In June, the Court of Appeal expanded the scope of a bank’s duty of care to protect its customers from fraud to encompass instructions by those other than agents of the customer of a bank. Now, the English courts have, once again, considered the scope of this Quincecare duty and this latest judgment sheds light on how the courts are treating the expanded duty. The court held that the focus is on the particular instruction which might have put the bank on notice, rather than wider concerns. A clear distinction was drawn between what may be called matters of money laundering compliance and financial crime prevention best practice, and the evidence necessary to establish that the bank is on notice of an attempt to misappropriate funds. Taken at face value, the decision means that, for a claim to be made possible against a bank by its customer, there needs to be evidence that there was a serious or real possibility that its customer might be being defrauded in relation to the transaction for which the instructions have been given.
A copy of the judgment is available here.
2. More UK firms to provide confirmation of payee services
In line with continuing efforts to prevent fraudulent and accidental payments, the UK’s Payment Services Regulator (“PSR”) has outlined plans to require around 400 more firms to provide confirmation of payee (“CoP”) services. CoP is designed to reduce mistaken and fraudulent transactions by providing a name-checking service. In recent years it has become an incredibly important tool in combatting authorised push payment (“APP”) fraud by informing consumers about to proceed with a payment when the name and account number do not match. This proposal is currently at consultation stage, with the deadline for responses on 8 July 2022. However, it is likely that the regulator’s plans could be implemented swiftly. Firms who are not yet utilising CoP should consider getting ahead of the regulator, particularly given those who have not yet implemented CoP have seen increased APP fraud activity. Firms should also consider the regulatory and reputational benefits of implementation, particularly in the context of APP fraud. Customers who are on greater notice of the risk of fraudulent transactions will likely take more care, which in turn will reduce the number of fraudulent payments and by extension potential claims of negligent breach duty that may otherwise be made against them.
A link to the press release can be found here.
3. UK to bring critical third party providers within the financial regulators’ remit
The UK Government has announced plans to bring third party providers who are deemed critical to the financial sector within scope of the UK’s financial regulators. Increased reliance within the banking and financial services sector on third party providers has, although beneficial, led to increased risk from an operational resilience perspective. Under the proposals, the UK Government intends to introduce primary legislation providing the power for the Treasury and the regulators to designate jointly specific providers as critical to the sector via secondary legislation. The regulators will then be empowered to take steps to reduce the risk of systemic disruption. While there are no timelines at present, the Government intends for this regime to be legislated in the existing Parliament. Firms should consider engaging with their third party providers as soon as possible to avoid any disruption and to discuss any future working relationships moving forward.
A link to the policy statement is here.
4. PRA provides insight on operational resilience mapping
On 25 May 2022, the Executive Director for Supervisory Risk Specialists at the UK’s prudential regulator discussed its expectation for operational resilience i.e. where the Prudential Regulation Authority expects firms to be by March 2025 and the requirements to provide assurances of their resilience in the face of business services disruptions. The speech focussed on what firms should be doing from now until March 2025. Key focuses included:
- Scenario testing – these should include data integrity scenarios and factors beyond the firms’ control.
- Building resilience – firms may need to build additional facilities, review and adapt outsourcing arrangements, or re-architect or replace legacy systems.
- Embedding operational resilience – firms may leverage existing frameworks to implement an operational resilience policy but must ensure the expectations of all relevant policies are met in full.
The need to be able to foster and demonstrate operational resilience is a global one: many regulators are taking a keen interest. Firms that are not already reviewing policies and engaging in stress testing should begin doing so. Those ahead of the curve will be best placed to demonstrate resilience.
5. EU announces sixth package of Russian sanctions
The EU has announced its sixth package of economic sanctions against Russia. This package has now been published in the EU’s Official Journal and took effect from 3 June 2022. Key points include:
- A phased ban (which is subject to some temporary exceptions) on the purchase, import or transfer of crude oil and some petroleum products from Russia into the EU.
- A prohibition on providing technical assistance, brokering services, financing or financial assistance or any other services, directly or indirectly, related to the above.
- The expulsion of several more banks from SWIFT.
- The suspension of broadcasting activities from state-controlled outlets.
- Prohibiting the provision of accounting, public relations and consultancy services.
- Expanding the list of goods subject to export restrictions; and
- Listing additional individuals and entities.
A number of these restrictions will take effect immediately. However the ban on oil importations will not be fully operational until 8 months’ time to phase out imports. In addition, the European Commission has proposed measures to require Member States to establish criminal penalties for sanctions breaches and to create the possibility to confiscate the proceeds of such breaches.
6. Changes to UK’s sanctions enforcement powers
From 15 June 2022, the UK’s Office of Financial Sanctions Implementation (“OFSI”) has the power to impose civil monetary penalties for breaches of sanctions regimes on a strict liability basis and to publish details of financial sanctions breaches, even where no penalty has been imposed. Furthermore, reviews of monetary penalties may be undertaken by someone other than a minister, allowing for greater flexibility and resource allocation. OFSI has already issued an updated version of its monetary penalty guidance here, ready to reflect these changes. This is a significant development for all those who are subject to UK sanctions regulation and, among other things, will potentially lead to an increase in the number of civil penalties for sanctions breaches we see imposed in the UK and in reputational risk around sanctions compliance. If not already undertaken, internal policies should be reviewed as soon as possible and further training given as necessary to ensure all affected staff are aware of the changes. Importantly, the changes are not retrospective and will therefore not apply to any breaches pre-dating 15 June 2022.
7. England and Wales’ Law Commission publishes paper on corporate criminal liability reform
On 10 June 2022, the Law Commission published its paper setting out options for changing the law on corporate criminal liability in England and Wales. The review was prompted as a result of a number of high profile criminal cases against large corporations and general concern over the effectiveness of the ‘identification principle’ as a means of attributing criminal liability to companies in the UK; making it difficult to effectively prosecute large companies and organisations for crimes such as fraud, theft, false accounting and money laundering. The Law Commission suggested a number of reforms including:
- broadening the scope of the identification principle to cover senior management as well as directors;
- extending the types of ‘failure to prevent’ offences to cover fraud, human rights abuses, ill-treatment or neglect and computer misuse; and
- increasing the use of publicity orders where a corporate entity is convicted.
It is highly likely a number of the other recommendations will be adopted by means of primary or even secondary legislation meaning a significant challenge for compliance professionals who are tasked with limiting a firm’s exposure to potential criminal liability. A link to the paper can be found here.
8. Results from UK’s 2021 Climate Biennial Exploratory Scenario
On 24 May 2022, the UK’s central bank, the Bank of England, published the result of its first exploratory scenario exercise on climate risk, Climate Biennial Exploratory Scenario (“CBES”). Essentially, this was a stress test of the sectors’ resilience to climate-related financial risks as the UK moves towards a carbon neutral economy. The CBES found good progress is being made but there is more to be done to truly understand and manage climate risk exposure. The financial effect of failing to manage risks effectively (in terms of annual drag on profits) was significant under each of the scenarios covered and could have wide-reaching impacts for the financial system as a whole. There is clearly an expectation that the results will be used to inform firms’ approaches to climate risk management capability. Firms should note the importance of investing in risk assessment capabilities so that they can improve their estimates of climate risk given the significant data gaps identified in the results. Attention should also be given to internal modelling and data capabilities as this will enable firms to predict risk with greater accuracy and act upon it. Banks and insurers will need to put in place interim measures to inform risk management until any data challenges are resolved. Further engagement with firms individually and collectively to help them target their efforts is to be expected. The CBES will also inform ongoing work around policy tools.
A link to the CBES results can be found here.