Fraud in the UK: Financial Misconduct, the FCA and Coronavirus

In view of the potential new financial risks posed by the Coronavirus pandemic, Cameron Brown KC (Associate tenant) at St Pauls Chambers and Sam Smart (Pupil Barrister) from Red Lion Chambers review the work of the Financial Conduct Authority (FCA) in tackling financial crime and the new challenges it may face.

This article will explore:

• The recent landscape of fraud in the UK
• The FCA, including recent FCA penalties and prosecutions
• The threats posed by Coronavirus and Coronavirus scams

Fraud in the UK

In 2019, before the onset of a global pandemic that may present new opportunities for those engaged in financial misconduct, the ‘Financial Cost of Fraud’ report estimated the cost of fraud to the UK was between £130bn – £190bn a year. The Office for National Statistics stated that people were more likely to fall victim to fraud or cyber offences above any other crime.

Between April 2018 – March 2019, over a year ago, there were 741,123 crimes reported to Action Fraud. £2.2bn was lost by victims of fraud in the UK. 65% were reports by businesses, and 35% were from individuals.

One of the bodies tasked with tackling fraud cases in the UK, in respect of the financial sector, is the FCA. In recent times the FCA has conceded that it needed ‘stronger and faster intervention’, following some criticism in light of the events surrounding Beaufort Securities, Paul Flower and Woodford Investment Management.

Financial crime in the financial sector clearly remains significant – in its annual reporting survey, firms reported to the FCA handling some 923,000 reports of suspected money laundering and employing some 11,500 full-time staff in financial crime related roles.

The FCA – An Overview

By way of overview, the FCA is independent of Government and takes the form of a company limited by guarantee. The FCA does not act on behalf of the Crown. Its members, officers and staff are not Crown servants.

The FCA has a strategic objective and three operational objectives. The strategic objective is ‘to ensure that the relevant markets function well.’

The operational objectives are:

1. To secure an appropriate degree of protection for consumers (the ‘Consumer Protection objective’);
2. To protect and enhance the integrity of the UK financial system (the ‘Integrity objective’);
3. To promote effective competition in the interests of consumers in the markets for regulated financial services and services provided by recognised investment exchanges (RIEs) (the ‘Competition objective’).

The FCA’s approach to financial wrongdoing appears to be characterised by use of three different types of tools:

1. First, their extensive powers to impose sanctions and controls, which they seek to use in a way that is ‘transparent, proportionate, responsive to the issues and consistent with their policies’;
   
2. Second, the opening of investigation on a ‘dual-track’ basis, investigating on both a regulatory and criminal basis, and use of civil / criminal sanctions for similar conduct;
3. Third, criminal prosecution for cases of ‘exceptional’ financial misconduct.

FCA Criminal Prosecutions

Under s401 FSMA 2000, the FCA is the ‘appropriate regulator’ to institute proceedings for offences identified in FSMA and the Financial Services Act 2012 (‘FS Act 2012’).

The case of Rollins [2010] UKSC 39 confirmed that the FSA’s powers to prosecute criminal offences are not limited to those set out in s401 and s402 of FSMA (which includes offences related to carrying on regulated unauthorised activity, insider dealing and money laundering).

The FSA may also prosecute crimes under section 53 of the Criminal Justice Act 1993 (Insider dealing), Section 89 and 90 of the Financials Services Act 2012 (making a false or misleading statement / creating a false or misleading impression), s327 (concealment) and 328 (arrangements) of the Proceeds of Crime Act 2002 (POCA).

Perhaps the real bar to the FCA prosecuting cases in the criminal courts is the cost and time of doing so. In its 2018/2019 annual performance report, the FCA reported that the average length of criminal FCA cases in 2018/2019 was 74.9 months, or just over six years. That position, of course, will not be improved by the current significant delay to all jury trials being experienced in Crown Courts due to Coronavirus.

Furthermore, the average cost of a criminal case was £7.232m – again, it is anticipated that figure will rise due to the increased length of trials due to Coronavirus restrictions. The overall number of cases continue to increase (up by some 31%), against an overall budget increase of just 2.7%.

Notwithstanding the above, the FCA has had some considerable success in the criminal sphere in recent years.

Operation Tabernula, the FCA’s largest ever investigation, resulted in a large number of convictions and lengthy custodial sentences following the processing of 200,000 lines of trading data, 485 RIPA applications and a review of 10 million digital items. However, the cost was comparatively high – some £14m.

Other recent successes included the prosecution of boiler room frauds in 201710 and insider dealing.

In April 2019, in a speech by FCA Director of Enforcement and Market Oversight, Mark Steward, it was confirmed that the FCA has a large number of investigations underway, tackling “some very serious issues” which include “suspected financial crime in our markets, suspected false or misleading statements by listed issuers, and suspected significant AML system and control issues under the Money Laundering Regulations”.

However, while he stated that firms and individuals need to be ready for the increased scrutiny and risk of criminal prosecution in this area and the FCA’s willingness to take action, he confirmed that “criminal prosecutions, as opposed to civil or regulatory action, will be exceptional”.

Therefore, whilst the FCA has a number of criminal cases on its books, prosecuting in the criminal courts appears to be out of the ordinary as opposed to the norm.

Regulatory Enforcement

In view of the cost and time of such FCA cases, and a limited budget, it is perhaps not entirely surprising that the FCA has made use of its extensive range of disciplinary and enforcement powers, derived from FSMA 2000 as amended by the Services Act 2012.

2018/19 saw FCA penalties imposed totalling £227.3m, a nearly three-fold increase on the £69.9m handed out in 2017/18, and nearly double the £181m imposed in 2016/17. 16 penalties in total were in imposed in 2018/2019, eight against firms and eight against individuals.

A key theme for corporate fines has been foreseeability: headline FCA penalties such as those handed to Tesco Bank (£16.4m for cyber breaches) and Carphone Warehouse (£29m for insurance mis-selling) represent situations which the FCA deemed to have been avoidable.

The cases appear to show a focus on holding corporates accountable for harm which could have been prevented had appropriate systems, controls and escalation procedures been in place.

Recent, Notable FCA Cases

In 2017 Deutsche Bank was fined £163 million for serious anti-money laundering controls failings. The FCA found that Deutsche Bank exposed the UK financial system to the risks of financial crime by failing to properly oversee the formation of new customer relationships and the booking of global business in the UK. As a consequence of its inadequate AML control framework, Deutsche Bank was used by unidentified customers to transfer approximately $10 billion, of unknown origin, from Russia to offshore bank accounts in a manner that was highly suggestive of financial crime.

In another high-profile example, in April 2019 Standard Chartered Bank (Standard Chartered) was fined £102,163,200 for Anti-Money Laundering (AML) breaches in two higher risk areas of its business. The fine followed investigations into two areas of Standard Chartered’s business identified by the bank as higher risk: its UK Wholesale Bank Correspondent Banking business and its branches in the United Arab Emirates (UAE).

The FCA found serious and sustained shortcomings in Standard Chartered’s AML controls relating to customer due diligence and ongoing monitoring. Standard Chartered had, according to the FCA, failed to establish and maintain risk-sensitive policies and procedures, and failed to ensure its UAE branches applied UK equivalent AML and counter-terrorist financing controls.

Data Breaches and Cybercrime

Data breaches involving cybercrime have been increasing exponentially. Whilst technologies such as open banking, distributed ledgers, cloud storage, crypto assets and the emergence of BigTechs open up new opportunities for legitimate business, they also offer new ways to steal, defraud and launder money.

Illicit digital activity such as phishing, hacking and ID theft is on the rise. The number of data breaches reported by UK financial services firms to the Financial Conduct Authority increased 480% in 2018 to 145, up from just 25 in 2017. The retail banking sector saw the largest percentage increase in the number of data breach reports, rising to 25 in 2018 from only one in 2017.

Cybercrime, encompassing any crime that involves a computer or network, is of primary concern. The FCA plans to use data analytics and AI to target crime. They have called for ‘firms of all sizes to develop a security culture’ and develop ‘cyber resilience’. Those who fail to develop the necessary resilience run the risk of regulatory sanction.

Case Study: FCA Tesco Cyber Attack

In October 2018, Tesco Bank was fined £16.4m for failures in a 2016 cyberattack. Cyber attackers exploited deficiencies in Tesco Bank’s operations and procedures, leaving customers vulnerable to an avoidable attack. In 48 hours, the attackers made £2.26m. The FCA said the fine reflected the fact that ‘FCA had no tolerance for banks that failed to protect customers from foreseeable risks’. The bank granted 30% reduction for mitigation and 30% reduction for early settlement. Without those reductions, the penalty for the Tesco cyber attack would have been £33m.

Individual Responsibility, Culture and Governance

In March 2016, the Senior Managers and Certification Regime (‘SMCR’) replaced the Approved Persons Regime. This was in response, in part, to the financial crisis of 2008. At the time, it was commented upon that this reflected a change in the FCA’s approach to enforcement, moving towards tackling bigger targets and engaging in more complex litigation. Moreover, it demonstrated the FCA’s desire to hold individuals to account and prevent managers engaging in what Martin Wheatley, former Chief Executive of the FCA, called the ‘Murder on the Orient Express’ defence.

The regime was extended to all FSMA-authorised firms in December 2019. For those falling under the regime for the first time (Deloitte calculate this as over 47,000 firms), early engagement is the key. Those holding senior management functions will need to be approved by the FCA and complete a statement of responsibilities explaining what they are responsible for and how. This includes having a senior manager responsible for financial crime compliance.

The Link between Culture, Governance and Enforcement

Documents such as the FCA’s 2017/18 Business Plan and the March 2018 FCA paper entitled ‘Transforming Culture in Financial Services’ highlight the FCA’s approach. Culture ‘drives compliance’ and ‘behavioural levers are essential in the measurement and management of culture.’ The latter cited Wells Fargo as ‘one example in a long line of cross-industry organisations where culture is mooted as the root cause of scandals, crises and liquidations’ asking why ‘the financial services industry … has demonstrated instances of rate-rigging, rogue trading and mis-selling in the last ten years since the global financial crisis … despite record fines, increasing investigations and an expanding compliance industry’. It is an interesting question, and the FCA has clearly made the link between culture and compliance.

The FCA’s focus on culture follows the approach of other prosecuting authorities. The SFO has placed a focus on a culture of compliance as part of their Deferred Prosecution Agreements. In the US, the US Dept. of Justice has released guidance on evaluation of corporate compliance programmes.

The New Threats Posed by the Pandemic

It’s undeniable that there has been a rise in Coronavirus scams – fraudulent activity directly linked with the pandemic. In response to the challenges posed by the Coronavirus pandemic, Interim Chief Executive Christopher Woolard commented:

 “In a matter of weeks, Coronavirus has altered the UK’s financial landscape dramatically. At times like this it is more important than ever that the FCA leads the way on the protections of consumers, firms and the markets.”

The FCA appears to be alive to three areas of threat – that of panic pension buying in particular, financial scams generally, and the availability of cheap loans, following the Government’s quick release of funds to businesses during Covid-19.

1. On 1st April 2020, the Pensions Regulator and the FCA released a statement alerting pension holders to the need to ‘stay calm’ over fears over the impact of the pandemic on markets and personal finances. It was felt that panic may lead pension holders vulnerable to scams or decisions that could damage their long term interests.

2. The risk of new Coronavirus scams following the ‘initial shock of a major event.’ Such scams could vary:-

• Frauds relating to the sale of face masks / hand sanitiser;
• Exploiting those with short term financial concerns – usually requiring the payment of an upfront fee and transfers to new firms with high-risk investments;
• Good cause scams, i.e. the production of PPE equipment;
• Cloning of firms who are genuine or claims that your bank is in trouble and needs new banking details.

3. On 4th May 2020, the FCA acknowledged that while the risks of fraud and money was ‘essential to a well-functioning financial services system’, that these risks should be balanced against the need for fast and efficient release of funds to businesses under the Governments CBILS (Coronavirus Business Interruption Loan Scheme23) and BBLS (bounce back loan scheme) schemes. Critically, for existing customers where an authorised firm had already carried out appropriate Customer Due Diligence before an application under the scheme, it does not need to carry out any further checks, unless the firm has information suggesting it poses a higher risk. New customers would be scrutinised under the MLR normal CDD process, unless the authorised firm decided simplified due diligence was appropriate.

The FCA’s Response Going Forward

On 7th April 2020, the FCA released its 2020/2021 business plan. It acknowledged that the Coronavirus was ‘profoundly affecting the financial lives of customers and the working of the markets’, in part due to the rise of Coronavirus scams.

As ever, AML remains a key area of focus. AML is highlighted as a ‘cross-sector’ priority: a reiteration of their commitment to the UK’s 2019 National Economic Crime Plan. In order to achieve this, the FCA aims to continue to work and share data with the Government, the private sector, law enforcement agencies and other regulators. This will be facilitated, in part, by the National Economic Crime Centre (NECC) and the Economic Crime Strategic Board (ECSB).

In addressing its intended objectives, the FCA commented:

‘we recognise it may be weeks or months before we are in a more stable position and can turn ourselves fully to the activities in this plan.’

 One realistic acknowledgement is that the extent of the financial damage caused by Coronavirus is unknown:

‘This shock is not like previous economic downturns, but nor will it follow the pattern of a natural catastrophe, where the damage can be sized relatively quickly. Here, there is enormous uncertainty about the size and nature of potential damage.‘

To date, their response has been based on the following: –

1. Keeping markets functioning and orderly during a major ‘repricing’ event.
2. Issuing emergency guidance so that government schemes, for example, to help small firms and mortgage holders can work.
3. Supporting consumers with the immediate shocks created by the crisis.
4. Keeping public access to essential banking services.
5. Protecting the most vulnerable in society.

A warning to those involved in financial misconduct is sounded, as is the desire to work with its partner agencies to tackle crime:

‘We will remain vigilant to potential misconduct. There may be some who see these times as an opportunity for poor behaviour – including market abuse, capitalising on investors’ concerns or reneging on commitments to consumers. Where we find poor practice, we will clamp down with all relevant force. We are working with a range of partners, including other regulators, law enforcement agencies and firms and consumer groups, to raise awareness of the increased risk of scams in the current uncertain context and help consumers protect themselves’.

Even before the onset of Coronavirus, as set out above, the FCA faced challenges on a number of fronts in regards to fraud in the UK. The increase in FCA cases and costs is likely to inspire both expectation and potential criticism. The pressure on the FCA to produce results, as with all the larger agencies, will remain in an uncertain landscape. Whatever the future holds, one thing is for certain: the FCA is a regulator with a lot to do.

For more information on fraud in the UK and the Financial Conduct Authority, please explore the rest of our blog posts.