Lonsdale v National Westminster Bank [2018] EWHC 1843 (QB) (18 July 2018)
A bank was ordered to disclose, to a customer, suspicious activity reports (SARs) that the bank had sent to the National Crime Agency (NCA) at the time of freezing the customer’s bank accounts. The bank’s arguments concerning confidentiality, tipping-off and prejudicing an investigation were unsuccessful. The court’s observations on the interplay between the SARs regime and the law on data protection, defamation and breach of contract will be of interest to all banks.
Suspicious Activity Reports – a reminder
The UK’s substantive money laundering offences and associated defences are contained in the Proceeds of Crime Act 2002 (POCA). Under POCA, entities operating in the regulated sector (essentially, those offering financial services) may seek a defence to a substantive money laundering offence by making a Suspicious Activity Report (a SAR) to the National Crime Agency (NCA) prior to taking any steps in relation to the funds it suspects to constitute the proceeds of crime. When a SAR has been submitted a bank will freeze the suspicious accounts. If it has not received a ‘notice of refusal’ in relation to its proposed steps from the NCA within seven working days it may unfreeze the account. The level of suspicion required to attach criminal liability for money laundering is low – and, in part, is a subjective test.
Bank submits SARs and freezes accounts
The bank froze a joint account belonging to one of its customers, a barrister, for eight days. Nine months later, it went on to freeze seven other accounts held by the same customer – a personal account, another joint account and four business accounts. Upon a request from the customer to access documents relating to the freezing of his accounts, the bank provided limited documentary evidence, and did not disclose copies of the SARs it had made to the NCA.
Customer does not believe bank held genuine suspicion
The customer launched a multi-pronged attack on the bank’s actions, including claims for breach of contract, defamation, breach of the Data Protection Act 1998 (the acts took place prior to the entry into force of the General Data Protection Regulation) and also an application for disclosure of the SARs.
Implicit in all these claims was the customer’s belief that the bank did not hold a genuine suspicion that the money in his accounts constituted the proceeds of crime, that his accounts had been unnecessarily frozen and his reputation damaged. The customer wanted to see the SARs and information held by the bank, which was relevant to its decision to make the SARs and freeze (and unfreeze) his accounts. He sought summary judgment on his claims (summarised below).
|
Breach of contract: the bank was in breach of contract by failing to follow the accountholder’s instructions and by failing to evidence that it had a genuine suspicion that the account held criminal proceeds. |
Express contractual provisions allowed bank to freeze accounts if not to do so would expose it to criminal liability. |
Not a matter for summary judgment since it involved questions of fact – the bank must show that it held the relevant suspicion. |
|
Breach of DPA 1998: the bank (1) had not provided in time (or at all) all personal data in response to the data subject access request and (2) the data provided was not in intelligible form and it included inaccurate information. |
The decision to freeze accounts did not concern ‘personal data’. The information sought contained that of other individuals (so it was mixed data) and there was an exemption for the prevention and detection of crime. |
The customer’s claim was not a matter for summary judgment. However, the bank’s approach to determining whether information was the customer’s personal data was “clearly flawed” and the customer had a “strong claim” that the bank’s deliberations and decision to submit SARs and freeze and unfreeze accounts was his personal data. Accordingly the banks application for strike out/summary dismissal was rejected. |
|
Defamation: the bank had defamed the customer by suggesting that it had suspicions that his account contained criminal proceeds. Defamatory statements were published in the SARs and in internal bank employee communications concerning the decision to make the SARs and freeze the accounts. |
The statements were not defamatory, not published, did not cause harm and in any case were protected by qualified privilege. |
Not a matter for summary judgment: statements were capable of being defamatory and they were published. However qualified privilege was likely to apply, subject to malice. |
Impact of decision
This was a summary judgment/strike out application, so is of limited precedent value. The case has settled, so we will not see the issues that arose fully resolved. We are not expecting this decision to cause a rush by customers to bring claims of this sort against banks:
– The English courts have historically provided banks with considerable protection and discretion relating to SARs due to the fact that banks are merely seeking to help law enforcement and avoid criminal liability. The courts would not want to encourage civil claims of this sort.
– It is hard to imagine a situation where a bank would file a SAR without a genuinely held suspicion (even if that suspicion turns out to be unfounded).
– Many customers would be deterred by the potential cost and the risks of litigation. The claimant in this case was a barrister, who represented himself, so these concerns may have been less of an issue for him.
– The ruling does however provide a reminder that should a bank be faced with a similar claim, it is very unlikely to be able easily and quickly to defeat it (by way of strike out). The ruling makes clear that the question of whether a bank has a genuine suspicion that money in an account was criminal property is a primary fact for the bank to prove at trial.
– Banks may start receiving data subject access requests for personal data relating to SARs. The judge’s view on this summary judgment application was that there was a “strong case” that a bank’s deliberations and decision to submit SARs and freeze accounts constituted personal data, and that the bank had demonstrated “a flawed understanding of the scope of that concept”. Since it was a summary judgment application, the judge felt unable to address whether the exemption relating to the prevention or detection of crime was available stating “[t]here is no evidence before me regarding the likelihood of the provision of further personal data to Mr Lonsdale prejudicing the prevention and detection of crime.” It is difficult to imagine that the rules relating to tipping-off would not prevail since it seems to be a paradigm example of what the crime exemption was aimed at (provided the bank held a genuine suspicion). It is a shame that the judge did not feel able to make this finding even on a summary basis.
Looking ahead
There is a call for reform to the UK’s SARs regime. The OECD has criticised the UK for the low level of corruption enforcement activity from the current regime.
A UK Law Commission consultation states that there are on average 2000 SARs filed per day with the NCA, many of ‘low quality’, making it hard for investigation authorities to detect where the real risks are.
The low level test for suspicion for the substantive money laundering offences in the UK has also been criticised in the consultation. “A majority of stakeholders expressed the view that suspicion remains ill-defined, unclear and inconsistently applied by banks and businesses.” This leads to defensive reporting where reports are made more because of concerns regarding a failure to comply with POCA than because of genuine suspicion.
The Law Commission recommends improvements to the SARs regime in particular suggesting that better guidance on ‘suspicion’ would lead to better quality SARs.
