Navigating Issues in Global Financial Crime Compliance: an In-House UK and US Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content.
This chapter examines global financial crime compliance from an in-house perspective. It addresses some of the many challenges the pursuit of such compliance can present through an examination of both UK and US financial crime laws and regulatory expectations, with a focus on how these laws affect global financial services.
What does compliance mean for financial organisations?
Compliance is a straightforward concept, defined by the Cambridge Dictionary as ‘the act of obeying a law or rule, especially one that controls a particular industry or type of work’. In practice, its pursuit is both complex and challenging for organisations. This chapter explores why.
Regardless of whether organisations operate internationally or only domestically, they are expected to comply with a myriad of overlapping financial crime laws, regulations and regulatory guidance and expectations, among other relevant laws and rules. To achieve compliance, organisations must first understand and document all their global activities and all applicable financial crime laws, regulations and regulatory expectations. They must then map their global activities against all identified requirements, while being aware that some may conflict with each other or have extraterritorial effect. While the chapters on ‘UK Compliance Requirements’ and ‘US Compliance Requirements’ examine the various financial crime compliance requirements in the United Kingdom and the United States, respectively, an organisation’s (likely unique) risk map will also need to reflect factors such as its customer base, the nature of the products or services it provides and the jurisdictions in which it operates. The risk map will also need to take into account the laws, regulations and compliance expectations of any other jurisdictions in which the organisation operates.
Second, organisations must decide on some form of compliance programme to decrease their risk of non-compliance with these laws, regulations and regulatory expectations. While compliance efforts often focus on written policies and procedures designed to meet applicable legal and regulatory requirements and expectations and reflect an organisation’s risk appetite, these elements should be accompanied by an appropriate corporate compliance culture, governance mechanisms and clear risk ownership in order for a compliance programme to be functional and effective. For many organisations, compliance sits at the heart of their approach to good corporate citizenship – forming the bedrock of their approach to both reputational risk and ethical decision-making.
Third, organisations must maintain their compliance programme, ensuring that any changes to applicable laws, regulations and regulatory expectations are accounted for and decisions made under it are sensible. Controls, monitoring and assessments of these items are key to this. Such maintenance requires the continual assessment of any changes to applicable laws or business activities and such other factors as emerging enforcement trends. Since early 2022, the pace and extent of change to US and UK sanctions law following Russia’s invasion of Ukraine has been a material challenge the financial services industry has had to meet in this context.
Challenges of compliance for organisations
Mapping applicable legal and regulatory risk
The chapters on ‘UK Compliance Requirements’ and ‘US Compliance Requirements’ delineate certain compliance requirements of the United Kingdom and the United States, respectively, which pertain to sanctions, money laundering, terrorist financing, bribery and tax evasion. Rather than rehash those chapters here, this section will address some of the specific challenges that certain compliance requirements may present to organisations operating in the international financial services market.
After the United Kingdom’s departure from the European Union at the end of 2020, EU sanctions no longer applied in the United Kingdom. To arm the United Kingdom with the legislative capacity to both implement UN sanctions and issue its own sanctions post-Brexit, the UK parliament passed the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). SAMLA allows the UK government to issue such sanctions as asset freezes, various other forms of financial sanctions, travel bans, immigration restrictions and trade restrictions through the passing of secondary legislation. Those laws are enforceable not only against persons within the United Kingdom, the United Kingdom’s territorial waters and, in certain instances, the airspace over the United Kingdom, but also against all UK persons, wherever they may be in the world. With UK persons defined as UK nationals or bodies incorporated or constituted under the law of any part of the United Kingdom, UK entities and their non-UK branches must comply with UK sanctions law, even where their activities take place abroad.
US sanctions have an even more expansive jurisdictional reach and generally apply to individuals physically present in the United States, corporations organised under the laws of the United States or any jurisdiction within the United States, foreign branches of US corporations, US citizens and permanent resident aliens. These compliance obligations apply to US citizens, permanent resident aliens and US corporations and their foreign branches, even where their activities take place entirely outside the United States.
In addition, since 2005, US regulators have applied and enforced US sanctions laws against non-US persons and corporations conducting business in or through the United States, regardless of their citizenship or place of incorporation.
Finally, US sanctions on Iran, Cuba and North Korea apply to certain foreign incorporated subsidiaries of US corporations.
Specific challenges for organisations
Such extraterritorial application, coupled with the maintenance by the United Kingdom and the United States of 30-plus sanctions regimes each, means that any such applicable sanctions must be carefully accounted for in the organisation’s risk map and addressed through documented policies and procedures designed to mitigate those risks.
The sanctions law of any given jurisdiction is a reflection of its government’s foreign policy stance: just as the foreign policy stances of different countries rarely (if ever) perfectly align, the same can be said for their sanctions regimes. Even where two countries are ostensibly in agreement on a particular foreign policy stance, the sanctions they each pass would still likely differ in either substance or form. For a global organisation operating in multiple jurisdictions, this can present substantial challenges to its compliance programme.
For example, with UK sanctions applying to non-UK branches of UK entities, a US branch of a UK organisation must comply with UK sanctions. That same US branch of a UK organisation must, however, also comply with US sanctions. This can present challenges where US and UK sanctions differ or, in some circumstances, even directly conflict.
To add further complexity, while EU sanctions may no longer apply in the United Kingdom post-Brexit, they still apply to EU persons working in the United Kingdom and the United States. Organisations must, therefore, ensure that they are acutely aware of these challenges and complexities and have appropriate controls (including recusal requirements, where necessary, and seeking independent legal advice on a case-by-case basis) and escalation paths in place to ensure the right people are involved in the development of a policy position and subsequent decision-making.
The United Kingdom’s principal laws on money laundering are set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and the Proceeds of Crime Act 2002 (POCA). The purpose of the former was stated in its explanatory memorandum as being to make the financial system a hostile environment for illicit finance by obliging not only financial institutions but also other sectors considered ‘gatekeepers’ to the financial system to minimise the risk of allowing the proceeds of criminal activity into the financial system.
In short, organisations are expected to have in place certain measures to mitigate the risks of money laundering and terrorist financing. This includes a requirement to know who they are dealing with, to limit the chances of dealing with bad actors. ‘Knowing your customer’ is critical to this. The MLRs apply to firms operating in the UK financial services industry, as well as to other industries.
POCA sets out not only the substantive money laundering offences of concealing, arrangement and acquisition, and use and possession of criminal property but also various reporting obligations, such as suspicious activity reporting. Both individuals and organisations may commit certain offences laid out therein, regardless of whether they are part of the regulated sector.
The US legal framework for money laundering is primarily governed by the Bank Secrecy Act (BSA) and the Patriot Act. US money laundering laws and regulations are aimed at preventing the illegal processing of illicitly obtained funds through financial institutions, thereby concealing their criminal origins. The BSA requires financial institutions to establish robust anti-money laundering (AML) programmes, implement customer due diligence measures, report suspicious activity to the Financial Crimes Enforcement Network and maintain extensive records to facilitate law enforcement’s ability to trace and prosecute criminal money laundering activities.
Specific challenges for organisations
One challenge for organisations operating in the transatlantic financial services market is that US and UK money laundering laws define criminal conduct (capable of generating criminal property) in contrasting ways. Taking the example of Canadian cannabis, to which transatlantic financial institutions are likely to be exposed in some form, this differing approach can generate complications. POCA defines criminal property as the proceeds of any conduct that either constitutes an offence in England and Wales or would have constituted an offence were it to have occurred in England and Wales. This means that the proceeds of certain retail cannabis sales in Canada, even if legal in Canada under Canadian law, will represent criminal property as soon as they hit the United Kingdom.
The US federal Money Laundering Control Act (MLCA) takes a different approach: the MLCA criminalises engaging in certain financial transactions and monetary transactions, including the transfer of money across US borders, involving the proceeds of a ‘specified unlawful activity’ with the requisite criminal intent. In contrast to the UK approach, US-specified unlawful cannabis-related activities generally fall into three categories, namely activities that violate US federal law, US state laws or foreign laws. This means that a non-US cannabis business engaging in the manufacture, importation, sale or distribution of cannabis in compliance with applicable foreign laws would not be engaged in a specified unlawful activity under the MLCA, assuming that the non-US cannabis business did not intend, know or have reasonable cause to believe that the marijuana would be unlawfully imported into the United States. This means that if there is no intent, knowledge or reasonable cause to believe that the cannabis would be unlawfully imported into the United States, the proceeds of certain retail cannabis sales in Canada, if legal in Canada, would not violate the MLCA.
In contrast to UK financial institutions, in this scenario, US financial institutions could participate in converting direct or indirect proceeds of a non-US cannabis business to US dollars.
Financial services organisations with operations in both the United States and the United Kingdom must, therefore, address these risks on a jurisdiction-by-jurisdiction basis, perhaps in part by requiring customers and counterparties to contractually ring-fence any Canadian cannabis-related business to ensure UK parties do not lend to or receive any funds from it.
Owing to the differing legal and regulatory requirements, organisations should conduct a case-by-case analysis of the facts in each matter, which could result in either (1) applying the highest common standard and potentially declining a transaction owing to risk appetite or (2) taking a bespoke approach to risk and structuring a transaction in a manner that complies with all applicable laws, which may involve ring-fencing certain activities or personnel to avoid certain jurisdictions.
Bribery and corruption
The Bribery Act 2010 (BA) sets out offences ranging from bribery of a foreign public official to commercial bribery, with both the bribe payer and the recipient capable of committing an offence. Under section 7 of the BA, a corporate may also commit the strict liability offence of failure to prevent bribery if (1) a bribery offence is committed by someone performing services for or on its behalf and (2) the corporate does not have in place adequate procedures to prevent such bribery. While the jurisdictional scope of each offence may differ, they variously apply to UK citizens, residents and corporates that are either incorporated in the United Kingdom or carry on a part of their business in the United Kingdom, as well as to non-UK individuals whose offending conduct takes place in the United Kingdom.
The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits individuals and companies, including those based in the United States or subject to US jurisdiction, from offering or providing bribes, kickbacks or anything of value to foreign government officials or foreign political parties and officials for the purpose of obtaining or retaining business. It also imposes stringent record-keeping and internal control requirements on covered entities to promote transparency and accountability. It is a significant tool in the global fight against corruption and has led to numerous enforcement actions and penalties against entities found in violation of its provisions, both in the United States and abroad.
Comparing the US and UK approaches: specific challenges for organisations
| FCPA (United States) | BA (United Kingdom) |
| --- | --- |
| Bribery of foreign government officials, including state enterprise employees, political parties, party officials, political candidates and public international organisation employees | Bribery of public and private sector individuals (includes a discrete offence of bribing a public official); an offence for failure to prevent bribery by associated persons |
| Only penalises those making bribes | Accepting bribes is also punishable |
| Prosecutes active participation in bribery, although the requirement for internal controls is independent of any bribery activity | No accounting offence in the BA, but Companies Act 2006 includes an offence of failing to keep adequate accounting records |
| Consideration of compliance programmes at prosecution and sentencing stages | ‘Adequate procedures’ is the only potential defence available against failing to prevent bribery |
| Statutory exception for ‘facilitation payments’, narrowly defined | Facilitation payments only permitted in certain circumstances if local written law permits them |
| Reasonable and bona fide expenditure on travel, lodging and entertainment expenses permitted if directly related to promotion of product or service or to performance of government contract | No express exception for corporate hospitality, but guidance advises that ‘reasonable and proportionate’ hospitality is permissible |
As the table shows, the UK BA is broader than the US FCPA insofar as it lays out offences of not only bribery of foreign public officials but also public bribery and commercial bribery, as well as failure to prevent bribery. Organisations operating in both the United Kingdom and the United States should try to ensure that their anti-bribery and corruption policies and procedures meet the higher standard and apply globally, to reduce the risk of offences with extraterritorial application being committed.
Regulatory requirements and expectations
The Financial Conduct Authority (FCA) is empowered by the Financial Services and Markets Act 2000 (FSMA) to regulate the conduct of financial services firms and financial markets in the United Kingdom. To this end, the FSMA permits the FCA to make its own rules, which tend to be very broad and based on conduct or principles. The FCA Handbook sets out not only broad principles, such as ‘[a] firm must conduct its business with integrity’, but also more specific requirements such as the requirement that firms have in place financial crime-related systems and controls that address specific risks, such as money laundering, bribery, corruption and fraud.
There are more regulators in the United States than in the United Kingdom with jurisdiction to regulate the conduct of financial institutions. For banks, there are at least five federal regulators: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the National Credit Union Administration, the Federal Deposit Insurance Corporation and the Consumer Financial Protection Bureau.
To promote uniformity and consistency in the supervision and examination of financial institutions, the Federal Financial Institutions Examination Council (FFIEC) was established in the United States. The FFIEC in turn publishes the BSA/AML Examination Manual, which provides guidance and uniform standards by which institutions are assessed by regulators for BSA/AML and Office of Foreign Assets Control compliance.
Specific challenges for organisations
Organisations should adopt the higher standard and apply it globally through their compliance programme, as US and UK regulators will each judge an organisation’s compliance programme against the locally applicable regulatory requirements and expectations. The compliance programme should, therefore, be capable of holding up to scrutiny in both jurisdictions (and in all jurisdictions in which the organisation is regulated).
Designing a compliance programme
Once an organisation has mapped its financial crime compliance risks, it must design a compliance programme to address and mitigate those risks. While larger organisations may tend to create financial crime compliance departments to help achieve this goal, the overall success of a programme often hinges on the extent to which an organisation as a whole embraces the importance of compliance. To achieve the latter, organisations must get at least three key interrelated components right, namely risk appetite, governance and culture.
An organisation must decide on and act in accordance with its risk appetite. Its risk appetite often requires adherence to higher standards than those set out in applicable law or explicit regulatory requirements, to build in a risk buffer or reflect an organisation’s core values. For example, an organisation may not be prohibited by law or regulatory expectation from dealing with certain parties, but it may choose not to do so from an ethical or reputational risk perspective.
An organisation’s risk appetite must also consider a potentially global myriad of overlapping financial crime laws, regulations and regulatory expectations; for example, in certain circumstances, US regulators may require higher standards than their overseas counterparts, so organisations with operations falling under the jurisdiction of both must decide whether their non-US operations will also be subject to those higher standards and reflect the same in their compliance programme.
An organisation’s risk appetite must then be reflected in some form of framework if it is to be applied appropriately. Many organisations in the financial services sector choose to implement a framework of policies and procedures to achieve the same, which will need to set out and operate in lockstep with the assignment of appropriate risk ownership and governance structures. Roles and responsibilities should be clearly articulated, understood and assigned, with training administered and its impact measured.
From a governance and risk ownership perspective, organisations often adopt the three lines of defence model. In broad terms, this involves empowering a front line to take (and own) various risks that attach to doing business, a second line providing an oversight, advisory and challenge function, and a third line providing an independent audit function to ensure compliance.
UK and US regulators each have their own risk ownership-related requirements for the financial services industry. In the United Kingdom, for example, the Senior Managers and Certification Regime requires financial institutions to assign particular risks to named individuals, with those individuals then being accountable for their particular area. In the United States, BSA officers can be held personally liable for their organisations’ AML failures.
Finally, the importance of compliance should be central to an organisation’s culture, with the right ‘tone from the top’ being a much-cited key component for both US and UK regulators. While senior management should be championing the critical importance of compliance and demonstrating their commitment to it, staff at all levels of an organisation should be doing the same and must be familiar with its framework of policies and procedures. Non-adherence to that framework should also be dealt with appropriately. A culture of compliance and speaking up will not achieve the desired compliance results without a corresponding framework of policies and procedures governing the mechanics of doing so, and vice versa. Staff must not only be engaged with and aware of compliance issues but also know where to look for the appropriate actions and escalation channels. Training helps with this.
Maintaining a compliance programme
Each change to applicable law, regulatory expectation or business activity will likely require an organisation to review its risk map and recalibrate it in some form. While the frequency and scope of change on these three fronts will determine just how difficult an ongoing obligation this will be, organisations still need a process in place to monitor change and address it. On the law change front, organisations often employ some form of horizon scanning, which in the United Kingdom may include the tracking of draft legislation as it journeys through the UK parliament. In the United States, this involves the daunting ongoing task of identifying all applicable federal and state laws and regulations, as well as any changes to them.
Once changes to applicable law, regulatory expectation or business activity are accounted for in an organisation’s risk map, its compliance framework may also need to be amended accordingly. The compliance framework must, therefore, be agile and dynamic to operate effectively on an ongoing basis, with changes to it rolled out quickly and communicated clearly. It must also hold up to legitimate challenge, whether that challenge is internal from the third line of defence or external from regulators. Ultimately, it should be able to address risk, regardless of from where that risk arises.
For example, breaches of internal policy or procedure will generate risk and likely require some form of internal investigation. Regardless of how simple or complicated that investigation may appear to be, its conduct should still be governed by some form of process, which will need to account for the same kind of potentially differing legal requirements and regulatory expectations as the wider risk-mapping exercise. One example is that organisations operating under the jurisdiction of both the United Kingdom and the United States will need to account for those jurisdictions’ differing positions and regulatory expectations regarding privilege.
While many organisations will have their own in-house legal function, they may also consider engaging external counsel to address either an unusual volume or complexity of issues, whether it is during the risk mapping, design of a compliance framework or maintenance stage.
Global financial crime compliance remains an ongoing challenge for all organisations operating in the transatlantic financial services market owing to (1) the ever-changing landscape of potentially applicable financial crime laws, regulations and regulatory expectations and (2) the inevitable evolution of their business activities, which must be continually mapped against one another. Organisations wishing to develop and maintain an effective compliance programme must ensure that it reflects an appropriate risk appetite, is underpinned by effective governance and is championed throughout the organisation through a positive culture of compliance. While an ever-challenging task, organisations that seek to reap the rewards of operating globally must meet this challenge head on.
Tom Littlechild is a lead counsel and Logan Perel is a senior lead counsel at Wells Fargo. The authors wish to highlight that the views and opinions expressed herein are solely those of the authors and not Wells Fargo.
Notes
But note that other jurisdictions also have robust financial crime laws and regulatory expectations.
‘Compliance’, Cambridge Dictionary, www.dictionary.cambridge.org/dictionary/english/compliance (accessed 5 September 2023).
18 U.S.C. §§ 1956 and 1957.
FCA Handbook, PRIN 2.1.1, Principle 1.
ibid., SYSC 3.
Namely, the FCA and the Prudential Regulation Authority, the latter of which has responsibility for the prudential regulation of certain financial institutions.