporation is convicted.
It is highly likely that a number of other recommendations will be enacted through primary or even secondary legislation, posing a significant challenge for compliance professionals tasked with limiting a company’s exposure to a potential criminal liability. A link to the document is available here.
8. UK Climate Biennale 2021 Exploratory Scenario Results
On May 24, 2022, the UK’s central bank, the Bank of England, published the outcome of its first climate risk exploratory scenario exercise, Climate Biennial Exploratory Scenario (“CBES”). It was essentially a stress test of sectors’ resilience to climate-related financial risks as the UK moves towards a carbon-neutral economy. The CBES found that good progress has been made, but much more needs to be done to truly understand and manage exposure to climate risks. The financial effect of the failure to effectively manage risk (in terms of annual earnings slowdown) was material in each of the scenarios covered and could have a significant impact on the financial system as a whole. It is clearly expected that the results will be used to inform companies’ approaches to climate risk management capability. Companies should note the importance of investing in risk assessment capabilities so that they can improve their estimates of climate risk given the significant data gaps identified in the results. Special attention should also be paid to internal modeling and data capabilities, as this will allow companies to predict risks with greater accuracy and act accordingly. Banks and insurers will need to put in place interim measures to inform risk management until the data issues are resolved. Expect further engagement with companies individually and collectively to help them focus their efforts. CBES will also inform ongoing work around policy tools.
A link to the CBES results can be found here.