Wait, so the FCA's first AML MLRs corporate criminal conviction and record fine is … boring?

On first glance the story is full of firsts and of salacious details.  Hundreds of millions of pounds laundered over several years through a single bank account of a gold dealing business.  Musty-smelling cash in deteriorating bin bags brought in to bank branches.  A substantial police operation.  A bank that delayed in taking countermeasures, then committed to spending well over £1bn on AML controls.  The FCA's first AML corporate criminal prosecution under the MLRs, culminating in guilty pleas and a record financial penalty.  One need not imagine the headlines.  Nor can one avoid an initial apprehension that this prosecution may be the first of many.

But what matters, really?

If you have AML responsibilities in a financial services firm, what you really want to know is: does this conviction tell me I need to do anything new, more or differently to manage my regulatory risk?

We've seen it all before

The sentencing remarks in this case paint a picture that's almost boringly familiar to those that follow the FCA's AML enforcement actions.

Failures in appropriate escalation, management scrutiny and challenge by the second and third lines of defence?  Yep, we've had that message before.  Adequate resourcing of financial crime teams?  Message already delivered.  The need for centralised and complete visibility of customer information and AML risk-based decisions?  Check.  Appropriate calibration of automated transaction monitoring systems and sense-checking of rules that those systems apply?  Yep.

None of this is to minimise the AML enforcement risk to firms.  It's significant and will remain so.  The fact that the same mistakes are identified again and again in cases underlines this.  Firms really must devote all necessary resource to mitigating their AML regulatory risks.  It's just that, reading the sentencing remarks, you can't help but get the feeling that there aren't really any new lessons to be learned here and perhaps even that the FCA's purposes could have been just as effectively served by civil enforcement action.

HMT vs FCA: a tit for tat?

So what's going on in the background?  In July 2021 HMT published a call for evidence in its review of the UK's AML/CFT regulatory and supervisory regime.  In that call for evidence it noted that "there have been very few criminal prosecutions under the MLRs to date, though the FCA recently announced it has launched its first criminal proceedings under the MLRs".  And it said (almost as if it was said rhetorically) that it "would welcome views … on if the relatively low number of prosecutions represents a failing of the current enforcement [regime], in the context of alternative civil regulatory powers".

Is HMT thinking about decriminalising the MLRs?  Or shifting criminal prosecution powers away from the FCA and towards a different agency?  Did the FCA decide to make a criminal prosecution in an effort to make the opposing case?  If so, this suggests we may not actually see many more high-profile AML criminal prosecutions once the immediate risk recedes.

Instead, beware the supervisory intervention

In which case, rather than being captivated by the criminal risk, firms should turn their attention to the potentially more likely outcome that the FCA starts to use its formal supervisory powers more often in the AML space, following recent RDC reforms.  In other words, be prepared to face not a criminal investigation, but restrictions of the type imposed in the Deutsche Bank/Sonali/Canara/Bank of Beirut cases (whether via the FCA's enforcement power to impose business restrictions, the FCA's supervisory OIREQ/OIVOP powers, or the procurement of a voluntary undertaking from a firm). This may also be accompanied by supervisory or enforcement action against selected senior managers.  After all, business restrictions can have a more rapid and profound impact on a firm's operations and revenue than a criminal conviction and penalty.