Seema Malhotra (Feltham and Heston) (Lab/Co-op)

- Hansard -

Copy Link

-

Q I will put one brief question to each of the witnesses, as I know colleagues have other questions.

First, thank you for giving evidence. Nick, I am conscious of your perspective for the whole of the financial services sector and I want to ask a question specifically about data and information sharing: is enough happening in the Bill to deal with what has been described to me as the chilling factor of sharing information? What might come back in the consequences of promoting sharing?

Ms Manku, you gave evidence in which you described the “unintended consequences” of requiring limited partnerships to have a registered office. I am not sure that we would necessarily agree with that, so I am interested in your argument.

Nick Van Benschoten: We welcome the provisions in the Bill for private sector information sharing. We are very glad to see that they apply across the AML regulated sector—not just banking, but payments, crypto, e-money and so on—which allows us to follow the money and the data as criminals move across sectors to obscure their tracks. That is very welcome.

We also welcome the protection from breach of confidence. That can be in common law and, typically, in terms and conditions. It is important to be able to encourage people to do the right thing without the fear that they might be subject to litigation. However, we note that the Bill falls short in the way in which we can share information with the National Crime Agency, which is a disapplication of all civil litigation. We would like to explore whether we could go further in the Bill, but those provisions are very welcome.

I will not say too much. An expert colleagues from one of our member banks is speaking to you later, but I stress the fact that we want to encourage the use of information sharing as much as possible. It is not just where customers are exited, but where a restriction is placed on them, such as additional monitoring or thresholds—there are a lot of ways in which the banks put each other on notice. We want to encourage that use as much as possible in true cases of economic crime.

Gurpreet Manku: We welcome the provisions in the Bill to ensure that limited partnerships are not abused by criminals—I want to make that clear. On the point about having a registered office, we agree that there needs to be a service address in the UK for the delivery of documents and for the registrar to contact the organisation, but our concern is actually in reference to the legal meaning of “registered office” in the Companies Act 2006 when it comes to standard companies. We know that the term means something else in that context, so it is actually quite a knotty legal point rather than an objection to the principle of having a link to the UK.

It is just about ensuring that any existing arrangements that have been set up for legal and regulatory purposes for international funds structures remain intact. We will need to work through the process of what this means in practice. We were speaking to BEIS officials as soon as yesterday to talk through what it means in practice. This is more of an implementation point, and we have suggested edits that will come through to officials.

Seema Malhotra

- Hansard -

Copy Link

-

Quite a lot of people want to ask questions, so I will make further remarks later.

Seema Malhotra

- Hansard -

Copy Link

-

Q I want to come back to where I started and to pick up on the evidence given about regulated and unregulated sectors. Obviously, there are issues in banks and the financial sector, but we have not talked much about cryptocurrency or other areas such as gambling, where there may be flows of illicit finance—cash and so on. Do you think that more needs to be done about unregulated sectors? Does the perimeter need to be extended? What relationships are there between economic crime in the financial sector and that in other sectors?

Nick Van Benschoten: From a financial sector point of view, it is important to look at this as an ecosystem; that is definitely how the criminals look at it. They look for weak points. Sometimes the problems are upstream of the financial sector, but it crystallises in our sector because that is when people realise that the money has gone out of their accounts.

We are very supportive of the fraud provisions in the Online Safety Bill—we think they are critical. We also think it critical that everyone be incentivised to play their part. That includes potential issues around the scope of the economic crime levy, which applied only to the AML regulated sector. The Bill levels up powers for the cryptoasset seizures and freezing orders. That is welcome; it simplifies things. We work with crypto sector associations. They are now trying to realise that they are part of a regulated sector, and they want to be part of the gatekeeper community.

On what the Bill does, it is important, as I mentioned, that there be information sharing across sectors. That is key, because then we can see whether we all have a different piece of the puzzle to put together. A systems approach is definitely needed; that is maybe the context for our point that Companies House should really be an enabling hub. That includes giving access to information that may not be on the public register.

Seema Malhotra

- Hansard -

Copy Link

-

Q If this legislation is to be as effective as it needs to be, will there need to be dependencies on other legislation?

Nick Van Benschoten: That is a very good point, yes. There are also the information processing provisions on the identification, prevention and detection of economic crime in the Data Protection and Digital Information Bill, as well as the Online Safety Bill. Obviously, consultation is ongoing about a statutory APP or authorised push payments code. There may also be other vehicles in one of those bits of legislation, or this one, for other measures that we are currently discussing with the Government. I think the Minister made reference to our difficulty with having to process payments within a set period—there is a hard regulatory obligation, even when we have identified economic crime risks. We are still exploring whether that needs guidance or legislation. All these things need to come together if we are to design the right ecosystem. That then raises the question of who is leading the system. We are working on that with the Government.

Seema Malhotra

- Hansard -

Copy Link

-

Q It is good to have you here, Mr Kirby. Could you give us a little flavour of the kinds of trends and patterns of economic crime that you are seeing? How are criminals behaving? Are you seeing new trends domestically and internationally?

Nigel Kirby: Perhaps I can give a couple of the examples that we used when we were speaking with the Home Office for the formation of the Bill. In one case that involved money laundering, Lloyds identified seven customers that were receiving cash payments into their accounts. We linked those seven customers because they used the same fraudulent documentation—a gas bill—to set up their accounts. They had all been linked using fraudulent IDs. They were sending money to one individual in another bank.

At the moment, we act on such cases by meeting our statutory obligations—we exited those customers—but from the criminal’s perspective, the second bank is not aware of the fact that they are receiving those funds, because we do not have the capability to share that information with them. Secondly, it is highly likely that those seven customers moved on to other banks and continued that activity because, again, at the moment we have no capability to share the information about our economic crime concerns in that space.

That is a fairly simple example, but to build on it, the same kinds of techniques were used to launder criminal funds in another case involving three companies that were banking with us. We recognised that they were receiving cash money from the same post office source. They were also receiving money from other companies in banks. That money all got consolidated and was sent out to, if you like, a fifth bank. I do not know what happened to it after that—we cannot see.

Seema Malhotra

- Hansard -

Copy Link

-

Q A fifth bank domestically or internationally?

Nigel Kirby: It was, at that particular point, a UK domestic bank, yes. We have this sort of complexity of companies that are linked using different identities and are moving money around, layering it in the system, and sending it to other parts of the system. We are currently limited in what we are able to do.

On those three companies that we at Lloyds could see were receiving money from five other banks, at the time we could not inform those banks of our concerns or explore with them whether that money was legitimate—it is not all illegitimate; it could, of course be legitimate funding. Furthermore, when that money was consolidated and sent to another bank, we were unable to inform that bank.

Whatever the predicate crime—there are all sorts of predicate crimes—the layering is not that complex but it uses the banking system, across the banking system, to obfuscate and layer the funds, and then the criminals move on. The big challenge at the moment is that we can report those entities and companies, but they will just go and open up in another high street bank, and when they have exhausted the five major high street banks, they will go to the challenger banks, and when they have exhausted those, they will go to the fintechs. We are not aware of that in the way that other industries such as the motor industry might well be.

Seema Malhotra

- Hansard -

Copy Link

-

Q That is extremely helpful. To follow up, will the measures in the Bill go far enough to enable the critical data sharing and the ability to inform other banks of what you think is important? In doing that and in going as far as you feel is needed, are appropriate safeguards in place for some things that may be legitimate finance and able to be explained by visitors or customers?

Nigel Kirby: To take the first question first—about whether the Bill goes far enough—I commend and compliment the Home Office. It worked with us on the Bill. This piece of legislation was, fortunately, done by the Home Office but using our case examples. The Home Office explored whether the Bill would work with the scenarios we gave them. That helped the information provisions to be pretty much in the right place. There is one key omission from our perspective; I can come back to that, if helpful. There is also one key dependency in another Bill—

Seema Malhotra

- Hansard -

Copy Link

-

Q Sorry, what is the omission?

Nigel Kirby: The omission was referred to by Nick Van Benschoten: the civil liability protection. In the UK, we have real trust and confidence built up in voluntary information sharing with the National Crime Agency under section 7 of the Crime and Courts Act 2013. That has been the basis of our voluntary sharing, and we have built confidence in it over seven years.

The legislation has two limbs to civil liability protection—I will have to read my notes to make sure I do not make a mistake. The first limb is

“an obligation of confidence owed by the person making the disclosure”—

that limb is also included in this Bill. The second limb that we rely on is

“any other restriction on the disclosure of information (however imposed)”—

that limb is not included in the Bill.

Our position is that the Bill should align with the existing legislation that we are comfortable with. We would have more comfort in sharing and be more incentivised to share if we had the same protections as we have when we share with the National Crime Agency. The further observation is that there is not just one precedent; another piece of legislation, the Criminal Finances Act 2017—under section 11, I think—had sharing provisions with the purpose, in effect, of bringing better disclosures to the NCA. It had exactly the same two civil liability limbs, written in the same way. We believe that the second limb would be hugely helpful in doing things.

You might want to come back, but the other dependency that is key for us is that the Bill is drafted as an interlink with the GDPR, as you well know. That is wise, and one of the protections—that it has that link with the GDPR—but because the Bill has that interlink, the provisions in the GDPR are really important. I am aware that there is a draft Bill that has not yet been laid before Parliament and, again, we—my colleagues in UK Finance—have worked on that Bill. Absolutely key for us in the draft Bill is a legitimate interest for sharing, because that Bill sets out legitimate interests.

At the moment, the GDPR cites only fraud as a legitimate interest, and no other crimes. To be able to make the measure in this Bill work, we need the revised GDPR to have the “prevention, investigation” and “detection” of crime—what the GDPR says at the moment—to be for all crime as a key part, so we can make the interlink. Otherwise, we are restricted only to fraud, but do not include wider economic crime.

Seema Malhotra

- Hansard -

Copy Link

-

Q I have a question about automatic strike-off procedures for companies that may have bank accounts with you and where that company may have been involved in economic crime and then is automatically struck off. Do you have concerns about that process and whether there should be reform?

Nigel Kirby: I think, with respect, that “automatic strike-off procedures” are your words, not mine. I used the fact of us taking an approach and considering whether to exit—that might be a similar thing—a customer. We take this really seriously. We look to understand whether we have economic crime concerns about those consumers. There is a range of things that we can do in that space. The ultimate one is about exit. We would exit that relationship, which is contractual, so we are able to do that. But there are other things that we do, and one is actually to speak to the customer and understand that transaction. We see some unusual transactions, but we have a conversation.

Seema Malhotra

- Hansard -

Copy Link

-

It is more about Companies House automatic strike-off—but they might be your customers.

Seema Malhotra

- Hansard -

Copy Link

-

Q I want to follow up on what you were saying about how you can follow the flows, but you do not always know who is sending and who is receiving. I want to understand a bit more about crypto accounts. I understand that you do not need an account in order to make a transaction, but if you do have an account you can see who is making transactions. Is there more that can—or needs to—be done to say that everybody must have an account? Is that practical and how could it happen? Secondly, what is the current level of identification and verification checks when setting up a crypto account, and what level should there be?

Andy Gould: The average member of the public using cryptocurrency will probably be using an account through one of the legitimate exchanges. They will go through the whole “know your customer” process that they would go through for a bank. Regulation pretty much covers that; I think we are in a good place with it. It is the criminal exchanges and criminal service providers that regulation would not affect. You would not be able to build an infrastructure that stops them being able to create their own wallets, as you could for those accounts with what are effectively crypto banks.

Arianna Trozze: There has been research that some of the KYC processes, especially in some of the higher-risk exchanges, are quite easy to fool with fake documents and other such things. There are companies serving UK customers that are still not registered with the FCA and do not meet its KYC or AML requirements, despite its best efforts. For example, none of the Bitcoin ATMs operating in the UK is registered with the FCA, even though they are supposed to be, and they tend to have quite lax KYC requirements. They may require you to put in a phone number. Some of them have more requirements, but whether it is a rigorous process remains in question.

Seema Malhotra

- Hansard -

Copy Link

-

Q What more could be done about that?

Arianna Trozze: In my view, the only thing would be more enforcement efforts against non-compliant companies. I do not know how practical that is, or what kinds of resources there are to address the problem, but to me the only way forward is to make sure that those companies and operators know that it is not acceptable to be working and serving UK customers without a licence.

Seema Malhotra

- Hansard -

Copy Link

-

Q What are the consequences for them if they do that?

Andy Gould: I think the FCA has prosecution powers and enforcement and regulatory options, but I could not say what it is doing about that.

Seema Malhotra

- Hansard -

Copy Link

-

Q Do you know if there are cases where it has used those powers?

Andy Gould: I do not know. They only came in earlier this year, so I would be surprised if the FCA has got to the stage where it is able to exercise them in terms of investigation.

Seema Malhotra

- Hansard -

Copy Link

-

Q I will be brief in asking this question, and then I have to leave. Do you think the NCA has sufficient resources to make use of the new recovery powers in the Bill, and do those powers go far enough?

Jonathan Hall: I do not know about the resources of the NCA, but in terms of whether the powers go far enough, I think there are some areas where they perhaps go too far, or at least where I think, from a fundamental rights and individual rights perspective, some attention may need to be drawn. There is the simple question whether you should be able to seize cryptoassets on the basis of the fact that they might be used by terrorists. Of course you should. Then you have the complicated question of how you bring about a seizure regime where assets are not physical. It is one thing if you seize a jewel or some cash, but it is another thing if you are effectively seizing information. What you have here is a very lengthy set of provisions to allow you to do that.

Generally speaking, I think it works, but there are one or two areas I want to draw to your attention. The first, which I think is acceptable but worth thinking about, is that the power is a power to seize not just cryptoassets but crypto-related items. In practice, you are not seizing a thing; you are seizing a code and that can be written down on a bit of paper or on a computer. What these provisions do, unlike all the other seizure powers that say you can seize the jewel, the cash or the contents of a bank account, is that they allow the police to seize any item, which could be a computer, or a piece of paper. So, it is quite a wide seizure power. I think it is kept effectively within bounds, but it is something that is worth drawing attention to, which is different from other aspects of seizure in this field.

The next point is that you have to be able to convert crypto and there are several reasons for that; one is because the prices may go massively up or down. Individuals whose assets are the subject of seizures may never be prosecuted—and this is a civil remedy—and, in fact, no final application for forfeiture may ever be brought. That is particularly true in the context of terrorism, because often what counter-terrorism police will want to do is disrupt the transfer, but they will not necessarily want to go on and apply to forfeit. The figures from last year show that there is a disparity between the number of accounts that are frozen and the amount of money that is finally the subject of forfeiture.

The Government did listen to my views on this issue. It is important that the Bill has provisions such that both the police can apply to convert the cryptocurrency into, say, pounds sterling, and that it is also open to the individual from whom it is seized, who might say, “Look, I bought this crypto. It’s gone massively up in value. You’re never going to apply to forfeit this. I don’t want to lose out on the rise of value.” There is provision in the Bill for the individual to go to court and say, “I’m a person from whom the crypto has been seized. Please can you convert it?” That will be decided by the court, but it is good that that provision is in the Bill; I think it works.

Is this too boring and long? I mean, there is a third bit, which I think is the most difficult bit. It is the power of a magistrates court to require a UK-connected wallet provider to freeze the cryptoassets and, even more significantly, to require that the UK-connected crypto wallet provider should actually pay the money over to the court. It is slightly in the weeds, but what the Government have done—and I understand it—is to try to be quite novel. They are really trying to push the law here, because they realise that many of crypto wallet providers will not be based in the UK, but this comes with a consequence regarding how the Bill is currently worded. I will just give you the bit that I think may need a bit of attention; it is clause 10Z7B—