Case Number: TC08505
By remote video hearing
Appeal references: TC/2021/02763;TC/2021/02909
TC/2021/02908;TC/2021/02768
TC/2021/02767;TC/2021/02766
TC/2021/02816;TC/2022/01046
MONEY LAUNDERING – cancellation of registration of the corporate appellant – decisions that six of the individual appellants not fit and proper persons – prohibition notices issued to three appellants – whether a breach of Reg 18, Reg 19, Reg 28, Reg 33, Reg 35, Reg 57 and/or Reg 58 – reliability of HMRC’s evidence – jurisdiction of the Tribunal – meaning of “officer” – all appeals allowed
Heard on: 1-14 April 2022
Judgment date: 09 June 2022
Before
TRIBUNAL JUDGE ANNE REDSTON
Between
BRAC SAAJAN EXCHANGE LTD
ABDUS SALAM
RAIS AHMAD
IVAN CASTILLO GARCIA
CYPRIAN GOMES
TIM CURRAN
SYED HASHMI
SIMON FURNIVAL
Appellants
and
THE COMMISSIONERS FOR HER MAJESTY’S REVENUE AND CUSTOMS
Respondents
Representation:
For the Appellants: Abbas Lakha QC and Gary Pons of Counsel , instructed by CLK Legal Services Ltd
For the Respondents: Cristín Toman and Adam White, both of Counsel, instructed by the General Counsel and Solicitor to HM Revenue and Customs
CONTENTS | Para |
Part 1: Introduction and Summary | 3 |
Structure and drafting points | 13 |
Summary of the case | 14 |
The jurisdiction of the Tribunal | 82 |
Part 2: Evidence | 90 |
The documents | 91 |
The Appellants’ witness evidence | 93 |
HMRC’s witness evidence | 102 |
Privacy and anonymity | 165 |
Part 3: Overall Findings Of Fact | 175 |
Part 4: Legislation, Regulations & Guidance | 312 |
Part 5: Suspension And Reinstatement | 343 |
Reg 57(4) | 345 |
Reg 19(1) and Reg 33 | 390 |
Part 6: The Cancellation Decision | 451 |
Reg 18 | 457 |
Reg18(2)(a): information made available | 459 |
Reg18(2)(b): risk factors | 483 |
Reg 19: Policies, Controls and Procedures | 515 |
Reg 19(3)(a): Risk Management | 516 |
Reg 19(4)(d): Suspicious Activity Reports | 584 |
Reg 19(3)(c): Many-to-one transactions | 600 |
Reg 19(3)(c): One-to-many transactions | 641 |
Reg 19(3)(c): Other points | 654 |
Reg 19(4)(e)(i): Agents and the fit and proper test | 704 |
Reg 19(4)(e)(ii): Agents’ risk assessments | 739 |
Reg 19(1): Risk management overall | 757 |
Reg 28: CDD measures | 760 |
Reg 28(2)(b): verification of customers identity | 761 |
Reg 28(16)(b) and Reg 28(11)(a) | 773 |
Reg 35: Politically Exposed Persons (PEPs) | 834 |
Reg 57(4): BSEL and its agents | 865 |
Other points in the Cancellation Decision | 871 |
Part 7: The Personal Decisions | 887 |
Personal Decisions: overall conclusion | 958 |
Cancellation Decision: overall conclusion | 959 |
Part 8: The Prohibition Decisions | 960 |
Overall Conclusion And Appeal Rights | 998 |
DECISION
This appeal was brought jointly by a company, Brac Saajan Exchange Limited (“BSEL”) and by seven individuals, Mr Salam, Mr Ahmad, Mr Garcia, Mr Gomes, Mr Curran, Mr Hashmi and Mr Furnival (“the Individual Appellants”).
The hearing of this appeal took place by video. Notice of the hearing had been published on the gov.uk website, with information about how representatives of the media or members of the public could apply to join the hearing remotely to observe the proceedings. The hearing was in public, other than one afternoon which was held in private for reasons explained at §169ff below; for the same reasons, the names of some of BSEL’s customers and agents have been anonymised in this judgment.
PART 1: INTRODUCTION AND SUMMARY
BSEL operates a money services business (“MSB”) for individuals of Bangladeshi and Pakistani origin or heritage who were sending money back to those countries. The business was founded in 2004 by Mr Salam, himself a migrant from Bangladesh. In 2011 a majority shareholding in the business was purchased by Brac Bank Ltd, the second biggest bank in Bangladesh. Brac Bank’s largest shareholder is Brac, an NGO and international development organisation.
On 26 May 2021, Ms Sarah Chapman, an Officer of HM Revenue and Customs (“HMRC”) made the following decisions:
to cancel with immediate effect BSEL’s registration under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR”) (“the Cancellation Decision”) on the basis that BSEL had “consistently failed to comply” with the MLR and was not a “fit and proper person” due to the risk that it would be used for Money Laundering and/or Terrorist Financing (“MLTF”); and
to impose permanent prohibitions (“the Prohibition Decisions”) on Mr Salam, Mr Garcia and Mr Furnival, preventing them from holding any management position in a business which was within the scope of the MLR or the Payment Services Regulations 2017 (“PSR”). The Prohibition Decisions were made on the basis that each of those three Individual Appellants was “knowingly concerned” in BSEL’s contraventions of the MLR.
On the same day, another HMRC Officer, Mr Dillan McLean, issued decisions that each Individual Appellant (with the exception of Mr Furnival) was not a fit and proper person for the purpose of the MLR and could not be an officer or manager of BSEL (“the Personal Decisions”).
The direct consequences of the Cancellation Decision, the Prohibition Decisions and the Personal Decisions (together, “the Decisions”) were that:
BSEL ceased trading overnight;
Mr Salam, Mr Garcia and Mr Furnival were prohibited for life from working in a management role for any business which had to comply with the MLR and/or the PSR (“a regulated business”);
the other Individual Appellants were unable to work for BSEL in the future and would find it difficult to get another job commensurate with their qualifications and experience.
At the time of the Cancellation Decision, BSEL had around 62 employees and a network of around 270 agents; they were also adversely affected by the Decisions, as were BSEL’s 80,000 regular customers.
The Appellants appealed on the basis that there had been no failures in compliance sufficient to warrant the Decisions, and applied for the hearing to be expedited because of the consequences set out in the previous two paragraphs. I issued directions on that basis.
The burden of proof in relation to each Decision was on HMRC, and the standard of proof was the civil standard, namely the balance of probabilities. In this judgment, any legislation or case law is cited only to the extent relevant to the issue in dispute. Any reference to Regulation, Reg or Regs is to the MLR, unless otherwise stated.
The Tribunal’s conclusions
For the reasons explained in the rest of this judgment, I allowed all the appeals. There is a summary of my reasons at §14, but in a nutshell I found there had been the following minor compliance failures:
Reg 57(4) required BSEL to notify HMRC of “the full name and address of any agent it uses for the purposes of its business” within 30 days. The purpose of the notification is to allow HMRC to check whether the agent is a “fit and proper” person for the purposes of the MLR. BSEL had notified seven of its agents after that 30 day deadline; six of those late notifications occurred during the pandemic (four during lockdown).
BSEL was also required to ensure that the “officers” of its agents had been tested to ensure that they were “fit and proper” persons for the purposes of the MLR. BSEL had extensive and detailed requirements relating to the fit and proper testing of agents, but by oversight had failed to test five company secretaries of agent firms. None of those five individuals had transacted any business on behalf of BSEL.
There were two other compliance failures, but on 12 November 2020 Ms Chapman had confirmed that they had been remedied and that she was satisfied BSEL was a fit and proper person.
Neither of the failures relating to agents came anywhere close to justifying the Decisions, and the other two had been remedied well before the Decisions were issued. Although Ms Chapman decided BSEL had committed numerous other alleged breaches, I upheld none of those allegations.
STRUCTURE AND DRAFTING POINTS
This Part 1 of the judgment summarises the case and the reasons for the outcome; it also explains the nature of the Tribunal’s jurisdiction. Part 2 considers the evidence and the extent to which it can be relied upon. Part 3 makes overall findings of fact relevant to the appeals. Part 4 sets out the relevant legislation and guidance, and Part 5 considers HMRC’s earlier Suspension Decision. Part 6 makes findings about the Cancellation Decision; Part 7 makes findings about the Personal Decisions and Part 8 makes findings about the Prohibition Decisions. A list of abbreviations has been added as an Appendix.
SUMMARY OF THE CASE
I begin with the background about BSEL, and then move on to Ms Chapman’s review and the Decisions, together with some points of difficulty raised by HMRC’s evidence.
The business and its MLR compliance structures
BSEL was founded by Mr Salam in 2004. It defines its customer base as “an adult immigrant worker, who sends money back to his hometown for savings or family support”.
BSEL has around 80,000 regular customers, almost of whom are Bangladeshi or Pakistani migrants living in the UK. BSEL’s reputation within these communities is one of trust, honesty and integrity. Around 95% of BSEL’s business is conducted via a network of agents or through other MSBs, known as “aggregators”.
BSEL transfers its customers’ money from the UK to banks in Bangladesh and Pakistan, where it is received into the beneficiaries’ bank accounts, or collected over the counter. In the two year period from 1 September 2018 to 31 August 2020, BSEL transferred funds of almost £924m.
As an MSB, BSEL is required to comply with the MLR, and is thus a “relevant person” for the purposes of those regulations. BSEL is also required to comply with the PSR, which is regulated by the Financial Conduct Authority (“FCA”).
BSEL is well aware of the risk of MLTF relating to transacting with Bangladesh and Pakistan, and has a sophisticated many-layered risk-management system. This includes:
a complex web-based payment and monitoring application called “Remit ERP”, which checks compliance with the MLR in numerous different ways, and which is constantly being reviewed and improved. All transactions, including those made via agents and aggregators, are reviewed for MLR compliance by the Remit ERP system;
the application of Customer Due Diligence (“CDD”) requirements to all transactions and of Enhanced Due Diligence (“EDD”), above certain thresholds. CDD requires the MSB to carry out one or more checks on customers, including their identity. EDD requires one or more further checks, such as the provision of bank statements or payslips to show that the funds being transferred belong to the customer;
the appointment of a Money Laundering Reporting Officer (“MLRO”) to act as the focal point for all activity related to anti-money laundering/counter-terrorist financing (“AML/CTF”) requirements. At BSEL, the MLRO is also the “Nominated Officer” with statutory responsibility for making suspicious activity reports (“SARs”) to the National Crime Agency (“NCA”);
a Risk and Audit Committee (“RAC”) to provide oversight of the AML/CTF compliance function. The MLRO is a member of the RAC; it also has three independent members with extensive AML/CTF experience;
a three-tier compliance framework, consisting of (a) operational staff such as cashiers and agents; (b) compliance staff who are responsible for ongoing monitoring, and (c) a Risk and Internal Control (“RAIC”) Department, which includes internal audit;
documented policies, controls and procedures (“PCPs”) which are regularly updated for changes to law, regulations, guidance, BSEL’s own risk management experience and a range of other factors;
independent reviews of those PCPs carried out by Exiger LLC (“Exiger”), a global firm specialising in risk and compliance, and audits of BSEL’s MLTF compliance carried out by Eversheds Sutherland (“Eversheds”), another well-known specialist international firm;
annual (or more frequent) Enterprise Wide Risk Assessments (“EWRAs”) which evaluated BSEL’s PCPs in the context of the regulatory requirements, in accordance with a methodology designed by Exiger and Eversheds;
detailed and demanding agent and aggregator policies which had to be satisfied before an agent/aggregator was “on-boarded” by BSEL, and on a continuing basis thereafter; and
AML/CTF training of staff and agents.
In 2019 around 10% of BSEL’s annual expenditure was on compliance and 20% of its staff were engaged in compliance activities; in 2020 those figures increased to 12% and 22% respectively.
BSEL was regularly visited by specialist HMRC officers to check compliance with the MLR; those officers visited the premises, discussed procedures with directors and staff; reviewed documents and tested the operation of the Remit ERP system. Until the events with which this judgment is concerned, no HMRC Officer had identified any issues in relation to MLTF or in any other respect.
5MLD, Mr Kirby and Dr Naheem
The Fifth Money Laundering Directive (“5MLD”) was implemented in the UK with effect from 10 January 2020 by amending the MLR. Mr David McAllen Kirby was BSEL’s MLRO at that time. He amended BSEL’s PCPs, including changing its CDD/EDD requirements, and he signed a formal statement that the PCPs were compliant with 5MLD.
In or around August 2020, Dr Mohammed Ahmed Naheem, the head of RAIC, was dismissed; the departure was acrimonious. Around the same time, Mr Kirby also left. He retained his laptop and used it to access BSEL’s data and he deleted certain files. Mr Furnival was tasked with reporting the breach to the FCA and persuading Mr Kirby to return the laptop. Mr Kirby and Dr Naheem subsequently made reports to the FCA, but the contents of those reports were not disclosed for the purposes of these proceedings.
Ms Chapman begins her enquiries
In August 2020, Ms Chapman began her review At least some of the Individual Appellants considered that there was a link between (a) the departure of Mr Kirby and/or Dr Naheem, and (b) the approach taken by Ms Chapman to BSEL However, for the reasons explained at §264ff, I was unable to make a finding of fact on that point.
Unlike her predecessors, Ms Chapman did not visit BSEL’s premises, or see the Remit ERP system in operation, even by way of an online demonstration. She also did not read Exiger’s report on the methodology used by BSEL in assessing its MLTF risks. On 9 September 2020, she emailed BSEL and asked for extensive documentation, including detailed transactional data for agents and aggregators for the period 1 September 2018 to 31 August 2020.
The Suspension Decision
On 22 October 2020, Ms Chapman issued a letter suspending BSEL’s registration (“the Suspension Decision”), on the basis that there had been a “consistent failure” to comply with the MLR in the two respects summarised below. Although the Suspension Decision itself was not under appeal, Ms Chapman included the same failures on her list of reasons for the Cancellation Decision and they are therefore issues I have to consider.
Reg 57
Reg 57 requires a business such as BSEL to inform HMRC of certain information before it is registered for AML/CTF purposes. HMRC then determine whether the business, its Nominated Officer and “senior managers who are engaged directly in the provision of regulated activity” are “fit and proper persons”. Reg 57(4) requires the business to notify HMRC of any changes to that information within 30 days. At BSEL, responsibility for complying with that obligation rested with the MLRO.
Ms Chapman decided that BSEL had failed to notify HMRC about the appointments of four individuals: Mr Garcia, Mr Ahmad, Mr Furnival and Ms Dhillon, within the required 30 days and had “consistently failed to comply” with the notification requirement. She subsequently accepted that Mr Ahmad had in fact been notified.
I found that BSEL had breached Reg 57(4) by failing to notify Mr Garcia and Mr Furnival. However, Mr Garcia’s fit and proper status had already been confirmed by the FCA, and he reasonably believed that any further relevant checks had been carried out by the MLRO. Mr Furnival was required to be registered because of his role on the RAC, and not because of his day-to-day responsibilities.
Ms Dhillon had stepped into the MLRO role on a temporary basis after Mr Kirby’s unexpected departure from BSEL. She tried to notify HMRC of her new role within the 30 day time limit, but was denied access to the relevant part of HMRC’s system. When she emailed BSEL’s contact in HMRC’s Large Traders Team for assistance, she received no reply until Ms Chapman intervened. The form was submitted on 29 September 2020, three weeks late. HMRC had the power under the MLR to extend the time limit to take into account their own failure to reply to Ms Dhillon’s email, but no extension was given. As a result, the late notification was a breach of Reg 57(4), but it was minor in nature
It follows from the above that there were three breaches of the 30 day notification requirement in Reg 57(4), with one of those breaches being minor. There was no “consistent” breach.
Breach of Reg 19 by reference to Reg 33
Reg 19 contains provisions relating to PCPs, and Reg 33 sets out when EDD must be applied (as noted earlier, if EDD applies, more information must be obtained about the customer and/or the transaction). Ms Chapman decided that since “at least” February 2018 BSEL’s PCPs had failed to treat all transactions with Pakistan and Bangladesh as requiring EDD.
I found that EDD was required for all transactions with Pakistan for the period from 10 January 2020, when 5MLD was implemented in the UK, until 10 November 2020, when BSEL required evidence about the sender’s occupation and about the source of funds (such as a bank statement or payslip); it was common ground that the provision of this information satisfied the EDD requirements in Reg 33. I therefore agreed with Ms Chapman that there had been a breach of Reg 19 by reference to Reg 33, but for a shorter period, only in relation to Pakistan, and under a different subparagraph of Reg 33.
The Reinstatement Decision
On 12 November 2020, Ms Chapman reinstated BSEL’s registration (“the Reinstatement Decision”) in which she confirmed that the two issues which had triggered the Suspension Decision had been addressed, and that she was satisfied that BSEL was a fit and proper person to operate as an MSB. She made the Reinstatement Decision because:
on 29 September 2020, BSEL had sent HMRC the notification forms for Mr Garcia, Ms Dhillon and Mr Furnival, and Ms Chapman accepted that the breach of Reg 57(4) had been remedied; and
from 10 November 2020, BSEL required EDD for all transactions to Pakistan. Ms Chapman accepted that EDD was no longer required for transactions with Bangladesh.
The Cancellation Decision
After the Reinstatement Decision, Ms Chapman continued to discuss numerous issues with BSEL: she asked for and obtained a great deal of further information. On 26 May 2021, she issued the Cancellation Decision under Reg 60. This allows HMRC to cancel a person’s registration if they are satisfied that person is not a “fit and proper person” within the meaning of Reg 58. When deciding whether or not a person is “fit and proper”, HMRC must have regard to (a) whether the person has “consistently failed to comply” with the MLR; (b) the risk that the business may be used for MLTF, and (c) whether the business, and any of its officers, managers or beneficial owners, has “adequate skills and experience and has acted and may be expected to act with probity”.
The Cancellation Decision was made on the basis that:
BSEL was not a “fit and proper person” within the meaning of Reg 58, and HMRC suspected, on reasonable grounds, that BSEL would fail to comply with the MLR; and
Mr Salam, Mr Ahmad, Mr Garcia, Mr Gomez, Mr Curran and Mr Hashmi were not fit and proper persons, and HMRC suspected, on reasonable grounds, that they would fail to comply with the MLR s.
Ms Chapman attached to the Cancellation Decision a “Table of Failures” (“ToF”) running to seventeen pages of closely typed text. As already noted, the ToF included the matters which had given rise to the Suspension Decision, although those failures had already been remedied before the Reinstatement Decision.
Having considered all the further alleged breaches set out in the ToF, I found that there had been the following failures:
Reg 57(4) required BSEL to notify HMRC of any changes to the names and addresses of its agents within 30 days. Seven agents were notified to HMRC after that 30 day time limit. Six of these late notifications occurred during the pandemic (four during lockdown). Notification of the seventh agent was late because it had been accidentally overlooked. These late notifications breached Reg 57(4), but they were minor and not deliberate.
In July 2020, BSEL had 306 agents, and in March 2021 it had 272 agents; the majority operated as limited companies. Reg 19(4)(e) requires that BSEL’s PCPs ensure “that appropriate measures are taken…to assess whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58”. HMRC checked each incorporated agent against the Companies House register and identified five agents whose company secretaries had not been F&P tested. None of those five individuals had played any role in transacting business with BSEL.
The breaches rectified by the time of the Reinstatement Decision plainly did not justify the Cancellation Decision: Ms Chapman accepted at the time, and HMRC confirmed at the hearing, that those breaches had been remedied such that BSEL was “fit and proper”. There was also a minor breach of Reg 57(4) in relation to agent notification and a failure to apply the PCPs in relation to five company secretaries, but neither came anywhere close to justifying the cancellation of BSEL’s registration on the basis that the business would, as a result of those failures, be used for MLTF, and BSEL did not “consistently” fail to comply with the MLR.
The Personal Decisions
As noted above, when considering whether to register (or deregister) a business, Reg 58 requires HMRC to decide whether that business, and any of its officers, managers or beneficial owners, are “fit and proper persons to carry on that business” and have “adequate skills and experience” and have “acted and may be expected to act with probity”.
Mr McLean issued the Personal Decisions to Mr Salam, Mr Ahmad, Mr Garcia, Mr Gomez, Mr Curran and Mr Hashmi. Each Personal Decision opened by saying that Mr McLean had “undertaken a review to consider whether you are a fit and proper person”, and having undertaken that review, was “satisfied” that each of those individuals was “not a fit and proper person for the purposes of Regulation 58”.
However, in coming to those conclusions, Mr McLean did not conduct a review of the evidence. Instead he relied only on (a) the ToF which had been drawn up by Ms Chapman; (b) a document setting out BSEL’s corporate governance structure, and (c) the notes of one meeting between Ms Chapman and some of the Individual Appellants in December 2020, and (possibly, although Mr McLean was not sure) the notes of a second meeting in March 2021. He considered no other documents. His oral evidence was that:
he “relied on the evidence of Ms Chapman”, which “satisfied” him that the six Individual Appellants “weren’t fit and proper”;
he “had to find” that those Appellants were not compliant with the MLR so as to be “consistent” with Ms Chapman’s conclusions; and
in stating that there had been “fundamental failures” in complying with the MLR, he had “entirely relied on Ms Chapman in identifying these”.
Mr McLean had therefore simply rubber-stamped Ms Chapman’s conclusions. Mr Lakha submitted that as a result of Mr McLean’s failure to exercise any independent judgment, the Personal Decisions did not comply with the basic principles of natural justice and so were “wholly invalid”. However, I agreed with Ms Toman that given the Tribunal’s jurisdiction (see §82ff), I should consider for myself whether to uphold or cancel the Personal Decisions.
Having done so, I found that the Personal Decisions were based on the alleged breaches set out in the ToF, and as summarised above, two of those breaches had been remedied by the time of the Reinstatement Decision, and the other two were minor oversights. HMRC were therefore wrong to decide that these six Individual Appellants did not have the skills, experience and/or probity necessary to run an MSB.
The Prohibition Decisions
HMRC issued the Prohibition Decisions to Mr Salam, Mr Garcia and Mr Furnival on the basis that they were “officers” of BSEL and were “knowingly concerned” in the contravention of a “relevant requirement” of the MLR. Compliance with a “relevant requirement” includes compliance with Regs 19, 28, 33(1), and 35.
As set out above, I decided that apart from the two breaches remedied by the time of the Suspension Decision, the other failures were minor. None came close to justifying the threshold for imposing this extremely harsh lifetime ban on these three Appellants.
In addition, I found that Mr Furnival and Mr Garcia were not “officers” of BSEL within the meaning of the MLR, and that the Prohibition Decisions issued to them were invalid for that additional reason.
Overall conclusion
For the reasons summarised above, I allowed all the appeals. In the rest of this summary, I set out some issues with HMRC’s evidence, followed by some examples of the alleged breaches on which the Decisions rested.
The evidence
Each Individual Appellant (other than Mr Ahmad) gave witness evidence, and they were all entirely honest and credible. For HMRC, Ms Chapman and Mr McLean gave witness evidence, as did Mr Allington-Jones, an HMRC data specialist. Several aspects of HMRC’s evidence were problematic, as summarised below.
The spreadsheets
As noted above, at the beginning of her enquiries Ms Chapman asked for and received BSEL’s detailed transactional data for the period 1 September 2018 to 31 August 2020. She gave that data to Mr Allington-Jones, who produced around 150 spreadsheets, about three per topic, of which around 50 summarised the results of his work.
Ms Chapman relied on some of Mr Allington-Jones’s spreadsheets in her ToF, but there were a number of difficulties:
Although Mr Allington-Jones had produced around 50 summary spreadsheets, only 16 were attached as exhibits to his witness statement.
HMRC accepted in the course of the hearing that one of those 16 spreadsheets contained “material errors”.
The spreadsheets (around 34 in total) which had not been exhibited to Mr Allington-Jones’s witness statement were only provided to BSEL after Mr Allington-Jones disclosed their existence in the course of his oral evidence on Day 4 of the hearing. For the reasons explained at §128ff, those other spreadsheets did not form part of the evidence which I considered in coming to this judgment.
Mr Lakha submitted that, given the existence of material errors in one of the spreadsheets, the remaining 15 could not be relied on. I decided reliance could be placed on some of those spreadsheets. However, where Ms Chapman had cited figures which could not be traced to any of those 16 spreadsheets, I decided it was not in the interests of justice to place any reliance on those figures, because the underlying data had not been exhibited and it was not possible to test whether it was reliable.
Duty of candour
Mr Lakha also submitted that HMRC had breached their duty of candour by failing to disclose the majority of the spreadsheets. Ms Toman said that HMRC accepted they had that duty, but it had not been breached because the other spreadsheets were not relevant; she said the Decisions rested on specific identified breaches, and the 16 spreadsheets related to those breaches.
I agreed with Mr Lakha. The MLR is, for the most part, not prescriptive; instead it requires “a proportionate and effective risk based approach”. The Appellants’ case was that they had adopted such an approach, and the Decisions were largely founded on Ms Chapman’s view that BSEL should have incorporated different or additional elements in its PCPs. BSEL’s overall approach to its PCPs is therefore relevant. HMRC had carried out some 34 other tests to see whether BSEL was compliant with the MLR, but failed to disclose the results. The reasonable inference is that at least some were favourable to BSEL.
However, whether or not I am right that HMRC failed to comply with their duty of candour makes no difference to the outcome of this judgment. The appeals were decided on the basis of the evidence before the Tribunal, without any reliance on an inference that HMRC held other evidence helpful to the Appellants.
Ms Chapman’s evidence
In the witness box, Ms Chapman answered questions in a straightforward manner. However, I had the following concerns about her evidence:
it was underpinned and supported by analysis carried out by Mr Allington-Jones. As explained above, some of the related spreadsheets were not reliable, and some others were not disclosed; and
she failed to include some facts favourable to the Appellants; when those facts were taken into account, the picture changed, see §150ff.
Some of the alleged breaches relied on by Ms Chapman
For the purposes of this summary, I have focused on the some of the main reasons why Ms Chapman considered BSEL had breached the MLR, and why I decided she was wrong in her conclusions. The detailed analysis of each of these alleged breaches can be found in the main body of this judgment, along with the others on which she based her Decisions.
Alleged failures to assess risk correctly
Reg 18 required BSEL to carry out an assessment to identify the risk of MLTF. It is clear from the EU Directives, from the MLR, from the National Risk Assessment (“the NRA”) published by the Treasury and the Home Office, from the HMRC guidance to MSBs (“the HMRC Guidance”) and from the “Risk Factor Guidelines” published by the EU (“the EU Guidelines”), that it is the “relevant person” which must assess its overall risk, and use its informed judgement to focus its efforts on the highest-risk areas.
BSEL instructed Exiger, a market leading firm of international repute, to design its risk assessment methodology; that methodology was slightly amended by Eversheds, itself another global firm with excellent credentials. BSEL followed that methodology, and carried out complex and sophisticated risk assessments, which were audited by Eversheds.
In its May 2019 audit report, Eversheds expressly confirmed that it had reviewed BSEL’s PCPs against the legal requirements and the relevant guidance, including that given by HMRC, the FCA and the Treasury, and having done so, had concluded that “BSEL has sufficient controls in place to ensure that it complies with legal requirements imposed upon it from an AML/CTF and sanctions perspective”. Eversheds continued by saying “we are of the opinion that BSEL is complying with its legal and regulatory obligations pursuant to the MLR 2017”. The firm came to the same conclusion in its 2020 audit, with the single exception of the EDD threshold issue for Pakistan already discussed at §30ff.
Although Ms Chapman did not read Exiger’s report which formed the basis of BSEL’s risk assessment methodology, she criticised the risk weightings given in BSEL’s risk assessment and decided that, as a result, BSEL had breached Reg 18. I agreed with Mr Lakha that Ms Chapman had failed to understand that it is for the business to decide on its risk assessment in the light of the legislation and the guidance. BSEL had done precisely that, guided by Exiger and by Eversheds. There was no breach of Reg 18.
Appropriate PCPs generally
Reg 19 requires a relevant person to have appropriate PCPs. Ms Chapman decided that BSEL’s PCPs breached that regulation in numerous ways. Mr Lakha submitted that she approached her task on the basis that a failure to include a PCP to mitigate one of the risks she had identified meant that Reg 19 had been breached.
Plainly, neither the MLR nor the HMRC Guidance, nor indeed any other guidance, require a business to include flags and controls for every possible risk. Instead, the regulations are designed to provide “flexibility” and “a proportionate and effective risk based approach”, see the Explanatory Memorandum to the MLR at §320. Even the risk factors identified in the HMRC Guidance are “not an exhaustive list, and neither are these signs always suspicious. It depends on the circumstances of each case”.
To give one example of Ms Chapman’s overall approach, she decided BSEL had breached Reg 19 because it did not prevent agents from logging into the Remit ERP system from outside their registered premises, and she went on to hold that BSEL had “deliberately” failed to address that risk. She came to these conclusions despite being aware of the following:
None of the guidance identifies logging on from outside the registered premises as a risk factor.
The Remit ERP system has numerous other controls on agents, including:
blocking access to the Remit ERP system between midnight and 8am;
carrying out a detailed real-time risk assessment on agents (see §742ff);
using a third party provider, Experian, to check the agent’s own ID documents;
uploading and storing copies of signed money transfer receipts;
triggering an automatic alert when several transactions are made below limits in a short period of time by the same agent; and
tracking cumulative agent transactions.
BSEL’s PCPs include regular compliance visits to agents, depending on their risk ratings.
It is technically difficult to implement a control to monitor the exact location of an agent, because that type of monitoring would be based on IP addresses, which are imprecise and change frequently.
BSEL had considered implementing this control, but decided it was neither technically feasible nor necessary given the other measures already in place.
As set out above, the MLR requires businesses to apply a “proportionate and effective risk based approach” and to use its informed judgement to focus its efforts on the highest-risk areas. That is exactly what BSEL had done when it decided not to implement a further control to track the location from which an agent accessed the Remit ERP system. There was no breach of Reg 19.
Many-to-one transactions
Ms Chapman also decided that until April 2021 BSEL did not have appropriate PCPs to address the risk of MLTF where more than one person in the UK sends money to the same beneficiary overseas: these are known as “many-to-one” transactions.
Many-to-one transactions can be entirely innocent: for instance, if a number of family members in the UK are supporting the same elderly relative, they will all separately send money to that same person; similarly, several individuals may send money to the same person for Eid or on a birthday.
BSEL recognised, however, that several senders could deliberately split a larger sum destined for the same beneficiary in order to avoid the extra requirements of EDD, and that there was therefore a risk of many-to-one transactions being used for MLTF. The practical difficulty was that the beneficiaries were not BSEL’s customers, and it had no relationship with them. Nowhere in the MLR; the HMRC Guidance or in other MLTF guidance is a relevant person required to identify the beneficiaries so as to track many-to-one transactions.
However, in November 2018 BSEL decided for itself to introduce an automatic alert in its Remit ERP System to identify when many senders were making remittances to a single beneficiary. It quickly became clear that this was hopeless, because many unrelated beneficiaries had the same name: for example, as BSEL now knows (as the result of the further work set out below) over 4,370 different beneficiaries were called Habibur Rahman.
BSEL did not give up, but contracted with an external IT partner to create a unique beneficiary identifier using key information about each of the beneficiaries, including in particular their mobile number. This was a mammoth task, in part because BSEL’s database had over 2.5m beneficiary names.
In November 2019, BSEL began to implement this “Virtual Beneficiary Profile” (“VBP”), but the pandemic and an unusually severe cyclone season in South Asia delayed its development. By August 2020, before Ms Chapman became involved, BSEL implemented an algorithm which it hoped would allow the identification of each individual beneficiary by creating a VBP. However, problems with the algorithm emerged. BSEL thought these had been sorted out by November 2020, but they proved more intractable than anticipated. All issues were however resolved by early 2021 when BSEL implemented the VBP.
During the intervening period, BSEL’s compliance department used the Remit ERP system in other ways to identify and review many-to-one cases, but Ms Chapman decided that BSEL was not compliant with Reg 19 until it had installed the automatic VBP.
I agreed with Mr Lakha that BSEL had taken a proportionate approach to dealing with this risk, taking into account that:
its client base would be expected to make a lot of entirely innocent many-to-one transactions;
the lack of any relationship between BSEL and the beneficiary;
the scale of the VBP project;
pending the development of the VBP, the Remit ERP system flagged many-to-one cases. Reviewing those cases was a significant task: a report issued by Mr Kirby, the MLRO, said that when the VBP was implemented, it would “free up many hours spent by compliance analysing daily transactions”; and
the absence of any obligation in either the MLR or the guidance that many-to-one transactions be monitored by tracking the beneficiary.
It would be contrary to the proportionate approach prescribed by the MLR, and to its recognition that systems and approaches will change over time, for BSEL to be held in breach of Reg 19 until it had perfected an automated solution.
One-to-many
Ms Chapman also decided that until April 2021, BSEL did not have appropriate PCPs in relation to “one-to-many” transactions, in other words, where a customer in the UK sends money to more than one beneficiary overseas.
One-to-many transactions could be entirely innocent: for instance one person sending money at Eid to several different relatives overseas. However, it was also possible that a sender might split a large payment to avoid an EDD requirement, with the different beneficiaries colluding to recombine the funds.
On 2 November 2018, BSEL implemented another transaction monitoring alert in the Remit ERP system to identify cases where a person had sent money to more than 10 different beneficiaries. However, this produced too many false positives, in other words cases where, on review by compliance, there was no risk of MLTF. This was because it was not unusual for a customer with a South Asian background to be sending money to more than 10 beneficiaries, because of the size of their family network and because religious practices and cultural traditions meant that it was normal practice to give money widely, especially during Ramadan.
On reconsideration BSEL decided the alert was not necessary, given that:
the Remit ERP system automatically accumulates transaction amounts in real time for all customers, irrespective of the number of beneficiaries. As a result separate payments by the same person are added together by the system, whether the same agent or a different agent is used; if the cumulative amount is above the EDD threshold, the sender must provide evidence of his source of funds. In other words, BSEL already had a control which significantly reduced the risk of transaction splitting by the one-to-many route;
the HMRC Guidance required that businesses take a risk-based approach which “should balance the costs to your business and customers with a realistic assessment of the risk” of MLTF;
BSEL knows that its customer base generally had a network of friends and family overseas, and had religious and cultural traditions of giving money to a wider network; and
BSEL carries out a risk assessment on all customers which takes into account nationality, age, type of transaction, frequency of transactions and the destination country to which funds are sent. From September 2019, BSEL introduced real-time automated customer risk assessments into the Remit ERP system, and calculates the customer’s risk score in real time. Taking into account that risk score, the ERP system flags transactions for review by the compliance team.
I agreed with Mr Lakha that BSEL did not breach Reg 19 in relation to one-to-many transactions, but instead had taken a proportionate approach to dealing with this risk, given the factors set out above.
Additional PCPs for many-to-one and one-to-many
Because of the degree of concern expressed by Ms Chapman about many-to-one and one-to-many transactions, BSEL nevertheless agreed to set a limit of six senders per beneficiary, and six beneficiaries per sender.
By this BSEL meant that after the sixth transaction, the system would flag the seventh for review by the compliance team, to see whether the transactions were genuine or suspicious. However, Ms Chapman understood that six was to be “an absolute limit”, so that a customer who had already sent funds to six separate people would be prevented from sending to a seventh. Similarly, if a beneficiary had already received funds from six people, BSEL would prevent future transfers to that beneficiary from any other customers.
It takes only a moment to recognise that Ms Chapman had obviously misunderstood. An absolute limit would mean that a customer who already sent Eid gifts to six relatives in Pakistan would be prevented from sending money to a seventh, and an elderly person in Bangladesh who had already received gifts from six family members would be barred from receiving funds from anyone else.
Ms Chapman not only continued to insist she was correct, but accused the relevant Individual Appellants of deliberately presenting her with false information, and of lacking integrity. Those accusations were groundless.
The jurisdiction of the Tribunal
The Cancellation Decision was made under Reg 60; the Prohibition Decisions under Reg 78(2) and the Personal Decisions under Reg 58. The jurisdiction of the Tribunal in relation to those appeals is set out in Reg 99, which is headed “appeals against decisions of the Commissioners” and it reads:
“(1) A person may appeal to the tribunal in accordance with regulation 100 if the person is the subject of a decision by the Commissioners under—
(a) …;
(b) regulation 58, to the effect that a person is not a fit and proper person (unless the decision is required by virtue of paragraph (3) of that regulation);
(c) …
(d) regulation 60, to suspend or cancel the registration of a registered person;
(e) …
(f) regulation 78(2), to impose a prohibition.
(2) The provisions of Part 5 of the Value Added Tax Act 1994 (appeals), subject to the modifications set out in paragraph (3), apply in respect of appeals to the tribunal made under this regulation as they apply in respect of appeals made to the tribunal under section 83 of that Act (appeals).
(3) Part 5 of the Value Added Tax Act 1994 has effect as if sections 83A to 84, 85A and 85B (appeals and reviews) were omitted.
(4) The tribunal hearing an appeal under paragraph (1) has the power to—
(a) quash or vary any decision of the Commissioners, including the power to reduce any penalty to such amount (including nil) as the tribunal thinks appropriate; and
(b) substitute the tribunal's own decision for any decision quashed on appeal.
(5) For the purpose of an appeal under this regulation, the meaning of ‘tribunal’ is as defined in section 82 of the Value Added Tax Act 1994 (meaning of tribunal).”
The FTT (Judge Herrington and Miss O’Neill) in Hunt v HMRC [2014] UKFTT 1094 (TC) at [24] considered the identically worded provision of the previous version of the MLR in the context of an appeal against an HMRC decision that Mr Hunt was not a fit and proper person, and decided at [24] that the FTT had an appellate jurisdiction. In Munatsi Logistics Ltd v HMRC [2017] UKFTT 617 (TC), the appellant had appealed against HMRC’s decision that the owner of that business, Mr Munatsi, was not a fit and proper person and Judge Raghavan and Mr Woodman adopted the same approach, see [12] and [13] of that judgment.
In the instant appeals it was common ground that Reg 99, read with the relevant parts of VATA, gave the Tribunal an appellate jurisdiction in relation to the Cancellation Decision (made under Reg 60) and in relation to the Personal Decisions (made under Reg 58).
Ms Toman submitted, albeit somewhat tentatively, that in relation to the Prohibition Decisions, the Tribunal had an appellate jurisdiction when deciding the question as to whether the Individual Appellants were officers and/or knowingly concerned in a contravention by BSEL (“the threshold condition”), but that if the Tribunal decided HMRC succeeded on that threshold condition, it had a supervisory jurisdiction, and so could “overturn the decision to impose a permanent prohibition if it were shown that HMRC had acted in a way which no reasonable HMRC Commissioner could have acted or if they had taken into account some irrelevant matter or had disregarded something to which they should have given weight”. That submission was based on the wording of Reg 78, which begins:
“(1) Paragraph (2) applies if a designated supervisory authority considers that another person who was at the material time an officer of P was knowingly concerned in a contravention of a relevant requirement by P.
(2) The designated supervisory authority may impose one of the following measures on the person concerned—
(a) a temporary prohibition on the individual concerned holding an office or position involving responsibility for taking decisions about the management of a relevant person or a payment service provider (“having a management role”);
(b) a permanent prohibition on the individual concerned having a management role.”
Ms Toman submitted that the use of the word “may” in Reg 78(2) meant that HMRC had a discretion as to whether to impose a temporary or a permanent prohibition, and that the Tribunal therefore had a supervisory jurisdiction over the exercise of that discretion.
I was unconvinced by this reasoning. Reg 99(4) gives the Tribunal power to “quash or vary any decision of the Commissioners” and “substitute the tribunal's own decision for any decision quashed on appeal”. It follows that the Tribunal has an appellate jurisdiction in relation to appeals against decisions made under Reg 78(2), just as it does in relation to HMRC decisions made under Regs 58 and 60.
I note that in FA 1994, s 16, which gives the Tribunal (a) an appellate jurisdiction in relation to some types of excise decisions, and (b) a supervisory jurisdiction in others, the difference between the jurisdictions is plain from the wording of the provision. Here, Ms Toman’s submission rests only on an inference derived from the word “may”. In my judgment, if Parliament intended the Tribunal to have a supervisory jurisdiction in relation to the type of sanction imposed by Reg 78(2), it would have said so explicitly.
In any event, as I have decided that none of the Appellants was “knowingly concerned in a contravention of a relevant requirement” and thus HMRC have not met the threshold condition in relation to any of the Prohibition Decisions, so the point is academic.
PART 2: EVIDENCE
In this Part, I summarise the evidence provided to the Tribunal and make findings about whether the witnesses were reliable. I also explain why part of the hearing was in private, and why some names and related details have been anonymised.
THE DOCUMENTS
I was provided with large core bundle of 6,724 pages and a supplementary bundle of 565 pages (together “the Bundle”), which included:
the Decisions, and the appeals to the Tribunal against the Decisions;
the Suspension Decision and the Reinstatement Decision;
other correspondence between the parties and between the parties and the Tribunal;
minutes of the RAC and the RAIC;
BSEL’s PCPs dated February 2018, April 2019, May 2019, September 2020, October 2020 and November 2020;
spreadsheets of BSEL’s aggregators and agents dated October 2018, December 2019 and September 2020;
BSEL’s CDD and EDD thresholds, dated 2018, 2019, January 2020 and November 2020;
BSEL’s EWRAs dated April 2019, March 2020 and October 2020;
BSEL’s corporate governance document dated October 2020 and 29 January 2021;
a “list of IT implementations to assist compliance functions”, prepared by the Appellants. In the course of the hearing, HMRC supplied a further copy of that document which included their comments, and the Appellants subsequently provided their responses to HMRC’s comments;
reports issued by Exiger dated July and November 2018, and Exiger’s risk assessment methodology report dated 12 December 2018;
audit reports issued by Eversheds dated May 2019 and November 2020;
an audit report issued by JW Risk Management Ltd on 25 May 2021; and
the AML policies of various competitor businesses.
With the agreement of the Appellants, HMRC applied to admit further correspondence between the parties, and I allowed that application. The Appellants applied for a report drafted by Eversheds dated 26 November 2020, entitled “AML advice – EDD Requirements in relation to HR3Cs” to be admitted into evidence. HMRC did not object and I allowed the application.
THE APPELLANTS’ WITNESS EVIDENCE
Each of the Individual Appellants, other than Mr Ahmad, gave witness evidence as set out below. Witness evidence was also provided by Mr Jeff Wall. I found each of these witnesses to be entirely honest and credible, and Ms Toman did not suggest otherwise.
Mr Salam
Mr Salam established the predecessor business to BSEL in 2004, and is BSEL’s Managing Director and Chief Executive Officer. He provided three witness statements, was cross-examined by Ms Toman, answered a question put by the Tribunal and was re-examined by Mr Lakha.
Mr Curran
Mr Curran joined BSEL as the Head of Financial Crime Compliance on 28 September 2020, and is its Nominated Officer and MLRO. He provided three witness statements, was cross-examined by Ms Toman and re-examined by Mr Lakha.
Mr Garcia
Mr Garcia is the Head of Global Compliance and the Chief Information Officer at BSEL, and has worked there since 2017. English was not his first language but he has worked in the UK for some time and he speaks and understands the language well, albeit not like a native speaker. He provided three witness statements, was cross-examined by Ms Toman, answered questions from the Tribunal and was re-examined by Mr Lakha.
At the end of his re-examination, Mr Garcia asked to “make a statement” to the Tribunal about the role played by Mr Kirby, BSEL’s MLRO until August 2020. I decided that it was not in the interests of justice for Mr Garcia to give new oral evidence after the conclusion of his re-examination. The parties had exchanged witness evidence before the hearing; Mr Garcia had filed three witness statements, and so had had every opportunity to set out his evidence in writing, and he had not said when he entered the witness box that he wanted to amend any of those statements.
Mr Furnival
Mr Furnival was BSEL’s Chief Operating Officer (“COO”) from July 2018 to March 2021. He provided two witness statements, was cross-examined by Ms Toman and re-examined by Mr Lakha.
Mr Gomes
Mr Gomes joined BSEL in 2011. Since 2019 he has been the company’s Business System Manager, responsible for managing and developing BSEL’s IT systems. He provided two witness statements, was cross-examined by Ms Toman, answered questions from the Tribunal and re-examined by Mr Lakha.
Mr Hashmi
Mr Hashmi joined BSEL as its Head of Risk and Internal Control on 1 September 2020. He provided two witness statements, was cross-examined by Ms Toman and re-examined by Mr Lakha.
Mr Wall
Mr Wall had a thirty-year career in the Metropolitan Police, specialising in combatting financial crime and money laundering. He retired in 2016 with the rank of Detective Sergeant, after which he set up a company called JW Risk Management Limited (“JW Risk”) through which he provides consultancy services. In May 2021, he was instructed by one of his clients, the Choice Group, to carry out an audit of BSEL. He provided a witness statement, was cross-examined by Ms Toman and re-examined by Mr Lakha.
HMRC’S WITNESS EVIDENCE
Three HMRC Officers gave witness evidence, but there were significant issues with that evidence, as explained below.
Ms Chapman
Ms Chapman issued the Cancellation Decision and the Prohibition Decisions and produced the ToF. She works in the Economic Crime Supervision team, previously known as AML Supervision. She provided two witness statements; gave evidence in chief led by Ms Toman; was cross-examined by Mr Lakha and re-examined by Ms Toman. She answered all questions in a straightforward manner, but there were problems with her evidence taken as a whole, as I explain at §143ff below.
Mr McLean
Mr McLean also works in HMRC’s Economic Crime Supervision team. He issued the Personal Decisions. He provided a witness statement and was cross-examined by Mr Lakha. As explained at §163ff, there were difficulties with his witness statement, but his responses when cross-examined were entirely frank and honest.
Mr Allington-Jones
Mr Allington-Jones has been a data-handling specialist within HMRC’s Fraud Investigation Service since 2015. His duties include extracting data from various computer systems and producing it in a suitable format for further analysis by case teams. He provided a witness statement and exhibited 16 spreadsheets; where these are referred to in this judgment I have included the spreadsheet number; they run from SAJ01 to SAJ16. Unhelpfully, none of the ToF, Ms Chapman’s witness statement or HMRC’s skeleton argument was cross-referenced to Mr Allington-Jones’s spreadsheets; the only link was that provided by Mr Allington-Jones’s witness statement, which cited extracts from the ToF.
Mr Allington-Jones was cross-examined by Mr Lakha, answered questions from the Tribunal and was re-examined by Ms Toman. He was an entirely honest and credible witness.
The process followed by Mr Allington-Jones and Ms Chapman
Ms Chapman was provided with transactional data by BSEL. She gave this data to Mr Allington-Jones along with a “brief” which specified the issues she wanted him to address: for instance, how many customers sent money to the same recipient, or “beneficiary”.
Mr Allington-Jones ran tests on the data and produced spreadsheets for Ms Chapman to consider. These included “pivot tables”, which allow manipulation of the data to display it in a more user-friendly way based on various criteria; in essence, the pivot tables allow the data to be filtered and re-organised. Ms Chapman and Mr Allington-Jones then discussed the spreadsheets in various telephone conversations.
The ToF makes frequent references to “the transactional data for the period 1 September 2018 to 31 August 2020” as providing evidence to support Ms Chapman’s conclusions and the text of the Decisions similarly refers to “the transactional data”. Neither the ToF nor the Decisions refer to the existence of the spreadsheets.
The Appellants’ Schedule
On 16 July 2021, Mr Salam and most of the other Individual Appellants filed and served witness statements. Exhibited to Mr Salam’s witness statement was a schedule (“the Appellants’ Schedule” or “the Schedule”) which he described as BSEL’s “collective comments to the allegations in the Table of Failures”.
At the time the Schedule was filed and served, the Appellants did not know about, and had not seen, Mr Allington-Jones’s spreadsheets. They had only seen the ToF.
The Schedule consists of two columns. The first contains numbered summarised extracts from the ToF, and the second set out BSEL’s responses to each of those numbered extracts. Some of BSEL’s responses included comments on Ms Chapman’s references to the transaction data, including that “the transaction data is agreed”, and “the transaction data is not agreed”.
It was common ground that, before making those comments, BSEL had re-run the transaction data previously provided to HMRC in order to see if they were able to replicate the same outcomes as those referred to by Ms Chapman in the ToF. I consider below what reliance can be placed on the Appellants’ comments in the second column of the Schedule.
Spreadsheet SAJ04
Spreadsheet number SAJ04 compared the postcodes of customers with those of their agents: Ms Chapman relied on this spreadsheet to show whether “the customer was not local to the MSB” and for her conclusion in the ToF that the transactional data “identified transactions totalling £4,189,281 where the first two digits of the customer postcode and agent postcode did not match”; this was repeated in the witness statements of Ms Chapman and Mr Allington-Jones.
Spreadsheet SAJ04 was opened during the hearing so that Mr Allington-Jones could answer questions put by Mr Lakha, but the total of the spreadsheet was just over £2m rather than the figure of over £4m referred to in the ToF. Mr Allington-Jones adjusted some of the fields and produced the number relied on by Ms Chapman. The hearing was adjourned over the weekend, during which I revisited some of the evidence, including SAJ04. I was unable to reperform the exercise carried out by Mr Allington-Jones, so it was not possible for me to access all the data on which HMRC placed reliance.
When the hearing reconvened on Monday 11 April, I asked Ms Toman to provide me with instructions as to how to adjust the spreadsheet so that I could access the underlying data relied on by HMRC in the ToF; she said she would ask Mr Allington-Jones. Later the same day, Ms Toman said Mr Allington-Jones had established that there were errors in SAJ04, and that HMRC would be asking the Appellants to agree that Mr Allington-Jones should give further evidence to explain the nature and extent of those errors.
After proceedings had closed for the day, I received an email stating that the parties agreed a “joint position”. It read:
“We are agreed that:
1) There are material errors in SAJ04;
2) As a result of those material errors, HMRC cannot and do not rely on SAJ04 or the alleged failures within the Table of Failures based on SAJ04; and
3) The Appellants have not had an opportunity to recheck the remaining schedules/spreadsheets produced by SAJ to see if similar failures permeate those spreadsheets.”
After the Appellants concluded their witness evidence at lunchtime on Wednesday 13 April, Ms Toman applied for Mr Allington-Jones’s further witness statement to be admitted into evidence. She said it would explain the nature and extent of the errors, and this would be helpful to the Tribunal in assessing what reliance to place on the other spreadsheets. She added that Mr Allington-Jones could be called to the witness box on the Thursday 14 April (the last day of the hearing) to be cross-examined by Mr Lakha on both SAJ04 and the other spreadsheets, with any further points arising being dealt with in post-hearing submissions.
Mr Lakha objected, and I agreed with him that Mr Allington-Jones’s further witness evidence should not be admitted. This was for the following reasons:
The Appellants had only become aware of the existence of unspecified errors in SAJ04 on Monday 11 April, and had only been provided with Mr Allington-Jones’s draft witness statement explaining the error just before the hearing was due to commence on Tuesday 12 April.
HMRC’s position was that the Appellants could and should have checked the other 15 spreadsheets between then and Mr Allington-Jones entering the witness box on the morning of Thursday 14 April. That proposal was entirely unrealistic and unfair because:
The Appellants had not identified the error in SAJ04 themselves, and so it was reasonable to infer that they would be unable to check the other 15 spreadsheets, but would instead need the assistance of an expert data analyst, which was plainly impossible in the time frame.
Mr Gomes, BSEL’s IT specialist, had been unable to assist in checking the spreadsheets because:
When HMRC admitted the error on Monday 11 April, he was in the witness box, where he remained until part way through Tuesday morning;
He was an Individual Appellant and as such a participant in the rest of the hearing and it was not reasonable to expect him to withdraw from the hearing to work on the spreadsheets; and
he was in any event not a specialist data analyst.
Without that technical information, Mr Lakha would not be in a position to be able properly to cross-examine Mr Allington-Jones.
Since Mr Allington-Jones’s evidence could not be tested in cross-examination, the Tribunal could not treat that evidence as reliable.
Thursday was the final day of the hearing, the following day being a bank holiday (Good Friday). There had been many days of witness evidence, and the parties were to make their closing submissions on that final day. If Mr Allington-Jones gave evidence and was cross-examined on the morning, it would reduce the time for the parties to set out their case by taking into account the oral evidence, and that too was not in the interests of justice.
This hearing had been expedited because HMRC had closed BSEL’s business, and it was plainly not in the interests of justice to adjourn the hearing to allow HMRC to provide late witness evidence, or so that the Appellants could have time to instruct a data analyst to consider the extra spreadsheets. It was similarly not in the interests of justice for there to be further written submissions about this issue after the hearing, even if such submissions could sensibly be made, given the limitations that would affect Mr Lakha’s cross-examination without the Appellants having had the benefit of further expertise.
I gave my decision orally, refusing HMRC’s application to admit Mr Allington-Jones’s witness evidence, and SAJ04 was then withdrawn. As noted above, the joint statement provided to me by email on Monday evening said (my emphasis) “HMRC cannot and do not rely on SAJ04 or the alleged failures within the Table of Failures based on SAJ04”. However, Ms Toman later said HMRC were still relying on the alleged breach of the MLR for which that spreadsheet had provided supporting evidence. I return to the alleged breach at §484ff.
The other 15 spreadsheets
There were two issues under this heading: one relating to the Appellants’ Schedule and one about reliance generally.
The Appellants’ Schedule
Ms Toman submitted that the Tribunal could place reliance on the other 15 spreadsheets because the Appellants had re-run the data provided to HMRC on which Mr Allington-Jones’s spreadsheets were based, and on a number of points had said that “the transactional data was agreed”; the Tribunal was therefore entitled to rely on the Appellants’ agreement in relation to any spreadsheet which considered the same transactional data.
Mr Lakha asked the Tribunal to place no reliance on the other 15 spreadsheets because:
there were “material errors” in SAJ04;
although the Appellants had re-run the transactional data and had referred to the outcome of that work in the Schedule, they had not identified those material errors, so it was plain that the statement that “the transactional data is agreed” could not be read as meaning that there were no errors in a related spreadsheet;
HMRC have the burden of proof in these appeals; and
it would be unfair and unjust to allow HMRC to rely on the Appellants’ Schedule effectively to “prove” Mr Allington-Jones’s exhibits.
I first considered whether to treat the statements in the Schedule that “the transaction data is agreed” as endorsing Mr Allington-Jones’s spreadsheets on the same issues. On review of the numbered boxes on the Schedule I noted as follows (the numbers are by way of example):
there are a very small number of issues where it is clear exactly what is being agreed, see #2 and #14;
more frequently, it is unclear exactly what is being agreed or not agreed, see #12 and #20;
the Schedule includes responses to points in the ToF which are unrelated to the transactional data, such as those derived from EWRAs. Despite there being no related transactional data, the Appellants still said that “the transactional data is agreed”, see #4 and #8; and
in relation to the data underlying SAJ04, which it is now accepted contained material errors, the Schedule said that “the transactional data is agreed” (see #10).
I decided that the phrase “the transactional data is agreed” in the Schedule could not be taken as an endorsement by the Appellants of the related spreadsheet, unless it was explicitly clear that Schedule provided that confirmation, and then only to that extent.
Other submissions on reliance
Mr Lakha also submitted that because SAJ04 contained material errors, the Tribunal could not safely assume that the same was not true of the others. Ms Toman said that that it would be unfair and unjust to exclude the other spreadsheets, because:
the Tribunal had decided not to admit Mr Allington-Jones’s further witness evidence, and HMRC had therefore been unable to explain the nature and the extent of the errors in SAJ04; his evidence would have allowed the Tribunal to come to an informed view as to whether the errors were likely to have infected the other spreadsheets; and
the Appellants had had the spreadsheets (and not jut the ToF) for some considerable time before the hearing, but had not identified any errors; it was Mr Allington-Jones himself who had found the mistakes in SAJ04.
I agreed with Ms Toman that it was not fair to exclude all the other spreadsheets only on the basis that Mr Allington-Jones had identified errors in one of them, but it was also true that the errors in that spreadsheet were “material”. I decided that:
less weight would be placed on spreadsheets where, having re-run the transactional data, the Appellants’ Schedule explicitly challenged statements in the ToF which derived from a related spreadsheet. To put that another way, the fact that SAJ04 was incorrect adds weight to the Appellants’ challenges;
little or no weight would be placed on a spreadsheet where Mr Allington-Jones himself accepted that:
“if the test was summarised in a different way…it would likely give different results”, see SAJ02;
the figure cited in the ToF “was likely to be an over-estimate” as he was relying on limited data, see SAJ15; or
because the spreadsheet did not analyse transactions by date, this affected the conclusions which could be drawn, see for example SAJ08;
no weight would be placed on a spreadsheet where Ms Chapman herself identified that the figures she had relied on in the ToF were wrong, but without explaining her reasons, see for example SAJ03; and
no weight would be placed on a spreadsheet, or part of the spreadsheet, where I found from my own review that it did not support Ms Chapman’s conclusions, see for example SAJ10.
Spreadsheets provided to the Appellants in the course of the hearing
Ms Chapman’s witness statement said (my emphasis):
“Officer Simon Allington-Jones carried out analysis of the transactional data from 1 September 2018 to 31 August 2020 for both the agent and aggregator data provided by BSEL. The purpose of this was to assess whether BSEL had established and maintained PCPs to effectively mitigate and manage the risks of MLTF as required by regulation 19(1)(a). Full details of the testing carried out can be found in the witness statement of Officer Allington-Jones.”
Mr Allington-Jones’s witness statement begins by saying (again, my emphasis) that he was engaged by Ms Chapman “to run some tests on transactional data provided”.
When Mr Allington-Jones gave evidence on Wednesday, 6 April 2022, he said Ms Chapman had instructed him to run many other tests which are not referred to in his witness statement or attached as exhibits. He told the Tribunal that he had run over 150 tests/programs, of which around one-third were summaries similar to those which had been exhibited.
Until that point the Appellants had been unaware of these extra tests. As is plain from the citations above, there is no reference to them in Ms Chapman’s or Mr Allington-Jones’s witness statements and they were not included on HMRC’s documents list. Although it is true that some parts of the ToF refer to transactional data not exhibited to Mr Allington-Jones’s witness statement, Ms Toman did not seek to argue that the Appellants should have inferred from the ToF that there were other spreadsheets in existence which had not been disclosed. In my judgment she was right not to make that submission, because:
as noted above, Ms Chapman’s witness statement said that “Full details of the testing carried out can be found in the witness statement of Officer Allington-Jones”;
the spreadsheets are complicated, with numerous columns and hundreds of lines, and can be manipulated using the pivot tables to produce other outcomes (as happened during the hearing in relation to SAJ04); and
it would therefore have been reasonable to assume from Ms Chapman’s witness evidence and the spreadsheets that Ms Chapman had relied only on the 16 spreadsheets which had been disclosed.
HMRC served all the hitherto undisclosed schedules on the evening of 6 April, after Mr Allington-Jones had left the witness stand, but they were not filed with the Tribunal and I was unaware until the penultimate day of the hearing that they had been provided to the Appellants. Neither party made an application for those schedules to be admitted in evidence.
Transactional data referred to by Ms Chapman but not cited by Mr Allington-Jones
As already explained, Mr Allington-Jones structured his witness statement around 16 citations from the ToF, and in relation to each citation, exhibited a related spreadsheet and summarised his work. He gave each of the spreadsheets a name as well as a number: for example, SAJ04 was entitled “customers using out of area agents/remote customers”, followed by the following citation from the ToF:
“No PCPs in place to mitigate the risks surrounding customers using agents not local to their residential address. Analysis of the transactional data for the period 1 September 2019 to 31 August 2020 identified transactions totalling £4,189,281 where even the first two digits of the customer postcode and agent postcode did not match.”
It was Mr Allington-Jones’s evidence that any references to the transactional data in the ToF (other than that which had been specifically cited by him with an attached exhibit) related to other work he had carried out which had not been exhibited. It follows that the 16 spreadsheets provide supporting evidence only for the parts of the ToF to which he has referred in Mr Allington-Jones’s witness statement.
However, the ToF also contains extracts from transactional data which are not referenced in Mr Allington-Jones’s witness statement. Where Ms Chapman has put forward conclusions from the transactional data, and Mr Allington-Jones has not cited those parts of the ToF, it follows that the Tribunal has not been provided with any supporting evidence for Ms Chapman’s conclusion.
Since (a) SAJ04 contained material errors; (b) Mr Allington-Jones and Ms Chapman both accepted that some of the other 16 spreadsheets were not reliable, and (c) HMRC has the burden of proof, it is not in the interests of justice for the Tribunal to place any reliance on spreadsheet data which has not been exhibited, unless it were to be clear from the Appellants’ Schedule that they had re-run the transactional data and obtained identical results, and then only to that extent.
Duty of candour
On Wednesday 12 April 2022, after all the witnesses had given evidence, Mr Lakha submitted that:
HMRC had a duty of candour, which required them to ensure that all relevant information was disclosed, including that which was adverse to their own case but might assist the Appellants.
HMRC had breached that duty for the following reasons:
It was part of the Appellants’ case that they were each “fit and proper persons” and that BSEL had “robust policies and procedures in place at all relevant times”.
HMRC had run some 50 tests to check BSEL’s compliance, and had not disclosed the results of some 34 tests. It was, he said, reasonable to infer that at least some of those tests showed no failures in BSEL’s PCPs, and it was plainly relevant to have disclosed that material.
Ms Chapman and Mr Allington-Jones had a duty to give the full picture in their witness statements but had failed to do so.
Ms Toman said HMRC accepted they had a duty of candour, but submitted that there had been no breach of that duty. She said the other spreadsheets had not been disclosed because they were not relevant: the Decisions rested on specific identified breaches, and the absence of further breaches was not a relevant factor when the Tribunal had to decide whether to uphold the Decisions. She added that HMRC had served these extra schedules on the Appellants as soon as they had been referred to by Mr Allington-Jones, and Mr Lakha had had time to particularise why they were relevant and had not done so.
The Tribunal’s view
In my judgment, Mr Lakha is right that HMRC had a duty to disclose these documents to the Appellants at the beginning of the Tribunal process and had failed in that duty. As he submitted, it is part of the Appellants’ case that they have acted in compliance with the MLR at all times. Ms Chapman herself said that “the purpose” of Mr Allington-Jones’s analysis of the transactional data was “to assess whether BSEL had established and maintained PCPs to effectively mitigate and manage the risks of MLTF as required by regulation 19(1)(a)”.
The MLR is, for the most part, not prescriptive. As the Explanatory Memorandum to those Regulations says (see §320), it provides “flexibility in order to promote a proportionate and effective risk based approach to combating money laundering and terrorist financing”. The Appellants’ position is that they adopted such an approach, and that Ms Chapman’s Decisions were largely founded on her view that BSEL should have incorporated different or additional elements in their PCPs. BSEL’s overall approach to PCPs in addressing the risk of MLTF is therefore relevant. HMRC ran some 34 other tests to see if BSEL was compliant with the MLR, but failed to exhibit the related spreadsheets. The reasonable inference is that at least some were favourable to BSEL.
I reject Ms Toman’s submission that Mr Lakha should have particularised his submission on relevance by reference to the other spreadsheets. These were served at the end of the fourth day of a very demanding ten day hearing, and without any witness evidence or explanations. I make the reasonable assumption, based on the 16 spreadsheets which were exhibited, that these further spreadsheets were also complicated, with numerous columns and lines, and that at least some contained pivot tables. When these spreadsheets were provided, Mr Lakha was in the middle of the hearing; each day began at 9.30 and usually lasted until after 5pm; and it was entirely reasonable and proper that his attention and that of his junior Mr Pons was focused on the hearing itself, not on attempting to carry out an analysis of complicated mathematical spreadsheets provided very late and without any explanations.
However, whether or not I am right that HMRC failed to comply with their duty of candour makes no difference to the outcome of this judgment. The appeals were decided on the basis of the evidence provided to the Tribunal, without any reliance on an inference that HMRC held other evidence helpful to the Appellants.
Ms Chapman’s reliance on Mr Allington-Jones’s work
As noted above, when in the witness box, Ms Chapman answered questions in a straightforward manner. However, the confidence which I could place on her evidence was reduced by issues relating to the work carried out by Mr Allington-Jones.
Issues with the 16 exhibited spreadsheets
The ToF and Ms Chapman’s witness evidence was underpinned and supported by the 16 spreadsheets exhibited by Mr Allington-Jones. However:
SAJ04 contained material errors;
Ms Allington-Jones accepted that if the data underlying SAJ02 had been summarised in a different way “it would likely give different results”;
he also accepted that the figures from SAJ15 which had been cited in the ToF was “likely to be an overestimate”;
Ms Chapman herself identified in her witness statement that the figures she had cited from SAJ03 were incorrect; and
the Appellants re-ran the transaction data and could not replicate many of the figures relied on by Ms Chapman.
Reliance in the ToF on work which was not disclosed.
As is now clear following Mr Allington-Jones’ evidence during the hearing, that when drafting the ToF Ms Chapman relied on other spreadsheets which had been created by Mr Allington-Jones (at her direction) carried out by Mr Allington-Jones but she failed to disclose that this was the case.
Unexplained changes to the figures in the ToF
In reliance on SAJ03, the ToF stated that there were “163 occasions totalling £166,396 where a cashier has carried out two transactions for two different customers in less than a minute”. In her witness statement, Ms Chapman said she accepted these figures were incorrect, and she now considered the correct figures were “131 occasions totalling £131,876”. She failed to explain the reasons why she had decided the original figures were wrong, or why she now considered that the lower numbers were correct.
Moreover, the difference between the two figures is 26%, but Ms Chapman said that “given that the difference in the figures is minimal, this inaccuracy has not affected my decision”. A difference of 26% is not minimal.
Citations in the Cancellation Decision
Ms Chapman gave as one of the reasons for issuing the Cancellation Decision that (my emphasis) “Analysis of the transactional data highlighted that in the period 1 September 2018 to 31 August 2020 approximately £22 million was transmitted to beneficiaries”. That statement was based on SAJ05, but I was unable to identify the £22m figure from Mr Allington-Jones’s spreadsheet; it instead showed a figure of £20,111,766.71, a difference of some £2m, and the lower figure is also given in the ToF.
Ms Chapman’s witness statement refers to a figure of “over £20m” but does not correct the £22m relied on in the Cancellation Decision.
Ms Chapman’s presentation of the facts
Another issue which affected the reliability of Ms Chapman’s evidence was that, instead of presenting the facts in an impartial, straightforward way, she sometimes selected from the available evidence those points which she thought would support her conclusions, omitting other facts. I set out below some examples; there are others in the main body of the text (see §784ff; §609; §801 and §806ff).
The telephone call on 23 October 2020
On 23 October 2020, a telephone call took place between Mr Salam, Mr Furnival and Ms Chapman. Ms Chapman’s notes of that call record that:
“[Mr Furnival] said that he needs to consider the needs of the business alongside the regulatory requirements and needs to be on an equal footing with similar businesses in the market.”
In her witness statement, Ms Chapman said that as a result of that conversation, she “was concerned that BSEL was reluctant to comply with its obligations in respect of the Regulations and that it’s overriding concern was its competitors and market position”.
That passage prompted Mr Salam to file a further witness statement, because the call had been recorded, and the transcript shows that Mr Furnival said:
“[BSEL] is very very keen to be super compliant, but we are also concerned that where we are in the market we are on an equal playing field with our competitors if you like. So there's a level playing field in terms of the way the regulations are applied in the way they are interpreted etcetera.”
Thus, Mr Furnival did not say BSEL was reluctant to comply with its regulatory obligations, or that it needed to consider business needs “alongside” the regulatory requirements. Instead, he stated that BSEL was “very very keen to be super compliant” but was concerned that HMRC were not applying the MLR in the same way to their competitors. Ms Chapman’s evidence does not fairly reflect what Mr Furnival said, and her inference is unwarranted.
Audit recommendation
Ms Chapman cited an extract from Eversheds’ audit report which referred to the classification of “transaction risk” as supporting her decision that BSEL had breached Reg 18, but she did not add that Eversheds had expressly stated that BSEL had not breached the MLR and had instead made a “low priority” recommendation about transaction risk “to reflect best practice”.
Examples of one-to-many transactions via aggregators
As already explained in outline at §73, one of the issues in dispute concerned “one-to-many” transactions. Ms Chapman selected four individuals who had made payments via aggregators to more than one beneficiary over the two years from 1 September 2018 to 30 August 2020, and asked BSEL for more information. BSEL provided details of all four customers; confirmed that each transaction was below the CDD threshold; set out the ID the customers had provided; added information about the frequency of the transactions, reminded Ms Chapman that the Remit ERP system had has a specific field to monitor the number of transactions by each customer in a rolling twelve month period, as well as checking CDD/EDD thresholds and ID validity. BSEL explained that investigations had not been carried out because they were unnecessary given the other checks in the Remit ERP system.
In the ToF Ms Chapman did not refer to the first customer, about whom BSEL had provided most information. In relation to the other three, she said that BSEL’s failure to carry out further investigations was an example of its breach of Reg 28, which required “scrutiny of transactions undertaken throughout the course of the relationship…to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile”. She did not refer, either in the ToF or in her witness statement, to any of the further information provided by BSEL, which showed that BSEL was monitoring the transactions: it had checked the customers’ ID; it had applied CDD thresholds to the amounts being transferred, and it was monitoring the number, amount and frequency of transactions, and cumulating them irrespective of whether they were to the same or a different beneficiary. In other words, the ToF contained Ms Chapman’s edited version of BSEL’s response to her questions, omitting one sender, and failing to take into account the information provided about the other three or the controls which were applied to the transactions by the Remit ERP system.
The telephone calls on 1 and 3 December 2020
Ms Chapman decided BSEL had breached Reg 19 of the MLR because the Remit ERP system did not flag when transactions took place so fast that they were “not credible”. She relied in part on the notes of a conference call which took place on 1 December 2020 and continued on 3 December 2020. In relation to that conference call. In the ToF that:
Ms Chapman stated that Mr Curran had said “BSEL does not monitor the speed of transactions carried out by agents in order to ensure that they are credible”. However, HMRC’s notes of meeting record that Mr Curran also “highlighted that if an agent completed too many transactions in one day it would be flagged up by the system”.
Ms Chapman stated that Mr Furnival had confirmed that “a transaction for an existing customer would take a couple of minutes”. The meeting notes record that Mr Furnival had added that the Remit ERP system was programmed to flag up when there were “four or five transactions to the same country, which are of the same value with[in] the same agent”.
In other words, Mr Curran and Mr Furnival both identified controls within the Remit ERP system which would be triggered if an agent was carrying out frequent repeated transactions, but those facts do not form part of the ToF and are not included in Ms Chapman’s witness evidence. Instead, she cites only part of what Mr Curran and Mr Furnival said, omitting key points.
Percentage of cash transactions
BSEL’s EWRA for March 2020 stated that 96% of senders paid cash to BSEL and 61% of amounts credited to the receiving bank were paid out in cash, with the balance of 39% paid into the beneficiary’s bank account. Towards the end of 2019, BSEL began to use card readers, and around February 2020 introduced a web-based application to facilitate online card transactions. The October 2020 EWRA records that the percentage of funds being paid by customers in cash had reduced from 96% to 81%, and the percentage of funds paid directly into a beneficiary’s bank account had increased from 39% to 44.5%. From November 2020, all aggregator transactions were to beneficiaries’ bank accounts, so no money transmitted from aggregators was paid out by banks in Pakistan or Bangladesh to beneficiaries over the counter.
However, Ms Chapman only ever refers to the 96% figure: this appears in the ToF, the Cancellation Decision, the Prohibition Decisions and her witness statement. The full picture is not only patently clear from the EWRA, but was also set out in the Appellants’ Schedule, which was filed and served four months before Ms Chapman signed her witness statement.
Conclusion on Ms Chapman’s evidence
Parts of Ms Chapman’s evidence depended on Mr Allington-Jones’s spreadsheets; to the extent that those figures are unreliable, the same is true of her related evidence. In addition, as is clear from the above examples, Ms Chapman misrepresented some of the factual matters relevant to the Decisions, mostly by omission.
Reliance to be placed on Mr McLean’s evidence?
As I have already recorded, Mr McLean gave honest and credible oral evidence in an entirely straightforward manner. However, his witness statement effectively repeated the Personal Decisions: he said he had “undertaken a review” of each Individual Appellant (except Mr Furnival), and he listed specific alleged failures before concluding that those Appellants did not have the skills, competence or capability to ensure compliance with the Regulations; that they had failed to act with probity and could not be expected to act with probity in the future.
Mr McLean freely accepted in cross-examination that he had not reviewed any of the Appellants’ documents or spoken to any of the Individual Appellants before making his Decisions. Instead, he had relied only on a final draft of the ToF, his conversations with Ms Chapman and one (possibly two) sets of meeting notes. In other words, his witness statement, like the Personal Decisions, simply rubber-stamped the conclusions to which Ms Chapman had already come, and cannot be relied on as evidence of his own independent findings.
PRIVACY AND ANONYMITY
Some of the evidence provided to the Tribunal included the names of customers, beneficiaries and agents, none of whom was a party to the appeals. In particular Mr Allington-Jones’s spreadsheets, which were based on BSEL’s transactional data, contained long lists of names and other personal details.
On 6 April 2022, shortly before Mr Allington-Jones was due to take the witness stand, the parties jointly applied for the part of the hearing in which he gave evidence to be held in private and for the related exhibits to be protected from subsequent disclosure. In deciding the application, I took into account the principle of open justice and the exceptions thereto, and the to Tribunal Rules, as set out below.
The principle of open justice
It is a well-established general principle of our constitutional law that justice is administered by courts and tribunals in public, and that this is to enable public scrutiny of the way cases are decided, see A v BBC [2014] UKSC 25 and Cape Intermediate Holdings v Dring [2019] UKSC 38.
However, in A v BBC, Lord Reed said at [41] that there were nevertheless exceptions to the open justice principle, as he explained:
“Whether a departure from the principle of open justice was justified in any particular case would depend on the facts of that case…the court has to carry out a balancing exercise which will be fact-specific. Central to the court’s evaluation will be the purpose of the open justice principle, the potential value of the information in question in advancing that purpose and, conversely, any risk of harm which its disclosure may cause to the maintenance of an effective judicial process or to the legitimate interests of others.”
In Hastings v HMRC [2018] UKFTT 478 (TC), by reference to R (Guardian News and Media) v City of Westminster Magistrates’ Court [2012] EWCA Civ 420, Judge Sinfield held that the FTT has (a) an inherent jurisdiction founded on the fundamental constitutional principle of open justice to allow a member of the public to have access to and inspect documents relating to FTT proceedings, and (b) an inherent jurisdiction to determine how the principle of open justice should be applied in relation to specific FTT proceedings. I respectfully agree with those conclusions.
The Tribunal Rules
Rule 14 of the Tribunal Procedure (First-tier Tribunal) (Tax Chamber) Rules 2009 (“the Tribunal Rules” provides that:
“The Tribunal may make an order prohibiting the disclosure or publication of—
(a) specified documents or information relating to the proceedings; or
(b) any matter likely to lead members of the public to identify any person whom the Tribunal considers should not be identified.”
Rule 32 provides:
“(1) Subject to the following paragraphs, all hearings must be held in public.
(2) The Tribunal may give a direction that a hearing, or part of it, is to be held in private if the Tribunal considers that restricting access to the hearing is justified—
(a) in the interests of public order or national security;
(b) in order to protect a person's right to respect for their private and family life;
(c) in order to maintain the confidentiality of sensitive information;
(d) in order to avoid serious harm to the public interest; or
(e) because not to do so would prejudice the interests of justice.
(3) Where a hearing, or part of it, is to be held in private, the Tribunal may determine who is permitted to attend the hearing or part of it.
…
(6) If the Tribunal publishes a report of a decision resulting from a hearing which was held wholly or partly in private, the Tribunal must, so far as practicable, ensure that the report does not disclose information which was referred to only in a part of the hearing that was held in private (including such information which enables the identification of any person whose affairs were dealt with in the part of the hearing that was held in private) if to do so would undermine the purpose of holding the hearing in private.”
The Direction and the Order
I decided to allow the application because the customers, beneficiaries and agents were not parties to the appeals and their names and other identification details were not relevant to the issues I had to decide. Instead, the details about their transactions and other activities were being cited by the parties as evidence of what had, or had not, been done by BSEL and by the Individual Appellants. Publicising the details of customers’ financial transactions with BSEL via agents, and/or details of payments made to beneficiaries, would breach those individuals’ right to respect for their private and family life. It was not in the interests of justice for those details to be made public.
Before Mr Allington-Jones gave evidence, I therefore issued an oral Direction under Rule 32(2)(b) prohibiting any third party from joining the hearing for the duration of his evidence; that Direction therefore related to the afternoon of 6 April 2022. The appeal was being heard by video with no observers, and no person notified the Tribunals Service in the course of that afternoon that he or she wanted to join the hearing to observe the proceedings. At the same time as giving that Direction, I issued an Order under Rule 14(a), prohibiting the disclosure and/or publication of Mr Allington-Jones’s spreadsheets to any third party. I subsequently confirmed the Direction and the Order in writing to the parties.
Anonymisation of parts of this judgment
In accordance with Rule 32(6), I have anonymised references to individuals whose names (or other information enabling identification) were included in the spreadsheets. In addition, and for the same reasons, I have anonymised the parts of this judgment which refer to customers, beneficiaries or agents by name, whether that information has come from the witness evidence or from documents in the Bundle.
PART 3: OVERALL FINDINGS OF FACT
In this Part 3, I make findings of fact about the individuals in receipt of Personal and Prohibition Decisions; about BSEL’s business and its operations, and about the enquiries carried out by Ms Chapman. There are further findings of fact later in this judgment.
BSEL and Mr Salam
Mr Salam was born in Bangladesh, and he moved to England in 1978. In 2004 he established an MSB under the trading name Saajan Worldwide Money Transfer, and registered the business with HMRC.
In 2005, his business began to work with Brac Bank Ltd in Bangladesh, which in 2011 purchased 75% of BSEL’s business, with Mr Salam and his wife retaining ownership of 22% of the shares and the remaining 3% being owned by two other individuals. The company was subsequently rebranded as BSEL. Brac Bank is a private commercial bank and its parent organisation BRAC is an international development organisation and the largest NGO in the world. Until Brexit, BSEL used to operate in certain EU countries, but those operations were not considered by HMRC and are not relevant to this judgment.
At all relevant times, Mr Salam has been BSEL’s Managing Director and its Chief Executive Officer. As such he had overall responsibility for ensuring the effective functioning of BSEL’s corporate governance structure. BSEL’s Board of Directors was made up of Mr Salam; Mr Ahmad the Company Secretary, and two non-executive directors, Mr Kazi Mahmood Sattar and Mr Selim Reza Farsad Hussain. BSEL’s Corporate Governance document states that the Board was:
“ultimately accountable for the management of compliance and risk in BSEL and is responsible for ensuring adequate and effective compliance
practices and internal controls exist. The Board shall, under the direction of the Chairperson of the Board, be responsible for:• Oversight on the general conduct of the operations of BSEL
• Oversight on the maintenance of compliance and internal controls.”
The other individual Appellants
Mr Curran
Mr Curran began his career in 1978 working for HM Customs and Excise as an Executive Officer, and in 1986 he moved to the Investigation Division as a Drugs and Financial Crime Investigator. In 1997 he joined the National Criminal Intelligence Service (“NCIS”), now the NCA, where he was a Senior Intelligence Officer dealing with suspicious activity reports from UK financial institutions. In that role he designed the NCIS Financial Investigations Course and the Financial Intelligence Development Course and was a senior instructor on both.
From 2001 to 2004, Mr Curran was the global MLRO for Travelex Holdings, a MSB, where he was responsible for the design and implementation of a global compliance structure and the design and review of AML training materials on a worldwide basis. From 2004 to 2008 he was Vice Crime Officer and MLRO for the Bank of New York Mellon, where he was responsible for oversight of anti-money laundering policies. From 2008 to 2020, he worked as a consultant, and as such held the MLRO position for variety of financial institutions including DBS Bank and HSBC. He joined BSEL as the Head of Financial Crime Compliance on 28 September 2020, and was appointed as the Nominated Officer and MLRO.
Mr Furnival
Mr Furnival was BSEL’s COO from July 2018 to March 2021. He was previously the chief executive of a company providing loans, and before that the managing director of another; neither were MSBs or otherwise within the scope of the MLR.
As COO he reported to Mr Salam. He was responsible for overseeing BSEL’s administration and its business operations. The role included designing and implementing business strategies, plans and procedures; overseeing the daily work of executives including the Heads of Operations, Business Development, Marketing and HR; evaluating BSEL’s performance, and managing relationships with partners and agents/aggregators. On 1 February 2021, he was placed on furlough and he subsequently left the company by mutual agreement.
Mr Garcia
Mr Garcia joined BSEL in 2017 as the Head of Global Compliance and Chief Information Officer. He had previously founded a company in Spain which provided consultancy advice on tax and money laundering compliance; he assisted as an expert in the drafting of the Spanish AML regulations in 2014, and in 2019 he completed the advanced AML course (ACAMS).
Mr Gomes
Mr Gomes joined BSEL in 2011, and was its MLRO between September 2011 and May 2015. From November 2016 to October 2019 he was BSEL’s Business Development Manager, responsible for identifying new business opportunities to generate revenue, improve profitability, establish relationships with potential clients and help the business grow. Since October 2019 he has been the Business System Manager, responsible for managing and developing BSEL’s IT systems.
Mr Hashmi
Mr Hashmi joined BSEL as its Head of Risk and Internal Control on 1 September 2020. He is a member of the Institute of Chartered Accountants in England and Wales; the Institute of Chartered Accountants of Pakistan and the Institute of Financial Accounts. He has over 20 years of experience in banking and internal audit, including five years as the senior internal auditor at the Banque Saudi Fransi in Saudi Arabia, after which he was Senior Vice President and Head of Corporate & Group Audits at Noor Bank PJSC, of which he was a founding member.
Mr Ahmad
Mr Ahmad was BSEL’s Company Secretary from 2011 to March 2021; he was also the Company Secretary and Head of Regulatory Affairs for Brac Bank. His specific responsibilities were:
convening and servicing AGMs and Board meetings, producing agendas, taking minutes, conveying decisions, handling meeting correspondence and similar;
keeping up to date with any regulatory or statutory changes and policies that might affect the company; and
providing support to the Board or other committees on specific projects, as and when required.
BSEL’s business
The focus of BSEL’s business is the remitting of money to Bangladesh and Pakistan from UK individuals of Bangladeshi and Pakistani origin or heritage. BSEL defines its customer base as “an adult immigrant worker, who sends money back to his/her hometown for
savings or family support”.
BSEL has around 80,000 regular customers, many of whom live in communities populated by others with the same ethnic origin or roots, such as Whitechapel in London. They typically work in low-paid jobs in retail or as taxi drivers, and share accommodation, not just on a family basis but also in flats above shops and restaurants. BSEL’s reputation within these communities is one of trust, honesty and integrity.
BSEL remits the customers’ money to the beneficiaries’ bank account in Bangladesh or Pakistan, or to a bank in those countries for collection by the beneficiaries on presentation of the requisite ID documents. It has always been part of BSEL’s risk-mitigation policy to transfer funds only to banks; it does not transfer funds to other MSBs.
As an MSB, BSEL is required to comply not only with the MLR but also with the Payment Services Regulations 2017 (“the PSR”). The PSR is overseen by the FCA, which registered BSEL as an Authorised Payment Institution (“API”). The FCA requires that each director and others responsible for payment services complete a form of notification, so that the FCA can check whether that person is “fit and proper”; the FCA must also be informed if any of those persons change.
The majority of transactions carried out by BSEL are in cash, but the percentage has been declining over time. In March 2020, 96% of senders paid cash to BSEL, and once transferred, 61% were paid out by the receiving bank in cash, with the balance paid into the beneficiary’s bank account. Around the end of 2019, BSEL introduced card readers; this was followed in around February 2020 by a web-based application called REMITnGO to facilitate online card transactions. By October 2020, the percentage of funds being paid in cash by senders had reduced from 96% to 81%, and the percentage of funds paid directly into a beneficiary’s bank account had increased from 39% to 44.5%.
BSEL has some individual customers who transact at its branch office, by telephone, or by using REMITnGO, but around 95% of its customers transact using agents or aggregators. In July 2020, it had 306 agents and 13 aggregators, and in March 2021 there were 272 agents but only one aggregator, for the reasons explained at §272ff below.
In reliance on the figures in the ToF, which were agreed by the Appellants’ Schedule, I find that £417,988,591 was transmitted through BSEL’s agents in the period from 1 September 2018 to 31 August 2020, of which 81% was remitted to Bangladesh and 18% to Pakistan, and the remaining 1% to other jurisdictions. In the same period, £505,876,637 was transmitted through BSEL by its aggregators, of which 88% was to Pakistan and the remaining 12% to Bangladesh. The total was therefore £923,865,228.
Agents
Agents are recruited in accordance with a defined policy, which includes requiring the agent to be on the Financial Services Register, see §462. Agents have their own customers, and process transactions through BSEL’s Remit ERP System (see §214). The overwhelming majority of agents operate as small companies, and their directors and employees are almost all from the Bangladeshi or Pakistani communities, as is also the case with the minority of agents which operate as sole traders or partnerships. Like their customers, agents transferred funds overseas to friends and family.
Aggregators
All aggregators are registered with HMRC as MSBs in their own right, not as agents of BSEL. They are also APIs or Small Payment Institutions (“SPI”), so are also registered with the FCA. Each aggregator had entered into an agreement with BSEL for the provision of cross border payment services. The aggregators transfer the money from their customers to BSEL, which acts as an Intermediary Payment Service Provider (“IPSP”), transferring the money to its destination in Pakistan or Bangladesh via its account with Barclays.
Aggregators conduct their own risk assessments of their individual customers as they are required to do by HMRC, and BSEL will not accept an MSB as an aggregator unless it has first approved its risk assessment methodology.
BSEL has a formal “Aggregator Policy” document, which was initiated in October 2017 and has been regularly updated in response to changes to regulations and guidance. It was explicitly drafted with reference to guidance provided by the Financial Action Task Force (“FATF”), the global money laundering and terrorist financing watchdog. There is more about this policy at §570.
Setting up customers and monitoring transactions
BSEL is not authorised to open accounts for customers in the way (for example) a bank would. Instead, BSEL registers customers on the Remit ERP system in accordance with its PCPs. Customers are not given a registration number, account book or other unique identifier, but their details are stored and can be accessed if the customer makes a repeat visit.
BSEL monitors each and every transaction a customer undertakes, regardless of amount or whether the money has been sent via an aggregator or an agent. Part of the transaction monitoring is carried out by BSEL’s automated Remit ERP system and part by manual review of print-outs usually triggered by system alerts/flags.
CDD and EDD
Before BSEL transacts any business, it applies Customer Due Diligence (“CDD”). Above certain thresholds, it applies Enhanced Due Diligence (“EDD”). All agents and aggregators are required to apply the same CDD/EDD thresholds.
The thresholds and related requirements.
The CDD/EDD position until January 2020 is set out below. The requirement column is cumulative, so that a person transmitting £2,400 was required to provide proof of ID and proof of address. In all cases, the documents were scanned and uploaded into the Remit ERP system.
Value | Frequency | Type | Requirement |
< £2,000 | One off or 90 day total | CDD | Proof of ID |
<£2,500 | One off or 90 day total | CDD | + proof of address |
> £2,499 | One off or 1 day total | CDD | + declaration of purpose and source of funds, valid for single transaction |
£5,000+ | One off or 1 day total | EDD | + proof of source of funds + electronic transfer from sender’s personal bank account |
£8,500 + | 30 day total | ||
£10,000 + | 6 month total | ||
£12,500 | 1 year total |
As can be seen from the above table, a key difference between CDD and EDD was that EDD required the sender to prove the source of the funds being transferred. BSEL accepted the following documents for that purpose: the customer’s bank statement showing that the money to be transferred had been in his account at least two clear days before the transaction date; a payslip issued within the last 60 days; an employment contract or a letter from the employer; a loan confirmation letter/agreement dated within the last 30 days; property mortgage/sale documents also dated within the last 30 days; a tax return or P60; proof of the receipt of state benefits or a letter from the customer’s accountant.
BSEL’s compliance framework
BSEL operates a three-tier compliance model, which is structured as follows:
Operations: responsible for day-to-day implementation of compliance policies and made up of those who conduct operational functions, such as relationship managers, cashiers and agents.
Compliance: responsible for ongoing monitoring of compliance policies and for examining the implementation of risk assessments via BSEL’s PCPs. Officers in the Compliance Department receive annual AML/CTF training, plus additional training in specific areas such as SARs.
Risk, Audit and Internal Control (“RAIC”): From May 2019 the RAIC was headed by Mr Kirby; when he became the MLRO later that year the role passed to Dr Naheem until August 2020; Mr Hashmi took over in September 2020. The RAIC operated as follows:
It was independent of the management structure in order to provide an independent and objective assessment of BSEL’s risk management position to the Board and senior management.
It did not take part in any operational processes or sign off any PCPs.
It undertook internal auditing and risk management and oversaw the compliance officers. This included transaction monitoring, review/audit of agent and aggregator files, running the agent site visit programme; monitoring training activities and AML/CTF risk management.
Eversheds reported in May 2019 that internal audit had “a documented and organised work programme” and added that from “interviews with other compliance analysts, it was clear that the internal audit function plays an important role, as their work is continually reviewed and monitored”.
RAIC produced a monthly report which was shared with the RAC, the Board, and the heads of each department. Issues identified by the RAIC were incorporated in a “tracker”, with each issue having a target delivery date for implementation which was kept up to date.
BSEL also had two AML specialists who had passed the Certified Anti-Money Laundering Specialist exams and so held ACAMS certification. BSEL’s annual accounts show that it spent £388,447 on compliance in 2019 and £538,497 in 2020; this was 10% and 12% respectively of the company’s total operating costs. In both years, eighteen BSEL employees were engaged in compliance activities; this was 20% of the total workforce in 2019 and 22% in 2020.
The Nominated Officer, the MLRO and the Risk and Audit Committee
The Nominated Officer/MLRO and the Risk and Audit Committee (“RAC”) both played key roles in BSEL’s approach to AML/CTF
The Nominated Officer/MLRO
Reg 21 of the MLR requires a firm within its scope to appoint a “Nominated Officer” with statutory responsibility for filing SARs. At BSEL, the Nominated Officer was also the MLRO. BSEL’s MLROs operated in a manner which met the description of the role given by the FCA:
“The job of the MLRO is to act as the focal point within the relevant firm for the oversight of all activity relating to anti-money laundering. He needs to be senior, to be free to act on his own authority and to be informed of any relevant knowledge or suspicion in the relevant firm. In turn he has to pass on issues to NCIS as he thinks appropriate.”
The RAC
The purpose of the RAC was as follows:
“to provide assurance on the adequacy and effectiveness of the company’s
system of internal controls…RAC is responsible for understanding BSEL’s major risk areas and ensuring that appropriate internal controls are in place to manage the risk exposures. Additionally, the RAC is responsible for the monitoring of control process and the adequacy of the system of internal control and compliance framework by reviewing internal and external audit reports.”
The RAC had a direct reporting line to the Board and it was chaired by Mr Garcia. It considered the whole range of risk and regulatory requirements to which BSEL was subject, including regulatory reporting, SARs, agents and aggregators, IT requirements and improvements, anti-MLR requirements and compliance; risk assessments and new initiatives.
It held its first meeting on 7 February 2018; it was attended by Mr Ahmad, Mr Olayinka, who at that time was the MLRO; Mr Brian Strathie, who had previously been the MLRO, and Mr Omar Siddiqui, the audit, ethics and training partner for the firm of Reddy Siddiqui LLP, a firm of Chartered Accountants in London; he sat on the RAC as an independent member.
The RAC’s second meeting took place on 21 November 2018, with Mr Salam observing. The attendees were the same (other than Mr Strathie); new members were Mr Furnival and Mr Morris, the Senior Compliance Officer, and Mr Graeme Ashley-Fenn, an additional independent member. Mr Ashley-Fenn had over 36 years of experience in financial regulation: he previously had a lead role at the FSA/FCA; he was a board member of both Lloyds Bank and NatWest Bank and a senior partner at Alvarez & Marsal, where he had established a regulatory consultancy business.
Following a recommendation from Exiger, it was decided that the RAC should hold three meetings a year. In fact, there were four meetings in 2019 and two in 2020, none of these were attended by Mr Ahmad. The third meeting took place on 9 April 2019; it was additionally attended by Mr Richard Atkin, a director of Exiger.
Mr Atkin stepped down before the July 2019 meeting, and a third independent member, Mr Trevor Barrett, was added. He had more than 25 years experience as a senior executive in governance and risk management, including being head of strategic risk for Lloyds Bank and Chief Risk Officer for the Charities Aid Foundation Bank; he also chairs the Risk Committee of a UK building society.
The PCPs
BSEL has had documented compliance PCPs since at least 2012; these have been regularly updated for changes to law, regulations, guidance, BSEL’s own risk management experience and a range of other factors. The PCPs issued in February 2018 run to 78 detailed pages of closely typed text. They include the definitions of CDD and EDD, and set out the thresholds for the application of each. They were revised and reissued in April 2019, May 2019 and October 2020. I return to the PCPs later in this judgment.
Remit ERP
BSEL uses Remit ERP, a web based remittance application, as both its payments system and its transaction monitoring system. Remit ERP checks every transaction to ensure that customer ID and validation requirements are satisfied; it also checks the CDD/EDD thresholds and requirements. The system also has other inbuilt transaction validation triggers which are continually reviewed and updated; these check transactions for other risks. The screening process carried out by Remit ERP can result in a transaction receiving the following characterisation:
No screening hit: the transaction has not triggered any of the compliance rules and therefore does not require review.
A soft hit: the transaction has triggered at least one of the transaction monitoring rules, and requires investigation by the transaction monitoring team. The transaction will be processed, but could be investigated after the transaction is fully completed.
A hard hit: the transaction has triggered at least one of the compliance rules which require immediate review by compliance team; these transactions cannot be processed. They are instead sent to the Security Queue for manual review by a compliance officer. That officer can escalate the case to a senior compliance officer, who in turn can refer it for review by the MLRO. Any one-off transaction above £15,000 is always subject to review by the MLRO. The Security Queue log is retained for review by internal or external auditors, and is also subject to random quality control checks by the RAIC.
The compliance staff not only review the transactions identified by the Remit ERP system as set out above, but also carry out pre-transaction checks; review samples of released transactions and report on any relevant findings to the MLRO, and they randomly check sample transactions which have been released, and report on any exceptions.
MLP Dashboard
In 2017, BSEL implemented eleven Money Laundering Prevention Dashboards (“MLP Dashboards”); these were automated in November 2018. They provide a real time picture of BSEL’s transactions by comparing them with those for the previous month, and for the year to date, and are reviewed by the transaction monitoring team on a daily basis. They have a drill down capability that allows compliance officers to select transactions for checking, and are also used by senior compliance officers to identify trends and abnormalities.
Sanctions and derisking
BSEL has a range of sanctions and other actions which it exercises if an agent, aggregator or customer was identified as having attempted to bypass the money laundering requirements. These include:
removal from the agent/aggregator network, known as “off-boarding”;
submitting a SAR; and/or
blacklisting the customer.
For example, the December 2019 RAIC report noted that:
“An agent for [named aggregator] attempted to fraudulently bypass our controlling measures by employing multiple IDs in an attempt to remit to a large number of beneficiaries. This matter is being investigated by the Compliance department, which will provide further information at an appropriate stage. The fraud attempt was averted, which did NOT allow
the funds to leave the country. Subsequently, the aggregator [name] has offboarded the agent.”
The external reviews and the EWRAs
In the three year period before the Cancellation Decision, BSEL engaged Exiger and Eversheds to carry out MLR related reviews and audits, and the business was additionally audited by JW Risk. All these firms visited the premises, held face-to-face discussions with key personnel, carried out random samples of the files and interrogated the Remit ERP system in order to assess BSEL’s compliance.
The first Exiger report
Exiger is a global specialist firm specialising in risk and compliance, particularly in the context of financial crime. In July 2018, BSEL engaged Exiger to perform an independent review of its AML/CTF compliance program and its governance framework. Exiger described the methodology it used as follows
“The Exiger team developed a test plan to support the assessment of BSEL’s AML and sanctions Compliance Program and governance framework against industry standards, regulatory expectations and internationally accepted good practices for AML and sanctions risk management. The review considered both local market regulatory requirements and, where applicable, the following industry standards which specifically target AML and sanctions risk management for money service businesses:
• HMRC – Anti-Money Laundering Supervision: Money Service Businesses
• FATF Guidance on the Risk-Based Approach for Money Services Businesses.”
Exiger tested twenty-four different areas of BSEL’s compliance, by reviewing processes and documents, by interviewing staff and by sampling. The sampling covered CDD profiles for customers and agents; SARs and transaction monitoring alerts. Exiger recorded that “Throughout the course of the review, we noted management’s desire to respond immediately to issues identified by Exiger”. In relation to the PCPs the report said:
“Overall, BSEL maintains adequate CDD procedures that align with UK regulatory requirements and facilitate the identification of all customers and agents at the time of entering into a business relationship or undertaking an occasional transaction. The ‘Comprehensive Policies and Procedures to Mitigate Compliance and Operational Risks’ document (“Comprehensive P&Ps”) provides clear guidance on the CDD requirements for both standard and enhanced due diligence of customers…Every transaction is risk rated according to the CDD thresholds outlined in the Comprehensive P&Ps. The CDD thresholds are clearly defined, and the documentation required for each category (Low, Medium and High) is commensurate with the level of risk associated with that particular transaction…
BSEL has appropriate EDD requirements for high risk transactions that ensure that additional work is done to verify the identity of the customer and scrutinise the nature of the transaction. In addition, all transactions are screened for the involvement of PEPs (sender and beneficiary) by Remit ERP, BSEL’s core transaction processing system, and EDD measures are applied accordingly where there is a positive hit.”
Exiger specifically recorded and approved both the categorisation of transactions below £2,000 as “low risk”, as well as the CDD checks BSEL carried out on those transactions.
Exiger also recommended that BSEL use its Remit ERP system to track MLTF risks in a “more considered and focused way”. BSEL accepted the recommendation and appointed Exiger to design and implement new Management Information Dashboards (“MI Dashboards”). Exiger gave BSEL an expected delivery date of December 2018, but did not complete the project until November 2019. Ms Toman submitted that this delay showed BSEL’s lack of commitment to dealing with MLTF. The Appellants robustly rejected this and I agree: there is no evidence that BSEL was responsible for the delay and no adverse inference can be drawn. Instead, Exiger had contracted to deliver the project in December 2018, but did not meet that date.
The MI Dashboards contain 32 dashboards under the following categories:
Remittance information.
Escalations.
Agent Escalations.
Employee Training.
Agent Oversight.
Transaction Monitoring, including by destination, country, distribution channel and over time.
Ms Toman submitted that BSEL did not have an adequate management information system until the introduction of the MI Dashboards, but I disagree. It is instead clear from the evidence that the Remit ERP system previously provided BSEL with the same information; the role of the Dashboards was to pull the information together so it was all in one place.
The Exiger Risk Assessment Methodology Report
Following the introduction of the EU’s Fourth AML Directive (“4MLD” or “4AMLD”)) in 2015, and its transposition into UK law by the MLR in December 2018, BSEL appointed Exiger to provide a Risk Assessment Methodology Report in relation to AML/CTF. This was issued on 12 December 2018, and it begins by saying:
“The EU’s Fourth Anti-Money Laundering Directive (4AMLD) was introduced on June 25th 2015 and introduced an explicit legislative requirement to perform an AML/CTF risk assessment. 4AMLD was
transposed into UK law by the Money Laundering Regulations 2017 s.18, which requires firms to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject. Such risk assessments must also be in writing and kept up to date.The main purpose of an Enterprise-Wide Risk Assessment (EWRA) is to drive improvements in risk management by identifying the financial crime risks faced by BSEL. This is completed by determining how these risks are mitigated by controls; establishing the residual risk that remains; and defining the further actions that are required to mitigate unacceptable risk exposures.
The risk assessment process detailed below has been tailored to fit the BSEL’s specific business model and FCC risk exposure, specifically acknowledging the high-risk nature of remitting cross border transactions to beneficiaries situated in high-risk jurisdictions.
From an inherent risk perspective, BSEL’s FCC risk assessment process and scoring methodology are focused on developing a granular understanding of specific areas of risk exposure within the customer base, as well as developing understanding of the geographical risks and product / service risks posed by the financial activities/transactions of this customer base.”
Exiger designed a risk methodology approach for BSEL which had the following separate stages:
Identification of risks specific to BSEL’s operating model.
Assessment of inherent risk, including:
customer risk;
product and delivery risk;
distribution channel (agent) risk;
geography (trading or transacting).
Assessment of BSEL’s mitigating controls.
Assessment of residual risk.
Under the heading “inherent risk”, Exiger said “All risks identified are initially assessed on an inherent risk basis. Inherent risk is the level of risk that presents when controls are not factored into the assessment”.
The methodology classified inherent risks as low, medium, or high; these were determined according to the methodology set out in the table, and then takes into account BSEL’s controls. In relation to “customers”, Exiger said that the inherent risk level was “low” where:
“Over the last 12 months, less than 5% of customer transactions were rated
High risk (transaction value over £8500 or cumulative transaction value over a six month period is higher than £8500) and were therefore subject to EDD.”
When assessing BSEL’s risk exposure, Exiger said:
“BSEL’s geographical risk exposure is more significant, as it provides payment services to the following countries: Bangladesh, Pakistan, Sri Lanka, and India. In October 2018, HMT published two statements identifying jurisdictions with strategic deficiencies in their AML/CTF regimes. These countries included both Pakistan and Sri Lanka, so both countries are considered as high risk. While Bangladesh is no longer on the FATF AML deficient countries list, it is exposed to significant terrorist financing risk, predominantly from domestic terrorist groups, with a number of attacks occurring in recent years, and is therefore considered as a high-risk country from a CTF perspective. In general to assess country risk BSEL should take into account the HMT Advisory Notice on higher risk jurisdictions, FATF guidance on AML deficient countries, whether the country is sanctioned or is in close proximity to sanctioned countries, and Transparency International’s Corruption Perception Index (CPI).
For distribution risk, BSEL operates a large agent network that requires significant oversight through CDD, ongoing RM visits and the completion of annual training.
To demonstrate that BSEL faces a higher level of geographic and distribution risk, more weighting has been applied to these risk categories. If the weightings are adjusted at any point in the future, the responsible individual (i.e. MLRO) will provide and document sufficient justification for the amendment, which must be approved by the Risk and Audit Committee.”
In relation to the final two stages, Exiger said:
“Where control assessment reviews indicate that the controls are operating effectively and do not identify any findings, the residual risk rating should be lower than the inherent risk rating. Where reviews identify substantive findings on specific controls, and the findings remain open any reduction to the residual risk rating due to those controls are not applicable.”
Control effectiveness was measured as follows:
Element | Weight | Description |
Governance, Resources and Organisation | 10% | A strong, Board- and Senior Management-supported AML governance framework, with clearly-defined roles/responsibilities |
Internal Audit/ Independent Testing | 10% | Regular, independent testing of BSEL’s control environment |
CDD- Retail Customers | 15% | CDD to control the types of clients it will accept; determines the level of risk attributed to each transaction |
CDD- Agents | 20% | CDD processes and ongoing monitoring of agent relationships to mitigate the AML risks posed by its agent network. |
SAR | 5% | Internal controls and business processes that allow for the appropriate identification, escalation, investigation and reporting of unusual and potentially suspicious customer activity. |
FCC training | 10% | Appropriate and ongoing staff training for experienced professional staff, particularly with respect to training for critical control processes such as client onboarding and transaction monitoring alert investigations |
Transaction Monitoring | 10% | Effective systems that monitor financial activities for unusual and potentially suspicious activity |
Risk Assessment | 5% | Periodic assessments of AML/sanctions risk exposure against risk control framework and its relative effectiveness, to determine whether controls are mitigating risk exposure effectively. |
Sanctions Screening | 15% | Effective systems that screen all transactions for involvement of sanctioned individuals or countries. |
The matrix also set out what criteria were to be applied in order to score each of the above as “strong”, “effective”, “needs improvement” or “deficient”. The “residual risk scoring matrix” was set out as follows:
Control Effectiveness | |||||
Strong | Effective | Needs Improvement | Deficient | ||
Inherent Risk | Low | Low | Low | Medium | Medium-High |
Medium | Low | Medium | Medium-High | High | |
High | Medium | Medium | High | High |
The Exiger Follow-up Report
After further meetings and visits to BSEL’s premises, Exiger issued a “Financial Crime Compliance Follow-up Review” on 22 November 2018. This review did not recommend any change to the CDD or EDD thresholds, but highlighted the many improvements which had been made to the Remit ERP system, adding:
“These system enhancements demonstrate BSEL’s commitment to investment in their technology and continued refinement of their financial crime compliance framework. As evidenced in the Business Requirements document 2017, BSEL have been proactive in analysing their systems and controls requirements to identify enhancements and new functionality such as the risk matrix that has delivered additional automation, which has increased the effectiveness and sustainability of the financial crime controls within their core processing platform.”
The report also noted that Reg 18 of the MLR separated out a fifth risk element to their risk assessment matrix, namely transactions, but did not recommend a change to the matrix, instead saying with approval:
“In the last five months, BSEL has continued to develop its Risk
Assessment Matrix by classifying the risk of various transaction scenarios and
configuring these scenarios to trigger alerts in the Remit ERP system...The current iteration of the Risk Assessment Matrix contains specific details on how the scenarios are configured, and what controls are in place to mitigate high risk scenarios and alerts.”
Decision to appoint Eversheds as auditor
In March 2019 BSEL appointed Eversheds as its AML/CTF auditor. In initial discussions with BSEL, Eversheds recommended that the fifth risk factor identified in Reg 18 of the MLR, namely transactions, should be explicitly separated out in the risk matrix, and BSEL adopted that approach.
The April 2019 EWRA
In accordance with the methodology in the Exiger model, but with the addition of “transactions” as a separate category, BSEL carried out an AML/CTF EWRA. It was issued in April 2019 and covered the year to March 2019; it opened by setting out Reg 18 and adding that it “requires all UK businesses and other regulated firms to assess their money laundering/terrorist financing risks and determine how they will be managed”. That was followed by a summary of BSEL’s risk-based strategy, as follows:
Assessing BSEL’s vulnerabilities to money laundering and terrorist financing.
Assessing the risk that is posed by the business's products and services, including their characteristics, the way they are delivered and how they are used.
Assessing what risk is posed by the business's customers, including the means by which the customer is acquired, who the business's customers are, where they are located, their organisational structure, where applicable and what they do.
Designing and implementing controls and procedures to manage and mitigate the money laundering and terrorist financing risks that have been determined, paying particular attention to the factors that have been assessed as presenting higher levels of risk.
Applying increased levels of customer due diligence and monitoring to reflect increasing levels of risk
Monitoring a customer's instructions, transactions and activity in their accounts against known and expected behaviour and characteristics.
Monitoring transactions against HMT Consolidated Financial Sanctions List, OFAC and EU Sanctions lists.
Recording the results of the risk assessment and the controls that have been put in place.
Regularly monitoring and reviewing the business's risks and keeping this information relevant and up to date.
The EWRA used the Exiger framework to divide inherent risk into customer type; product and delivery risk; distribution risk and geographic risk, and it additionally separated out the transaction type as a separate category, as recommended by Eversheds. It then identified “the inherent risk score” for each of the risk elements; the controls which BSEL exercised, and the residual risk after those controls had been applied.
The “assumptions underlying scoring methodologies” were then set out:
“The scoring methodologies underlying BSEL’s FCC risk assessment process reflect that it is exposed to its highest levels of inherent AML risk through its agent network and the jurisdictions to which it remits funds (Bangladesh, Pakistan, Sri Lanka and Nepal).
For the inherent risk categories, additional weighting has therefore been applied to Distribution Risk and Geographic Risk. These risks need to be managed through a rigorous client due diligence process (especially for agents), and robust transaction monitoring systems and investigations processes. For control effectiveness, additional weighting has been applied to the controls required to mitigate the distribution and geographic risks posed by BSEL’s business operations (CDD for agents, CDD for retail customers, transaction monitoring and sanctions screening). These underlying assumptions will need to be reassessed as part of the planning process for the next iteration of the FCC risk assessment process, when BSEL’s business activities during the intervening period can be analysed to determine whether revisions to this methodology are required”
BSEL then assessed each risk category for the last twelve months as follows:
Customers: low because less than 5% of customer transactions were rated “high risk” and subject to EDD.
Geography: high because more than 30% of transactions were to Bangladesh, Pakistan and Sri Lanka, all of which were high risk.
Transaction type: medium risk taking into account payment method, cumulative transactions, collection method and both the countries from which the transactions were initiated and the destination countries.
Products/services: high because BSEL’s only product is cross-border money remittance, which is high risk.
Distribution: medium. This category was contingent on the risk rating of the agents. The risk scoring allocated a “low” risk where less than 5% of agents were risk-rated as ‘high’ in Remit ERP; “medium” where between 5-10% were risk-rated as high, and “high” where more than 10% of agents were risk-rated as high.
The EWRA contained further detail about each of these risk assessments. In relation to customers, it took into account the following:
Agents: every new agent is automatically considered high risk for the first six months of operations. During this time BSEL conducts compulsory EDD, after which the agent may be reclassified as either medium or low risk, based on the prevailing risk assessment.
Aggregators: BSEL automatically considers aggregators as presenting a higher risk as aggregators may have a network of agents conducting business on BSEL’s behalf and BSEL does not have full visibility of the due diligence performed on these agents. BSEL performs enhanced due diligence on all its aggregators, including AML/CTF compliance.
Retail Customers: most of BSEL’s retail customers are from the non-resident Bangladeshi community in the UK and other countries. Over the assessment period, approximately 98% were rated as low risk (transaction value less than £8,500) and were therefore subject to CDD, and approximately 2% of customer transactions were rated high risk (transaction value over £8,500) and were therefore subject to EDD.
In relation to transactions, the risk assessment weighed the following factors:
the payment method (cash, bank transfer, on-line transfer and card payment); as 96% were under the EDD threshold with an average of £516, this was classified as low risk;
cumulative transfers, taking into account that there had been only1,526 examples of the EDD threshold being exceeded using the cumulation rules within the CDD/EDD thresholds; all other cases were under the EDD threshold, and this factor was therefore also categorised as low risk;
the collection method, taking into account that 34% were transferred to the beneficiaries’ bank account or by direct credit (low risk) but 67% were collected in cash (high risk), but given that the transaction size averaged £516, the risk was low;
the countries from where the transactions had been initiated, all of which were in the EU and so low risk; and
the countries to which the money was sent, which were high risk.
In relation to distribution, the risk assessment took into account that all retail customers interacted on a face-to-face basis with BSEL either in branches or agencies; in addition, BSEL relationship managers also made regular visits to the agents. The aggregators were classified as not face-to-face. Delivery channel risk was therefore assessed as “medium” because:
98% of BSEL’s customers are face-to-face customers, but
the remaining 2% were aggregators, and they delivered between 40-50% of total transaction volume.
Taking into account the rating for each of the categories, and using the residual risk scoring matrix provided by Exiger, BSEL rated its overall risk assessment as “medium”. This was calculated by giving customers and products each a 15% rating; distribution and geography each a 25% rating, and transaction type a 20% rating. The higher weighting given to distribution and geography reflects the recommendations in the Exiger report.
BSEL also assessed the mitigating controls using the framework in the Exiger report, and the overall score was “effective”. BSEL concluded the EWRA by saying:
“Given the control framework in place, BSEL has assessed its residual risk of facilitating money laundering and CTF as MEDIUM.
This is based on the overall inherent risk posed by its customer type, jurisdiction, transaction type, products and services and delivery channel risks having been assessed as MEDIUM and the effectiveness of its control framework having been assessed as averaging 'EFFECTIVE'.”
Eversheds 2019 audit
Having carried out their AML/CTF audit (which included reviewing the EWRA), Eversheds issued their report on 24 May 2019. They classified their recommendations as follows:
High priority/breach of relevant legislation.
Medium priority/compliance is in progress/arguably compliance with legislation but fails to comply with guidance.
Low priority/no breach but recommended action to reflect best practice.
The executive summary opens by saying:
“This audit focused on BRAC Saajan Exchange Limited’s (‘BSEL’) AML, CTF and sanctions control framework. We conducted a review of relevant policies and procedures in order to assess the effectiveness of the controls which BSEL has implemented to mitigate its risk of money laundering and/or terrorist financing. In order to determine whether BSEL is compliant with its legal and regulatory requirements, we conducted a review of relevant policies, procedures and systems against legal requirements set out in the legislation and guidance, detailed at page 8 of this report.
In our opinion, BSEL has sufficient controls in place to ensure that it complies with legal requirements imposed upon it from an AML/CTF and sanctions perspective. We are of the opinion that BSEL is complying with its legal and regulatory obligations pursuant to the MLR 2017 and the majority of the recommendations made in this report are generally to reflect best practice. We identified four recommendations of medium priority, and in our opinion these recommendations should be implementable by BSEL within a relatively short timeframe.”
As is clear from the above summary, Eversheds identified no high priority issues and no breaches of the MLR. The four medium priority issues related to recording NCA acknowledgments of SARs, and to training. Of the “low priority” issues, one was “consider reclassifying transaction risk in the EWRA”. The related text in the main body of the report reads:
“In accordance with Regulation 18 MLR 2017, the EWRA addresses customer, geographical, product, delivery channel and transaction risks. Risk areas have been identified for each risk type and a scoring methodology is clearly illustrated in respect of inherent risk, control effectiveness and the overall residual risk. The EWRA also details other risks which the business faces to include (but not limited to) fraud, regulatory risk, business disruption,
data security, IT security, currency risk, market risk, liquidity risk and reputation risk.Upon considering the EWRA, we would recommend re-classifying transaction risk given that the majority of transactions are conducted in cash and this presents a higher risk of money laundering, irrespective of the average transaction amount.”
Eversheds also concluded that “the CDD and EDD thresholds are appropriate and in compliance with BSEL’s legal and regulatory obligations”.
Mr Kirby and 5MLD
As noted above, Mr Kirby joined BSEL shortly before May 2019 as Head of RAIC, but by November 2019 he had replaced Mr Olayinka as the Nominated Officer and MLRO. There is no suggestion in any of the external reports from Exiger or Eversheds that Mr Kirby did not have the training or experience to undertake that role, and neither party suggested this was the position. I therefore make the inference that Mr Kirby had the training and experience required to fill the role.
In his role as Nominated Officer and MLRO, Mr Kirby’s responsibilities included providing reactive and proactive advice to business areas on all aspects of AML; ensuring that the AML/CTF PCPs were up to date at all times, and providing “effective strategic and operational oversight and management of the compliance, Financial Crime Control and Data Protection functions across the company”.
The Fifth Anti-Money Laundering Directive (“5MLD”) was implemented in the UK with effect from 10 January 2020 by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019, which introduced various amendments to the MLR. The “update” page for BSEL’s detailed PCP document records that Mr Kirby updated the company’s PCPs for 5MLD on implementation day, 10 January 2020.
On 22 January 2020, Mr Kirby issued a document entitled “MLRO Approval - CDD and EDD threshold conditions 5th MLD”; it states that “the threshold conditions for high risk third countries - ie Pakistan and Sri Lanka” has “been completed in Jan 2020”. The detailed attachment to that document shows that the threshold at which EDD was required for transactions with Pakistan had been lowered from £5,000 to £2,000 for cash, and to £3,000 for electronic bank transfers; the thresholds applied whether there had been a single transaction or a cumulative total over 30 days. The EDD threshold for Bangladesh had been lowered to £3,000 for cash and £5,000 for bank transfers, whether as a single transaction or a cumulative total. For transactions under those thresholds, customers were subject to CDD, which required proof of identity.
Mr Kirby initialled each page of the document, and above his signature on the final page is the following formal statement under the heading “MLRO Approval”:
“I, David M Kirby acting as the UK MLRO and approved by HMRC as the appointed person under the Money Laundering Regulations 2017 is exercising my authority to act honestly, reasonably and with independent judgment in assessing and determine the risks presented to BSEL.
I have determined that the measures detailed above have been implemented by applying additional elements of due diligence to mitigate the risks in relation to high risk third countries. The measures have been determined as adequate and proportionate to meet the new requirements and obligations, as provided under Part 3: customer due diligence of ‘The Money Laundering and Terrorist Financing (Amendment) Regulations 2019’.”
The other officers and employees of the company relied on Mr Kirby’s review and on his conclusions. In particular, none of the Individual Appellants had detailed knowledge of 5MLD. BSEL’s new CDD and EDD levels were also broadly comparable with those of other MSBs.
The pandemic
The coronavirus pandemic began in early 2020 and formed the backdrop to the rest of the events with which this case is concerned. The pandemic and the associated lockdowns had a significant effect on BSEL: Mr Garcia said it affected “everything” and Mr Furnival said it had been “a struggle organising staff” following the introduction of a work-from-home policy and furlough. Despite the pandemic, BSEL continued to conduct its transaction monitoring and other controls, although it had to delay some onsite agent visits.
The April 2020 EWRA
A further EWRA was carried out in April 2020. In it, BSEL noted the implementation of 5MLD, and recorded that it included a “black list” of high risk third countries, which included Pakistan. Although Bangladesh was not so classified, BSEL continued to treat it as a high risk jurisdiction. The EWRA also noted that BSEL had reduced the threshold for EDD; this followed from Mr Kirby’s changes. The risk assessment for each category remained the same as the previous year, as did the overall assessment as being “medium”.
Contact with other regulators, and with HMRC before August 2020
From the date the business began operations in 2004 until the events with which this appeal is concerned, BSEL maintained a clean record with all regulators, never receiving any adverse notifications, penalties or sanctions. Between 2004 and 2018, four HMRC AML Supervision Officers visited BSEL’s premises, many of them on more than one occasion; during those visits the Officers discussed BSEL’s PCPs with the directors and staff; reviewed files and documents and interrogated the Remit ERP system. None identified any issues in relation to the operation of BSEL’s PCPs; the Remit ERP system or indeed in any other respect.
On 20 December 2018, Officer Stuart Marlor informed BSEL that he would be visiting its premises on 10 January 2019 to check BSEL’s MLR compliance. On that day, he spent five and a half hours on the premises, meeting Mr Garcia and Mr Olayinka, the MLRO.
After Mr Marlor’s visit there was regular communication between him and BSEL’s MLRO until September 2019. BSEL provided Mr Marlor with over thirty types of data and information, including monthly summaries of agent transactions for 2018; aggregator transactional data; risk assessments and BSEL’s PCPs dated October 2018. After September 2019, BSEL heard nothing more from HMRC for nearly a year. BSEL was later informed that Mr Marlor had passed away in the summer of 2020.
Dr Naheem and Mr Kirby leave BSEL
In August 2020, Dr Naheem was dismissed after a lengthy investigatory meeting with Mr Furnival. I make no finding as to whether his dismissal was justified.
Mr Kirby left the company unexpectedly but voluntarily in early August 2020. He retained his company laptop and used it to access BSEL’s network and attempted to delete a large volume of data. Although BSEL recovered that data, it was unable to access other files which had been stored on Mr Kirby’s hard drive. Mr Furnival was asked to notify the FCA and the Information Commissioner’s Office of Mr Kirby’s activity, and did so. Mr Salam also asked Mr Furnival to persuade Mr Kirby to return his laptop.
Subsequently, Dr Naheem and Mr Kirby submitted reports to the FCA. The Tribunal was not provided with any information as to the contents of these reports or whether they were shared with HMRC.
In August 2020, Ms Chapman was “allocated” to BSEL. At least some of the Individual Appellants considered that there was a link between the departure of Mr Kirby and/or Dr Naheem, and the approach taken by Ms Chapman to her review of BSEL. During the hearing of these appeals, a series of exchanges took place between Mr Lakha and Ms Toman about whether or not there had been contact between HMRC and Mr Kirby. After taking instructions, Ms Toman said:
there had been no contact between Ms Chapman and Mr Kirby;
there had been no contact between HMRC and Mr Kirby “in the context of this enquiry”, but
she was unable to confirm or deny whether there had been any contact between HMRC and Mr Kirby “in the context of BSEL”.
On the basis of the evidence before the Tribunal, and taking into account Ms Toman’s statements, I am unable to make any finding of fact as to whether there is a link between (a) HMRC’s subsequent actions in relation to BSEL and the Individual Appellants and (b) Mr Kirby himself and/or the material he had filed with the FCA.
Ms Chapman begins her review
Ms Chapman decided not to consider the material which BSEL had previously provided to HMRC at Mr Marlor’s request. She did not see the Remit ERP system in operation; when BSEL offered a demonstration, the offer was declined. BSEL also suggested that Ms Chapman would find it helpful to visit a branch to talk to those operating the Remit ERP system, but that offer too was declined. Ms Chapman also did not read Exiger’s Risk Assessment Methodology Report, the earlier Exiger report or that firm’s Follow-up Review. When Ms Chapman was asked in cross-examination why she hadn’t looked at the Exiger Methodology Report, she said “I can’t answer why I didn’t look at that”. It was common ground that, despite the pandemic, during at least some part of that period it would have been possible for Ms Chapman to visit BSEL’s premises, but she not do so: all contact was by email or conference call until March 2021, when she asked BSEL if they were happy with a video meeting, adding that if not she would “consider gaining authorisation” for a face to face visit. The meeting went ahead by video.
On 9 September 2020, Ms Chapman contacted Ms Dhillon, who was covering the MLRO role given Mr Kirby’s unexpected departure. Ms Chapman sent Ms Dhillon a long and detailed list of information which she required BSEL to provide by 1 October 2020: the list included BSEL’s organisational chart; details of its directors, company secretary and senior management; its Risk Assessments; PCPs for the period September 2018 to September 2020; a list of current aggregators; detailed transactional data for aggregators and agents for the period 1 September 2018 to 31 August 2020, and data about BSEL’s agents. Ms Dhillon complied. In October Ms Chapman requested more information about agents and aggregators, and this was also provided.
The fit and proper test
Reg 57(4) of the MLR required BSEL to notify HMRC within 30 days if it appointed certain “responsible persons”, so HMRC could check whether they met the “fit and proper” (“F&P”) requirements in Reg 58.
On 24 September 2020 Ms Chapman contacted Ms Dhillon to say that four such individuals “had not been notified to HMRC” for the purpose of F&P testing, namely Mr Garcia, Mr Ahmad, Mr Furnival and Ms Dhillon herself. Ms Chapman subsequently acknowledged that Mr Ahmad had in fact been notified to HMRC many years previously and that his F&P status had been accepted. I make further findings about the other three individuals at §345.
Ms Dhillon provided Ms Chapman with the relevant notification forms on 29 September 2020. On the same date, she also provided forms for Mr Curran, who had been appointed as MLRO on 28 September 2020, and for Mr Hashmi, who had been appointed as head of RAIC on 1 September 2020 after Dr Naheem’s departure Both of these latter notifications were made within 30 days. HMRC subsequently confirmed that all these individuals were “fit and proper” persons.
On 12 October 2020, Ms Chapman emailed Ms Dhillon, saying “I notice from Companies House that there is an additional director for whom an MLR101 has not been submitted, Selim Raza Farhad Hussein”. By return Ms Dhillon send Ms Chapman the MLR101 which Mr Hussein had previously submitted, and on 13 October 2020, Ms Chapman confirmed the form was valid. BSEL had therefore not failed to comply with Reg 57(4) in relation to Mr Hussein.
The closure of the Barclays account, and the aggregators
In early October 2020, Barclays terminated BSEL’s UK bank account; BSEL endeavoured to find out the cause of this, but Barclays would not provide its reasons. As a result BSEL had no viable facility to act as IPSP for cash aggregators.
As a result. on 12 October 2020 BSEL terminated its arrangements with all aggregators other than Visa. As a result, its business reduced by 55%. In November 2020, BSEL established an aggregator relationship with MoneyGram. All the transfers from Visa and MoneyGram were to beneficiaries’ bank accounts; no money was paid out by banks in Pakistan or Bangladesh to beneficiaries over the counter.
The Suspension Decision
On 22 October 2020, Ms Chapman issued a letter suspending BSEL’s registration for a period of up to 45 days (“the Suspension Decision”), on the basis that there had been a “consistent failure” to comply with the following regulations:
Reg 57(4), on the basis that BSEL had not notified HMRC within the statutory 30 day period that Mr Garcia, Mr Ahmad; Mr Furnival and Ms Dhillon had been appointed as responsible persons; she added that although BSEL had notified Mr Curran and Mr Hashmi within 30 days, this was “only after being prompted in an email from HMRC”; and
Reg 19(1)(a) by reference to Reg 33(1)(a), because since “at least” February 2018 BSEL’s PCPs had failed to treat all transactions with a high risk jurisdiction (“HRJ”) as requiring EDD. She stated that BSEL had recognised that both Pakistan and Bangladesh were HRJs, and so BSEL should also have recognised that there was no threshold below which cash could be transferred to those countries without EDD, and should have incorporated that zero threshold in its PCPs. Instead, BSEL required EDD for cash transfers of £2,000 to Pakistan; the EDD threshold for Bangladesh was £3,000.
BSEL responded the same day, informing Ms Chapman that they had reduced the EDD threshold to £1,000 for a single transaction to either Pakistan or Bangladesh. They had also strengthened their CDD for new customers: on registering the government-issued ID document would be scanned into the Remit ERP system and no subsequent transactions would be approved unless the sender produced the same ID document as that held on the system,
On 23 October 2020, Ms Chapman told Ms Dhillon the proposed changes were insufficient, and that “EDD needs to have a threshold of zero due to the fact that the jurisdictions that the customers have been transmitting to have been identified as high risk”. Ms Chapman had a further conversation on the same day with Mr Salam and Mr Furnival, in which she said that “EDD requires going further than just verifying the customer it needs to look at the purpose of the transaction and the source of funds”. Mr Salam and Mr Furnival said that other MSBs did not operate a zero threshold; Ms Chapman reiterated that it was a requirement and said “she couldn’t comment on other MSBs”.
In her witness statement, Ms Chapman said that as a result of that conversation she “was concerned that BSEL was reluctant to comply with its obligations in respect of the Regulations and that it’s overriding concern was its competitors and market position”. That witness statement prompted Mr Salam to file a further statement, because the call had been recorded. The transcript shows that Mr Furnival said:
“[BSEL] is very keen to be super compliant, but we are also concerned that where we are in the market we are on an equal playing field with our competitors if you like. So there's a there's a level playing field in terms of the way the regulations are applied in the way they are interpreted etcetera.”
Thus, Mr Furnival did not say BSEL was reluctant to comply with its regulatory obligations, or that it needed to consider business needs “alongside” the regulatory requirements, but instead that BSEL was keen to be compliant, but needed HMRC to apply the same approach to the competition. Evidence provided for the hearing showed BSEL was correct: at least two other well-known MSBs operated a £2,000 EDD threshold for Pakistan: that Mr Salam and Mr Furnival were right to be worried can be seen by the effect on BSEL’s business after the zero threshold was implemented, see §305 below.
On 27 October 2020, Ms Dhillon and Mr Curran held a telephone conversation with another HMRC officer, Ms Zoe Kenning. They discussed whether a zero threshold was required; the note of that call shows that Ms Kenning replied as follows:
“ZK said EDD should be applied to remittances to high-risk jurisdictions (HRJs) and should go above and beyond normal customer due diligence (CDD). For example, verifying source of funds (SOF) in a high-risk situation. ZK continued and said it does not necessarily mean SOF must be applied
on every transaction. ZK said it does mean you have to go beyond the standard
requirements and for EDD to be meaningful source of funds verification is the most relevant. [BSEL] need to consider what else you are going to establish; including, asking for the purpose of the transaction.”
Ms Dhillon and Mr Curran responded by saying that none of their competitors required customers sending small amounts of money to Pakistan/Bangladesh to provide information or documentation about the source of funds. BSEL subsequently provided Ms Chapman with documentation to show that the majority of its customers’ transactions were under £250.
Eversheds 2020 audit
BSEL instructed Eversheds to carry out a further audit. It is clear from the documents reviewed that this took place before BSEL’s next EWRA, even though the EWRA was dated October, and Eversheds issued its report on 5 November 2020.
The purpose of the audit was:
“To examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted to comply with the MLR 2017 (as amended by the) MLR 2019; and make recommendations in relation to those policies, controls and procedures.”
Eversheds’ summary of the position was as follows:
“This audit focused on BRAC Saajan Exchange Limited’s (“BSEL”) AML, CTF and sanctions control framework. We conducted a review of relevant policies and procedures in order to assess the effectiveness of the controls which BSEL has implemented to mitigate its risk of money laundering and/or terrorist financing. In order to determine whether BSEL is compliant with its legal and regulatory requirements, we conducted a review of relevant policies, procedures and systems against legal requirements set out in the legislation and guidance, detailed at page 9 of this report.
With the exception of our one high priority recommendation, we are of the opinion that BSEL is complying with its legal and regulatory obligations pursuant to the MLR 2017 (as amended by MLR 2019) and the majority of the recommendations made in this report are generally to reflect best practice. We identified one recommendation of high priority, which should be dealt with by BSEL on an urgent basis. We identified 3 recommendations of medium priority, and in our opinion these recommendations should be implementable by BSEL within a relatively short timeframe.”
That high priority recommendation was as follows:
“As a matter of priority, BSEL is advised to update its compliance procedures so that EDD is carried out for funds transfers exceeding 1,000 euros to/from
Pakistan in accordance with Regulation 33 MLR 2017 (as amended by Regulation 5 MLR 2019). The EDD carried out must include those requirements specifically set out in regulation 33 MLR 2017 (as amended)”.
As is clear from the above:
this recommendation followed the changes introduced when 5MLD was implemented in the UK by amending the MLR with effect from 10 January 2020. The relevant legislation is set out later in this judgment.
Eversheds did not agree with Ms Chapman that all transactions with Pakistan and Bangladesh required EDD, but only those to Pakistan above €1,000.
In the list of low priority/no breach issues, Eversheds repeated their recommendation that transaction risk be reclassified as “high”. Mr Hashmi explained to Eversheds that BSEL still considered that it was appropriate to take the size of transactions into account, but he nevertheless agreed that BSEL would accept the recommendation.
The October 2020 EWRA
The October EWRA covered the period from January to September 2020; it was triggered by BSEL’s decision to stop doing business with cash-based aggregators. The EWRA also changed the weighting given to Bangladesh, for the following reasons:
“Bangladesh, which previously rated as a high-risk country in the March 2020 enterprise-wide risk assessment, has been downgraded to medium risk. The previous assessment of the country was made on the basis of FATF’s assessment of 2016, when Bangladesh was asked to implement
recommendations for the improvement of its AML regime. Since then, there have been three updates, August 2019 being the most recent one, where Bangladesh has been assessed by FATF as fully compliant / mostly compliant on most of the recommendations (the link below refers). Additionally,
Bangladesh is also not on the European Union list of high risk third countries.”
In the October EWRA, BSEL assessed each risk category as follows:
Customers: medium (previously rated low) because 77% of customers were now rated as “medium risk”, 13% as high risk and 10% as low risk.
Geography: medium (previously high) because more than 78% of transactions were to Bangladesh, with less than 22% sent to the high risk jurisdiction of Pakistan; all outgoing transactions were from agents or individuals based in the UK, or from Visa, the sole remaining aggregator, which was also resident in the UK.
Transaction type: high (previously medium). The key reason for the change was that no weight was given to the fact that most of the transactions were of relatively low value. Although there were factors going the other way (the non-cash element increased to 18.4% of money received, and 44.5% of the funds were now paid into beneficiaries’ bank accounts), those elements were insufficient to allow a medium rating to be maintained.
Products/services: high (unchanged) because BSEL’s only product is cross-border money remittance, which is high risk.
Distribution: medium (unchanged). This category was contingent on the risk rating of the agents, as before.
Taking into account the weighting of the above factors, BSEL’s overall risk rating remained at “medium”. That took into account both the lower rating for transfers to Bangladesh, and the higher ratings for customers and transaction type. The weighting given to each factor was unchanged from that in the earlier EWRAs, namely customers and products 15%; distribution and geography 25%, and transaction type 20%. The control mitigation assessment continued to be “effective”.
The changes notified in early November
On 2 November 2020, Mr Curran emailed Ms Chapman attaching amended PCPs, which included the following changes:
For all transactions:
declaration of type of employment;
declaration of income;
ID and address to be checked using Experian’s ProveID application; and
an enhancement to the Remit ERP system to include fields for occupation and annual income which would allow BSEL to apply cumulative periodic thresholds per customer, based on their income.
For all transactions with Pakistan, strong customer authentication using a one-time password sent to the person’s phone.
For transactions with Pakistan over £1,000, evidence of source of funds and a written declaration of the source of funds.
For transactions with Pakistan over £2,000, a secondary proof of address or ID.
On 5 November 2020, a telephone conference took place between Ms Chapman, Mr Garcia and Mr Curran. Ms Chapman rejected the proposed PCPs as insufficient, and said that (a) proof of address was required for all transactions, and did not constitute EDD, and (b) declarations were insufficient; BSEL must also “verify” the senders’ occupation and income. At §390, I consider whether Ms Chapman was correct that EDD was required.
A few hours after that telephone conversation, Ms Chapman emailed Mr Curran setting out her understanding of the main points discussed. Mr Curran responded the following day, replying to her specific points. I have transcribed the parties’ points verbatim as they form a part of the basis for the Decisions which followed.
Ms Chapman | Mr Curran | |
1 | When considering the risks faced by BSEL please ensure that the volume and size of linked transactions is taken into account as these transactions can pose higher risks than single transactions. | Yes, we are going to enhance the transaction monitoring platform further by including more monitoring criteria, which will include transaction volume, use of multiple agents, common telephone numbers, common names and addresses. It is important to mention that common telephone number identification is already in place Reports from the transaction monitoring platform will be reviewed by the financial crime team daily. The financial crime team has the ability to stop any unusual and suspicious transaction. The enhancements will be rolled out in production as below: Exported reports for the financial crime team for daily review: by Friday, November 13, 2020 |
2 | Agreed that BSEL will consider the various areas of Pakistan and the risks associated with specific areas. Consideration to be given to having lower thresholds for some areas and absolute limits or consider disallowing transactions to areas of extreme risk. | BSEL will implement the following: • Restrict registration of beneficiaries based in extremely high-risk areas identified by the financial crime team, and • Request all partner banks in Pakistan to not to payout to beneficiaries based in extremely high-risk areas identified by the financial crime team The financial Crime team research will include reference to South Asia Terrorism Portal, Mutual Evaluation Report (FATF). |
3 | Customer address must be verified for all customers, not just that the address exists. BSEL indicated that it will use Experian checks to do this. | BSEL will be using Experian’s ProveID API for all existing and new customers with effect from 06/11/2020. For all new customers, if the customer can provide a valid UK photo driving licence, this will be used to confirm the identity and address of the customer. If the customer provides a passport, residence permit card or any other document to prove the identity, then Experian will be used to confirm the address. If Experian is unable to verify the identity or the address of the customer, the agent must obtain documents to confirm the information provided by the customer. BSEL is already using the ProveID solution to confirm the identity and address of customer through its mobile app (REMITnGO) since February 2020. |
4 | Customer occupation and income must be verified at the point of customer registration (and refreshed as and when BSEL deem necessary). | BSEL is going to implement the verification of occupation and income as below: • For any customer sending money to any HRJ [High Risk Jurisdiction] For the above-mentioned, the customers will be asked to provide either: • A recent payslip, • A recent bank statement showing incoming salary/wage from the employer • A letter from the employer confirming the employment • The latest P60 to confirm annual income • Evidence of pension or any other State benefits • A confirmation from accountant or proof of tax submission The documents will be uploaded by the agents for manual review by the financial crime team before any transaction by the customer can be processed. The above will be implemented in production from Tuesday, November 10, 2020. |
5 | Address and occupation/income verification will be carried out on existing as well as new customers. | This is already implemented on November 01, 2020 |
6 | Limits for senders per beneficiary and number of beneficiaries per sender to be communicated to me once these have been decided | The financial crime team, in conjunction with the Management decided to set the limit as below: • Senders per beneficiary: Six • Beneficiaries per sender: Six The above will be implemented in production by Friday, November 13, 2020 |
7 | To enable ongoing monitoring a unique identifier for all beneficiaries must be obtained, consideration to be given to using the identification number in order to avoid false telephone numbers being provided | BSEL has implemented to allocate a unique identifier for beneficiaries and from August 02, 2020 BSEL uses allocates [sic] a unique identifier to identify beneficiaries. |
8 | Controls to be put in place to monitor and prevent linked transactions by way of multiple customers (above what would be deemed normal) living at the same address | BSEL considers that four or more customer[s] living at the same address and sending remittance to the same city/town as linked transactions. Such transactions will be picked up by the transaction monitoring platform, and will be flagged for manual review by the financial crime team. The above will be implemented in production by Friday, November 13, 2020. Additionally the financial crime team has the capability of identifying linked transactions at any level. |
9 | Controls to be put in place to monitor and mitigate the risks of customers using agents remote to their home address | BSEL is going to implement the following control measures: • Customer is using three or more agents over a seven-day period • Beneficiary is receiving from three or more agents over a seven-day period |
On 10 November 2020, revised PCPs were sent to Ms Chapman; these included the above changes. The wording of “customer/beneficiary limits” in the PCPs was identical to that in Box 6 above. Because Bangladesh had been reclassified as “medium-risk”, the new proof of occupation and income requirements applied only to Pakistan, the remaining HRJ.
On 12 November 2020 Mr Curran emailed Ms Chapman, stating that “all promised enhancements to our Remit ERP systems have been completed and are now ‘live’”. What was meant by that statement, and by some of Mr Curran’s responses in the table set out above, was disputed and I return to those points later in this judgment.
The Reinstatement Decision
Ms Chapman lifted the suspension and issued the Reinstatement Decision on 13 November 2020. Her letter said (my emphasis):
“The Business has revised its Risk Assessment (RA) and Policies, Controls and Procedures (PCP). The updated RA and PCP address the specific points detailed within the Suspension Notice and the Business has also provided assurances and evidence that the updated PCP have been fully implemented throughout the Business and its agent network. As such, I am satisfied that the Business is a fit and proper person under Regulation 58(1). As a result, the registration of the Business has been reinstated with effect from 13 November 2020.
This decision is specifically in relation to the Regulations and associated risks detailed in the Suspension Notice of 22 October 2020, it should not be taken as acceptance that the Business is fully compliant with its obligations under the Regulations or that it will be able to demonstrate compliance in the future.
In addition, please be aware that my ongoing review of the Business’s current and historical compliance with the Regulations will continue and this could result in further sanctions, including where appropriate a financial penalty.”
Ms Chapman thus accepted that, by the date of the Reinstatement Decision, BSEL had remedied both of the breaches she had identified, namely the failure to notify HMRC that Mr Garcia, Mr Furnival and Ms Dhillon had been appointed as responsible persons; and the failure to apply EDD to all transactions with high risk jurisdictions.
At the hearing, Ms Toman explicitly confirmed on behalf of HMRC that:
requiring occupation and income from all senders constituted EDD;
the failure to apply EDD to all HRJ jurisdictions had been remedied before the date of the Reinstatement Decision; and
the Reinstatement Decision had been issued because both breaches had been remedied.
Eversheds’ letter
On 16 November 2020, Eversheds wrote to BSEL summarising the outcome of the audit and BSEL’s subsequent response. The letter said:
“We are of the opinion that BSEL is complying with its legal and regulatory obligations pursuant to MLR 2017 (as amended by MLR 2019), subject to one audit finding relating to EDD requirements. The remaining 21 recommendations included in the report were made to reflect recent guidance and best practice only.
With regard to EDD, we recommended that BSEL should amend its procedures as a priority in order to comply with Regulation 33 MLR 2017 (as amended by Regulation 5 MLR 2019). In particular, we noted that BSEL must apply EDD measures as stipulated by the aforementioned regulations for all funds transfers exceeding 1,000 Euros in respect of any High Risk Third
Country (“HR3C”) it transacted with.Since the audit, we can confirm that BSEL has taken steps to comply with these requirements set out above by amending its Compliance Policy to apply EDD for all funds transfers, regardless of the transfer amount, in respect of customer transactions to/from any HR3C;
introducing a beneficiary identifier process, including a new policy of refusing to accept beneficiaries from HR3C as customers;
requiring verification of the occupation and income of customers wishing to send money to a HR3C; and
refreshing the ID and address verification of active customers transacting with an HR3C on a six-monthly basis rather than annually.”
The second of those changes is listed in the table at §292 above, the first is additional and the third was further developed by using Experian to check ID and address details for all transactions.
Further discussions
Ms Chapman continued to discuss AML/CTF compliance with BSEL. On 1 and 3 December 2020 a conference call took place, which was attended on behalf of BSEL by Mr Garcia, Ms Dhillon, Mr Curran and Mr Furnival; Mr Hashmi was unable to attend as he was off sick with severe covid during November and December 2020.
During the call, Ms Chapman raised more issues, and subsequently sent BSEL a list of questions. On 10 March 2021 a video meeting took place; this was attended for BSEL by Mr Garcia, Ms Dhillon, Mr Curran, Mr Hashmi, Mr Gomes and Mr Agarwal, BSEL’s Business Manager. This was the only meeting which Mr Gomes attended, and he did so in order to offer to demonstrate the Remit ERP system, as he was BSEL’s head of IT. However, in his words “she did not appear to be remotely interested in having a full system demonstration that I offered”. Mr Hashmi also attended only this one meeting. Mr Furnival did not attend because he had been furloughed on 1 February 2021 and he subsequently left the business by mutual agreement.
After that meeting, Ms Chapman sent BSEL a list of 22 questions. In the later Parts of this judgment I make further findings of fact about the calls on 1 and 3 December 2020; about the video meeting on 10 March 2021, and about the communications between Ms Chapman and BSEL after both meetings.
Mr Allington-Jones and Mr McLean
When she began her review, Ms Chapman had required BSEL to provide significant amounts of data. In September 2020 she gave the aggregator and agent data to Mr Allington-Jones, together with a brief describing what she required, and a set of parameters. Mr Allington-Jones began working on the data around 26 October 2020, and provided Ms Chapman with his first spreadsheets at the end of November. He discussed those spreadsheets with Ms Chapman, and in February and March 2021 she asked him to run more tests. In total, Mr Allington-Jones ran over 150 tests/programs, of which around two-thirds were summaries, and thus in total he produced some 50 spreadsheets. Ms Chapman did not discuss Mr Allington-Jones’s analysis, or the conclusions she had drawn from that data, with BSEL.
In March or April 2021, Ms Chapman sent her draft ToF and draft Prohibition Decisions to an internal HMRC governance panel, which approved those Decisions without making any changes. On 8 April 2021, Ms Chapman provided a draft of her ToF and a draft Cancellation Decision to Mr McLean, and he began to draft the Personal Decisions. I make findings at §888ff about the process he followed.
Transactions with Pakistan
By March 2021, BSEL’s business with Pakistan had reduced by 98%. This had been caused by the new EDD requirement that every customer transferring funds to Pakistan had to provide proof of occupation and income, irrespective of amount and without taking into account BSEL’s knowledge of their previous transactions. In consequence, BSEL’s customer base had transferred to competitor MSBs which did not require EDD for all transactions, but instead continued to allow money (below a threshold) to be transferred to Pakistan without senders having to provide payslips, bank statements or other proof of source of funds.
The JW Risk audit
As noted earlier in this judgment, JW Risk is the company through which Mr Wall provides consultancy services following his thirty-year career in the Metropolitan Police. It specialises in combatting financial crime and money laundering. One of Mr Wall’s clients is the Choice Group, for which he has carried out over 160 compliance audits.
On 24 May 2021 JW Risk carried out an audit of BSEL; this was only two days before the Cancellation Decision was issued. Mr Wall concluded in his written report that BSEL “have invested heavily in Compliance systems and are very strict with Regulatory adherence” and “have a achieved a very good level of Compliance”. In his witness evidence for these appeals, he said that, from his sample of BSEL’s agent files “these were probably some of the most in-depth agent due diligence records I have seen as an auditor”. He added that:
“From the material I inspected, I formed the impression that excellent and very in-depth due diligence is carried out on all agents, all to the same high standard. Furthermore, BSEL keep excellent records which record the due diligence undertaken.”
In relation to CDD, he said:
“I was able to verify that the high level of customer due diligence described to me at this stage of the inspection, was actually in place. In my opinion, Brac Sajaan have one of the best operational approaches to compliance and due diligence that I have seen during my time working with the Choice Group.”
The Decisions
On 26 May 2021, Ms Chapman sent BSEL the Cancellation Decision, and on the same day, she issued the Prohibition Decisions to Mr Salam, Mr Garcia and Mr Furnival, and Mr McLean issued the Personal Decisions to all the Individual Appellants, with the exception of Mr Furnival as he was no longer employed by BSEL. I make further findings of fact about all the Decisions later in this judgment.
Effect on the Appellants
Mr Salam’s unchallenged evidence as set out in his first witness statement on 16 July 2021 was the Decisions had the following consequences for BSE::
It was unable to trade; although it has continued to pay the wages of its 62 employees, this could not be sustained for long.
Taken together with the other fixed costs, including premises and bank interest, it was unlikely that BSEL could remain solvent for more than 3-4 months.
Agents and business partners will form agreements with other principals, damaging BSEL’s future business.
BSEL’s reputation for trust, honesty and integrity will be damaged
The Decisions caused personal distress to all the Individual Appellants, as well as harming their livelihoods and reputations. The Personal Decisions made it difficult for the six Individual Appellants to obtain work commensurate with their experience. Mr Salam, Mr Garcia and Mr Furnival were banned for life from taking a management role in a regulated industry: Mr Furnival said “the terms of the prohibition are very wide-ranging and effectively render me unemployed for the rest of my life. All of my skills and experience in 35 years have been gained in financial institutions and I am devastated by this decision”. Mr Lakha described the Decisions as having “catastrophic drastic consequences” and I agree.
PART 4: THE LEGISLATION, REGULATIONS AND GUIDANCE
This Part summarises the EU money-laundering legislation and the UK regulations which implement that legislation. It also summarises the relevant parts of the related guidance provided by the NRA, HMRC and the Joint Committee of the EU Supervisory Authorities.
EU LEGISLATION
The EU issued 4MLD on 20 May 2015. Recital 4 states that the implementation and enforcement of the Directive represent “relevant and effective means of preventing and combating money-laundering and terrorist financing”; this is followed by Recital 5, which provides that:
“This Regulation is not intended to impose unnecessary burdens or costs on payment service providers or on persons who use their services. In this regard, the preventive approach should be targeted and proportionate.”
Recital 22 reads:
“The risk of money laundering and terrorist financing is not the same in every case. Accordingly, a holistic, risk based approach should be used. The risk-based approach is not an unduly permissive option for Member States
and obliged entities. It involves the use of evidence-based decision-making in order to target the risks of money laundering and terrorist financing facing the Union and those operating within it more effectively.”
The EU issued 5MLD on 30 May 2018. Recital 1 says:
“Directive (EU) 2015/849 of the European Parliament and of the Council constitutes the main legal instrument in the prevention of the use of the Union financial system for the purposes of money laundering and terrorist financing. That Directive…sets out an efficient and comprehensive legal framework for addressing the collection of money or property for terrorist purposes by requiring Member States to identify, understand and mitigate the risks related to money laundering and terrorist financing.”
Recital 2 says:
“Recent terrorist attacks have brought to light emerging new trends, in particular regarding the way terrorist groups finance and conduct their operations…In order to keep pace with evolving trends, further measures should be taken to ensure the increased transparency of financial transactions…with a view to improving the existing preventive framework and to more effectively countering terrorist financing. It is important to note that the measures taken should be proportionate to the risks.”
Recital 5 begins:
“While the aims of Directive (EU) 2015/849 should be pursued and any amendments to it should be consistent with the Union’s ongoing action in the field of countering terrorism and terrorist financing, such amendments should be made having due regard to the fundamental right to the protection of personal data, as well as the observance and application of the proportionality principle.”
Many of the Recitals refer to alternative currencies, beneficial ownership of trusts and other corporate bodies, and cross-border co-operation between governments. However, Recital 43 includes this passage:
“…recognising that not all cross border correspondent banking services present the same level of money laundering and terrorist financing risks, the intensity of the measures laid down in this Directive can be determined by application of the principles of the risk based approach and do not prejudge the level of money laundering and terrorist financing risk presented by the respondent financial institution.”
THE MLR
The MLR, which implemented 4MLD, came into force on 26 June 2017. The UK implemented 5MLD by the Money Laundering And Terrorist Financing (Amendment) Regulations 2019. This amended the MLR, and which came into effect on 10 January 2020.
The Explanatory Memorandum to the 2019 amending regulations includes the following statement:
“There are over 100,000 businesses within scope of the MLRs, requiring businesses to know their customers and manage their risks. The MLRs are deliberately not prescriptive, providing flexibility in order to promote a proportionate and effective risk based approach to combating money laundering and terrorist financing.”
The specific regulations in issue are set out under the relevant headings in the rest of this judgment.
THE NRA 2017
The UK published its first NRA in 2015; a revised and updated NRA was published in 2017 (“NRA 2017” or “the NRA”). A further version was published in December 2020. Although this was included in the Authorities Bundle, Ms Chapman relied only on NRA 2017 in making her Decisions, on the basis that it was the version current during the period of her review. Ms Toman made two references to the 2020 version in her skeleton argument, but only to emphasise that the position had not changed since 2017, and neither party referred to the 2020 version during the hearing. I have therefore referred only to NRA 2017 in this judgment; key passages are set out below; paragraph references where relevant are in brackets.
The Executive Summary set out certain “key findings”, which included the following:
“Cash, alongside cash intensive sectors, remains the favoured method for terrorists to move funds through and out of the UK. The UK’s terrorist financing threat largely involves low levels of funds being raised by UK individuals to send overseas, fund travel or fund attack planning. The primary means of doing this are assessed to be through cash, retail banking or money service businesses (MSBs)”.
Under the heading “International Threat” is a subheading “Remittance and other financial flows”. Para 2.30 of that section includes the following passage:
“Given the large remittance and business links between Pakistan and the UK, both countries are exposed to this corridor being abused for money laundering or terrorist financing. There is a risk of criminal groups exploiting these links to facilitate money laundering, particularly the laundering of the proceeds of corruption, fraud and drug trafficking. Criminals have exploited tools including MSBs, cash smuggling, front businesses, trade based money laundering and property to launder funds both from the UK to Pakistan and vice versa.”
Chapter 10 is headed “Cash”, and opens by saying (10.1):
“Cash is inherently high risk due to it being untraceable, readily exchangeable and anonymous… use of cash remains a high risk for both money laundering and terrorist financing.”
Chapter 11 is headed “Money service businesses”, and begins:
“The MSB sector encompasses a range of services relating to the transmission or conversion of funds, including money transmission services, foreign exchange and cheque cashing. The sector is highly diverse, with providers ranging from local convenience stores offering remittance services to large multinational corporations and web-based businesses providing peer-to-peer money transfers. MSBs play an important function in many communities by providing financial services to those without access to banking services. Cross-border remittances facilitated by MSBs have also been shown to play a key role in supporting economic development within developing countries.”
The overall risk for the MSB sector was rated as high for both money laundering and terrorist financing (11.3 and 11.4). The Chapter continues at 11.5 by saying that “high risks associated with the MSB sector should be managed on a case-by-case basis”.
The compliance of smaller and larger MSB businesses are distinguished (11.15):
“the largest principal MSBs have sophisticated compliance and systems, HMRC considers that other businesses do not allocate sufficient resource to AML/CTF policies and controls.”
At 11.9 the NRA says:
“There is evidence of MSBs seeking to register with banks as different cash- rich businesses or routing their business through third party accounts and other MSBs. HMRC has also found strong evidence that the principal-agent relationship is being exploited to launder criminal funds, including through businesses becoming agents of well-known money transmitters while operating their own separate systems for illicit transactions.”
Paragraph 11.12 reads:
“The 2015 NRA identified key terrorist financing risks within the MSB sector as complicit employees involved in remitting funds destined for terrorists, terrorist exploitation of the CDD threshold, and low reporting from the sector in relation to terrorist financing. While the due diligence threshold has been lowered from €1,000 to €0 through the Funds Transfer Regulation 2017, the general risks in the sector remain. The low cost of transferring funds and the ability to reach a wide number of jurisdictions linked to terrorism continue to make MSBs an attractive method for moving terrorist funds in small volumes.”
THE HMRC GUIDANCE
In March 2018 HMRC updated its guidance to MSBs, entitled “Anti-Money Laundering Supervision: Money Service Business” (“the HMRC Guidance”), and it was common ground that this version was the most relevant for the purposes of the Appellants’ appeals. The document was updated again in April 2020, after the implementation of 5MLD in January of that year. Where that later version is relevant to specific requirements and provisions, I have made reference to it. The HMRC Guidance was approved by the Treasury.
Chapter 3 of the HMRC Guidance is headed “Risk-based approach”, and begins:
“A risk-based approach is where you assess the risks that your business may be used for money laundering or terrorist financing, and put in place appropriate measures to manage and lessen those risks. An effective risk-based approach will identify the highest risks of money laundering and terrorist financing that your business faces, and put in place measures to manage these risks.”
Paragraph 3.3 of that Chapter reads:
“A risk-based approach should balance the costs to your business and customers with a realistic assessment of the risk that your business may be exploited for the purpose of money laundering and terrorist financing. It allows you to use your informed judgement to focus your efforts on the highest-risk areas and reduce unnecessary burdens on customers presenting a
limited risk of money laundering and/or terrorist financing.”
Paragraph 3.4 reads “Assessing your business’s risk profile will help you understand the risks to your business and how they may change over time…”; and 3.6 similarly says that each risk assessment needs to reflect changes in your business and the environment that you do business in”. The need for the risks to be re-assessed over time as circumstances change is repeated in other parts the HMRC Guidance.
Chapter 9 deals with principal-agent relationships; gives guidance for the appointment of an agent; says that HMRC expect principals to have “clear agent selection criteria”; train the agents, and have PCPs to monitor agent transactions.
Chapter 10 is headed “risk indicators for each type of money service business” and it opens:
“The following is an example list of common risk indicators that call for enhanced due diligence. It's not an exhaustive list, and neither are these signs always suspicious. It depends on the circumstances of each case.”
That heading is followed by a long lists of “common risk indicators”. These include problems around customer identity or source of funds; unusual or large transactions; a change in the normal pattern of transactions, and customers who are under-age or who seem to be acting under instruction from others. Among that list are the following points:
“• there's no apparent reason for a customer using your business's services, for example, another business is better placed to handle the size of transaction or the destination of the transmission;
• non face-to-face customers;
• the customer sends or receives money to or from himself;
• agents who undertake business outside normal business hours;
• agents who carry out transactions too fast to be possible;
• multiple money service business premises operating in very small area.”
Para 10.6 says:
“Where the beneficiary of a money transmission is in a high risk country you should do enhanced due diligence checks on your customer. To help you decide if you're sending money to a high-risk country, FATF and the EC publish a list of high risk and non-cooperative countries.”
The HMRC Guidance also directs the reader to other guidance including:
that published by the Joint Money Laundering Steering Group (“JMLSG”). The JMLSG is a private sector body, but its guidance is approved by HM Treasury, and HMRC say that “some of the sections of Part 1 of the guidance may be “particularly relevant” to MSBs;
the Risk Factors Guidelines published on 4 January 2017 by the joint committee of the EU Supervisory Authorities (“the EU Guidance”), which is considered below;
the “detailed guidance” published by the FCA;
the NRA; and
guidance published by FATF, which as noted earlier in this judgment, is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering and terrorist financing; they are recognised as the global AML/CTF standard. FATF has published 40 Recommendations; Recital 43 to 4MLD states that the Directive was drafted so that its provisions align with the FATF Recommendations; the Explanatory Notes to the MLR also state that this is the position.
EU GUIDANCE
Before setting out a list of risk factors, the EU Guidance says:
“Firms should note that the following risk factors are not exhaustive, nor is there an expectation that firms will consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation and note that, unless Directive (EU) 2015/849 [4MLD] or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.”
It also says:
“34. Firms should take a holistic view of the ML/TF risk factors they have identified that, together, will determine the level of ML/TF risk associated with a business relationship or occasional transaction.
35. As part of this assessment, firms may decide to weigh factors differently depending on their relative importance.
36. When weighting risk factors, firms should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction. This often results in firms allocating different ‘scores’ to different factors; for example, firms may decide that a customer’s personal links to a jurisdiction associated with higher ML/TF risk is less relevant in light of the features of the product they seek.
37. Ultimately, the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another.”
At para 51 the EU Guidance says “Firms should apply additional EDD measures in those situations where this is commensurate to the ML/TF risk they have identified”. It sets out numerous risk factors, of which the following are of particular relevance to this appeal, and/or were relied on by HMRC:
Whether the sender has relevant personal links to the destination country (para 22(c)).
Several of the firm’s customers transfer funds to the same payee or appear to have the same identification information, for example address or telephone number (para 134).
The customer’s needs may be better serviced elsewhere, for example because the
money remitter is not local to the customer or the customer’s business (para 134).
The agent undertakes business outside normal business hours (para 136).
PART 5: SUSPENSION AND REINSTATEMENT
As is clear from the findings of fact set out earlier in this judgment, Ms Chapman suspended BSEL on 22 October 2020 for having breached (a) Reg 57(4) and (b) Reg 19(1)(a) by reference to Reg 33(1)(a). On 13 November 2020 she accepted that those two breaches had been remedied and issued the Reinstatement Decision.
However, the issues which had caused the suspension were also included by Ms Chapman as part of her justification for the Cancellation Decision. This Part therefore consider whether Ms Chapman was correct that BSEL had breached the MLR in the ways identified in the Suspension Decision.
REGULATION 57(4)
The first breach included in the Suspension Decision was that BSEL had not notified HMRC within 30 days that four individuals had been appointed as responsible persons, as required by Reg 57(4).
The regulations
Reg 57 sets out the requirements a person must satisfy when it applies to be registered with its supervisory authority, which in BSEL’s case was HMRC. Para 1 provides that that information is to be provided “in such manner and provide such information as the registering authority may specify”.
Reg 57(4) provides that if, at any time after the applicant has provided the registering authority with any information under paragraph (1), there is a material change affecting any matter contained in that information, “the applicant must provide the registering authority with details of the change…within 30 days beginning with the date of the occurrence of the change…or within such later time as may be agreed with the registering authority”.
It is clear from the above that when there is a change to a relevant officer or manager, the business must inform HMRC within 30 days, and must provide “such information as HMRC may specify” about that person.
Reg 58, to which reference is made in Reg 57(2)(h)(ii) cited above, is headed “Fit and proper test”, and para 1 reads:
“The registering authority must refuse to register an applicant for registration in a register maintained under regulation 54 as a money service business or as a trust or company service provider, if it is satisfied that—
(a) the applicant;
(b) an officer or manager of the applicant;
(c) a beneficial owner of the applicant; or
(d) where the applicant is a money service business—
(i) any agent used by the applicant for the purposes of its business; or
(ii) any officer, manager or beneficial owner of the agent,
is not a fit and proper person to carry on that business.”
Reg 58(3) deems any person who has been convicted of a criminal offence in Schedule 3 of the Regulations as not being a fit and proper person. Schedule 3 lists a range of criminal offences under English law; it also includes criminal offences under the law of a foreign country and acts which would have constituted criminal offences within Schedule 3 had they been committed in the UK.
Paras 4 and 5 read as follows:
“(4) If paragraph (3) does not apply, the registering authority must have regard to the following factors in determining the question in paragraph (1)—
(a) whether the applicant has consistently failed to comply with the requirements of—
(i) these Regulations;…
(b) the risk that the applicant's business may be used for money laundering or terrorist financing; and—
(c) whether the applicant, and any officer, manager or beneficial owner of the applicant, has adequate skills and experience and has acted and may be expected to act with probity.
(5) Where the applicant is a money service business, the registering authority may, in determining the question in paragraph (1), take account of the opinion of the applicant as to whether any person referred to in paragraph (1)(d) is a fit and proper person to carry on the business.”
The F&P Guidance
In addition to the HMRC Guidance considered in Part 4, HMRC also issued guidance entitled “The fit and proper test and HMRC approval: technical guidance” (“the F&P Guidance”). The version provided for the hearing was dated 14 August 2018; neither party sought to argue that it was different in any material respect at an earlier or later date.
The F&P Guidance begins by saying that “Most businesses supervised by HMRC for anti-money laundering purposes are subject to either the fit and proper test or approval requirements under the regulations”. Under the heading “the fit and proper test” it says that “HMRC carries out the fit and proper test as part of the money laundering supervision registration process for money services business…” and adds “you do not have to apply every year but if a new person joins your business they’ll have to take a test if it applies to them”.
Under the heading “who must apply”, the F&P Guidance defines “responsible persons” as being those who are:
running the business either on their own or in partnership;
officers of the business including directors and the company secretary;
senior managers who are engaged directly in the provision of regulated activity but excluding “managers who are not routinely involved in the anti-money laundering and counter terrorist policies and procedure of the business”;
the nominated officer;
a “beneficial owner” of the business:
a person who is effectively directing the business, being either a person formally appointed as a director, or a person who “acts as if they were a director”.
The F&P Guidance links to separate online guidance which specifies that businesses must complete an MLR101 form to notify HMRC of a new responsible person who is required to satisfy the F&P test.
The Suspension Decision
As set out in Part 3 of this judgment , Ms Chapman decided on 22 October 2020 that Reg 57(4) had been breached because BSEL had not notified HMRC within 30 days that Mr Garcia, Mr Furnival and Ms Dhillon had been appointed as responsible persons. She also:
decided there had been a failure to notify Mr Ahmad, but later accepted that he had been notified to HMRC many years previously and his “fit and proper” status had been accepted; and
said that although BSEL had notified Mr Curran and Mr Hashmi within 30 days, this was “only after being prompted in an email from HMRC”.
I consider below the position of each of those individuals. I first make findings of fact, some of which were included in Part 3 but are repeated here for ease of reference. Other findings are additional.
Mr Garcia
It was HMRC’s case that Mr Garcia was required to be registered, and that Mr Salam shared responsibility for the failure to notify him to HMRC.
Findings of fact about Mr Salam and the MLRO
As the chief executive, Mr Salam had overall responsibility for the operations of the company, and for developing and executing the company’s business strategies. He carried out that role in large part by ensuring that he recruited appropriately skilled and experienced senior staff, to whom he gave the necessary leadership and direction. In relation to compliance and risk management, Mr Salam ensured that BSEL recruited MLROs, Heads of Global Compliance and heads of RAIC with the relevant experience and qualifications. Mr Salam is not a member of the RAC; that body reports to the Board.
BSEL’s policy was that the MLRO was responsible for notifying HMRC when a new responsible persons was appointed. When the MLRO changed, Mr Salam asked the new MLRO to check that all relevant compliance requirements had been met, and was assured on each occasion that this was the case.
Findings of fact about Mr Garcia
Mr Garcia became BSEL’s Head of Global Compliance and Chief Information Officer in January 2017. At the time of his appointment, BSEL conducted a F&P assessment to assess his suitability for the job; obtained job references covering the last five years; carried out a DBS check and a credit check; Mr Garcia was also screened to ensure he was not on a sanctioned or politically exposed persons (“PEP”) list. Mr Garcia’s unchallenged evidence was that he had understood that the MLRO at the time, Mr Strathie, had completed the relevant HMRC and FCA/PSR approval forms and submitted them. He also said that the FCA had previously checked and confirmed he was a fit and proper person; Ms Toman relied on that statement as factually correct in her closing submissions.
I therefore find as facts that Mr Garcia had been given F&P status by the FCA; he completed all relevant forms when he joined BSEL; he understood that the MLRO had submitted the necessary forms to HMRC, and he was unaware of the breach until Ms Chapman contacted Ms Dhillon on 24 September 2020. Mr Garcia’s MLR101 was sent to HMRC on 29 September 2019.
Whether there was a breach and if so, who was responsible
Mr Garcia was the Head of Global Compliance, so it was plainly necessary for him to be notified under Reg 57(4). Although the FCA had already confirmed that he was a fit and proper person in relation to the PSR, HMRC is the relevant regulator for AML purposes. I was unable to find any provision, or any official guidance, which allows a person regulated by both bodies to rely on F&P clearance by the FCA, and I had no related submissions. I therefore find that there was a failure to notify HMRC within 30 days that Mr Garcia had joined the business, and that this was a breach of Reg 57(4).
Responsibility for the initial timely notification rested with Mr Strathie, who was the MLRO when Mr Garcia was appointed. However, responsibility for the continuing failure to notify rested with the subsequent MLROs, Mr Olayinka and Mr Kirby, each of whom were required by Mr Salam to check the compliance position when they took on the role.
Ms Toman submitted that Mr Salam was also responsible for the breach because he “didn’t adequately supervise the MLRO”. I do not accept this. Mr Salam was the chief executive. His role was to provide overall direction and leadership, and to ensure that appropriately qualified and experienced senior staff were appointed, and he carried out that responsibility. When a new MLRO was appointed, Mr Salam asked him to check that all relevant compliance requirements had been met, and was assured this was the case. It was not Mr Salam’s role to monitor whether an MLRO had sent each individual MLR101 to HMRC.
Mr Furnival
The parties disagreed on whether BSEL was required to notify Mr Furnival under Reg 57(4).
Findings of fact about Mr Furnival
Mr Furnival joined BSEL in July 2018 when the MLRO was Mr Olayinka. He was BSEL’s Chief Operating Officer (“COO”) and a member of its Management Committee. In reliance on BSEL’s corporate governance document I find that the role of the Management Committee was as follows:
“The Management Committee (MANCOM) meets monthly and is a key sub-committee which ensures that all department heads are aware of and can
contribute to any areas of risk, opportunity or challenge which the company is facing.”
The Management Committee was made up of the Managing Director, the Head of Global Compliance, the MLRO, the Head of Finance, the Head of RAIC, the COO, the Manager of International Relationships, the Head of UK Sales, the Manager for Collection, Recovery and Communication, the Manager of Business Systems and the Head of Foreign Exchange and Fund Management.
BSEL accepted that Mr Furnival was “a key member of the senior management team”. He reported to Mr Salam; his role was to run the operations, marketing, sales, HR and business development teams. He was not involved in managing compliance, risk and audit, or finance functions.
Shortly before Mr Furnival’s appointment, Exiger produced their first report. One of their recommendations was that:
“The terms of reference for the RAC should be extended to
include a suitably senior member of the business. A good candidate for
inclusion would be incoming the Chief Operating Officer [sic] who is expected to be appointed soon. This will help to ensure that the business, which ultimately owns the financial crime risk, is properly represented at the RAC.”
BSEL responded by saying that “the COO who joined on 15 July will be part of the RAC as recommended”. As set out at §207, RAC’s role was to oversee BSEL’s AML/CTF governance and provide oversight of the compliance function. Mr Furnival’s evidence was that he joined to provide information as to the business and operational consequences of policy decisions, and not because he had any knowledge of AML or compliance. I accept that evidence, which was consistent with Exiger’s recommendation that he join the RAC to represent the business.
On 24 September 2020, Ms Chapman informed Ms Dhillon that Mr Furnival was required to be “fit and proper tested” and he completed the MLR101 on 28 September 2020. The form was submitted on the following day.
Whether notification was required
Ms Toman submitted that Mr Furnival was an officer of BSEL, because he was a member of BSEL’s Management Committee. Mr Furnival denied that he was an officer. I decided, for the reasons given later in this judgment (see §969) in the context of his Prohibition Decision, that he was not an officer.
HMRC’s alternative argument was that Mr Furnival was s a manager “engaged directly in the provision of regulated activity” because of his role on the RAC. Mr Furnival’s position was that he was not “routinely involved” in BSEL’s AML/CTF PCPs, see the F&P Guidance at §354(3).
The RAC is a permanent committee which reports to the Board. As set out at §208, its role was “to provide assurance on the adequacy and effectiveness of the company’s system of internal controls” and it was “responsible for understanding BSEL’s major risk areas and ensuring that appropriate internal controls are in place to manage the risk exposure”. Although Mr Furnival had joined the RAC to represent the business, I agree with HMRC that by virtue of his position on that committee, he was “routinely involved” in BSEL’s AML/CTF PCPs. I therefore agree with Ms Chapman that Mr Furnival should have been notified under Reg 57(4).
Ms Dhillon
Findings of fact
Ms Dhillon was recruited by Mr Kirby as Deputy MLRO. The Tribunal was not given the date she joined BSEL, but it is clear from the documents in the Bundle that she completed a compliance training course on 3 February 2020 and it is reasonable to infer that she had joined the business shortly before that date. She was furloughed from 1 April 2020 to 30 June 2020. On 6 August 2020 she replaced Mr Kirby as BSEL’s MLRO on a temporary basis.
Before the end of August 2020, Ms Dhillon tried to make her F&P registration online, but was denied access to the relevant part of HMRC’s system. She emailed BSEL’s contact in HMRC’s Large Traders Team for assistance, but received no reply. On 16 September 2020, Ms Chapman emailed Ms Dhillon to ask if she had submitted her MLR101, and Ms Dhillon replied on the following day, saying:
“We have been in the process of getting myself registered but I believe there have been some queries we have gone back to HMRC with and are yet awaiting a response from them.”
Ms Chapman followed up internally, and on the same day, 17 September 2020, a Ms Ingham from the Large Traders Team contacted Ms Dhillon: told her that she needed to complete a form and email it, rather than using the online portal, and she attached a copy of the MLR101. Ms Dhillon completed the form on 27 September 2020, the day before she handed over the MLRO role to Mr Curran: her form was submitted to HMRC on 29 September 2020.
Was there a breach?
Ms Dhillon was the deputy MLRO from her appointment in January 2020, and was acting MLRO from 6 August 2020. Ms Chapman decided Ms Dhillon should have been notified with effect from the latter date. I have therefore taken it that Ms Chapman accepted that Ms Dhillon was not a “senior manager” until she took on the MLRO role, see the F&P Guidance at §354(3).
Ms Dhillon was therefore required to be registered within 30 days of 5 August 2020. However, when she tried to register, she was denied access to the relevant part of HMRC’s system; she tried to resolve this by emailing her contact in the Large Trader Team, but received no reply until Ms Chapman intervened.
Reg 57(4) provides that the relevant information is to be provided within 30 days “or within such later time as may be agreed with the registering authority”. HMRC might reasonably have exercised that discretion in a case such as this, where a person had tried to make contact in advance of the deadline to resolve a difficulty, but had received no reply from HMRC. However, Ms Chapman did not take that position in Ms Dhillon’s case. Instead, she decided that the failure to notify within the 30 day period was a breach of Reg 57(4). As HMRC did not exercise their discretion to grant an extension, there was a breach. Responsibility for the late notification rested with Ms Dhillon as she was the Nominated Officer.
Mr Hashmi and Mr Curran
Mr Hashmi was the Head of Risk and Internal Control, and Mr Curran the new MLRO, so both had to be notified to HMRC. Mr Hashmi joined BSEL on 1 September 2020 and his MLR101 was submitted to HMRC on 29 September 2020. Mr Curran joined on 28 September 2020 and completed an MLR101 form on 30 September 2020, which was submitted to HMRC on 7 October 2020.
Ms Chapman said Ms Dhillon had notified Mr Curran and Mr Hashmi within the 30 days “only after being prompted in an email from HMRC”. I do not accept that. It is clear from the contemporaneous evidence of Ms Dhillon’s emails that she had already contacted HMRC about making her own notification, and I reject the inference that Ms Dhillon only notified Mr Curran and Mr Hashmi because of an email from Ms Chapman.
Other officers and managers?
Ms Chapman checked the Companies House website to identify BSEL’s directors and officers, and having done so, she incorrectly identified not only Mr Ahmad as not having been notified to HMRC, but also Mr Hussein, one of BSEL’s other two directors, see §271.
Ms Chapman has not said that there was any other failure to comply with the Reg 57(4) notification requirement in relation to other responsible persons. I make the reasonable inference that, having carried out that Companies House research, Ms Chapman would have informed BSEL had she identified any other failures, and these would have been taken into account in her Decisions. Moreover, it was clearly part of BSEL’s policy that the MLRO should notify HMRC when a new responsible person was appointed. I therefore find as a fact that all other responsible persons had been notified as required by Reg 57(4).
Was there “a consistent failure to comply”
Ms Chapman said in the Suspension Decision that BSEL had demonstrated “a consistent failure” to comply with the Regulations by:
failing to notify Mr Garcia, Mr Furnival and Ms Dhillon by the statutory time limits; and
notifying Mr Curran and Mr Hashmi within the 30 days “only after being prompted in an email from HMRC”.
Of the three relevant individuals notified late, Ms Dhillon had made contact with HMRC before the deadline and was awaiting a response, a situation which might reasonably have been expected to result in an extension of the deadline. Mr Garcia’s F&P status had already been confirmed by the FCA, and he reasonably believed that any further relevant checks had been carried out by the MLRO. Mr Furnival was required to be registered because of his role on the RAC, and not because of his day-to-day responsibilities. There were no other failures, and both Mr Curran and Mr Hashmi were notified before the due date. I find that BSEL did not “consistently fail” to comply with Reg 57(4).
Whether the failures were deliberate
Ms Chapman states in the Cancellation Decision that BSEL’s breaches of the MLR were “deliberate”. It is clear from the above findings of fact that the failure to notify Mr Garcia, Mr Furnival and Ms Dhillon by the due dates was not “deliberate”. Ms Dhillon tried to file online before the deadline but was unable to do so, and HMRC failed to reply to her request for assistance. There is no evidence that BSEL acted deliberately in relation to either Mr Garcia or Mr Furnival. On the contrary, BSEL had a policy which required the MLROs to notify all responsible persons. Given the existence of that policy and the very small number of failures, I find that the MLROs failed to notify HMRC of Mr Garcia and Mr Furnival by oversight and the failures were not deliberate.
Conclusion on Reg 57(4)
I find that there was a breach of Reg 57(4) in relation to Mr Garcia and Mr Furnival. There was also a breach in relation to Ms Dhillon, but she had tried to HMRC failed to reply to her email. There was no consistent breach and no deliberate breach.
REGULATION 19(1) AND REGULATION 33(1)
The other reason for the Suspension Decision was that Ms Chapman also decided BSEL had breached Reg 19(1)(a) by reference to Reg 33(1)(a), because since “at least” February 2018 BSEL’s PCPs had failed to treat all transactions with Pakistan and Bangladesh as requiring EDD; instead, BSEL had set a threshold below which only CDD was required.
This Part is structured as follows:
whether BSEL has a “business relationship” with its UK customers and/or with the overseas beneficiaries, because that question underpins the other issues;
the relevant paragraphs of Reg 19;
Reg 33, both before and after 5MLD, followed in each case by the position for Pakistan; and
the position for Bangladesh.
Business relationship?
Regulation 4 defines “business relationship” as:
“a business, professional or commercial relationship between a relevant person and a customer, which—
(a) arises out of the business of the relevant person, and
(b) is expected by the relevant person, at the time when contact is established, to have an element of duration.”
Regulation 27 is headed “Customer due diligence” and the first paragraph reads:
“A relevant person must apply customer due diligence measures if the person—
(a) establishes a business relationship;
(b) carries out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the funds transfer regulation exceeding 1,000 euros;
(c) suspects money laundering or terrorist financing; or
(d) doubts the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.”
Regulation 28 is headed “Customer due diligence measures” and begins:
“(1) This regulation applies when a relevant person is required by regulation 27 to apply customer due diligence measures.
(2) The relevant person must—
(a) identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;
(b) verify the customer's identity unless the customer's identity has already been verified by the relevant person; and
(c) assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.”
It is thus clear that if there is a “business relationship” between BSEL and its customers, it is required to apply CDD to all transactions, but if there is no business relationship, it has only to apply CDD to “occasional transactions” of more that €1,000.
The HMRC Guidance at para 4.13 gives the following examples of a “business relationship”:
“• another money service business is your customer
• you set up a customer account
• there's a contract to provide regular services
• you give preferential rates to repeat customers
• any other arrangement [which] facilitates an ongoing business relationship or repeat custom, such as providing a unique customer identification number for the customer to use.”
The issues to be decided
The parties agreed that BSEL had a business relationship with its agents and aggregators. The issues to be decided were whether BSEL had a business relationship with the following, each of which is considered below:
the customers who carry out transactions by visiting BSEL’s own branches;
the customers of BSEL’s agents;
the customers of the aggregators; and/or
the overseas beneficiaries.
Mr Garcia understood there to be no business relationship with any customers, because (a) each person could choose whether to use BSEL or whether to use a competitor MSB, and (b) this had been confirmed by Eversheds (as to which see §433 below) and (c) Exiger and Eversheds had consistently confirmed that the aggregators’ customers were not BSEL’s customers. I find that to be his honest belief, for the reasons he gave.
Whether BSEL has a business relationship with its direct customers
Ms Toman submitted that BSEL had a “business relationship” with its customers because that relationship had the necessary element of duration. She relied on the last of the bullet points in HMRC’s list of examples, namely that it was “any other arrangement [which] facilitates an ongoing business relationship or repeat custom, such as providing a unique customer identification number for the customer to use”.
Mr Lakha submitted that there was no business relationship because:
it is up to each customer whether he comes back to BSEL or goes to another MSB;
BSEL does not come within any of the specific bullet points in the HMRC Guidance; and
in particular, BSEL does not come within the final bullet point, because it does not provide a unique customer identification number “for the customer to use”. Although BSEL registers each customer, it does so for internal reasons only: the customer is not given a number or a passbook or a code, see §198.
My starting point is the statutory definition in Reg 4, which has two parts. The first requires there to be a business or commercial “relationship”. According to the Oxford English Dictionary, the primary meaning of a “relationship” is “the state or fact of being related; the way in which two things are connected; a connection, an association”. The word therefore has a wide meaning, and the usages cited in the OED indicate a low threshold. Applying that definition, there is plainly a “connection” or an “association” between BSEL and a direct customer.
The second part of Reg 4 requires that the relationship “is expected by the relevant person, at the time when contact is established, to have an element of duration”. It is clear from the italicised words that this must be seen from BSEL’s perspective, not that of the customer. In my judgement, BSEL does have an expectation that the customers are likely to return, for the following reasons:
BSEL does not simply store the information relating to each remittance on a transactional basis, as normally happens, for instance, in a retail shop or restaurant. Instead, it internally allocates a unique customer number.
That number allows BSEL to link the first transaction with later transactions, and minimises the administrative requirements for both parties on subsequent visits.
BSEL’s own compliance framework is designed around applying either CDD or EDD to all customers. In particular:
there is no attempt to identify occasional transactions below €1,000. Instead, all BSEL’s thresholds were above that figure, see §201 and §253; and
BSEL tracks cumulative transactions when applying its thresholds.
I therefore find that BSEL has a business relationship with its direct customers.
Whether BSEL has a business relationship with the customers of its agents
Jowett’s Dictionary of English Law (5th ed) defines “agency” as “the legal relationship that arises when one person (the agent) has the authority to act for another (the principal)”. It follows that customers who transact with an agent are transacting with BSEL. The HMRC Guidance reflects this when it says at para 9.6 that an MSB acting as principal “is the party that contracts with a customer through its agent and owns and is responsible for the transaction”. BSEL therefore has a business relationship with customers who transact through its agents, just as it has a business relationship with its direct customers.
Whether BSEL has a business relationship with the customers of the aggregators
I found this a difficult issue, on which neither side provided submissions. As set out at §195, aggregators are APIs who may operate from a single location, through branches or via agents, or they may be purely digital businesses offering electronic, non-cash services. They take money from their own customers and transfer it to BSEL, which in turn transfers the money to its destination in Pakistan or Bangladesh using its bank account with Barclays. The simple answer is thus that customers have a business relationship with the aggregators, who in turn have a business relationship with BSEL.
However, that simple answer was difficult to fit with the documentation in the Bundle. BSEL has a standard “Aggregator Agreement” with its aggregators, but no copy of that agreement was provided to the Tribunal. The Bundle did include BSEL’s Aggregator Policy, which says that the relationship between BSEL and its aggregators was governed by Reg 39. That provision is headed “Reliance” and provides:
“(1) A relevant person may rely on a person who falls within paragraph (3) (‘the third party’) to apply any of the customer due diligence measures required by regulation 28(2) to (6) and (10) but, notwithstanding the relevant person's reliance on the third party, the relevant person remains liable for any failure to apply such measures.
(2) When a relevant person relies on the third party to apply customer due diligence measures under paragraph (1) it—
(a) must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10)…in relation to the customer, customer's beneficial owner, or any person acting on behalf of the customer;
(b) must enter into arrangements with the third party which—
(i) enable the relevant person to obtain from the third party immediately on request copies of any identification and verification data and any other relevant documentation on the identity of the customer, customer's beneficial owner, or any person acting on behalf of the customer;
(ii) require the third party to retain copies of the data and documents referred to in paragraph (i) for the period referred to in regulation 40.
(3) The persons within this paragraph are—
(a) another relevant person who is subject to these Regulations under regulation 8;…”
Reg 39 thus imposes specific requirements in relation to reliance on third parties acting as such, ie who are not acting as agents. It also allows relevant persons (such as BSEL) to rely on another relevant person (such as an aggregator which is also an API) to carry out CDD or EDD as required by Reg 28. But BSEL is only required to carry out CDD and EDD if it has a business relationship with the customer; in other words, Reg 39 allows a relevant person to delegate the carrying out of CDD and EDD in relation to its own customers. The Aggregator Policy correctly summarises the effect of Reg 39 when it says:
“Reliance is where BSEL may agree to rely on the CDD undertaken by a third
party. Where appropriate, BSEL may rely on a third party to conduct CDD on BSEL’s part. Any agreement must be in writing and the requirements are set out in the regulations. The third party must consent to being relied upon.
In these circumstances, BSEL continues to be liable for any failure in relation to CDD/EDD. i.e. BSEL can outsource responsibility, but not accountability.”
The Aggregator Policy also says (my emphasis):
“The legal basis of the relationship and responsibilities of the parties are
detailed in the Aggregator Agreement and are subject to the law of agency
in England and Wales.”
Under the heading “Agency/Aggregator Agreement Model”, the Aggregator Policy reads:
“The use of the agency model is widespread in the MSB sector. Law of Agency applies - where the agent is authorised to act on behalf of the principal. The arrangements between the agent/aggregator and the principal is set out
in an agency/aggregator agreement. An agent/aggregator who acts within the scope of authority conferred by their principal binds the principal in the obligations the agent/aggregator creates with third parties. The agent/aggregator binds the principal to perform the service the customer has paid for.”
The above passages were the only evidence before the Tribunal which set out BSEL’s understanding of its relationship with the aggregators, and I thus conclude that the aggregators were acting as agents for BSEL. As a result, the aggregator is acting on BSEL’s behalf, and a business relationship exists between BSEL and the aggregator’s customer.
Whether BSEL has a business relationship with the beneficiaries
HMRC’s position on this was not entirely clear, see Ms Toman’s submissions in the context of EDD at §424 below. The Appellants’ position was that they had no business relationship with the beneficiaries.
I agree with the Appellants. It is clear on the facts that BSEL does not have a “relationship” with the beneficiaries: it does not make contact with the beneficiary at all. Instead, it transfers the money to a bank overseas; the beneficiaries access the funds by visiting a branch of that bank or by accessing their account with that bank, see §189.
Conclusion
For the reasons set out above, BSEL has a business relationship within the meaning of the MLR with its UK customers, including those who transact with agents and aggregators, but does not have a business relationship with the beneficiaries.
Regulation 19
Regulation 19 is headed “Policies, controls and procedures”. The paragraphs in issue were not changed by 5MLR; they read:
“(1) A relevant person must—
(a) establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1);…
….
(3) The policies, controls and procedures referred to in paragraph (1) must include—
(a)-(b)…;
(c) customer due diligence (see regulations 27 to 38);…
(4) …
(5) In determining what is appropriate or proportionate with regard to the size and nature of its business, a relevant person may take into account any guidance which has been—
(a) issued by the FCA; or
(b) issued by any other supervisory authority or appropriate body and approved by the Treasury….”
Regulation 33: before 5MLD
The regulation
Regulation 33 is headed “Obligation to apply enhanced customer due diligence”. In the period before the amendments introduced by 5MLD, it read as follows:
“(1) A relevant person must apply enhanced customer due diligence measures and enhanced ongoing monitoring, in addition to the customer due diligence measures required under regulation 28 and, if applicable, regulation 29, to manage and mitigate the risks arising—
(a) in any case identified as one where there is a high risk of money laundering or terrorist financing—
(i) by the relevant person under regulation 18(1), or
(ii) in information made available to the relevant person under regulations 17(9) and 47;
(b) in any business relationship or transaction with a person established in a high-risk third country;
(c) - (f) …
(g) in any other case which by its nature can present a higher risk of money laundering or terrorist financing…
(3) For the purposes of paragraph (1)(b), a ‘high-risk third country’ means a country which has been identified by the European Commission in delegated acts adopted under Article 9.2 of the fourth money laundering directive as a high-risk third country…
(4) …
(5) Depending on the requirements of the case, the enhanced customer due diligence measures required under paragraph (1) may also include, among other things—
(a) seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
(b) taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
(c) taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
(d) increasing the monitoring of the business relationship, including greater scrutiny of transactions.
(6) When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk, relevant persons must take account of risk factors including, among other things—
(a) customer risk factors, including whether—
(i) the business relationship is conducted in unusual circumstances;
(ii) the customer is resident in a geographical area of high risk (see sub-paragraph (c));(iii) the customer is a legal person or legal arrangement that is a vehicle for holding personal assets;
(iv) the customer is a company that has nominee shareholders or shares in bearer form;
(v) the customer is a business that is cash intensive;
(vi) the corporate structure of the customer is unusual or excessively complex given the nature of the company’s business;
(b) product, service, transaction or delivery channel risk factors, including whether—
(i) the product involves private banking;
(ii) the product or transaction is one which might favour anonymity;
(iii) the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures;
(iv) payments will be received from unknown or unassociated third parties;
(v) new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products
(vi) the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in a third country;
(c) geographical risk factors, including—
(i) countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering or terrorist financing;
(ii) countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism (within the meaning of section 1 of the Terrorism Act 2000, money laundering, and the production and supply of illicit drugs;
(iii) countries subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations;
(iv) countries providing funding or support for terrorism;(v) countries that have organisations operating within their territory which have been designated—
(aa) by the government of the United Kingdom as proscribed organisations under Schedule 2 to the Terrorism Act 2000, or
(bb) by other countries, international organisations or the European Union as terrorist organisations;
(vi) countries identified by credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations as not implementing requirements to counter money laundering and terrorist financing that are consistent with the recommendations published by the Financial Action Task Force in February 2012 and updated in October 2016.
(7) In making the assessment referred to in paragraph (6), relevant persons must bear in mind that the presence of one or more risk factors may not always indicate that there is a high risk of money laundering or terrorist financing in a particular situation….”
Reg 33(1)(a)(ii) cross-refers to Reg 17(9) and Reg 47. The first of those provisions does not apply on the facts of this case, but the second is headed “Duties of supervisory authorities: information” and until Brexit it read as follows. After IP completion day on 31 December 2020, subparagraphs (3)(a) to (e) were revoked.
“(1) A supervisory authority must, in any way it considers appropriate, make up-to-date information on money laundering and terrorist financing available to those relevant persons which it supervises (“its own sector”).
(2) The information referred to in paragraph (1) must include the following—
(a) information on the money laundering and terrorist financing practices considered by the supervisory authority to apply to its own sector;
(b) a description of indications which may suggest that a transfer of criminal funds is taking place in its own sector;
(c) a description of the circumstances in which the supervisory authority considers that there is a high risk of money laundering or terrorist financing.
(3) The information referred to in paragraph (1) must also include information from the following sources which the supervisory authority considers is relevant to its own sector—
(a) reports drawn up by the European Commission under Article 6.1 of the fourth money laundering directive;
(b) recommendations made by the European Commission under Article 6.4 of that directive (unless the Treasury and the Home Office notify the supervisory authority that a recommendation will not be followed);
(c) joint opinions issued by the European Supervisory Authorities under Article 6.5 of that directive;
(d) high-risk third countries identified in delegated acts adopted by the European Commission under Article 9.2 of the fourth money laundering directive;
(e) guidelines issued by the European Supervisory Authorities under Articles 17, 18.4, or 48.10 of that directive;
(f) the report prepared by the Treasury and the Home Office under regulation 16(6);
(g) any relevant information made available by the Treasury and the Home Office under regulation 16(8);
(h) any relevant information published by the Director General of the NCA under section 4(9) (operations) or 6 (duty to publish information) of the Crime and Courts Act 2013.”
From those lengthy provisions, the following points are particularly relevant:
EDD is required where there is a high risk of MLTF, both when that high risk is identified by the relevant person, and/or when it is set out in information made available by HMRC or the NCA, see Reg 33(1)(a)(ii), with reference to Reg 47.
EDD is also required where there is a “business relationship or transaction with a person established in a high-risk third country”, see Reg 33(1)(b), where a “high risk third country” is one identified by the EU and specified in delegated legislation, see Reg 33(3). Pakistan was so specified.
When a relevant person is assessing whether there is a high risk of MLTF, it must take into account the risk factors set out at Reg 33(6) relating to customers, products, services, delivery channel and geography, but must also bear in mind that the presence of one or more risk factors may not always indicate that there is a high risk of MLTF in a particular situation, see Reg 33(7).
If EDD is required, the nature and scope of the relevant measures are not prescribed; Reg 33(5) sets out some possibilities, but it depends on “the requirements of the case”.
Reg 33(1)(a)(ii)
Ms Toman submitted that Reg 33(1)(a)(ii) required EDD where information made available” by HMRC or the NAC identified the case as high risk, and that was the position here. She relied on the following:
the HMRC Guidance at 10.6 which says that “where the beneficiary of a money transmission is in a high risk country you should do enhanced due diligence checks on your customer”; together with the fact that Pakistan was identified as a high risk country by both FATF and the EU; and
the NRA identification of both MSBs and the use of cash as high risk of MLTF.
Mr Lakha did not accept that EDD was required by that guidance, and I agree. The first of the citations relied on by Ms Toman is from Chapter 10 of the HMRC Guidance. That Chapter opens by saying that it is setting out “examples of common risk indicators”; that the signs listed in the Chapter are not always suspicious, but “it depends on the circumstances of the case”. That guidance is also given in the context of the overall approach at Chapter 3, namely that the relevant person is required to carry out its own risk-based approach and use its informed judgement.
At the relevant time, there was no statutory requirement that all transactions with Pakistan required EDD. Instead, as the EU Guidance said “Firms should apply additional EDD measures in those situations where this is commensurate to the ML/TF risk they have identified”. That is what BSEL had done. There is more about BSEL’s risk assessment at Part 6 in the context of Reg 18.
Although the NRA did identify money services as high risk, it also said that this should be “managed on a case-by-case basis”, and noted in particular the difference between large MSBs with sophisticated compliance and systems (such as BSEL) and smaller businesses.
Nothing in the HMRC Guidance or the NRA 2017 required all cash transactions, or all transactions with agents, to be classified as high risk: as the Explanatory Memorandum to the amending regulations said, “the MLRs are deliberately not prescriptive, providing flexibility in order to promote a proportionate and effective risk based approach” and the EU Guidance stated:
“Firms should take a holistic view of the risk associated with the situation and note that, unless Directive (EU) 2015/849 or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.”
Ms Toman also submitted that when assessing the risks, BSEL should have reclassified transaction risk when it received Eversheds’ 2019 audit report (see §248). Mr Lakha made the following submissions, with which I agree:
Eversheds categorised the reclassification of transaction risk as a “low priority”;
this classification was used by Eversheds where there was no breach of the MLR;
the same audit report also stated that “the CDD and EDD thresholds are appropriate and in compliance with BSEL’s legal and regulatory obligations”; and
Eversheds also concluded that BSEL was “complying with its legal and regulatory obligations pursuant to the MLR 2017”.
Reg 33(1)(b)
Although not referred to by Ms Chapman in either the Suspension Decision or the Cancellation Decision, Ms Toman also submitted that BSEL had breached Reg 33(1)(b) on the basis that EDD was required “in any business relationship or transaction with a person established in a high-risk third country”.
Again, I do not agree. Although the beneficiaries were established in Pakistan, which was a high-risk third country, BSEL does not have a business relationship with the beneficiaries for the reasons set out at §411. BSEL also does not transact with those beneficiaries; it simply arranges for cash to be transferred to a bank in that country.
Reg 33(1)(g)
Reg 33(1)(g) extends EDD to “any other case which by its nature can present a higher risk of money laundering or terrorist financing”. This subparagraph also formed no part of the Suspension Decision or the Cancellation Decision, but was relied on by Ms Toman. I reject that submission, for the following reasons:
Reg 33(1)(g) is a classic example of an “eiusdem generis” provision, in other words, wide residuary words which follow a list of more particular terms. As is well established, these residuary words do not stand alone, but are confined and limited by the preceding provisions. As the respected authority on statutory interpretation Bennion, Bailey and Norbury, says at Chapter 23.5: “though the residuary words are often described as general terms, the application of the ejusdem generis principle means that they end up being read as having a narrower meaning”.
That principle of statutory interpretation is particularly apposite here, where the provisions form part of legislation designed to be proportionate; or where the MSB is directed to use “informed judgement to focus [its] efforts on the highest-risk areas and reduce unnecessary burdens on customers”. Reg 33(1)(g) cannot be used as a catch-all provision so as to undermine those basic principles.
Conclusion on Reg 33 before 5MLR
For the reasons set out above, I find that BSEL did not breach Reg 33 in the period before the implementation of 5MLR. In coming to that conclusion, I note that it was also the view of Exiger, who in their 2018 report specifically recorded and approved both (a) the categorisation of transactions below £2,000 as “low risk” and (b) the CDD checks which BSEL carried out on those transactions; it was also the view of Eversheds, who in their April 2019 audit report concluded that “the CDD and EDD thresholds are appropriate and in compliance with BSEL’s legal and regulatory obligations”.
Regulation 33: 10 January 2020 to 10 November 2020
I next consider the position in the period from implementation of 5MLD to the changes notified to Ms Chapman on 5 November 2020, and in particular, the change to verification of occupation and income which went live on 10 November 2020.
The regulation
By 5MLD, Reg 33 was amended as follows (here was no change to Reg 33(5) to (7)):
“(1) A relevant person must apply enhanced customer due diligence measures and enhanced ongoing monitoring, in addition to the customer due diligence measures required under regulation 28 and, if applicable, regulation 29, to manage and mitigate the risks arising—
(a) in any case identified as one where there is a high risk of money laundering or terrorist financing—
(i) by the relevant person under regulation 18(1), or
(ii) in information made available to the relevant person under regulations 17(9) and 47;
(b) in any business relationship with a person established in a high-risk third country or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country
(c) …
(d) if a relevant person has determined that a customer or potential customer is a PEP, or a family member or known close associate of a PEP (in accordance with regulation 35);
(2) …
(3) For the purposes of paragraph (1)(b)—
(a) a “high-risk third country” means a country which has been identified by the European Commission in delegated acts adopted under Article 9.2 of the fourth money laundering directive as a high-risk third country (Footnote: 1);
(b) a “relevant transaction” means a transaction in relation to which the relevant person is required to apply customer due diligence measures under regulation 27;
(c) being “established in” a country means—
(i) in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and
(ii) in the case of an individual, being resident in that country, but not merely having been born in that country.
(3A) The enhanced due diligence measures taken by a relevant person for the purpose of paragraph (1)(b) must include—
(a) obtaining additional information on the customer and on the customer's beneficial owner;
(b) obtaining additional information on the intended nature of the business relationship;
(c) obtaining information on the source of funds and source of wealth of the customer and of the customer's beneficial owner;
(d) obtaining information on the reasons for the transactions;
(e) obtaining the approval of senior management for establishing or continuing the business relationship;
(f) conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.”
Reg 33(1)(b) was therefore rewritten, so that EDD was required not only in any business relationship with a person established in a high-risk third country but also “in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country”.
In this case, one of the parties to the transactions (the beneficiary) is established in Pakistan. The key question is thus whether there is a “relevant transaction”. That term defined at Reg 33(2)(b) as “a transaction in relation to which the relevant person is required to apply customer due diligence measures under regulation 27”. As already set out but repeated for ease of reference, Reg 27(1) says:
“A relevant person must apply customer due diligence measures if the person—
(a) establishes a business relationship;
(b) carries out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the funds transfer regulation exceeding 1,000 euros;…”
I have already decided at §413 that BSEL has a business relationship with its direct customers and those transacting through UK agencies and aggregators, and thus that it is required to apply CDD to all its transactions. The transactions are therefore “relevant transactions” and it follows that BSEL was required to apply EDD to all transactions with Pakistan from 10 January 2020 when the revised version of Reg 33 came into force.
My conclusion differs from that of Eversheds, who advised BSEL on 5 November 2020 (see §284) that it was only required to apply EDD in relation to transactions above €1,000, in other words, on the basis that they were carrying out “occasional transactions”. Since I have found that BSEL has a business relationship with its UK customers; the occasional transaction threshold is irrelevant.
My conclusion also differs from that of Ms Chapman, who decided that BSEL had breached Reg 33(1)(a), whereas I have found that it breached Reg 33(1)(b). But the outcome is the same: I agree with Ms Chapman that for this period, BSEL was required to apply EDD to all its transactions with Pakistan.
What EDD was required?
Para (3A) opens by saying that “the enhanced due diligence measures taken by a relevant person for the purpose of paragraph (1)(b) must include”, and this is then followed by a list of measures. This new provision is in addition to para (3), which as before says that “Depending on the requirements of the case, the enhanced customer due diligence measures required under paragraph (1) may also include, among other things…”.
Given that para (3A) begins with a “must”, I considered whether each of the EDD measures there specified were required. I noted that:
they items are not connected by “and”, so they are not expressly cumulative;
on the other, they are also not connected by “or”, so they are not expressly alternatives; and
the list is “cut and pasted” from Article 1(11) of 5MLD which amended Article 18a of 4MLD so as to insert the exact same provision; it also has no “and” or “or” between the various measures.
It is however clear that some of the items on the list cannot be applied to all relevant persons: for example, the references to “the customer’s beneficial owner” is inapplicable to individuals, and the requirement to obtain “additional information on the intended nature of the business relationship” is not applicable to an MSB such as BSEL because the nature of the business relationship is to send funds overseas, and no additional relevant information could be provided. It would also be surprising if the senior management of an MSB such as BSEL had to check every single customer transacting with Pakistan, to see whether or not to continue that particular business relationship, rather than being able to rely in at least some cases on information already obtained about its customer base, and about the nature and type of the transactions.
The HMRC Guidance says at 4.42: “If enhanced due diligence is appropriate, then you must do more to verify identity and scrutinise the background and nature of the transactions than for standard customer due diligence. How this goes beyond standard due diligence must be made clear in your risk assessment and procedures”. It then sets out a bullet point list of examples. When the guidance was updated for 5MLD, in April 2020, a new bullet point has been added which transcribes Reg 33(3A), including the list of specified measures, again without using “and” or “or” after each one. I have thus taken it that HMRC also do not consider that Reg 33 requires that every one of these measures be applied by each relevant person, because if so, HMRC would have said so clearly, and they have not done so.
Taking into account that it is not possible or realistic to apply each of the measures to every relevant person, together with the approach taken in the 2020 edition of the HMRC Guidance, I find that it is mandatory to comply with at least one of the Reg 33(3A) measures, but not with all of them.
What did BSEL do?
As set out in Part 1 of this judgment, on 22 January 2020 Mr Kirby signed off the document entitled “MLRO Approval - CDD and EDD threshold conditions 5th MLD” by which he reduced the threshold for Pakistan from £5,000 to £2,000 for cash, and to £3,000 for electronic bank transfers; in either case the threshold applied whether there had been a single transaction or a cumulative total over 30 days. For transactions under that threshold, customers had only to provide proof of identity in order to meet the CDD requirement. It followed that EDD was not required for all transactions with Pakistan, and none of the mandatory requirements of Reg 33(3A) were met.
Conclusion on whether there was a breach
I therefore find that in the period from 10 January 2020 to 10 November 2020, BSEL was in breach of Reg 19(3)(b) because it did not introduce EDD for all transactions with Pakistan.
Who was responsible for the breach?
Mr Kirby was the MLRO at the time, and he formally approved the changes to BSEL’s procedures. As MLRO, part of his role was to ensure that the policies and procedures to combat money laundering and terrorist financing were up to date. Ms Chapman and Mr McLean were both asked in cross-examination whether HMRC had taken any action against Mr Kirby. Ms Chapman’s response was that she had not done so because Mr Kirby had left BSEL by the time of the Cancellation Decision; Mr McLean said he was “only looking at what is happening now”, in other words, he was focused on the review of the Individual Appellants which he had been instructed to carry out.
Regulation 33: 10 November 2020 onwards
As is clear from the foregoing, BSEL was required to implement EDD on all transactions with Pakistan from 10 January 2020. From 10 November 2020, BSEL introduced verification of occupation and income from customers transacting with Pakistan, with documented proof such as recent payslips, bank statements or P60s, see §292 at box 4.
One of the mandatory EDD requirements at Reg 33(3A) is “obtaining information on the source of funds”. Consistent with that requirement, by the Reinstatement Decision Ms Chapman accepted that providing third party evidence of source of funds was sufficient to meet the EDD requirements of Reg 33.
At the hearing Ms Toman explicitly confirmed on behalf of HMRC that this was the position, and that BSEL’s breach of Reg 33 had been remedied before the date of the Reinstatement Decision. It is not necessary for the purposes of this judgment for me to express a view on whether BSEL could have satisfied Reg 33 by introducing a form of EDD other than proof of source of funds.
Bangladesh
In the Suspension Decision, Ms Chapman also decided BSEL had breached Reg 19(1)(a) by reference to Reg 33 in relation to transactions with Bangladesh.
During the period before the implementation of 5MLD, BSEL had classified Bangladesh as a high-risk country, and so the analysis set out at §419ff above in relation to Pakistan also applies to Bangladesh. In summary, BSEL was entitled to rely on its own risk-based approach in deciding whether EDD was required, and there was no breach of the MLR.
When the law changed on 10 January 2020, Reg 33(3)(a) defined Pakistan (but not Bangladesh) as a high risk country which required EDD. The legal position in relation to Bangladesh was thus unchanged. The HMRC Guidance was also the same: the relevant person was still required to carry out its own risk-based approach and use its informed judgement, with Chapter 10 setting out examples of common risk indicators. There was thus no breach of the MLR.
In October 2020, following FATF’s reassessment, BSEL reclassified Bangladesh as medium-risk (see §287). By the Reinstatement Decision, Ms Chapman accepted that EDD was not required because Bangladesh was no longer a high risk jurisdiction.
Overall conclusion
In relation to transactions with Pakistan, BSEL was in breach of Reg 19(1) read with Reg 33(1)(b) for the period from 10 January 2020 to 10 November 2020, when the breach was remedied. In relation to transactions with Bangladesh, there was no breach.
PART 6: THE CANCELLATION DECISION
The Cancellation Decision was made under Reg 60, which reads:
“(1) If paragraph (2) applies, the registering authority may suspend (for such period as it considers appropriate) or cancel—
(a) the registration of a money service business or a trust or company service provider in a register maintained under regulation 54…
(2) This paragraph applies if, at any time after registration, the registering authority is satisfied that—
(a) the money service business…
is not a fit and proper person for the purposes of regulation 58.”
As set out at §351, Reg 58 requires that when deciding whether or not a person is “fit and proper”, HMRC must have regard to whether the person has “consistently failed to comply” with the MLR; the risk that the business may be used for MLTF, and whether the business, and any of its officers, managers or beneficial owners, has “adequate skills and experience and has acted and may be expected to act with probity”.
Ms Chapman’s reasons for the Cancellation Decision were as follows:
Mr Salam, Mr Ahmad, Mr Garcia, Mr Gomez, Mr Curran and Mr Hashmi were not fit and proper persons within the meaning of Reg 58, for the reasons set out in the Personal Decisions;
BSEL was not a “fit and proper person” within the meaning of Reg 58;
HMRC suspected, on reasonable grounds, that BSEL would fail to comply with any of its relevant obligations, within the meaning of Reg 59(1)(e); and
HMRC suspected, on reasonable grounds, that six “persons identified as officers or managers” of BSEL will fail to comply with the relevant obligations. I have taken it that the “persons identified as officers or managers” were the six Individual Appellants in (1), and did not include Mr Furnival, who had already left BSEL by the time of the Cancellation Decision.
This Part 6 of the judgment considers the second and third of those reasons. The first and fourth are at Part 7, which discusses the Personal Decisions.
Attached to the Cancellation Decision was the ToF, which set out in more detail why Ms Chapman had decided BSEL was not a “fit and proper person” by reference to particular provisions of the MLR. Both the Personal Decisions and the Prohibition Decisions are also based on the matters set out in the ToF.
I have therefore first considered each of the issues set out in the ToF, and then any additional points made in the Cancellation Decision, see §871ff. Because the Cancellation Decision depends not only on Ms Chapman’s conclusions in relation to BSEL, but also on the Personal Decisions, it is not possible to decide whether to uphold or set aside the Cancellation Decision until the Personal Decisions have been considered. As a result, my conclusion on the Cancellation Decision is at the end of Part 7.
REGULATION 18
Reg 18 begins as follows:
“(1) A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.
(2) In carrying out the risk assessment required under paragraph (1), a relevant person must take into account—
(a) information made available to them by the supervisory authority under regulations 17(9) and 47, and
(b) risk factors including factors relating to—
(i) its customers;
(ii) the countries or geographic areas in which it operates;
(iii) its products or services;
(iv) its transactions; and
(v) its delivery channels.
(3) In deciding what steps are appropriate under paragraph (1), the relevant person must take into account the size and nature of its business.”
Reg 18 therefore requires a relevant person to assess the risks of MLTF. A “relevant person” is a person who is required to comply with the MLR, see Reg 3 read with Reg 8. Such persons include financial institutions, defined by Reg 10(2)(a) to include most MSBs. It was common ground that BSEL was a “relevant person”.
REGULATION 18(2)(a): INFORMATION FROM THE NRA AND HMRC
Reg 18(2) requires that, when carrying out its risk assessment, a relevant person must take into account “information made available to them by the supervisory authority under regulations 17(9) and 47”. Reg 17(9) is not relevant on the facts; Reg 47 is at §416. It sets out the type of information which the supervisory authority must provide, and requires that authority to take into account information and guidelines relevant to its own sector from Treasury and the Home Office; from the NCA, and from various EU sources.
Ms Chapman decided that BSEL had failed to comply with Reg 18(2)(a) because, having taken into account the HMRC Guidance and the NRA 2017, it should have assessed all its products, transactions and delivery channels as “high risk”, and had not done so. In particular, she considered that BSEL had wrongly assessed transactions as “low risk” despite the majority of those transactions being in cash. Relevant extracts from the HMRC Guidance and the NRA 2017 are set out in Part 4 of this judgment.
Findings of fact
As is clear from the findings of fact already made:
Products: BSEL has always assessed its products as high risk, because its only product is cross-border money remittance.
Transaction Type: In its April 2019 and April 2020 EWRAs, BSEL assessed “transaction type” as medium risk, after taking into account payment method, amount and number of transactions, collection method and both incoming and outgoing transfers, as further detailed at §240ff. Included in that risk assessment was the fact that the average transfer was cash of £516, well below the EDD threshold. In its 2019 and 2020 audits, Eversheds recommended changing the classification of transaction risk, but said that the recommendation was a low priority issue and there was no breach of the MLR. In response to the 2020 recommendation, BSEL changed the risk assessment from medium to high, see §288(3).
Delivery channels: This risk was assessed as medium, contingent on the risk rating of the agents. The risk scoring allocated a “low” risk where less than 5% of agents were risk-rated as ‘high’ in Remit ERP, “medium” where between 5-10% were risk-rated as high, and “high” where more than 10% of agents were risk-rated as high. That methodology was approved by both Exiger and Eversheds.
Agent PCPs
BSEL’s PCPs provide that the first stage in a person becoming an agent for BSEL is that the following must be provided to the compliance department:
original passport;
proof of address and proof of trading address;
Individual Information Form for F&P testing purposes, and related credit checks and AML checks (see further §713);
completed application form; and
completed agency service agreement.
BSEL’s compliance department reviews those documents and carries out the related checks. If all is satisfactory, BSEL registers the agent with the FCA. The agent must then carry out AML/CTF training and pass an exam with at mark of at least 80%. Unless and until the training has been completed, the agent cannot act for BSEL or carry out any transactions. There are further findings about the risk rating of agents and about training at §742.
The parties’ submissions
Ms Toman asked the Tribunal to find that Ms Chapman was right, for the reasons she had given. Mr Lakha submitted that Ms Chapman had misunderstood what Reg 18(2)(a) actually requires, which is for BSEL to assesses overall risk by considering of each separate factor before coming to an overall conclusion. Consistently with that approach, the HMRC Guidance requires each MSB to use its own “informed judgement to focus efforts on the highest-risk areas and reduce unnecessary burdens on customers presenting a limited risk of money laundering and/or terrorist financing”. He submitted that this was exactly what BSEL had done, as was clear from the EWRAs.
He emphasised that BSEL had already assessed products as high risk, and that the “transaction” factor considered the range of issues summarised at §461(2). The Eversheds’ recommendation had been expressly flagged as “low priority/no breach but recommended action to reflect best practice”.
The Tribunal’s view
The Recitals to 4MLR specify that the provisions are “targeted and proportionate”, requiring a “holistic, risk-based approach”, involving “the use of evidence-based decision-making”, and this is reflected in the HMRC Guidance cited by Mr Lakha.
There is nothing in the HMRC Guidance or in the NRA 2017 which require all cash transactions, or all transactions with agents, to be classified as high risk: as the Explanatory Memorandum to the amending regulations says, “The MLRs are deliberately not prescriptive, providing flexibility in order to promote a proportionate and effective risk based approach”.
The EU Guidance explicitly states that “unless Directive (EU) 2015/849 or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category”; firms are instead to take a “holistic view of the MLR” so as to “make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction” noting that “this often results in firms allocating different ‘scores’ to different factors”, and that “the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another”.
BSEL instructed Exiger, a market leading firms of international repute, to design its methodology and having taken into account further advice from Eversheds as to the separation of transaction risk, it followed that methodology. Products were always assessed as high risk; transaction type was moved to high risk in October 2020 and delivery channel risk was medium. The HMRC Guidance requires businesses to use their “informed judgment”. I agree with Mr Lakha that this is exactly what BSEL has done, and I also agree with his submissions on transaction risk.
Ms Chapman’s specific criticisms
Ms Chapman made a number of specific criticisms of the EWRAs of April 2019 and March 2020.
Transactions as low risk
Her first criticism was that BSEL had rated transactions as “low risk” on the basis that almost 100% were below the EDD threshold. In fact, transaction risk as a whole was always assessed as medium risk, as explained above, and that rating changed to high in the November 2020 EWRA.
Eversheds’ recommendation
Ms Chapman also criticised BSEL for not changing its transaction risk following receipt of the Eversheds’ 2019 audit. That report identified no high priority breaches of the MLR, and two unrelated medium priority issues. The recommended change to transaction risk was categorised as low priority. Moreover, the original risk classification was itself dependent upon the CDD threshold, which Eversheds explicitly approved (see §249).
NRA and cash
Ms Chapman also said that BSEL had failed to take into account the NRA which stated that “cash is inherently high risk due to it being untraceable, readily exchangeable and anonymous”. However, BSEL had already assessed its products as high risk on the basis that they consisted almost entirely of cash remittances, and as explained above, had assessed transaction risk by balancing a number of different factors.
Overall medium risk rating
Ms Chapman also criticised BSEL for having arrived at an overall risk rating of “medium” having considered its customer type, geography, products and services, distribution channel and transaction type. She said that as the business used agents and sent cash to Pakistan, this overall risk assessment was a “direct contradiction” to both the NRA, which stated that cash was high risk, and the HMRC Guidance, which said that (a) the “principal-agent relationship is being exploited to launder criminal funds” and (b) that there was “ risk of criminal groups exploiting UK-Pakistan corridor”.
However, as is clear from the findings of fact, BSEL carried out a complex and sophisticated risk assessment. It classified its products (cash) as high risk, and its Pakistan business as high risk. Indeed, BSEL classified Bangladesh as high risk on the basis of its own assessment in 2019, and maintained that assessment in its April 2020 EWRA, even though Bangladesh was not identified as high risk jurisdiction by the amendments to the MLR introduced by 5MLD. BSEL only reduced the assessment of Bangladesh to medium when that country’s risk level was formally confirmed by FATF as being fully compliant/ mostly compliant (see §287).
The HMRC Guidance does not require that all businesses using agents classify that part of their risk as “high”. Instead, it sets out criteria for principals to follow in managing their agents (see Chapter 9). As set out at §462 and §742, BSEL required agents to meet numerous requirements before being accepted (on-boarded). Its compliance team visited the agents and carried out audits; its Remit ERP system checked every single transaction; and agent oversight formed a separate “Dashboard” on the MI Dashboards (see §224(5)).
Multiple agents in small area
Ms Chapman also said that BSEL had failed to include in its assessments the risk of multiple agents operating within a small area, despite it being identified in the HMRC Guidance as a risk factor. However, as Mr Lakha pointed out, the HMRC Guidance states that their list of common risk indicators (which includes MSBs operating in a small area) is not an “exhaustive list, and neither are these signs always suspicious. It depends on the circumstances of each case”. BSEL’s customers tend to live in communities (such as around Whitechapel), and I agree with Mr Lakha that it entirely reasonable that multiple MSBs would be set up in such an area to offer money transfer services to those communities, many of whom are migrant workers.
Moreover, as set out under the previous sub-heading, BSEL’s risk assessment of agents was the result of monitoring and checks carried out via the Remit ERP system and by a programme of visits. These steps were appropriate, taking into account the size and nature of BSEL’s business, as required by Reg 18(3), and BSEL did not breach Reg 18 by not including the risk of multiple agents operating within a small area as a check within its systems.
Transactional data?
Ms Chapman also said that the transactional data reviewed by Mr Allington-Jones had shown that “almost £36m was transmitted through 13 agents, all with premises located on approximately 0.3 miles of Whitechapel Road in London, including three within the same building”. Mr Allington-Jones’s witness statement and exhibits did not provide any supporting evidence for this statement. For the reasons explained at §133ff, it is not in the interests of justice for the Tribunal to place any reliance on spreadsheet data which has not been exhibited, unless it was clear from the Appellants’ Schedule that they had re-run the transactional data and obtained the same results, and then only to that extent.
In relation to this particular statement in the ToF, the Appellants’ Schedule confirmed the existence of 13 agents along Whitechapel Road and the total value of the transactions over the two year period, although not the reference to 0.3 miles or there being three in the same building. Mr Garcia’s unchallenged evidence was that Whitechapel was the only place in the UK where there was this concentration of agents.
I therefore find as a fact that there were 13 agents operating in Whitechapel Road and that over the two year period they transacted almost £36m of business. However, this fact does not change the reasoning set out in the previous paragraphs: BSEL had numerous and appropriate checks on its agents, and not having a further check relating to agent proximity was not a breach of the regulation.
Conclusion on Reg 18(2)(a)
For the reasons set out above, BSEL did not fail to comply with Reg 18(2)(a).
REGULATION 18(2)(b)
Reg 18(2)(b) requires a relevant person, when carrying out its risk assessment, to take into account the risk factors posed by customers, the countries in which it operates, its products or services, its transactions and its delivery channels. Ms Chapman decided that BSEL had failed properly to risk assess its customers, transactions and delivery channels, for the reasons set out and considered below.
Customers: addresses
Ms Chapman decided that BSEL had failed properly to risk assess its customers, because it had not taken into account the risk of customers using agents not local to their residential address. She said:
“the risk of MLTF here is that these customers have chosen agents not based on convenience or economic factors, but rather on ease of carrying out illicit transactions or carrying them out without detection. There is also an increased possibility of these transactions not being carried out face to face and thus posing a higher risk of MLTF as potential criminals may seek to exploit this to conceal their identity.”
Spreadsheet SAJ04
In deciding that this risk should have been taken into account in BSEL’s PCPs, Ms Chapman relied on SAJ04. As explained at §114ff, HMRC identified during the hearing that this contained “material errors”, and the parties subsequently agreed that “as a result of those material errors, HMRC cannot and do not rely on SAJ04 or the alleged failures within the Table of Failures based on SAJ04”.
Despite that agreed statement, Ms Toman said that HMRC had nevertheless not withdrawn the part of their case which relied on BSEL not having taken into account the risk of customers using agents not local to their residential address. However, absent the data, HMRC had no evidence to support Ms Chapman’s decision that this risk that should have been taken into account.
Even before the withdrawal, Mr Allington-Jones had in terms accepted under cross-examination that the spreadsheet did not support Ms Chapman’s decision. That was because the program had been run by comparing the postcode of the customer with that of the agent: the report showed where the two differed. Postcodes had been reduced to the first two digits, and no further analysis had been carried out to eliminate postcodes which were geographically close together. Mr Allington-Jones agreed that “further work would be required to see how far apart the postcodes are”. The detailed data in the spreadsheet showed that many locations were close together: for example, both sender and agent having Luton or East London postcodes. Thus, even had the spreadsheet not been withdrawn, the Tribunal would have found that it did not support Ms Chapman’s conclusion that this risk should have been taken into account.
The HMRC Guidance and BSEL’s risk assessment
Ms Chapman said in her witness statement that in deciding that BSEL had failed properly to risk assess its customers, because it had not taken into account the risk of customers using agents not local to their residential address, she had relied on one of HMRC’s list of risk factors, namely that “there's no apparent reason for using your business's services, for example, another business is better placed to handle the size of transaction or the destination of the transmission”.
However, the use of an agent in a different location is not the same as there being “no apparent reason” for using the agent. The customer may work close to the agent’s location or the customer may be away from home or have a mobile job: many of BSEL’s customers are taxi-drivers. In cross-examination Ms Chapman agreed that “there may be genuine reasons” for a person to use an agent in a different postcode.
The HMRC Guidance is not prescriptive; as cited above in relation to Reg 18(2)(a), it requires MSBs to “balance the costs to your business and customers with a realistic assessment of the risk that your business may be exploited for the purpose of money laundering and terrorist financing. It allows you to use your informed judgement to focus your efforts on the highest-risk areas”. BSEL had done exactly that, as can be seen from the following six points, which constitute findings of fact:
BSEL carries out a risk assessment on all customers which take into account nationality, age, type of transaction, frequency of transactions and the destination country to which funds are sent.
From September 2019, BSEL introduced real-time automated customer risk assessment into the Remit ERP system, which calculated the customer’s risk score in real time. Previously, the risk assessment was recorded on the Remit ERP system and monitored on an on-going basis.
BSEL also has an internal blacklist, which is a database of customers with whom BSEL has decided to discontinue a relationship after previous transactions have been flagged by the Remit ERP system and reviewed by compliance.
At the time of customer registration, BSEL’s system automatically checks customer names and transaction references against the BCN Library, which is a database that contains restricted words which BSEL considers high risk such as ‘charity’, ‘mosque’, ‘LTD’ or ‘Limited’ where extra precaution is required before the transaction is released.
If a potential customer’s name is partially or fully matched with any of the words from the BCN Library or the internal blacklist, the registration request is sent to the Security Queue for review by a compliance officer.
BSEL is aware that its customer base is mobile and may travel to locations a distance away from where they live for a variety of reasons including work, association with others from the same community, shopping in areas known to have a large Bangladeshi/Pakistani population or simply out of loyalty to an agent that they have used over the years. The monitoring of these customers is just as stringent in terms of CDD and EDD as it is of customers using agents local their home.
The EU Guidance
Ms Chapman did not say, in either the ToF or in her witness statement, that she had relied on the EU Guidance in making this part of her Cancellation Decision; the EU Guidance was not included in the Authorities Bundle and neither was it referred to in HMRC’s skeleton. The first time Ms Chapman said she had relied on the EU Guidance was under cross-examination.
The EU Guidance lists as one possible factor “The customer’s needs may be better serviced elsewhere, for example because the money remitter is not local to the customer”. The risk factor here is that “the customer’s needs may be better serviced elsewhere”, the reference to a non-local agent is an example. There was no evidence that by using an agent in a different postcode, a customer was choosing an agent despite his needs being better served elsewhere.
Moreover, this is one the very long list of possible risk factors set out in the EU Guidance, all of which are prefaced by the statement that:
“the following risk factors are not exhaustive, nor is there an expectation that firms will consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation”.
I find that BSEL did not fail to follow the EU Guidance by not having a control which flagged when a customer was using an agent in a different postcode, or (more broadly) one who was not local to the customer
Non face-to-face?
Ms Chapman also said that using a non-local agent increased the risk of the transaction not being on a face-to-face basis. However, BSEL classify all non-face-to-face transactions as high risk, so this is plainly wrong.
Conclusion on customers: addresses
BSEL did not breach Reg 18(2) by deciding that there was no need to have an extra control factor based on the postcodes of the agent and the customer, or based on the distances between them. BSEL instead made a realistic risk assessment of customer and agent risk, as it was required to do by the HMRC Guidance and the EU Guidance..
Customers: aggregators
Ms Chapman also decided that BSEL had breached Reg 18(2)(b) because “it had not identified the risk of aggregators having agents with high average transaction sizes”.
Findings of fact
BSEL has had a written Aggregator Policy since 2017 under which it carries out enhanced due diligence before onboarding an aggregator, including screening of all directors, disclosure and review of beneficial ownership, list of directors, shareholding structure, proof of ID and address for each director and other directorships held, the three most recent sets of financial accounts, the aggregators’ latest AML/CTF policies. BSEL also requires information about the number of agents, how long they have been trading and the level of business, and it carries out a company credit check, an adverse media search, a site visit and an audit. Once these internal control and compliance checks have been passed, the aggregator also has to be approved by BSEL’s CEO. BSEL’s PCPs also require the Internal Control department to perform yearly visits and evaluations on all aggregators, including refreshing the AML, director and company credit checks.
The software used by the aggregators has to be compatible with the Remit ERP system and transactions made by the aggregator are subject to the same monitoring thresholds as those carried out by BSEL’s agents. As already found earlier in this judgment, BSEL monitored transactions on a customer by customer basis, so customers’ transactions were cumulated irrespective of which agent/aggregator they used, and customers were also risk-assessed. In addition, each aggregator is individually registered with HMRC and with the FCA.
Transactional data?
Ms Chapman placed reliance on an analysis of one of the aggregators which she said had been carried out by Mr Allington-Jones, but no related spreadsheet was provided. For the reasons explained at §133ff, I find that there is no reliable evidence before the Tribunal to support Ms Chapman’s view as to the extent of the risk.
The Tribunal’s view
Mr Lakha submitted that this was another example of Ms Chapman seeking to impose her own views as to the correct risk assessment for BSEL and failing to acknowledge that, as stated in HMRC’s own guidance, the business used its own “informed judgement” to asses the risks to its business. I agree with Mr Lakha and find there is no basis for Ms Chapman’s conclusion.
Transactions
Ms S decided that BSEL had failed properly to risk assess its transactions, saying it had “failed to take cumulative transactions into account” because it “assessed its transactions as being low risk due to being small average amounts, however it did not take into account customers who make multiple transactions within a short period of time”.
This is simply wrong. BSEL did not assess its transactions as being low risk, but as being medium risk. Moreover, one of the factors which was explicitly taken into account in coming to the overall medium risk assessment was cumulative transactions (see the findings of fact at §240(3)).
Ms Chapman’s example
Ms Chapman provided an example of a named customer who “sent five transactions on 9 May 2020 of £149, £486, £729, £149 and £390” and said that BSEL “did not take into account the fact that £1,903 had been sent on one day”.
Mr Garcia’s evidence, which was not challenged, and which was supported by detailed documentation, was that the BSEL had previously carried out enhanced due diligence on that customer and had obtained proof of ID, proof of address; several declarations of source of funds and purpose of transfer and proof of source of funds. The customer works for a national utility company and sends monies to his family for support and for medical purposes; he made 45 transactions in two years, but only ever to a total of eight beneficiaries.
Mr Lakha submitted that this finding by Ms Chapman demonstrates “the severe limitation on simply relying on transaction quantity and amount” without considering factors that are known to BSEL, namely the identity of the sender, source of funds and the purpose of the transaction, and BSEL’s processes for monitoring transactions. I again agree.
Delivery channels: agent proximity
Ms Chapman decided that BSEL had failed properly to assess its delivery channels, because the Remit ERP system did not include, as a risk factor, a “dense proximity of agents”. She said that “the transactional data showed, for example, almost £36 million was transmitted through 13 agents, all with premises located on approximately 0.3 miles of Whitechapel Road in London, including three within the same building”. This has already been considered at §477, and for essentially the same reasons I find there was no breach of Reg 18(2)(b).
Delivery channels: agents’ transactions
Ms Chapman decided that BSEL had failed correctly to asses its delivery channels for the further reason that the system did not include a specific flag to identify when agents are sending money to themselves. She said agents “know BSEL’s CDD and EDD thresholds, which gives them the potential to create fictitious transactions or purposely split larger amounts into smaller transactions” and in reliance on Mr Allington-Jones’s spreadsheet (SAJ09) said “the transactional data for the period 1 September 2018 to 31 August 2020 showed that 83 agents had sent funds themselves, from their own premises, totalling £642,354.95”.
Findings of fact
On the basis of Mr Garcia’s unchallenged evidence, I find that agents are unable to approve and override BSEL systems in order to transfer their own money. In particular:
an agent who wants to transfer his own money has to undergo the same stringent CDD/ EDD checks as any other customer;
BSEL has numerous checks on agents, see §519 below;
the same tests for cumulative transactions and proof of earnings apply to agents as they do to other customers; and
agents have no capacity to approve an ID Document; release a transaction that is in the Security Queue list awaiting verification by BSEL’s compliance department or amend any transaction which has already been completed.
Ms Chapman did not say that the spreadsheet provided by Mr Allington-Jones demonstrated that agents were splitting transactions and Mr Allington-Jones did not give evidence to that effect. I find as a fact that the spreadsheet does not demonstrate that these agents were splitting transactions.
I have already found as facts (see §187ff) that there were 306 agents in in July 2020; that they were mostly from the same ethnic background as the customers, and, like the customers, transfer funds back home to friends and family and travel to see relatives overseas. I have made the reasonable assumption that the 83 agents in Mr Allington-Jones’s spreadsheet were those who had remitted the highest amounts of money. The following further facts are based on that spreadsheet:
every beneficiary listed on Mr Allington-Jones’s spreadsheet had a unique identifier;
in many cases the exact familial relationship between the beneficiary and the agent was visible in the spreadsheet, so that information was available to BSEL for transaction monitoring purposes; and
on average each of the 83 agents sent £3,869 per annum, or £74.40 a week.
I agree with the Appellants that this figure is entirely consistent with agents sending money to their friends and family. Moreover, that figure is the average remittance of the 83 agents with the highest level of remittances. This is around 25% of the total number of agents, with around 75% of agents sending lower amounts.
Conclusion on distribution channel: agent transactions
BSEL did not breach Reg 18(2) by deciding that there was no need to have an extra control factor relating to agents’ own transactions.
Conclusion on Reg 18(2)(b)
For the reasons set out above, BSEL did not fail to comply with Reg 18(2)(b) in relation to customers, transactions or delivery channels.
REGULATION 19: POLICIES CONTROLS AND PROCEDURES
Regulation 19 is headed “Policies, controls and procedures”. The paragraphs in issue were not changed by 5MLR; they read:
“(1) A relevant person must—
(a) establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1);
(b) regularly review and update the policies, controls and procedures established under sub-paragraph (a);
(c) maintain a record in writing of—
(i) the policies, controls and procedures established under sub-paragraph (a);
(ii) any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (b); and
(iii) the steps taken to communicate those policies, controls and procedures, or any changes to them, within the relevant person's business.
(2) The policies, controls and procedures adopted by a relevant person under paragraph (1) must be—
(a) proportionate with regard to the size and nature of the relevant person's business, and
(b) approved by its senior management.
(3) The policies, controls and procedures referred to in paragraph (1) must include—
(a) risk management practices;
(b) internal controls (see regulations 21 to 24);
(c) customer due diligence (see regulations 27 to 38);
(d) reliance and record keeping (see regulations 39 to 40);
(e) the monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures.
(4) The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures—
(a)-(c) …
(d) under which anyone in the relevant person's organisation who knows or suspects (or has reasonable grounds for knowing or suspecting) that a person is engaged in money laundering or terrorist financing as a result of information received in the course of the business or otherwise through carrying on that business is required to comply with—
(i) Part 3 of the Terrorism Act 2000; or
(ii) Part 7 of the Proceeds of Crime Act 2002;
(e) which, in the case of a money service business that uses agents for the purpose of its business, ensure that appropriate measures are taken by the business to assess—
(i) whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58; and
(ii) the extent of the risk that the agent may be used for money laundering or terrorist financing.
(5) In determining what is appropriate or proportionate with regard to the size and nature of its business, a relevant person may take into account any guidance which has been—
(a) issued by the FCA; or
(b) issued by any other supervisory authority or appropriate body and approved by the Treasury….”
REGULATION 19(3)(a): RISK MANAGEMENT
Ms Chapman decided that BSEL breached Reg 19(3)(a) on the basis that it had failed to establish and maintain appropriate risk management practices in the ways set out below. In addition, Ms Chapman also relied on the “agents not local to the residential address” issue, which has already been considered at §484.
Agents using the system outside the registered premises
Ms Chapman decided that BSEL had breached Reg 19(3)(a) because it did not prevent agents from logging into their system from outside their registered premises. In the Cancellation Decision she said BSEL “was aware that its system cannot currently prevent agents from logging on outside of their registered premises; it as not yet implemented a PCP to prevent this” and that this constituted a “deliberate failure” to comply with the MLR.
Ms Chapman did not refer to any guidance in coming to this conclusion. I note that the HMRC Guidance lists among its common risk indicators, “agents who undertake business outside normal business hours”, and the same factor is also included in the EU Guidance. Neither includes any risk indicator relating to agents logging on to their computers outside their registered premises.
Findings of fact
The Remit ERP system:
blocks access to the Remit ERP system between midnight and 8am;
uses Experian (see further §544) to check the agent’s own ID documents before transacting, in the same way as it does for other customers;
issues agents with a multifactor authentication tool that generates a one-time pin to access the system;
records compliance visits to agents and the risk assessment of the agents;
uploads and stores copies of signed money transfer receipts;
triggers an automatic alert when several transactions are made below limits in a short period of time by the same agent; the MLP Dashboard also tracks cumulative agent transactions.
The only effective way of preventing an agent from logging on to his computer other than at his registered premises would require the Remit ERP system to track his location. However:
it is technically difficult to monitor the exact location of an agent, because this type of monitoring is based on IP addresses;
internet providers change IP addresses frequently;
where agents live above the premises, or in a nearby location, the IP address would not identify that the agent was working from home rather that at the registered premises; and
BSEL had considered whether it was possible to include a further enhancement to the system, but decided that no other control was technically feasible at present.
The parties’ submissions
Ms Toman invited me to agree with Ms Chapman that BSEL had failed to comply with Reg 19(3)(a) because it did not have a flag to identify when an agent was accessing the Remit ERP system outside of his registered premises. Mr Lakha emphasised various of the facts set out above, and made this further submission:
“Sarah Chapman commenced this review during the Coronavirus Pandemic, when working from home was the norm. It is surprising that HMRC has elected to focus on this as a risk indicator given the particular circumstances that BSEL found itself in at that time. Furthermore, the particular nature of the underlying risk is not entirely clear. The Coronavirus Pandemic has utterly transformed the prevailing attitude towards remote use of computers.”
The Tribunal’s view
Reg 19(2) requires PCPs to be “proportionate with regard to the size and nature of the relevant person's business”. BSEL had numerous PCPs relating to agent onboarding, transactions and risk assessments, as set out at §519 and §742ff. Neither the HMRC Guidance nor the EU Guidance identifies, as a risk factor, an agent logging on away from his premises.
Taking into BSEL’s extensive and detailed PCPs in relation to agents, together with the other facts set out above, I find that BSEL acted entirely proportionately in not including in its Remit ERP system a measure relating to whether an agent was logging on to that system from a location other than his registered premises, and that there was no breach of Reg 19(3)(c).
Moreover, BSEL did not “deliberately” fail to address the issue. It was reasonable and appropriate for it to rely on its existing PCPs, and it was not technically possible to implement the further control which Ms Chapman wanted BSEL to install.
Special characters
Ms Chapman decided BSEL had breached Reg 19(3) because it “did not establish PCPs to effectively mitigate the risk of its customers setting up and using multiple accounts” by using variants of their names. The risk here was that if customer had more than one account, his transactions would not be cumulated, allowing him to stay below the EDD threshold. Possible variants to a name might include putting a dot after an initial, or including a space, a hyphen, a number, or an alphabetic variant using an accent, tilde or similar (“a special character”),
Findings of fact
Not all special characters are indicators of a name being wrongly recorded: for example, some names correctly include foreign letters, such as ñ in Spanish or ç in French.
BSEL recognised the risk of incorrect special characters leading to duplicate accounts. In January 2018, it introduced a new tool into the Remit ERP system. This deleted any special character inserted by an agent when he created a customer profile. That default spelling could only be overridden by the compliance department who would compare the name the customer wanted to register with that on his official ID document.
In January 2020, BSEL introduced an OCR feature into Remit ERP which checked ID documents and prevented any transaction being completed if the name included special characters; any such cases were flagged and checked by the compliance department against the official ID document.
Mr Allington-Jones’s spreadsheet
In reliance on a spreadsheet produced by Mr Allington-Jones (SAJ01) based on agent data, Ms Chapman said that BSEL’s controls were ineffective. The spreadsheet showed that there were just over £1m of agent transactions between September 2018 to 31 August 2020 in which a customer had either a dot or a hyphen in the name.
However, Mr Allington-Jones accepted in cross-examination that some customers’ names (including his own) did include hyphens or special characters and the mere occurrence of these special characters in a name did not mean that it had been recorded incorrectly.
I find as follows:
Mr Allington-Jones’s spreadsheet identified just over £1m of agent transactions over a two year period. Around 16 months of that period predated the automated check using the OCR function.
During that two year period BSEL carried out £418m of agent transactions. In other words, around 0.2% of BSEL’s transactions were with a customer whose recorded name contained a special character.
As Mr Allington-Jones accepted, having a small residual number of names with special characters does not mean that those names are duplicate or erroneous.
Spreadsheet SAJ01 thus does not prove that the controls introduced by BSEL were ineffective.
Aggregators
I find as a fact, on the basis of the Appellants’ evidence as given to Ms Chapman during the meeting on 10 March 2021, that the same Remit ERP tool was introduced for special characters for aggregator transactions, and that the OCR function was added in March 2020.
Ms Chapman says in the ToF that “the aggregator data for the same period contains over £1 million of transactions where a dot or hyphen appears in the sender name”. However, no related evidence was exhibited by Mr Allington-Jones, and there is also no reference to this alleged breach in the Appellant’s Schedule. HMRC have therefore provided no evidence to support Ms Chapman’s statement and for the reasons explained at §133ff, I do not accept it.
In any event, the total figure is around 0.2% of aggregator transactions in the two year period, and as explained in the previous paragraphs, the existence of a small number of special characters does not indicate that BSEL’s controls were ineffective.
The Tribunal’s conclusion
BSEL did not fail to establish PCPs to mitigate effectively the risk of its customers setting up and using multiple accounts using special characters. On the contrary, it introduced controls in January 2018 and improved them in January 2020. There was no breach of Reg 19(3).
Duplicate customer names
Ms Chapman also decided that BSEL had breached Reg 19(3) because, in addition to the special character issue, it “did not establish PCPs to effectively mitigate the risk of its customers setting up and using multiple accounts”. She followed this statement by a reference to work carried out by Mr Allington-Jones, but no supporting evidence was provided and there is no reference to it in the Appellants’ Schedule. For the reasons explained at §133ff, I have not placed any weight on Ms Chapman’s summary of that work.
Findings of fact
In 2018 BSEL identified the possibility that customers could have opened more than one account, but the issue was very difficult to resolve, because many Bangladeshis and Pakistanis have the same name: for instance, Mohammed Ali or Mustafa Khan, and the same customer name may also have been entered with slightly different spelling over the many years of the company’s operation. BSEL sought to resolve this issue as follows:
In January 2018 it manually merged duplicate customer profiles and before doing so created a specific procedure to clean the data.
BSEL also implemented the automated control to the Remit ERP system to avoid special characters, as discussed above, which reduced the risk of duplicate accounts.
In January 2020, BSEL introduced the OCR check. If the ID matches the customer profile the transaction is permitted to proceed, if the document does not match, the transaction is stopped and referred for manual review. This ensured that where there had been manual errors in the input of a customer’s details this would be identified and rectified.
In the same month, BSEL commissioned xGen Media, a third-party software developer, to devise a program to cleanse the system of old duplicate accounts. In September 2020, BSEL introduced the first version of that new program, which was called the Virtual Customer Profile (“VCP”) merging process
On 27 October 2020, during the call with Ms Kenning (see §279) , Ms Dhillon said that BSEL had “created within their software the ability to identify duplicate accounts which merge into one profile, so there is no risk of multiple transactions through different accounts”.
On 5 November 2020, a conference call took place between Ms Chapman, Mr Curran, Mr Furnival and Mr Garcia. Mr Furnival confirmed Ms Dhillon’s earlier comment. After that call, Ms Chapman emailed Mr Curran asking him to “provide the date that the system disallowed multiple customer accounts to be opened by a customer”. At one of the conference calls which took place on 1 and 3 December 2020, Mr Garcia told Ms Chapman that “sender profiles had been merged so that multiple accounts can no longer be set up”.
However, subsequent testing of the VCP program showed that the algorithm needed to be adjusted, because some customers’ accounts had been incorrectly merged: in other words, accounts had been merged when they belonged to different individuals. Further work was done on the VCP program to amend the algorithm, and by March 2021 the program ensured that all duplicate customer profiles had been correctly merged. The changes applied to any customer carrying out a transaction after that date, whether an existing or a new customer.
The position of the parties
Ms Chapman decided that:
BSEL had taken too long to resolve this issue, and as a result had breached Reg 19(3)(a);
BSEL had deliberately misled her into thinking that the VCP program had been implemented by October 2020, when it was not fully implemented until January 2021; and
the control only applied to new customers.
The Appellants’ position was that:
they had throughout been doing their best to solve this difficult problem. Ms Chapman’s decision demonstrates her lack of understanding of the basic reality that few computer programs are implemented without any problems.
When they informed Ms Chapman that the VCP program had been implemented, those providing that information were honestly communicating their understanding of the position.
Ms Chapman was wrong to conclude that the VCP program applied only to new customers; it applied to all customers who made transactions after the changes had been implemented.
The Tribunal’s view
I agree with the Appellants on all three points.
It is clear from the findings of fact that BSEL had done its best to solve this difficult problem, and finally succeeded.
The Appellants’ witnesses gave honest and credible evidence, and I accept that when they communicated with Ms Chapman they were communicating their genuine understanding of the position. They did not deliberately mislead Ms Chapman when they told her that the program had been implemented: that was their honest belief. And, of course, it had been implemented, albeit that testing showed that a change to the algorithm was required to ensure that some customers’ accounts remained active. In any event, the VCP program introduced in September 2020 over-compensated, by merging genuine accounts, so there was no continuing risk from that point.
I have already found as a fact, on the basis of the evidence provided, that the VCP program applied to all transactions after implementation, and thus did not apply only to new customers.
Conclusion
For the reasons set out above, BSEL did not fail to establish PCPs to mitigate effectively the risk of its customers setting up and using multiple accounts, and there was no related breach of Reg 19(3).
Shared telephone numbers
Ms Chapman also decided that BSEL had breached Reg 19(3) because “until March 2019 BSEL had failed to establish effective PCPs to prevent customers providing a telephone number that was shared with more than one other customer and had no PCPs to monitor the transactions of these senders as being linked”.
Findings of fact
On registration, BSEL requires original proof of identity to be provided. Valid ID documents are limited to a passport, driving licence, national identity card or a residence permit card, all of which must contain the customer’s full name, photograph, and date of birth. Proof of UK residency is required for all customers.
BSEL also undertakes an electronic ID verification for all customers, using an independent external provider, Experian. From July 2019, BSEL used Experian’s Auto Doc function to authenticate electronically the identity documents. In November 2020, BSEL instead implemented Experian’s Proof ID, which authenticated the customer’s name, date of birth and address.
In February 2019, BSEL introduced a control which flagged when a telephone number was shared by more than two individuals, but that a number shared by two people did not trigger an alert. BSEL decided on that threshold because it had taken into account its customer base: the majority of customers are Bangladeshi or Pakistani migrants, who commonly live in a house with two or more households; in addition, some customers are elderly. It is therefore common for an individual to share the same contact number with another close family member.
That two-person control operated as a flag, not an absolute bar. If two people were already on the Remit ERP system as sharing a given phone number, and a third individual then gave the same number, the transaction would be referred to the compliance department for review. If the three individuals were, for example, two elderly parents and a child, the transaction would be released. Some numbers therefore continued to be shared between more than two people after February 2019.
BSEL has subsequently developed a new program called “One Customer, One Mobile Number” which would require each customer to have a separate mobile number. However, BSEL was unable to implement this program before its registration was cancelled.
EU Guidance
Ms Chapman did not cite any HMRC guidance in the ToF, and her witness statement does not say that she relied on any guidance. Under cross-examination, she again said she had been relying on the EU Guidance. That lists as one of many possible risk factors that “several of the firm’s customers transfer funds to the same payee or appear to have the same identification information, for example address or telephone number”.
The risk factor referred to in the EU Guidance is therefore overlapping ID, but BSEL does not rely on customers’ telephone numbers to establish their identity. Instead, it requires the provision of government approved third party documentation, independently verified by Experian. Ms Chapman has misunderstood the EU guidance.
The data
Ms Chapman relied on a spreadsheet prepared by Mr Allington-Jones (SAJ02), which in HMRC’s submission showed that 446 telephone numbers accounted for:
“Transactions totalling £5,340,952 in the period 1 September 2018 to 31 August 2020 where three or more sender accounts shared the same telephone number.”
The Appellants did not agree that that this was correct. On the basis of the same transaction data, their results as set out in the Schedule showed that there were 257 shared phone numbers and the transactions totalled £2,616,293, less than half HMRC’s figure.
Mr Allington-Jones accepted that there was more than one way of summarising the data, and said that “if the test was summarised in a different way…it would likely give different results”. My own review of the spreadsheet shows that users with the same family name have not been removed, nor been separately quantified as a subset of the data, before conclusions were drawn.
I find that HMRC have failed to prove the extent of the risk, because:
Mr Allington-Jones’s conclusions were not replicated by the Appellants;
he accepted that “if the test was summarised in a different way…it would likely give different results”;
the data included individuals with the same family name, where sharing a telephone is unlikely to indicate MLTF; and
even if the figure of £5,340,952 were to be correct, it was for the entire period from 1 September 2018 to 31 August 2020, and thus includes six months before the two person control was introduced in February 2019.
The ToF also stated that Mr Allington-Jones had carried out an analysis of the position for the period after the number of customers had been limited to two. Not only has no supporting evidence been exhibited in Mr Allington-Jones’s witness statement, but in cross-examination he said he had not carried out a test to identify transactions after the two person limit had been introduced. I have therefore not placed any reliance on that part of the ToF.
The Tribunal’s view
I find that BSEL did not fail to establish PCPs to mitigate effectively the risk of its customers sharing phone numbers. Instead BSEL had taken an informed decision, in the light of its knowledge of its client base, that two customers sharing phones was not a significant risk factor. That decision was made in accordance with the holistic and risk-based approach required by the MLR and the related guidance. There was no related breach of Reg 19(3).
Fast transactions
Ms Chapman decided that BSEL had breached Reg 19(3) because it “had not established PCPs to ensure that the time taken to carry out transactions by its agents was credible and thus allowed potentially fictitious transactions to take place without detection”. Ms Chapman relied on (a) the HMRC Guidance; (b) spreadsheet SAJ03 and (c) the minutes of the conference call on 1 and 3 December. I consider each in turn, but I first make findings of fact.
Findings of fact
In reliance on Mr Garcia’s unchallenged evidence, I find that the Remit ERP system includes the following functions:
a control which prevented transactions within one minute from the same customer;
a “Repeat” function designed to assist the agent to be more efficient so that where a customer wants to repeat a similar transaction previously undertaken, copies of the original transaction data are used to repopulate the screen so that the new transaction can be executed quickly;
a “retain” function which allows a transaction order to be held as pending, so that when the reason for that has been resolved, it can be finalised very quickly;
a “flag” for review by compliance if an agent completes multiple transactions of the same value, or within a short time; and
as a result it is possible for two genuine transactions to take place in under a minute.
As Ms Chapman herself accepted, BSEL had repeatedly invited her to view and test the Remit ERP system, but she had always declined; in the context of “fast transactions”, BSEL had also invited her to visit the branch and interview cashiers, but she also refused that offer.
Given that the Remit ERP system was designed to function quickly and efficiently, plus the extensive checks already in that system together with the other compliance checks on agents, BSEL did not consider that it was necessary to include a further control to monitor the number of transactions within a defined time period, such as one or two minutes. However, when this issue was raised by Ms Chapman, BSEL agreed to introduce a new control.
The HMRC Guidance
Ms Chapman relied on one of HMRC’s long list of “common risk indicators” which was “agents who carry out transactions too fast to be possible”. However, on the basis of my findings of fact, it is possible for two genuine transactions to take place in under a minute.
Spreadsheet SAJ03
In the ToF Ms Chapman cited Mr Allington-Jones’s analysis of the transactional data (SAJ03) saying that it had identified “163 occasions with transactions totalling £166,396.04, where a cashier has carried out two transactions for two different customers in less than a minute, this has occurred across 40 different agents”. The Appellants reran the data but were “not able to confirm or deny” those conclusions.
In her witness statement, Ms Chapman said that in the process of writing that statement she had identified that the figures stated in the ToF were wrong, and she now considered that the correct figures were 131 occasions totalling £131,876. If Ms Chapman were to be correct, the figure in the ToF was 26% too high, but Ms Chapman said that the “difference in the figures is minimal” and she was not changing her decision on this issue.
I place no reliance on spreadsheet SAJ03. As explained at §114ff, HMRC accepted at the hearing that one of the spreadsheets (SAJ04) contained “material errors” and although I rejected Mr Lakha’s submission that no reliance should therefore be placed on the other spreadsheets, I made an exception for spreadsheets where Ms Chapman had identified an error. This was such a case: Ms Chapman herself identified that the figures in the ToF were incorrect, but she did not explain how the error had arisen, or why the new number was in her view correct.
Even if Ms Chapman’s new figures were to be correct, I would have come to the same conclusion, because it was possible for genuine transactions to take place in less than a minute, see the findings of fact above.
Statements in meetings
In the ToF Ms Chapman relied on two points from HMRC’s notes of the telephone meetings she had held with BSEL on 1 and 3 December 2020. The first was that Mr Curran had “confirmed BSEL does not monitor the speed of transactions carried out by agents in order to ensure that they are credible” and the second that Mr Furnival had said that “a transaction would take a couple of minutes if no new documents or further information was required”.
However, those citations were incomplete. The notes of the meeting on which Ms Chapman relied also included the following:
Mr Curran “highlighted that if an agent completed too many transactions in one day it would be flagged up by the system”; and
Mr Furnival had added that the Remit ERP system had been programmed to flag up when there were “four or five transactions to the same country, which are of the same value with[in] the same agent”.
Thus, both Mr Curran and Mr Furnival had explained to Ms Chapman that the Remit ERP system had controls which were relevant to her concerns about “fast” transactions, but she failed to mention those controls in the ToF. I add that Mr Furnival’s statement that “a transaction would take a couple of minutes” was plainly not intended to be a definitive statement as to the minimum time within which a genuine transaction could be completed: in normal speech the phrase “a couple of minutes” simply means “quickly” or “a very short time”.
Conclusion
For the reasons set out above, BSEL did not breach Reg 19(3) as the result of not including in the Remit ERP system a specific flag to identify when two transactions were completed in less than a minute.
Aggregator risk assessments
Ms Chapman decided that “BSEL had failed to establish effective risk management PCPs to ensure its aggregators were complying with MLR 2017” because:
it failed to obtain their risk assessments as a pre-requisite to onboarding until January 2020; and
no risk assessment had been obtained from four of its aggregators.
Findings of fact
BSEL has had a written Aggregators Policy since October 2017 which has been regularly updated by the MLRO, Mr Garcia and others. The Aggregators Policy provides that BSEL will carry out a risk assessment before onboarding an aggregator, and prescribes a list of twenty documents which must be obtained and considered at that stage. These include:
company credit check.
shareholding structure;
list of directors;
AML checks and proof of identity for all directors;
ID and address checks for each director;
DBS check for directors and shareholders;
latest AML/CTF policies;
last three financial reports; and
FCA registration.
In some cases BSEL obtained additional supporting documents, such as external audit reports and CVs of directors and key personnel such as compliance managers and MLROs.
The following searches and reports were then run on an annual basis: company credit checks, AML checks of UK directors and shareholders owning more than 10% of the business, directorship search and adverse media search on the entity, its directors and its principal shareholders. The Aggregator Policy also sets out a programme for annual site visits for the compliance team to perform an independent assessment of each aggregator’s controls. Ms Chapman accepted in cross-examination that BSEL had PCPs for onboarding aggregators and for their regular review.
After the telephone meetings on 1 and 3 December 2020, on 10 December 2020 Ms Chapman emailed Mr Curran attaching “a list of further information required and outstanding from the meetings”. She has not exhibited either that list or all the information provided in response, but what is clear is that the list of information required was extensive: Ms Chapman’s email refers to “the size of the list” and she gave two delivery dates of 17 December 2020 and 7 January 2020 “to reduce the burden on BSEL”. From the numbering on the specific items which have been exhibited, she asked for information about at least 27 issues.
BSEL supplied the first tranche of that information on 18 December 2020 and the balance on 7 January 2021. Item Number 24 included a statement that no risk assessment had been obtained for the following four aggregators, all of which were “small payment institutions” or SPIs:
Standard Exchange Ltd, consisting of one branch with no agents;
Mercantile Exchange House (UK) Ltd, for the same reason;
Rashid Exchange Ltd, which had one branch and a small agent network; and
MTB Exchange UK Ltd.
Mr Garcia’s witness statement clarified that information, saying that for all but Standard Exchange, the risk assessments were not separate but contained within their PCPs, and he exhibited those risk assessments. In her subsequent witness statement, Ms Chapman accepted that Mr Garcia’s clarification was factually accurate.
In relation to Standard Exchange, Mr Garcia gave unchallenged evidence that this company had carried out a stand-alone risk assessment which was reviewed at the time of onboarding, and he exhibited a copy of that risk assessment.
Item 24 also contained this statement:
“Company risk-assessments were not a pre-requisite prior to onboarding in 2017, 2018, 2019 or within the BSEL compliance policy. We started requesting Risk assessment to our aggregators on Jan 2020, they were notified, particularly with the new companies which came on board in 2020.”
Mr Garcia’s unchallenged evidence was that this statement was simply wrong, and that it is instead clear from the Aggregator Policy that risk assessments were required as a pre-requisite of onboarding. I accept that evidence, which is consistent with the fact that BSEL was able to supply Ms Chapman with copies of the risk assessments it had obtained for all its aggregators.
I also make the reasonable inference that BSEL was under a lot of pressure at the time of Ms Chapman’s further demands. It had only just had its registration reinstated; its Barclays account had been closed; its Pakistan business was disappearing and the pandemic was still causing problems. On top of those difficulties, Ms Chapman required information on at least 27 further topics to be provided by her deadlines of 18 December 2020 and 7 January 2021, a period which included Christmas and New Year.
Ms Chapman’s decision
On the basis of the facts as found, the basis for Ms Chapman’s decision falls away. BSEL did not failed to obtain aggregators’ risk assessments as a pre-requisite to onboarding, and it is not the case that no risk assessment was obtained for the four named aggregators.
Although Ms Chapman accepted this was the position, her witness statement sought to amend the part of her decision relating to the three aggregators which had provided their PCPs to BSEL. She said:
“However, my review of these [PCPs] has identified that these references to risk within the PCPs did not meet the requirements of regulation 18(1) and would not have been adequate in order for BSEL to assess whether these aggregators had established PCPs to effectively mitigate and manage the specific risks each faced.”
In closing, Ms Toman asked me to find that Ms Chapman’s new position was correct. However, HMRC have not explained in what way the PCPs failed to meet the requirements of Reg 18. The burden of proof is on them, and requires considerably more than a mere assertion.
Conclusion
On the basis of my findings of fact, which were not in dispute, BSEL did not fail to establish effective risk management PCPs to ensure its aggregators were complying with the MLR, and thus did not breach Reg 19(3).
REGULATION 19(4)(d): SUSPICIOUS ACTIVITY REPORTING
Ms Chapman decided that BSEL failed to adhere to its own PCPs in relation to SARs, and so breached Reg 19(4)(d).
The legislation and the guidance
As set out above, Reg 19(4)d) requires that a company must have PCPs under which anyone in the company who “knows or suspects (or has reasonable grounds for knowing or suspecting)” that a person is engaged in MLTF is required to comply with Part 3 of the Terrorism Act 2000 and/or Part 7 of the Proceeds of Crime Act 2002.
Reg 21 requires that a firm within the scope of the MLR must appoint a “nominated officer”, defined at Reg 3 as “a person who is nominated to receive disclosures under Part 3 (terrorist property) of the Terrorism Act 2000 or Part 7 (money laundering) of the Proceeds of Crime Act 2002”. Reg 21(5) provides that:
“Where a disclosure is made to the nominated officer, that officer must consider it in the light of any relevant information which is available to the relevant person and determine whether it gives rise to knowledge or suspicion or reasonable grounds for knowledge or suspicion that a person is engaged in money laundering or terrorist financing.”
The HMRC Guidance says at 6.9:
“Staff must report to the nominated officer as soon as possible if they know or suspect that someone, not necessarily the customer, is involved in money laundering or terrorist financing. The nominated officer will then decide whether to make a report.”
The HMRC Guidance also warns against “tipping off”, saying that “nobody should tell the person involved or anyone else” that a SAR is being or has been made. It provides an outline as to how to obtain a “defence against money-laundering” or “DAML” from the National Crime Agency (“NCA”), which allows the transaction to proceed, and adds at 6.17:
“If you do not receive a refusal notification from the NCA within the notice period it is up to you to interpret your position and you may, if you consider that you have met the requirements for making a disclosure, assume a defence at the end of the notice period.”
The HMRC Guidance cross-refers to that published by the NCA. Under the heading “What constitutes ‘suspicion’ under POCA”, that guidance says:
“Suspicion is not defined in legislation. The Court of Appeal (R v Da Silva) defined suspicion of money laundering as a possibility, which is more than fanciful, that the other person was or had been engaged in, or benefited from criminal conduct and that the suspicion formed was of a settled nature. There does not need to be anything amounting to evidence of the suspected money laundering. The threshold for suspicion under POCA is generally considered to be low.”
Findings of fact
BSEL’s 2018 PCPs contain three pages on SARs, which include the following:
Every member of staff and all agents must “remain alert” to the possibility of MLTF and “shall report any and every suspicion for which they believe there are reasonable grounds” to the MLRO, together with a list of examples of suspicious activity;
There is “a statutory and regulatory obligation for the MLRO to report to the National Crime Agency (NCA) information or other matters which come to his attention during business activities and which in his opinion give rise to knowledge or suspicion of money laundering”.
“No copies or records of money laundering suspicion reports are to be made, except by the MLRO who will keep such records secure, and separate from the Company’s client files and other repositories of information”.
Apart from the “user who submits the SAR” and the MLRO “nobody else can view the SAR” and “no copies or records of money laundering suspicion reports are to be made, except by the MLRO who will keep such records secure.”
Later PCPs contained all the above with some further detail, in particular in relation to DAMLs. Between the middle of 2017 and January 2019, BSEL submitted 221 SARs, and the related reference numbers were provided to Officer Stuart Marlor after his meeting with Mr Olayinka and others in January 2019. Exiger reported in July 2018 that “BSEL files approximately two SARs a week to the NCA, which demonstrates that employees, including the MLRO, have a high level of awareness of their reporting requirements”.
Eversheds’ November 2020 audit report recorded that “BSEL also provided us with confirmation of five agents with whom it terminated its relationship in the last 12 months due to their misuse of IDs”. In the course of the meetings with BSEL on 1 and 3 December 2021, Ms Chapman asked for the names of those agents; what the misuse entailed, and whether SARs had been submitted. Ms Dhillon said that BSEL had identified via its ID verification procedures that the ID documents in question did not belong to the customer, and that “the agent may have created ghost accounts to transmit money overseas”. For the avoidance of doubt, I make no finding of fact that the agents created such accounts but only that Ms Dhillon said this was a possibility. Ms Dhillon also said she did not know if SARs had been submitted but would check. She subsequently confirmed that a SAR had been filed with respect to one agent. The MLRO at the time was Mr Kirby.
Ms Chapman’s decision and her evidence
In the ToF Ms Chapman accepted that the PCPs recognise that there was “a statutory and regulatory obligation for the MLRO to report to the National Crime Agency (NCA) information or other matters which come to his attention during business activities and which in his opinion give rise to knowledge or suspicion of money laundering”. She continued by saying that as BSEL had nevertheless failed to submit a SAR in relation to four of the five agents, it had “knowingly disregarded” its MLR obligations in relation to the position of those four agents.
Under cross-examination, Ms Chapman:
said she was not criticising the PCPs, which satisfied the statutory requirements, but she had decided there had been “a lack of adherence” to those PCPs;
specifically confirmed that placing the SAR reporting obligation on the MLRO was appropriate;
accepted that there can be good reasons for not making a SAR;
when asked whether she had asked Mr Kirby why he had not filed SARs relating to the other four agents, said she had not done so because he was no longer part of BSEL’s business at the time of her enquiry; and
confirmed that she knew Mr Kirby had “improperly and wrongly” deleted data after leaving the company.
The parties’ submissions
Ms Toman asked the Tribunal to confirm Ms Chapman’s decision for the reasons she had given. Mr Lakha pointed out that under the MLR, BSEL was required to appoint a Nominated Officer, and to have appropriate PCP. There was no dispute that BSEL had complied with those requirements. Reg 21(5|) then placed the obligation on the Nominated Officer to make SARs reports: as set out at §586 above, it says (his emphasis):
“Where a disclosure is made to the nominated officer, that officer must consider it in the light of any relevant information which is available to the relevant person and determine whether it gives rise to knowledge or suspicion or reasonable grounds for knowledge or suspicion that a person is engaged in money laundering or terrorist financing.”
Mr Lakha said that the MLR imposed a “personal obligation”, which here rested on Mr Kirby. Given the serious nature of that obligation, it was reasonable to assume that Mr Kirby would have considered “any relevant information” before making the decision only to file a SAR in relation to one of the agents.
The Tribunal’s conclusion
HMRC’s case on this point rests on BSEL having failed to file SARs for the other four agents. However, the obligation to file those SARs rested on Mr Kirby. HMRC have no evidence that Mr Kirby improperly failed to file SARs when he should have done, and they did not seek to investigate the issue. The burden of proof is on HMRC and they have not met that burden.
I agree with Mr Lakha that, given Mr Kirby’s role and the seriousness of a failure to file a SAR, the reasonable presumption is that he decided for good reasons that no SAR was required. Even if that were to be wrong, the failure to file SARs would have been a breach of Mr Kirby’s obligation as the Nominated Officer. As Mr Lakha said, BSEL had met its own MLR requirements by putting in place appropriate PCPs and by appointing an appropriately qualified and experienced Nominated Officer.
It follows that BSEL did not fail to adhere to its own PCPs in relation to SARs; had not “knowingly disregarded” its MLR obligations and had not breached Reg 19(4)(d).
REGULATION 19(3)(c): MANY-TO-ONE TRANSACTIONS
As set out at §515, Reg 19(3)(c) requires PCPs to include CDD. The main issue under this heading has already been considered in Part 5 at §415ff. However, Ms Chapman also decided that BSEL breached Reg 19(3)(c) for the further reason that it failed to establish and maintain appropriate PCPs in relation to CDD as regards “many-to-one” transactions.
The term “many-to-one” transactions is used to refer to separate persons sending money to a single individual. The following points were common ground:
Many-to-one transactions can be entirely innocent, for example a number of family members in the UK may send money to support the same elderly relative, or send gifts to the same person for Eid or for birthdays.
Many-to-one transactions may also be a way of splitting a larger sum between many senders, in order to avoid the EDD requirements that would apply if it were sent as single amount.
I have already found that the beneficiaries were not BSEL’s customers: BSEL did not have a business relationship with them, or carry out occasional transactions for them. Instead, BSEL transacted with a UK customer to send money to a bank in Pakistan or Bangladesh, where it was either credited to the account of the beneficiary or collected over the counter. BSEL therefore had no contact with the beneficiaries.
Ms Chapman did not cite any guidance relating to this alleged breach and neither did Ms Toman. From my own review, the HMRC Guidance does not set out any requirements for MSBs to obtain information about beneficiaries who are not customers, and I was unable to identify any such requirement in other guidance. Instead, the requirement was the more general one that businesses take a risk-based approach which “should balance the costs to your business and customers with a realistic assessment of the risk” of MLTF.
Findings of fact
As BSEL’s client base was made up of migrant workers who sent money back to their home countries, their family and kinship networks meant that multiple remittances from different senders to the same beneficiary were normal, particularly around Eid and Ramadan.
The flag in the Remit ERP system
BSEL nevertheless recognised the risk that many-to-one transactions could be used to split a larger sum, and in November 2018 introduced an automatic flag in its Remit ERP System which would alert the compliance department when many senders were making remittances to a single beneficiary. For instance, the system would flag when more than a certain number of senders were making transfers to a beneficiary called Habibur Rahman within a certain period. However, this was not an efficient method of managing the risk, because it returned too many false positives. To use the same example, BSEL now know (as the result of the work described below) that they had over 4,370 different beneficiaries called Habibur Rahman.
The beneficiary identifier project
BSEL therefore decided to stop the alert, and instead to address the issue in a different way. They contracted with an external IT partner to create a unique beneficiary identifier using the following information about the beneficiary: name, mobile number, plus proof of ID and bank account details where these were available. In order to carry out this project, the key missing piece of information was the beneficiaries’ mobile numbers.
Obtaining the beneficiaries’ phone numbers took time, and it was a mammoth task because:
BSEL’s database held some 2.5m beneficiary names;
some beneficiaries had more than one mobile number;
some beneficiaries had more than one bank account;
some beneficiaries lived in remote areas and had no mobile phone;
some beneficiaries’ names were recorded in different ways by their banks, for instance Mohammed being also stored as Md; and
some beneficiaries shared a mobile phone.
The Appellants’ evidence was that:
In January 2019, BSEL contracted with an external firm, SSL Commerz, for them to check mobile numbers which appeared to have been provided for more than one beneficiary, and that firm sent almost 600,000 SMA text messages to beneficiaries as part of the unique beneficiary identifier exercise.
From the following month, February 2019, BSEL required all customers conducting transactions to provide the beneficiaries’ telephone number (unless the money was being transferred to the beneficiary’s bank account). If the customer did not provide the mobile number, BSEL refused to carry out the transaction.
The first of those points was unchallenged, but in relation to the second, Ms Chapman did not accept that BSEL began requiring mobile numbers from beneficiaries in February 2019. In her witness statement, she said that “this chronology is contradicted by the information Mr Garcia gave during the meeting of 5 November 2020 where he stated that the phone numbers for beneficiaries had been mandatory since June/July 2020”. However, HMRC’s notes of that meeting do not say that. Instead, they record (my emphasis) that “[Mr Garcia] stated that since June/July this year a beneficiary isn’t able to share their phone number, he explained that in the past they have allowed father and son to share a number”.
It is clear from those meeting notes that Mr Garcia was not talking about the collection of the beneficiaries’ numbers from senders, but a later development, preventing the sharing of phone numbers by beneficiaries. I find as a fact that the position is as stated by the Appellants: from February 2019, senders had to provide beneficiary phone numbers and if the sender refused, BSEL did not carry out the transaction. I further find that from June/July 2020, the phone number for each beneficiary could not be the same as that for another beneficiary, but had to be unique.
The creation and implementation of the VBP
In November 2019, having gathered sufficient data, BSEL commenced the creation of a “Virtual Beneficiary Profile” (“VBP”) for each beneficiary. This proved difficult for technical reasons (for example, some telephone numbers were provided in different formats) and also for external reasons: the pandemic and the consequential lockdowns, and an unusually long and severe cyclone season in South Asia.
In August 2020, before Ms Chapman became involved, BSEL implemented an algorithm which it hoped would allow the identification of each individual beneficiary using the newly developed VBP. However, some problems with the algorithm emerged. BSEL’s management team thought these had been sorted out by November 2020, but the problems proved more intractable than anticipated. All issues were however resolved by April 2021.
The controls while the VBP was being developed
During the period before the introduction of the VBP, the Remit ERP system flagged many-to-one cases for review by the compliance department. That this is the case is clear from the compliance reports. For example, the October 2019 report issued by the MLRO said that the compliance team were “checking all daily transactions submitted by agent and aggregator network and using pivot tables” to identify any concerns around many-to-one transactions, and it also recorded that two related SARs had been made. The amount of time invested by BSEL in monitoring the many-to-one issue is illustrated by a comment made in the same report that the VBP program was entering the testing phase and that when live it would “free up many hours spent by compliance analysing daily transactions”. The monitoring procedures are exemplified by Mr Kirby filing a SAR in March 2020 relating to three beneficiaries who had received money from a large number of senders. Because of the sensitivity around SARs, I have called these beneficiaries MSU, AH and ZHC. After filing the SAR, BSEL blocked transfers to two of the beneficiaries in June 2020, and it also terminated one of the agents involved. In November 2020, BSEL identified that a fourth beneficiary, AK, was also receiving money from multiple senders.
Communication with Ms Chapman
As already noted at §291, on 5 November 2020 a telephone conference took place between Ms Chapman, Mr Garcia and Mr Curran. A few hours later, Ms Chapman emailed Mr Curran setting out her understanding of the main points discussed and agreed. These included “Limits for senders per beneficiary and number of beneficiaries per sender to be communicated to me once these have been decided”.
As noted in the table set out at §292, Mr Curran replied to that question as follows:
“The financial crime team, in conjunction with the Management decided to set the limit as below:
Senders per beneficiary: Six
Beneficiaries per sender: Six
The above will be implemented in production by Friday, November 13, 2020.”
The PCPs issued on 10 November 2020 included the following text:
“Customer/Beneficiary Limits
the number of sending customers per beneficiary, and the number of beneficiaries per customer, has been limited as set out below:
• Senders per beneficiary: Six
• Beneficiaries per sender: six
Beneficiary Identifiers
the system will allocate a unique identifier to each beneficiary, and this will be used for ongoing monitoring. This identifier is established through a combination of at least three of the beneficiary’s details as listed below:
• Full name
• Country/city
• mobile number
• Bank account number
• Mobile wallet number.”
On 12 November 2020 Mr Curran emailed Ms Chapman, stating that “all promised enhancements to our Remit ERP systems have been completed and are now ‘live’”, and on 13 November 2020, Ms Chapman lifted the suspension.
On 31 March 2021 a telephone conversation took place between Ms Chapman and Mr Curran, at the end of which she sent him an email which included the following text:
“My understanding of our conversation is as follows:
• The virtual beneficiary profile (based on name and bank account number/telephone number was trialled successfully last week…
• The automated process of identifying beneficiaries with multiple senders is expected to be implemented fully by the end of this week, this will use the virtual beneficiary profile. Prior to this the monitoring has been manual, the system did not have the ability to automate it.
• There is not an absolute limit of six senders per beneficiary or six beneficiaries per sender, this is instead a trigger point at which further investigation will be carried out. The sender profile on the system cannot have more than six beneficiaries on it at one time so in order to send to a seventh beneficiaries the most historical beneficiary would drop off of the preferred beneficiary list.”
Mr Curran responded on 1 April 2021, confirming that there had been some implementation issues with the VBPs, but that they were expected to be fully automated by the end of the week. He also confirmed the text in Ms Chapman’s final bullet point was correct.
Mr Garcia and Mr Curran both gave evidence about these exchanges. They said that the intention had always been for the system to set a “threshold limit”, or flag, of six senders to a single beneficiary, so that if more than six senders sent money to the same beneficiary the transaction would be flagged for review by the compliance team. That team would then investigate the reasons for the transactions: in other words, whether there was no reason for concern – for example, because beneficiary was an elderly person receiving support or a child receiving birthday presents, or whether there was reason to suspect MLTF. As Mr Garcia said, “an absolute limit of six made no sense because of large families”.
Ms Chapman’s position was that BSEL had changed its position, and had originally promised to set an absolute limit of six senders per beneficiary, with the result that if a seventh person tried to make a remittance to that person, the system would inevitably and automatically bar the beneficiary from receiving that money. It was also HMRC’s case that the Appellants had deliberately given Ms Chapman “false or misleading” information about the limit of six senders to one beneficiary.
I find as a fact that there was no change of position, but that BSEL had always intended to implement these controls by introducing a flag into the Remit ERP system. I come to that conclusion both because I found that Mr Garcia and Mr Curran had given honest evidence, but also because it is the only sensible reading of the communications. As Mr Lakha said, it would be a nonsense for BSEL to implement an absolute limit of six senders, because it would automatically prevent any beneficiary from receiving transfers from more than six senders. So no child could receive more than birthday presents, or gifts at Eid, from more than six senders. That is plainly an absurd outcome. I further find that none of the Appellants deliberately misled Ms Chapman. Instead, she misunderstood the position.
Ms Chapman also concluded that Mr Curran had deliberately misled her by saying in his letter of 5 November 2020 that the VBP was in place; that this untruth was repeated in the PCPs, and that in reality the VBP was not completely operational until April 2021. I do not accept that, but instead confirm my finding above, that BSEL and its management team genuinely thought that the VBP had been fully implemented when they so informed Ms Chapman in November 2020. In making that finding I accept the Appellants’ evidence both (a) as to their genuine belief, and (b) that the implementation was more intractable than anticipated. I agree with Mr Lakha that this is another example of Ms Chapman’s failure to grasp that implementing changes to large and complex computer systems commonly takes longer than expected.
Finally, Ms Toman submitted that BSEL had intentionally misled Ms Chapman in order to get the suspension lifted. I reject that submission for the following reasons:
The Appellants did not mislead Ms Chapman: they never intended there to be an absolute limit of six senders per beneficiary, for the reasons set out above; and they genuinely believed that the VBP was operational when they told Ms Chapman that was the case.
The Reinstatement Decision was expressly made because BSEL had addressed “the specific points detailed within the Suspension Notice”. Those points were the F&P notifications, and the zero EDD threshold for high-risk jurisdictions. Moreover, Ms Toman confirmed this was the position during the hearing.
Ms Chapman’s decision
Ms Chapman decided that BSEL had failed to comply with Reg 19(3)(c) in relation to many-to-one transactions for the reasons set out below.
Failure to act?
Ms Chapman decided that although BSEL had correctly identified many-to-one transactions as a risk, it had not established effective PCPs until April 2021. In the Cancellation Decision, the “many-to-one” issue was the first of Ms Chapman’s examples of alleged non-compliance: she said that BSEL had failed to introduce PCPs “to automatically identify beneficiaries of many-to-one transactions until April 2021” and that BSEL had therefore demonstrated “a consistent and deliberate failure to address this risk”. In her oral evidence she said “they have left this issue for so long and did nothing”, and criticised BSEL for having rejected the original approach of placing a flag in the Remit ERP system because it had produced too many false positives.
Ms Toman’s skeleton argument said that “this was a very serious breach of the MLR”; although in her oral submissions she took a less extreme position, acknowledging that BSEL had been trying to resolve the issue, but she said this was insufficient. She reiterated Ms Chapman’s position that BSEL was only compliant with Reg 19(3)(c) after it had installed the automated unique beneficiary identifier.
Mr Lakha submitted that this was plainly wrong. BSEL had taken a proportionate approach to dealing with this risk, taking into account (a) that its client base would be expected to make many entirely innocent many-to-one transactions, and (b) the nature and scale of the task which BSEL had decided to undertake in order to provide a thorough and robust solution. He added that it was a nonsense to say that BSEL had “left this issue for so long and did nothing”; on the contrary, BSEL was continually working to design an effective automated solution, and this took a considerable investment in time and money to resolve.
I again agree with Mr Lakha for the reasons he gave. There is nothing in the guidance which requires MSBs to provide a unique identifier for each beneficiary (none of whom are customers). It would be contrary to the proportionate approach prescribed by the MLR, and to the recognition that systems and approaches will change over time, for BSEL to be held in breach of Reg 19(3)(c) until it had perfected an automated solution: BSEL was continually monitoring and controlling this issue in the meantime. In addition, when BSEL decided that flagging all customers who shared the same name gave rise to too many false positives, this was not an indicator of its unwillingness to address the issue. On the contrary, it was a recognition that the control was not proportionate, and that a new approach was required. That is exactly the approach the MLR requires.
The SARs
Ms Chapman decided that BSEL had also breached Reg 19(3)(c) because:
in relation to the three beneficiaries who were the subject of the SARs in March 2020 (see §613):
BSEL had continued to allow agents to initiate transactions to two of these beneficiaries until July 2020 and was still sending transactions to the third beneficiary in August 2020. Ms Chapman said that as a result “BSEL had shown a complete and knowing disregard for preventing itself from being used for MLTF”;
BSEL had only terminated one of the four agents who had acted for the senders in these transactions; and
in relation to AK, the fourth identified beneficiary, Ms Chapman decided that a SAR should have been submitted.
I agree with Mr Lakha that these conclusions cannot stand. It was Mr Kirby’s role as the MLRO to send in SARs, and the same points apply as at §597ff. As regards the three beneficiaries about whom he had filed SARs, there was no evidence as to whether Mr Kirby decided that there was a risk of “tipping off”; whether the NCA provided a DAML; or if not, whether he had considered it was appropriate to “assume a defence”, see §588. In relation to AK, it was for Mr Kirby to decide whether or not to file a SAR.
In short, there was no evidence before the Tribunal to support Ms Chapman’s conclusion that BSEL had acted in breach of Reg 19 in failing to blacklist the beneficiaries sooner; failing to terminate the other agents, and/or failing to file a SAR in relation to AK.
Spreadsheet SAJ08
Mr Allington-Jones produced two spreadsheets relating to the many-to-one issue. One of these (SAJ08) summarised beneficiaries’ phone numbers. Ms Chapman relied on this to state that there were:
“large amounts of invalid phone numbers, 879 beneficiaries with no telephone number recorded at all, a lack of consistency in the length of the numbers and the use of numbers by multiple beneficiaries. For example, the number 880088 was used for 11,294 beneficiaries on transactions totalling over £9 million.”
The data provided to Mr Allington-Jones covered the period from September 2018 to August 2020. In January 2019, BSEL required senders to provide the beneficiaries’ phone numbers. Mr Allington-Jones’s evidence was that the spreadsheet did not analyse the information by date, so it was not possible to know whether his results came entirely from transactions made in the period between September 2018 and January 2019. Given that fundamental uncertainty, I placed no reliance on this spreadsheet.
Spreadsheet SAJ05
Ms Chapman said that another of Mr Allington-Jones’s spreadsheets (SAJ05) showed that in the same two year period, 1,488 beneficiaries had received funds from more than 10 senders, and that these transactions totalled £39 million. She added that “this included 336 beneficiaries that had received funds from over 20 customers, with transactions totalling £20,111,766.71”. There are several difficulties with those conclusions:
It is clear from the Appellants’ Schedule that BSEL did not agree with Ms Chapman’s figures. Having rerun the transactional data, BSEL identified 936 beneficiaries who had received funds from more than 10 senders, and these transactions totalled £29.7m. Mr Allington-Jones accepted that BSEL had had access to more data (such as bank account numbers) and so would have been able to separate and identify more unique beneficiaries. I therefore find BSEL’s figures to be the more reliable. It follows that Ms Chapman has relied on total beneficiary numbers which are 59% too high (1,488 instead of 936) and total fund transfers which are 31% too high (£39m rather than £29.7m).
The transactional data was from a period before the VBP had been implemented. Although BSEL was able to use more identifier information than Mr Allington-Jones, until the implementation it was simply not possible to carry out an accurate exercise to separate out all the beneficiaries by looking at the data in this way - see the example of Habibur Rahman at §605.
BSEL was monitoring for many-to-one transactions using other flags and alerts within the Remit ERP system (see §613); that review information was not considered by Mr Allington-Jones, so he did not consider whether any of these cases had been reviewed by BSEL’s compliance team: in other words, there was no qualitative assessment of the data, but only a quantitative assessment.
Mr Allington-Jones also said in cross-examination that his results did not distinguish between amounts sent to beneficiaries in cash, and those sent to a bank account. As Mr Lakha said, the latter would have been subject to “Know Your Customer” (“KYC”) checks by the bank in Pakistan.
For those reasons, all that can be reliably concluded from SAJ05 is that, as the Appellants accept, many-to-one transactions occurred. That is not surprising, given the customer base. BSEL designed and implemented the unique beneficiary identifier to improve its PCPs in this area.
In addition, in reliance on the same spreadsheet, Ms Chapman said in the Cancellation Decision (my emphasis) that “Analysis of the transactional data highlighted that in the period 1 September 2018 to 31 August 2020 approximately £22 million was transmitted to beneficiaries that each had over 20 different senders”. Mr Allington-Jones’s spreadsheet had produced a figure of £20,111,766.71. The figure used in the Cancellation Decision to exemplify this alleged breach by BSEL is £2m higher than that in Mr Allington-Jones’s spreadsheet. The difference is unexplained and I place no reliance on the figure in the Cancellation Decision.
SAJ06
Mr Allington-Jones’s witness statement exhibits a further spreadsheet (SAJ06) which was based on data-sets extracted from SAJ05, and in reliance on that spreadsheet, the ToF additionally sets out various details relating to specific values, ranges, agents and thresholds. However, given the extent of the differences between SAJ05 and the figures in the Appellants’ Schedule and the other points set out at §635 above, it is not possible to use SAJ05 as the basis for making reliable detailed findings of facts as to specific values, ranges, agents or thresholds. I therefore place no reliance on SAJ06 or the related figures in the ToF.
Continued dealing with agents
In reliance on her own analysis of Mr Allington-Jones’s data and of BSEL’s lists of agents, Ms Chapman also concluded that in March 2021 BSEL was still dealing with 8 out of the 15 agents who had acted for senders to the ten largest recipients of transferred funds in the two year period considered by Mr Allington-Jones.
For the reasons given in the previous section I place no reliance on the detailed figures taken from SAJ05. I note also that Ms Chapman emphasised the fact that BSEL did not terminate eight out of 15 agents, rather than on the fact that it did terminate the other seven. This is a significant percentage, and supports BSEL’s case that it is actively monitoring compliance by agents in relation to many-to-one as well as in other respects.
REGULATION 19(3)(c): ONE-TO-MANY TRANSACTIONS
Ms Chapman also decided that BSEL had breached Reg 19(3)(c) because it did not introduced a PCP relating to “one-to-many” transactions until November 2020, and that control was not automated until April 2021.
One-to-many transactions are where a sender in the UK sends money to more than one beneficiary overseas. These transactions could be entirely innocent: for instance one person sending money at Eid to several different relatives overseas. It is also possible that a sender could send small amounts (below the EDD threshold) to different beneficiaries, who would then collude to recombine the funds.
Findings of fact
On 2 November 2018, BSEL implemented a transaction monitoring alert in the Remit ERP system to identify cases where a person had sent to more than 10 different beneficiaries. However, this produced too many false positives, in other words cases where, on review by compliance, there was no risk of MLTF. This was because it was not unusual for a customer with a South Asian background to be sending money to more than 10 beneficiaries, because of the size of their family network, and because religious practices and cultural traditions meant that it was normal practice to give money widely, especially during Ramadan.
On reconsideration BSEL decided the alert was not necessary, given that:
the Remit ERP system automatically accumulates transaction amounts in real time for all customers irrespective of the beneficiaries. As a result separate payments by the same person are added together, whether the same agent or a different agent is used; if the cumulative amount is above the EDD threshold, evidence of source of funds must be provided. In other words, BSEL already had a control which significantly reduced the risk of transaction splitting in one-to-many transactions;
the HMRC Guidance required that businesses take a risk-based approach which “should balance the costs to your business and customers with a realistic assessment of the risk” of MLTF.
BSEL knew that its customer base generally had a network of friends and family overseas, and that religious practices and cultural traditions meant that it was normal practice to give money more widely; and
BSEL carries out a risk assessment on all customers which takes into account nationality, age, type of transaction, frequency of transactions and the destination country to which funds are sent. From September 2019, BSEL introduced real-time automated customer risk assessment into the Remit ERP system, which calculates the customer’s risk score in real time. Taking into account the risk score, the Remit ERP system flags transactions for review by the compliance team.
In summary, BSEL considered that its decision not to include a flag to identify one-to-many transactions was proportionate and in compliance with the MLR.
Communications with Ms Chapman
Because of Ms Chapman’s concerns, BSEL agreed to introduce a control. As I have already found, on 5 November 2020, Mr Curran told Ms Chapman that it would implement a limit of six beneficiaries per sender and included this in the November PCPs, and on 10 November he emailed her to say that “all promised enhancements to our Remit ERP system have been completed and are now ‘live’”. The Appellants’ evidence was that by this they were communicating to Ms Chapman that their intention was as follows:
for the Remit ERP System to flag transactions where a single sender sent to more than six beneficiaries; these transactions would then be reviewed by the compliance department;
that flag would be implemented initially by the use of pivot tables on daily spreadsheets provided by the Remit ERP system and this had been implemented before 10 November 2020; and
the check would be automated as soon as this could be accomplished, which was around March 2021.
As with the many-to-one control, Ms Chapman had understood that BSEL had promised to implement an automatic limit of six beneficiaries per sender, with the result that it would be impossible for customers to send money to more than six beneficiaries, and a customer who tried to do so would be find that transaction had been automatically blocked. When Ms Chapman realised this was not the position, she decided Mr Curran and others of the Individual Appellants had deliberately misled her by making statements that were “not true” about the introduction of absolute limits on the number of beneficiaries per sender and that the checks had not been automated when Mr Cullen told her that the changes were “live”.
I accept the Appellants’ evidence because:
flagging these transactions is the only sensible meaning which can be read into the correspondence. As with the many-to-one transactions, it would have been entirely disproportionate for BSEL to set an absolute limit, so that a single sender would be prevented from sending to a seventh beneficiary. As Mr Cullen said in oral evidence, most families send gifts to more than six people at Christmas, and the tradition of gift-giving is more embedded and widespread within South Asian cultures.
The only way BSEL could implement this change so quickly would be to do it by way of spreadsheets, pivot tables and review, because introducing new automated systems changes takes time.
The email from Mr Curran said that the changes to the Remit ERP system were now “live”, and this was true. The Remit ERP system had had to be programmed to produce the relevant spreadsheets with pivot tables. Mr Curran did not say that BSEL had introduced an automatic control.
I found all the Appellants’ witnesses to be honest and straightforward.
I therefore reject HMRC’s case that the Appellants acted dishonestly in their communications with Ms Chapman about one-to-many transactions. None of the Appellants deliberately misled Ms Chapman. Instead, she again misunderstood the position.
Spreadsheet SAJ07
On the basis of spreadsheet SAJ07 exhibited by Mr Allington-Jones, Ms Chapman said that “the transactional data for the period 1 September 2018 to 31 August 2020 showed that 8,395 sender accounts sent to more than 10 beneficiaries with transactions totalling £84,972,052”. Those figures were not challenged and I accept them. However, from my own review of SAJ07, I find that:
only 10% of the 8,395 customers sent money to more than 20 beneficiaries over a two year period;
the 90% of customers who sent to fewer than 20 beneficiaries over a two year period accounted for £73m of transactions, or 86% of the total,
the spreadsheet considers those who sent “to more than 10 beneficiaries”, but 21% of those senders sent money to only 11 beneficiaries; and
the average sum remitted by each customer is about £5,000 per annum (£84,972,052 divided by £8,395 over two years).
From this it can be seen that the overwhelming majority of the transactions are well within what would be expected of BSEL’s client base. In particular, 90% of those on his spreadsheet sent to fewer than 20 beneficiaries over a two year period, which is self-evidently well within normal parameters, as is the average remitted amount. Moreover, the spreadsheet figures should not be considered in a vacuum, separately from BSEL’s other control procedures including the transaction monitoring carried out by BSEL’s compliance teams.
Whether there was a breach
Ms Toman submitted that Ms Chapman was correct to have decided that BSEL had breached Reg 19(3)(c) because it did not introduce a PCP relating to customers sending to multiple beneficiaries until November 2020, and the process which was then introduced was less effective than the automated check which was operational from April 2021.
Ms Lakha submitted that this was another example of Ms Chapman failing to understand the approach required by the MLR. BSEL’s PCPs dealt in a proportionate way with the nature and extent of the risk involved, and none of the Appellants had acted dishonestly. I agree with Mr Lakha for the reasons he gives. It follows that BSEL’s PCPs did not breach Reg 19(3)(c).
REGULATION 19(3)(c): OTHER POINTS
Ms Chapman also decided that BSEL had breached Reg 19(3)(c) in four further ways. Of those, two points have already been addressed:
Failing to obtain unique and valid telephone numbers for beneficiaries until June 2020. This has been discussed at §600ff. In summary, although the beneficiaries are not BSEL’s customers, BSEL nevertheless embarked on the massive exercise described at §607. There was no breach of Reg 19(3)(c).
Failing to include a specific flag on the Remit ERP system relating to agents sending funds. This has been considered at §508ff in the context of Reg 18(2)(b), and for the same reasons, I find that BSEL did not breach Reg 19(3)(c) by deciding that there was no need to have an extra control factor relating to agents’ own transactions.
The remaining two points are considered below.
Senders at the same address
Ms Chapman also decided BSEL had breached Reg 19(3)(c) because:
“Until November 2020 BSEL had not established PCPs regarding multiple senders transacting large amounts from the same address, such as identifying the transactions as linked or having controls in place to restrict the numbers of customers per household.”
Whether BSEL had PCPs relating to senders at the same address
It was Mr Garcia’s unchallenged evidence that the statement above was factually incorrect. Mr Gomes’ witness statement added further detail:
“Customers from Same Address is an enhancement which was implemented in October 2015 and generates a report which shows customers registered in the same postcode and residing at the same address. Compliance officers monitor any of the transactions which have been identified and review the profile of all customers registered at the same address including the KYC documents on the profiles, check for electronic ID verification results and contacting all the customers at the address at the contact numbers on record. If necessary, further action may be taken such as follow up on the customers or escalating the matter to a senior compliance officer or the MLRO or adding the customer to BSEL’s Internal Blacklist.”
Ms Toman asked Mr Gomes about this evidence but did not challenge its correctness. In addition, the Appellants’ list of IT implementations states that on 19 October 2015, a change was implemented to the Remit ERP system so as to produce a report which showed customers registered at the same postcode and residing at the same address. HMRC’s comments on that list did not dispute that this reform had been implemented, but said that they understood “that customers residing in the same address still had to be manually identified”. The Appellants responded by saying that since October 2015, the system has produced a report which is used by the compliance team to monitor customers from the same postcode and address; this is consistent with Mr Gomes’ evidence. Moreover, a print-out of this report was provided to Ms Chapman on 29 March 2021, and another example is included in the Bundle as part of BSEL’s internal IT guide for Remit ERP.
I find as a fact that since October 2015 the Remit ERP system has produced a report showing customers registered at the same postcode and residing at the same address, and this report was reviewed by BSEL’s compliance department in the ways set out in Mr Gomes’s witness statement.
BSEL’s position was that no further control was required. However, in response to concerns raised by Ms Chapman, BSEL began to implement an automated systems amendment that flagged when multiple senders from the same address sent money to the same city, and this was implemented from November 2020.
The parties’ submissions
HMRC’s position was that customers from the same household would have been able to split their transactions to avoid triggering additional CDD or EDD thresholds, and that BSEL had breached Reg 19(3)(c) because, until November 2020, there was no automated flag within the system.
Mr Lakha submitted that the system had included a control since October 2015, and the nature and extent of that control was entirely appropriate, given BSEL’s knowledge of its client base and the very limited extent of the related risks: many of BSEL’s customers are migrants who typically share accommodation, not just on a family basis but also in flats above shops and restaurants. He said in his skeleton argument that Ms Chapman “appears to operate under the belief that every conceivable risk factor should be dealt with, whereas as 3.1 of the HMRC Guidance states that ‘An effective risk-based approach will identify the highest risks of money laundering and terrorist financing that your business faces and put in place measures to manage these risks’”. Mr Lakha said that was what BSEL had done, and there was no breach of Reg 19(3)(c).
The Tribunal’s view
It follows from the findings of fact that Ms Chapman was wrong to say that BSEL did not have PCPs in place to check transactions made by customers from the same address: such a control had been in place for over five years. There is no requirement, statutory or otherwise, that controls have to be fully automated.
The spreadsheet
Mr Allington-Jones produced a spreadsheet (SAJ10) which showed that, over the two year period to August 2020, transactions with agents where five or more senders resided at the same address totalled over £1.3 million and of these, 22 addresses had sent over £50,000. The Appellants’ Schedule set out that detailed information but did not disagree with it. I accepted the evidence in the spreadsheet.
Ms Chapman relied on SAJ10 to support her inference that senders at the same address were transaction splitting to avoid the CDD or EDD thresholds. However:
The spreadsheet did not contain information about the frequency or amount of individual transactions but only a total amount for each person for the two year period.
Over the two years, BSEL’s transactions via agents totalled £418m, of which only £1.3m (or 0.3%) were made by the people Mr Allington-Jones identified as living at the same address during the two year period.
There is no relevant detail in the spreadsheet to show the amounts or frequency of individual transactions, so it does not provide support for Ms Chapman’s inference that they are being split. Moreover, the amounts are very small in the context of BSEL’s overall transactions, and thus does not support her conclusion that this was a serious risk which should have been addressed in a different way. .
Overall conclusion
BSEL did not breach Reg 19(3)(c) in relation to its PCPs for senders living at the same address.
Customers using multiple agents
Ms Chapman decided that BSEL had breached Reg 19(3)(c) because it “had not established PCPs to identify customers using multiple agents, despite this being listed as a risk indicator in HMRC guidance”.
The HMRC Guidance
The HMRC Guidance includes in its list of “common risk indicators for new customers” that “the customer (or two or more customers) is using more than one local Money service business, perhaps to break one transaction into smaller transactions”. The risk indicator thus relates to new customers, and the underlying risk factor is transaction splitting.
HMRC preface their list of risk indicators by saying that “it not an exhaustive list, and neither are these signs always suspicious. It depends on the circumstances of each case”. I have already set out earlier in this judgment the approach required by 4MLD and 5MLD and by the MLR, together with relevant extracts from the HMRC Guidance about the need for business to take “a risk-based approach” and use their “informed judgment”, and it is not necessary to repeat those citations.
Findings of fact
Mr Allington-Jones provided a spreadsheet (SAJ11) relating to this issue. The Appellants’ Schedule set out the specific details relied on by Ms Chapman, and did not challenge them. I accept the evidence in SAJ11.
On the basis of that spreadsheet I find that during the two year period 1 September 2018 to 31 August 2020, 20,964 customers used more than one agent, with transactions totalling over £127 million. Of these customers, 190 used five or more agents.
Customers are free to use any agent, because it makes no difference to the procedure which is applied to the transaction. A customer may use one agent when transacting near his home, and another close to his place of work; in a two year period a migrant worker may move home a number of times, and many of BSEL’s customers are taxi-drivers who may use an agent based in an area where they happen to be working.
All BSEL’s agents are linked by the Remit ERP system, and so using a different agent for a second or subsequent transaction does not prevent the transactions being cumulated for CDD or EDD purposes, so using separate agents would be an ineffective means of splitting transactions.
BSEL has a detailed and co prehensive policy for “onboarding” agents, which requires that they provide extensive supporting documentation, including certified copies of passports or residence cards; details of shareholding and corporate structure; BSEL also carries out AML and (from 22 November 2018) DBS checks and company credit checks, see §462ff and §713ff. Once on-boarded, the agent is monitored and assessed as set out in more detail at §742ff.
Nevertheless, in an attempt to cooperate with HMRC, BSEL implemented further controls to identify customers using several agents. As set out at §292, on 6 November 2020, Mr Curran told Ms Chapman that:
BSEL was “going to enhance the transaction monitoring platform further by including more monitoring criteria” including the use of multiple agents;
“Reports from the transaction monitoring platform will be reviewed by the financial crime team daily”;
those reports “will be rolled out in production as below: Exported reports for the financial crime team for daily review: by Friday, November 13, 2020”; and
“BSEL is going to implement” a control measure which would flag when a customer is using three or more agents over a seven-day period.
In accordance with those commitments, new transaction monitoring reports were run off the Remit ERP system every day and the financial crime team monitored them for the use of more than two agents. As already noted, on 12 November 2020 Mr Curran emailed Ms Chapman, stating that “all promised enhancements to our Remit ERP systems have been completed and are now ‘live’”. In 2021 the alert was automated.
The parties’ submissions
Ms Toman asked the Tribunal to uphold Ms Chapman’s decision that the failure to track customers using “multiple agents” was a breach of Reg 19(3)(c). She also submitted BSEL had provided “misleading information” because Mr Curran had said in November 2020 that the system would generate a report which included this criteria, but it was not automated until the following year.
Mr Lakha said that BSEL had been dealing with the underlying risk factor – transaction splitting – by cumulating all transactions irrespective of the agent, and that BSEL had not provided misleading information to Ms Chapman. Daily reports were prepared for the financial crime team who reviewed them to identify use of non-local agents, and this was later automated.
The Tribunal’s conclusion
It is clear from the HMRC Guidance that the identified risk factor relating to transaction-splitting, and equally clear that BSEL’s linkage of all agents so as to cumulate all transactions was an appropriate and sufficient PCP to address the risk of transaction splitting by using different BSEL agents.
I also agree with Mr Lakha that BSEL did not provide misleading information about the introduction of a system change to satisfy Ms Chapman. Mr Curran’s email of 6 November 2020 said that BSEL’s financial crime team would review reports from the system daily so as to check for use of multiple agents, and that was what they did. Entirely reasonably, it took BSEL time to automate the flag.
Aggregator data not received in real time
Ms Chapman also decided BSEL had breached Reg 19(1)(c) because it did not receive data from most of the aggregators in real time; instead the aggregators uploaded the data once every working day. In Ms Chapman’s view “this prevented BSEL monitoring transactions in real time, meaning that transactions could only be stopped or reported as suspicious after they had been processed”.
Findings of fact
I have already made findings of fact relating to aggregators at §498ff and §570ff. Each aggregator is registered with and licensed by HMRC and the FCA, and carries out due diligence on the transactions; once received each individual transaction is then subject to BSEL’s usual policies including CDD/EDD thresholds and are monitored accordingly. Any breach of thresholds or documentary evidence triggers a request for additional information and prevents the transactions from being completed. Accordingly, it made no difference whether the transactional data was in real time because until it cleared the Remit ERP system it would not be processed.
The Tribunal’s conclusion
It is plain that (a) a transaction was not “processed” until BSEL moved the money to the overseas country, and (b) BSEL could not make that transfer until after the transaction data was received from the aggregators.
Ms Chapman was thus wrong to say that the practice of uploading data once a day meant that “transactions could only be stopped or reported as suspicious after they had been processed”. Instead, when the bulk data was received by BSEL, it was subject to due diligence measures including those which followed from cumulating transactions, and if the relevant requirements were not met, the transaction was not processed – in other words, the money was not moved to the overseas country. Furthermore, aggregators were MSBs in their own right, separately registered with HMRC and required to comply with the MLR. I find that receiving aggregator data in bulk did not breach Reg 19(1)(c).
Aggregator – date and time of transactions?
Ms Chapman also decided that BSEL had breached Reg 19(3)(c) because:
“BSEL did not establish PCPs to obtain the date and time of when the transaction took place, from its aggregators. Without this BSEL was unable to identify suspicious activity in relation to split transactions that occurred within short periods of time, leaving it vulnerable to criminals exploiting this to split illicit funds without detection.”
Findings of fact
Each aggregator was required to apply the thresholds for cumulation set out in BSEL’s CDD/EDD policies, and the aggregators therefore linked transactions and required extra information and documentation as necessary. Ms Chapman accepted that this was the case in cross-examination.
When the aggregator’s upload of daily transactions was received, the date was logged in the Remit ERP system. The transactions were not processed until they were checked by the controls within the Remit ERP system and where appropriate reviewed by the compliance department; those checks included thresholds when transactions were linked.
A new aggregator Application Programming Interface integration was implemented in June 2020, and this extracted the date and time of the customer’s transaction from the aggregator’s own system.
The Tribunal’s view
The aggregator had already applied cumulation thresholds to the transactions before uploading them into the Remit ERP system. Until June 2020, when the Application Programming Interface was introduced, BSEL carried out an extra check based on the date of upload. If the cumulated amount exceeded the EDD threshold, BSEL checked that the relevant documentation had ben uploaded before processing the transaction.
There is thus no basis for Ms Chapman’s conclusion that this risk was not being managed by BSEL’s PCPs. Her statement that “BSEL was unable to identify suspicious activity in relation to split transactions that occurred within short periods of time” ignores the fact that the CDD/EDD cumulation thresholds were applied by the aggregator, and BSEL then carried out an extra check based initially on the date of upload, with a more sophisticated version being implemented in June 2020. There was no breach of Reg 19(3)(c).
Bulk receipts from one aggregator?
Ms Chapman decided that BSEL had breached Reg 19(3)(c) because transactions were received from one aggregator, M Ltd, “in bulk rather than being split by agent” and “as a result, BSEL was unable to carry out any monitoring on the transactions of this aggregator at agent level”.
Findings of fact
M Ltd was onboarded as an aggregator in August 2019. The Compliance Report for October 2019 issued by Mr Kirby, the MLRO, included this statement:
“[M Ltd] has been by far the most efficient and compliant aggregator…The upload of correct IDs and KYC documentation has been right first time from their agent network.”
However, M Ltd was suspended by HMRC on 14 December 2019 and was offboarded by BSEL in consequence.
As noted at §573, on 10 December 2020, Ms Chapman asked BSEL an extensive list of questions covering at least 27 issues, although that list of questions is not exhibited to her witness statement. The replies are numbered, and as part of the answer to Q27, BSEL provided this response:
“M Ltd did operate a network of agents and, although historically some of [its] data was in bulk, BSEL started to capture the details of its agents in early 2020. M Ltd was offboarded in December 2019.”
That statement is internally inconsistent – since M Ltd was offboarded in December 2019, BSEL cannot have “started to capture details of its agents the following month”. It is also inconsistent with the contemporaneous evidence of the October 2019 Compliance Report that (a) BSEL was receiving “correct IDs and KYC documentation from their agent network” and (b) was monitoring that documentation, as it was “right first time”. In addition, I have already found that BSEL was under pressure to meet Ms Chapman’s deadlines which extended over the Christmas and New Year period, see §579.
I place no reliance on the answer given to question 27, and find as facts, in reliance on the October Compliance Report, that BSEL did receive documentation about individual customers from M Ltd’s agent network, and that those transactions were monitored.
The Tribunal’s conclusion
It follows from my findings of fact that Ms Chapman was wrong to conclude that BSEL was breaching Reg 19(3)(c) in relation to the data supplied by M Ltd.
Other aggregator issues
Ms Chapman also decided that there had been breaches of Reg 19(3)(c) because BSEL had not implemented an effective PCPs so as to:
identify customers of the aggregators who were living at the same address; and
identify the beneficiaries of the transactions made by aggregators.
These are essentially the same issues as have already been considered at §656ff and §600ff, and for the same reasons, I find there was no breach. I add that the aggregators were also separately regulated by HMRC.
Ms Chapman additionally stated in the ToF that “although a phone number is now mandatory for all beneficiaries and the format of it is now checked, these controls weren’t implemented until the new aggregator API [Application Programming Interface] integration in June 2020”.
I have already found that all aggregator transactions in cash were subject to the same monitoring thresholds as for agents, and any breach of thresholds or documentary evidence provided by the aggregator would trigger a request for additional information and prevent the transactions from being completed; furthermore BSEL designed and implemented a new Application Programming Interface to obtain additional transaction and customer data from the computer system of each aggregator, and this was finalised in June 2020. I accept that evidence, and incorporate it into my findings of fact.
Reg 19(2) requires PCPs to be “proportionate with regard to the size and nature of the relevant person's business”. BSEL had numerous checks on its aggregators (see §570ff). In June 2020, BSEL improved the controls over aggregator data in the ways set out above. That is consistent with Reg 19(1)(b), which requires relevant persons to “regularly review and update” its PCPs.
REGULATION 19(4)(e)(i): AGENTS AND THE FIT AND PROPER TEST
Ms Chapman also decided that BSEL had breached Reg 19(4)(e)(i) because it did not have PCPs so as to ensure “that appropriate measures are taken…to assess whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58”. Ms Chapman came to her conclusion because she decided that:
BSEL had failed properly to check whether agents had been convicted of criminal offences;
had failed to identify, for the purposes of F&P testing, that company secretaries and managers were “responsible persons”; and
had failed to identify certain individuals who were officers or managers of BSEL’s agents as being responsible persons.
The legislation and guidance
Reg 58 has already been considered at Part 5, and so far as relevant to this part of the ToF, it provides that HMRC “must refuse to register” an MSB if it is satisfied that “any officer, manager or beneficial owner” of an agent is not a “fit and proper” person, but in deciding whether or not that is the case, HMRC may take into account the opinion of the principal, here BSEL.
The HMRC Guidance says at 9.16 that:
“Principals should ensure that an agent meets minimum expectations, in particular that:
● the beneficial owners, senior managers, officers and nominated officer of the agency are fit and proper persons for their fiduciary role;
● they should be of good character, they should not have criminal records (see Appendix 1: Relevant offences under schedule 3 of the Regulations), or have been the subject of any professional conduct or disciplinary action, and they must demonstrate professional standards and competence in business conduct…”
Schedule 3 of the Regulations lists a range of criminal offences under English law; it also includes criminal offences under the law of a foreign country, and acts which would have constituted criminal offences within Schedule 3 had they been committed in the UK.
HMRC’s Guidance on the F&P test says that principals “must”:
make sure its agents understand the requirements of the MLR;
have a policy and procedures to screen agents;
carry out and keep a record of appropriate enquiries to satisfy themselves that responsible persons of their agents will pass the fit and proper test; and
keep an up to date list of agents with their details, to allow HMRC to carry out its own checks
The same guidance also says that “HMRC suggests” that “principals should have the individuals concerned get a certificate following a basic Disclosure and Barring Service check” but goes on to say that “HMRC is happy to consider accepting other methods as long as the results achieved can be shown to be equally robust” and that “HMRC cannot register a principal unless it’s satisfied that responsible persons in the business and its agents are fit and proper”.
HMRC’s separate guidance entitled “Apply for the fit and proper test and HMRC approval” says:
“To reach a decision we’ll consider a range of information including whether you have:
• been convicted of or are being investigated for money laundering or other offences involving dishonesty, fraud or financial crime
• been disqualified from acting as a company director
• been subject to a confiscation order under the Proceeds of Crime Act 2002
• a track record of consistent non-compliance with the Money Laundering Regulations, or with the EU Payments Regulation which applies to money
transmission service providers• been disciplined or expelled by another supervisor or professional body for regulatory or professional failings.”
In addition to the MLR, Reg 29(4)(iii) of the Payment Services Regulations 2009 similarly required that an authorised payment institution such as BSEL ensured that agents were fit and proper: the provision reads:
“In the case of an agent of an authorised payment institution, the identity of the directors and persons responsible for the management of the agent and evidence that they are fit and proper persons.”
Reg 34(3)(a) of PSR 2017 provided that an application for an agent to be included on the register must contain, inter alia “the identity of the directors and persons responsible for the management of the agent and, if the agent is not a payment service provider, evidence that they are fit and proper persons”.
Findings of fact
BSEL has a detailed and comprehensive policy for “onboarding” agents, as outlined at §462ff. In reliance on Mr Garcia’s evidence I find that since at least since January 2017, when he joined BSEL, would-be agents have been required to complete an “Individual Information Form”. That form had to be completed and signed by the owner of the business (if a sole proprietor); by each partner (if the business was a partnership); and by each director (if a company) and also by “any other person directly and/or indirectly responsible for managing the business”. These requirements are explicitly set out in the “Application Checklist” which summarises all the documents which must be submitted by an applicant.
Under the heading “Fitness and Propriety” the Individual Information Form asks extensive questions. which include the following:
whether the individual and/or any firm with which the individual holds or has held an influential position has ever been:
convicted of a criminal offence, been cautioned, the subject of a criminal investigation; or been required to produce documents pursuant to any criminal investigation;
the subject of a search pursuant to any criminal proceedings even when the individual was not the subject of the investigation;
found liable by a court (whether in the UK or overseas) for any fraud, misfeasance, negligence, wrongful trading or other misconduct;
the subject of a judgment debt or award;
party to any other proceedings which resulted in a finding against him. including injunctions and employment tribunal proceedings;
whether the individual and/or any firm with which he holds a influential position is aware of anybody’s intention to bring civil proceedings against him/it;
whether the individual has ever filed for bankruptcy and related matters; and whether any firm with which he held an influential position has ever been wound up, ceased trading, entered into a voluntary arrangement with its creditors or had a receiver/administrator appointed; and
whether the individual has any outstanding obligations connected with regulated matters.
In relation to the questions about criminality, the Individual Information Form specifies that disclosure is required of “matters whether in your country of residence or overseas” and must include “spent convictions and cautions”.
Before November 2018, BSEL checked the information on the Individual Information Form by carrying out credit checks and AML checks via a third-party provider, Creditsafe; these checks also identified whether the applicant had any registered county court judgments. In November 2018 Exiger provided its second report to BSEL. Under “Recommendations” Exiger said that although there was no regulatory requirement to conduct negative news searches, BSEL should consider these for higher risk agents. Exiger then said:
“Similarly, BSEL should consider performing criminal record checks on UK based agents using a risk based approach to target higher risk agents.”
BSEL accepted that recommendation, and went further: from November 2018 BSEL carried out DBS checks before onboarding for all agents, not just those who were “higher risk”.
Once the agent had submitted all the required documents and satisfied all BSEL’s extensive checks, the compliance team applied to the FCA to register the agent. In addition, BSEL’s PCPs require that it notify HMRC of the agent’s name and address within 30 days from its first transaction.
All agents undergo extensive online AML/CTF training before they are permitted to carry out any transaction, and before they can access the Remit ERP system. The Bundle included around 200 pages of training material relating to AML/CTF, covering periods from 2018 to 2021. Applicants who fail the training are not permitted to be an agent.
BSEL classifies agents as high, medium or low risk (see further §743ff below). Agents classified as high risk are subject to an annual review; medium risk agents are subject to review every 18 months and low risk agents every two years. On review, BSEL carries out another AML check using Experian and also obtains a further PEP screening, sanction screening and adverse media screening. In addition, a further DBS check is obtained on high risk agents. If an agent appoints a new director, a DBS check has to be obtained for that individual. BSEL’s unchallenged evidence was that it was one of very few MSBs in the UK to require DBS checks on its agents.
The parties’ submissions
Ms Toman asked the Tribunal to uphold Ms Chapman’s decision for the reasons given in the ToF, namely that there had been a breach of Reg 19(4)(e)(i) because:
although BSEL had introduced DBS checks for new agents from November 2018, they had not required them of existing agents unless they are classified as “high risk”;
although agents are required to complete the “Individual Information Form” before onboarding, they are not required to renew or refresh that form;
Ms Chapman’s review of the documents relating to the agent on-boarding process “confirmed that there is no reference to identifying, verifying or F&P testing in relation to managers or company secretaries, as required by Regulation 58”; and
thirteen agents with transactions totalling more than £32 million had responsible persons who had not been identified as such by BSEL and were thus not F&P tested.
Mr Lakha submitted that he said it was patently clear on the facts that BSEL had taken “appropriate measures” to assess whether its agents would satisfy the F&P test. In relation to the final point, reliance was placed on BSEL’s rebuttal which is set out below.
The Tribunal’s view
I have taken each of HMRC’s points in turn.
DBS checks
Reg 19(2)(a) requires that a business adopt PCPs which are “proportionate with regard to the size and nature of the relevant person's business”; by Reg 19(4)(e)(i) these include taking “appropriate measures” to assess the F&P status of an agent. Reg 19(5) says that “in determining what is appropriate or proportionate with regard to the size and nature of its business”, a person may take into account guidance issued by HMRC.
The HMRC Guidance has a list of requirements which it says “must” be followed by MSBs. In relation to DBS checks, it says only that “HMRC suggests” that a DBS check is obtained for agents, but that HMRC are “happy to consider accepting other methods as long as the results achieved can be shown to be equally robust”.
There is thus no mandatory requirement for principals to obtain DBS checks on any agent, let alone to renew them every year. BSEL has carried out these checks for all agents onboarded since November 2018 and annually for all agents categorised as high risk.
In relation to agents who had been onboarded before November 2018, it would be extraordinary if the steps taken by BSEL were insufficient to fall within HMRC’s alternative category of “other methods” so as to be “satisfied the responsible persons in the business are fit and proper”, given that (a) BSEL has consistently required all agents to complete a lengthy disclosure form which more than meets the requirements of Schedule 3, as it covers not only criminal convictions and civil judgments but also a range of other indications of involvement with the justice system, both in the UK or overseas; and (b) BSEL also carried out credit checks and AML checks via a third-party provider, Creditsafe which additionally confirmed whether the applicant had any registered county court judgments.
Annual checks
BSEL carries out AML and other checks on each agent; the frequency depended on the that agent’s risk status, see §743ff. I find that this, taken together with its other PCPs, is sufficient to meet the MLR requirement to have “appropriate measures…to assess whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58”, as required by Reg 19(4)(e)(i).
Managers and company secretaries
Ms Chapman’s decision that BSEL’s documentation had “no reference to identifying, verifying or F&P testing in relation to managers or company secretaries” is incorrect because:
the Individual Information Form has to be completed not only by each director, but also by “any other person directly and/or indirectly responsible for managing the business”.
this explicitly incorporates managers; and
since 2008, there has been no requirement for private limited companies to have company secretaries (see Companies Act 2006 (“CA”), s 270) but if they are appointed, they are “officers” of the business, and liable with directors for any defaults committed by the company (CA s 1121(1)), it follows that they are at least indirectly responsible for its management.
The thirteen agents
The final point under this heading was Ms Chapman’s conclusion that thirteen agents with transactions totalling more than £32 million had responsible persons who had not been identified as such by BSEL and were thus not F&P tested. That conclusion was based on (a) the company’s list of 272 agents together with (b) a second list of individuals she had obtained from BSEL, which she took to be a list of those who had been “F&P” tested.
Ms Chapman (or a colleague at her direction) meticulously checked each of the agents on the first list against the Companies House register to identify their directors and officers. Each of those directors and officers were then checked against BSEL’s second list, with the aim of identifying whether any agent had a director or officer who had not been F&P tested. This exercise having been carried out, Ms Chapman concluded that BSEL had omitted 13 individuals from F&P testing.
On 16 July 2021, BSEL filed and served the Appellants’ Schedule (see §110). This set out the following detailed rebuttal of those conclusions:
the second list used by Ms Chapman was not a list of all relevant persons, but a list of BSEL’s contacts at each of those agents, so it was not a complete summary of those who had been F&P tested;
although Ms Chapman listed thirteen agents, the Appellants considered numbers 5 and 6 together on the basis that they were duplicates;
BSEL had carried out F&P testing on six of those on Ms Chapman’s list;
Ms Chapman had identified one of the individuals (number 12 on her list) as a director and beneficial owner as well as a Company Secretary; BSEL denied this. I have taken it that BSEL do not deny that the individual was a company secretary; and
the remaining four were company secretaries.
Ms Chapman’s witness statement is dated 30 November 2021, over four months later, but she did not respond to BSEL’s detailed rebuttals. In particular, HMRC did not file and serve any evidence from Companies House to support points where her ToF had been challenged by the Appellants; neither did HMRC dispute BSEL’s statement that the list on which Ms Chapman was relying did not show all those who had been F&P tested.
As HMRC have the burden of proof, I have accepted BSEL’s evidence that six of the twelve had been “F&P” tested; that one was a duplicate, and that the twelfth was not a director or beneficial owner. Ms Chapman had also inferred that (a) as one agent had two branches, there must be a manager in the second branch, and (b) as no second person was on BSEL’s list, there had been a further failure. However, Ms Chapman did not provide evidence that there was a manager in the second branch.
I therefore find as a fact that the only individuals on Ms Chapman’s list who had not been F&P tested were five company secretaries. Mr Garcia told Ms Chapman during the conference call on 1 and 3 December that all those who transact business with BSEL are F&P tested, and I therefore further find that the five company secretaries identified by Ms Chapman did not transact business. That finding is consistent with the responses on the Appellants’ Schedule.
As already set out above, BSEL required all directors of agents, and also “any other person directly and/or indirectly responsible for managing the business” to complete the Individual Information Form. A company secretary comes within that definition. It follows that company secretaries are required by BSEL’s PCPs to undergo F&P testing, and there was no failure to comply with Reg 19(4)(e)(i).
I accept that five company secretaries did not complete that testing, but that was a failure to comply with the PCPs. I decided that this was a minor failure, having taken the following into account:
BSEL had 306 agents in July 2020, the majority of which were companies. Some had more than one officer, and/or other managers, all of whom were subject to F&P testing. It follows that several hundred agency personnel were F&P tested, and five were not;
Although Ms Chapman said that the twelve agents transacted business of £32,468,840, she provided no evidential support and Mr Allington-Jones did not exhibit a related spreadsheet. For the reasons set out at §133ff, I place no reliance on the figure cited by Ms Chapman. The lack of evidential support, detail or analysis also means that it is impossible to establish the volume of business carried out by the five agents whose company secretaries were not F&P tested; and
in any event none of the five company secretaries transacted business with BSEL.
Conclusion
On the basis of the facts as found, and for the reasons set out above, BSEL did not breach Reg 19(4)(e)(i). Instead, it had appropriate PCPs so as to “ensures that appropriate measures are taken…to assess whether an agent used by the business would satisfy the F&P test provided for in regulation 58”. The failure of BSEL to subject five company secretaries to F&P testing was a breach of its own PCPs, but a minor breach.
REGULATION 19(4)(e)(ii): AGENTS’ RISK ASSESSMENTS
Ms Chapman decided that BSEL had breached Reg 19(4)(e)(ii) because it did not have PCPs so as to ensure “that appropriate measures are taken…to assess…the extent of the risk that the agent may be used for money laundering or terrorist financing”. Ms Chapman came to her conclusion because she decided that the risk matrix used by BSEL to assess agents was fundamentally flawed.
The MLR and the guidance
Reg 19(2)(a) requires a business to adopt PCPs which are “proportionate with regard to the size and nature of the relevant person's business” and by Reg 19(4)(e)(ii) these include taking “appropriate measures” to assess the extent of the risk that an agent may be used for MLTF. Reg 19(5) says that “in determining what is appropriate or proportionate with regard to the size and nature of its business”, a person may take into account guidance issued by the FCA, or “any other supervisory authority or appropriate body and approved by the Treasury”.
I was unable to identify any specific guidance on the risk management of agents issued by HMRC or by the FCA, but FATF has published guidance for MSBs, entitled “Guidance for a risk-based approach” which includes a section on risk-assessment of agents. It says that “agent risk analysis should include such factors as the following based on the extent that these are relevant to the [MSB’s] business model”, and then lists 16 factors including these:
agents representing more than one principal;
agents serving high-risk jurisdictions;
agents conducting an unusually high number of transactions;
transaction patterns just below a CDD threshold;
agents that have been the subject of negative attention from credible media or law enforcement sanctions;
agents that have failed to attend or complete training programs;
agents with a history of regulatory non-compliance; and
agents whose data-collection or record keeping is lax or inconsistent.
Findings of fact
BSEL does not onboard an agent unless he has completed AML/CTF training, which is concluded by a test of at least 25 questions, with a pass mark of 80%. Agents are subsequently required to attend annual training, which is also followed by a test. An agent who fails to meet those requirements, or who does not attend the training, is suspended until the training record is up to date. At the time of Ms Chapman’s investigation, all training records were up to date. Ms Chapman was provided with BSEL’s training materials, sample tests and agent training records, but did not include any training-related issues in the ToF. I find that BSEL’s approach to agent training met all relevant regulatory requirements.
After onboarding, a new agent is automatically considered high risk for the first six months, and may then be reclassified depending on their risk assessment. This is carried out using a weighting algorithm made up of eleven different factors, each of which was weighted as set out below. Factors 3 and 5-10 related to the previous 12 months. Factor 9 was scored based on the higher of number of transactions and volume of remittances.
Parameter | High | medium | Low | Weighing | |
1 | Length of Relationship | < 6 months | >= 6 and < 24 months | >= 24 months | 10% |
2 | Financial Risk Rating (Experian) | <= 25 | > 25 and <= 80 | > 80 | 5% |
3 | Recordkeeping Duty - Receipt Upload | < 60% upload last 12 months | < 75% upload last 12 months | >= 75% upload last 12 months | 11% |
4 | Active users | >= 4 | > 1 and < 4 | 1 | 5% |
5 | Transaction Volume as percentage of total for country | >= 1% of | >= 0.5% and < 1% of | < 0.5% of | 11% |
6 | SARs Reported Against the Agent | 1 SAR | 0 SAR | 0 SAR in the | 10% |
7 | Internal SARs reported by Agent | < 5 SARs | >= 5 and < 10 SARs | >=10 SARs | 10% |
8 | Average Ticket Size | > 750 per transaction | > 500 and <= 750 per transaction | <= 500 per transaction | 10% |
9 | High Risk Beneficiary Jurisdiction (EU High Risk Third Countries) | > 51% no of transaction/ remittance volume | > 25% and <= 51% no of transactions/ remittance volume | <= 25% no of transactions/ remittance volume | 18% |
10 | Cancelled Transactions | > 1% | > 0.50% and <= 1% | <= 0.50% | 5% |
11 | Nature of Business | MSB and other high-risk services | Not applicable | “MSB only” and “MSB and other non- high-risk services” | 5% |
An agent who achieved an overall risk score of less than 2 was rated as low risk; one who scored between 2 and 3.25 was rated medium risk, and an agent who scored 3.25 or above was rated as high risk. The Agent Risk Assessment was continually and automatically adjusted according to real time transaction data from each agent.
Exiger advised on this risk assessment methodology; when Eversheds reviewed it they said that:
“As recommended by FATF, BSEL undertakes a specific risk assessment of its agents, both prior to commencing business and on an ongoing basis.
Once on-boarded, every agent is automatically considered high risk for the first six months of operations and during this time BSEL conducts EDD.
After this time, the agent may be re-classified as either low or medium risk depending on the prevailing risk assessment. The risk assessment takes
into account location specific volume, location specific number of transactions, unusual spikes in volume, number of SARs in the last 12 months,
notifications from law enforcement, fraud alerts and the agent visit report.”
Whether the risk assessment was “not appropriate”
Ms Chapman decided that BSEL’s risk methodology was “not appropriate” because:
“it fails to identify agents as high risk unless they have multiple high risk indictors and thus is not appropriate to assess the level of risk they pose. For example, an agent whose business is a high risk type such as a travel agent with an average transaction size of £1,000, sending all of its transactions to a high risk third country, but with no other identified risks, would score 2.82, leading to a risk rating of only medium.”
Mr Lakha said that Ms Chapman had failed to consider the whole picture. For example, taking her example of the travel agent “factors such as the length of time he has been an agent with BSEL, his record keeping, the number of customers and the transaction volume would all properly serve to reduce that risk”.
The Tribunal’s view
Ms Chapman does not cite any guidance or authority for her statement that BSEL’s risk assessment methodology is “not appropriate”. It was designed on Exiger’s advice, and Eversheds confirmed that it was in line with the FATF guidance. That this is correct can be seen from the list of factors cited at §741 above. FATF specifically include transaction volumes, transaction patterns, negative media coverage (which BSEL identified by the Experian search) and whether recordkeeping was good or poor. The other factors used by BSEL, such as length of the agency relationship, the number of cancelled transactions and SARs are all clearly relevant when assessing an agent’s risk profile. I agree with Mr Lakha that there is no basis for Ms Chapman’s decision that BSEL’s risk assessment methodology was “not appropriate” so as to be a breach of Reg 19(4)(e)(ii).
Whether the risk assessment should have included agent proximity
Ms Chapman also decided that BSEL’s agent risk assessment breached Reg 19(4)(e)(ii) because “it did not take into account the risk of agents in close proximity to each other or
those that were registered as agents with a large number of other MSBs”. This is essentially a revisiting of the issue already considered at §477ff. I found that BSEL did not breach Reg 18 by not including a flag within the Remit ERP system relating to the relative proximity of agents. For essentially the same reasons, there was also no breach of Reg 19(4)(e)(ii).
Whether the risk assessment should have included transactions near the CDD threshold
Ms Chapman’s third point under this heading was that BSEL had “failed to establish PCPs to identify agents carrying out large proportions of transactions just below BSEL’s CDD thresholds as being high risk”.
Findings of fact
BSEL monitors the risk of agents carrying out frequent transactions just below the CDD limit by use of an flag on the real-time MLP Dashboard. The alert is raised if the same agent transacts £10,000 or more in one hour to the same destination country in more than five transactions (in other words, with each one being below the CDD thresholds). If the alert is raised, the transactions are checked by BSEL’s transaction monitoring team. If the check indicated that the agent was deliberately seeking to transact below the CDD threshold, the matter would be escalated and the MLRO would decide whether to raise a SAR. Thus, the risk is controlled using the Remit ERP system.
Ms Chapman said that “an analysis of the transactional data and agent files showed that, for example, although O Ltd carried out 2,908 transactions between the value of £1,800 and £2,000, it was assessed as being a medium risk agent”. However, she provided no supporting evidence for her figures; she did not exhibit the risk assessment carried out on O Ltd, and there is no reference to O Ltd in her long and comprehensive witness statement, which ran to 126 paragraphs. I therefore make no finding of fact about the value of transactions carried out through O Ltd or about its risk assessment rating.
I am able, however, to make findings of fact about the monitoring of O Ltd by BSEL. The December 2019 Compliance Report recorded that each of that agent’s transactions were reviewed by the transaction monitoring team; subsequent compliance reports recorded that the firm was under ongoing investigation, and the Appellants’ Schedule stated that a SAR was raised in March 2020.
In the course of cross-examination, Ms Toman suggested to Mr Salam and Mr Curran that O Ltd should have been offboarded, but as they both pointed out, this was decision for the MLRO, who at the time was Mr Kirby. I agree that it was for Mr Kirby to decide whether or not to offboard O Ltd in the light of the information available to him; the Tribunal had no information as to the facts he considered, or his reasoning.
HMRC’s decision that the agent assessment process was not appropriate has no evidential foundation.
Conclusion
for the reasons set out above, BSEL’s agent assessment process was not a breach of Reg 19(4)(e)(ii).
REGULATION 19(1): RISK MANAGEMENT OVERALL
As set out at §515, Reg 19(1)(a) requires that a relevant person:
“must establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1).”
Reg 19(3) and (4) then set out particular requirements for PCPs in order to comply with Reg 19(1)(a). Ms Chapman decided that BSEL had breached Reg 19(1)(a), because of the failures she identified in BSEL’s PCPs as set out above:
in relation to risk management, under Reg 19(3)(a);
in relation to one-to-many transactions, many-to-one transactions, and other points under Reg 19(3)(c);
in relation to SARs, under Reg 19(4)(d); and
in relation to agents under Reg 19(4)(e).
For the reasons explained in each of the relevant parts of this judgment, I have found that there were no breaches of any of those regulations, and it follows that there was also no consequential breach of Reg 19(1)(a).
REGULATION 28: CDD MEASURES
Ms Chapman decided that BSEL had breached Reg 28 in the ways set out in the next following sections of this judgment. Reg 28 is headed “Customer due diligence measures” and the relevant paragraphs are as follows:
“(1) This regulation applies when a relevant person is required by regulation 27 to apply customer due diligence measures.
(2) The relevant person must—
(a) identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;
(b) verify the customer's identity unless the customer's identity has already been verified by the relevant person;…
(3) Where the customer is a body corporate—
(a) the relevant person must obtain and verify—
(I) the name of the body corporate;
(ii) its company number or other registration number;
(iii) the address of its registered office, and if different, its principal place of business;
…
(16) The relevant person must be able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing, including risks—
(a) identified by the risk assessment carried out by the relevant person under regulation 18(1);
(b) identified by its supervisory authority and in information made available to the relevant person under regulations 17(9) and 47
(17) …
(18) For the purposes of this regulation—
(a) except in paragraph (10), “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;…”.
REG 28(2)(b): VERIFICATION OF CUSTOMERS
Ms Chapman decided that BSEL had failed to verify some of its customers, as required by Reg 28(2)(b) because:
“Paragraph 4.95 of HMRC guidance for MSBs states that as a minimum a private individual’s given and family name, date of birth and residential address should be obtained and verified in order to meet the requirements of MLR 2017. BSEL failed to verify the residential address and thus the identity of some of its customers as required by Regulation 28(2)(b). BSEL’s PCPs confirms that it did not verify the addresses of those customers who provided a passport as their single form of ID and whose transactions did not exceed
£2,000 either in a single transaction or cumulatively within a 90 day period. For transactions to Bangladesh from January 2020 to November 2020 the threshold was £3,000.”
The HMRC Guidance
The HMRC Guidance at 4.65 states that:
“As part of your customer due diligence measures, you must identify individuals. You should obtain a private individual’s given and family name, date of birth and residential address as a minimum.
Documentation purporting to offer evidence of identity may come from a number of sources. These documents differ in their integrity, reliability and independence. Some are issued after due diligence on an individual’s identity has been undertaken; others are issued on request, without any such checks being carried out. There is a broad hierarchy of documents:
certain documents issued by government departments and agencies, or by a court; then
certain documents issued by other public sector bodies or local authorities; then
certain documents issued by regulated firms in the financial services sector; then
those issued by other firms subject to the Regulations, or to equivalent legislation; then those issued by other organisations.
You should verify these using identity evidence that has been issued by a recognised body, for example a Government department, that has robust identity proofing measures, and includes security features that prevent tampering, counterfeiting and forgery with the customer’s full name and photo, with a customer’s date of birth or residential address such as:
● a valid passport
● a valid photo card driving licence (full or provisional)
● a national identity card
● a firearms certificate
● an identity card issued by the Electoral Office for Northern Ireland.”
Findings of fact
On registration, BSEL require a customer to provide an original passport, driving licence, national identity card or residence permit, which contained the customer’s full name, photograph, and date of birth. Some of these ID documents also include the person’s address, but the British passport does not.
BSEL carried out KYC checks on all customers, which required the customer to provide his address, date of birth and postcode. The validity of the address and postcode were then checked using the Royal Mail Database service.
In the period before January 2020, when 5MLD was implemented, BSEL also required proof of address for one-off transactions of £2,000 or above, and for cumulative totals of that amount over a 90 day period. As set out at §253, following the implementation of 5MLD Mr Kirby changed the CDD/EDD thresholds. For transactions to Pakistan, customers were required to provide proof of address for cash transactions of £2,000 or more, and for non-cash transactions of £5,000 or more. For transactions to Bangladesh, proof of address was required for cash transactions of £3,000 or more, and for non-cash transactions of £5,000 or more.
BSEL also undertook an electronic ID verification for all customers, using an independent external provider, Experian. From July 2019, BSEL used Experian’s Auto Doc function to authenticate the identification documents. From February 2020, BSEL used Experian’s ProveID solution to confirm the identity and address of customers using its mobile app REMITnGO.
As set out earlier in this judgment, on 6 November 2020, in response to Ms Chapman’s concerns, Mr Curran informed Ms Chapman that BSEL would be implementing Experian’s ProveID to authenticate the identification and address information for all customers from 6 November 2020.
It is thus the case that until 6 November 2020:
All customers provided original identity documents issued by a recognised body. Most of these documents include the person’s address, but the British Passport does not.
All customers provided BSEL with their address.
BSEL checked that the address was valid using the Royal Mail database, but this check did not confirm that the customer lived at the address.
For customers whose ID was a British Passport, proof of address was obtained only if/when they transacted above the EDD threshold, or if they used REMITnGO.
Whether the HMRC Guidance requires proof of address
Ms Toman submitted that Ms Chapman was correct that that proof of address was required by the HMRC Guidance. Mr Lakha said this was wrong, and that that the requirements were that:
the MSB must obtain the customer’s residential address; and
should verify the person’s identity using evidence issued by a recognised body, for example a government department. That verification requirement was met by production of a valid passport.
I again agree with Mr Lakha. The opening part of the HMRC Guidance clearly states that the MSB must “obtain” the person’s residential address, and BSEL did this as part of its normal KYC checks. The HMRC Guidance also requires that the MSB verifies the person’s identity using evidence that has (my emphasis) “robust identity proofing measures, and includes security features that prevent tampering, counterfeiting and forgery with the customer’s full name and photo, with a customer’s date of birth or residential address”. Passports have the person’s full name and photo and their date of birth. It is explicit in the HMRC Guidance that presentation of a valid passport is sufficient to prove a person’s identity and Ms Chapman’s conclusion is therefore incorrect.
The legislative requirements
That this is the correct conclusion can also be seen from the MLR. Reg 28(2) requires the relevant person to “identify the customer” and “verify the customer’s identity”. Where the customer is a corporate body, Reg 28(3) adds the additional requirements that the relevant person must obtain and verify its name, registration number and “the address of its registered office, and if different, its principal place of business”. In other words, Reg 28 explicitly states that addresses must be verified for companies, but there is no such requirement for individuals. Reg 28(18)(a) further provides that “verify” requires that the person’s identity is checked with a reliable independent source, and a passport obviously meets that description.
Conclusion
For the reasons set out above, BSEL did not breach the requirements of Reg 28(2)(b) by relying on the provision of British passports as evidence of identity.
REGULATION 28(16)(b) AND REGULATION 28(11))a)
Reg 28(16) is set earlier in this judgment, but is repeated here for ease of reference. It provides:
“The relevant person must be able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing, including risks—
(a) identified by the risk assessment carried out by the relevant person under regulation 18(1);
(b) identified by its supervisory authority and in information made available to the relevant person under regulations 17(9) and 47.”
Reg 28(11) reads:
“The relevant person must conduct ongoing monitoring of a business relationship, including—
(a) scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile;
(b) undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.”
Ms Chapman’s decision
Ms Chapman decided that BSEL had breached Reg 28(16)(b) on the basis that it “had not been able to demonstrate, that the extent of the measures it had taken to satisfy its requirements under Regulation 28 were appropriate in view of the risks of MLTF in the ways set out below”. That statement is followed by a list of points under the heading Reg 28(11)(a). Thus, in this part of the ToF, Ms Chapman decided BSEL had breached Reg 28(16)(b) because it had failed to comply with Reg 28(11)(a) for the reasons set out below.
Many-to-one transactions
The first reason was many-to-one transactions. Ms Chapman essentially reiterated the points she had previously made in relation to Reg 19(3)(c), which were considered at §600ff . I concluded there was no breach of that Regulation.
In the context of Reg 28(11)(a), Ms Chapman relies on the fact that the automated VBP was not fully operational until April 2021, and that until then BSEL “was reliant on manual checks” which in her view constituted inadequate “scrutiny of the transactions”. There is, as I said earlier in this judgment, no statutory requirement for checks to be automated. Until full implementation of the VBP, the compliance department reviewed many-to-one transactions and referred cases to the MLRO for appropriate action, which could include filing SARs, off-boarding and/or blocking transfers.
Ms Chapman also relied on analysis carried out by Mr Allington-Jones, which for the reasons explained at §133ff, I found to be unreliable. Just as there was no breach of Reg 19(3)(c), there was also no breach of Reg 28(11)(a).
Since BSEL’s approach to many-to-one transactions did not breach Reg 28(11)(a), it follows that it also did not breach Reg 28(16)(b).
One-to-many transactions
At an earlier point in the ToF, Ms Chapman had decided BSEL had breached Reg 19(3)(c) in relation to one-to-many transactions, and I rejected that conclusion for the reasons given at §641ff. In the context of Reg 28(11)(a), Ms Chapman relied on the following three points, each of which I consider below:
that “in 2018 BSEL stopped automatically monitoring customers sending to large numbers of beneficiaries”;
Mr Allington-Jones’s spreadsheet SAJ07 relating to one-to-many transactions; and
three examples Ms Chapman had sent to BSEL.
Cessation of automatic monitoring
My findings of fact at §643ff are repeated here. In summary, BSEL stopped the automatic monitoring of one-to-many transactions because it produced too many false positives, in other words these were cases where, on review by compliance, there was no risk of MLTF. BSEL relied instead on other PCPs, in particular the fact that the Remit ERP system also automatically accumulates transaction amounts in real time for all customers irrespective of the numbers of beneficiaries, and each customer has a risk rating. In addition, BSEL trains its agents on monitoring transactions to spot MLTF.
Deciding not to use flags in the Remit ERP system to monitor one-to-many transactions was not a breach of Reg 28(11)(a); it was a recognition that the control was not proportionate. The risk was instead addressed by the other measures set out above.
Mr Allington-Jones’s spreadsheet
I considered Mr Allington-Jones’s spreadsheet SAJ07 at §650ff. I said that it was clear from his figures that the overwhelming majority of the transactions identified were well within what would be expected of BSEL’s client base, and that the spreadsheet should not be considered in a vacuum, separately from BSEL’s other control procedures and from the transaction monitoring carried out by BSEL’s compliance teams.
Ms Chapman’s examples
Ms Chapman also said that during the telephone meeting of 10 March 2021, she showed BSEL three examples which she had identified from the transaction data:
Ref | Beneficiaries | £ |
CM119319 | 61 | £21,582 |
CM13697 | 53 | £28,018 |
CM5686 | 34 | £41,793 |
The ToF states that on 29 March 2021 “BSEL confirmed…that it had not identified these”, and that statement then formed the basis for the statement in HMRC’s Statement of Case that this showed that “customers with large numbers of beneficiaries were not identified and monitored”. That passage from the ToF is mirrored in Ms Chapman’s witness statement
However, Ms Chapman did not set out the full picture in the ToF or her witness statement. On the basis of the evidence in the Bundle, I make the findings of fact in the next two paragraphs.
Following the telephone meeting on 10 March 2021, Ms Chapman asked BSEL to respond to 22 questions, one of which was “confirmation of whether any of the following senders (agent data) had been identified as having multiple beneficiaries, either prior to or after November 2020, and dated copies of any investigations into these transactions”; that question was followed by the table set out above.
On 29 March 2021, BSEL replied, saying that:
the three senders were not identified and therefore not investigated;
the primary reason for that was that the senders did not exceed the CDD threshold: the average transaction size of the first sender was £297, that for the second was £334 and that for the third was £603;
BSEL had ID documents for all three senders (which were copied to Ms Chapman). The first was a driving licence, the second a passport, and the third provided both a driving licence and a letter from his bank;
declarations of funds were also provided; and
all three were Bangladeshi customers sending money to their home country.
It is clear from BSEL’s detailed response that BSEL had significant information about these three customers and their remittances. Taken together with (a) BSEL’s other PCPs, in particular the real-time cumulation of transactions irrespective of beneficiary and the real-time risk rating of customers, and (b) the fact that it was normal practice for its customer base to send to a wide network of friends and family, I find that BSEL was monitoring these customers using the flags and controls in the Remit ERP system, and there was no need to carry out investigations in relation to these three individuals, simply on the basis of the number of transactions. There was no breach of Reg 28(11)(a).
Reg 28(16)(b)
As BSEL’s approach to one-to-many transactions did not breach Reg 28(11)(a), it follows that it also did not breach Reg 28(16)(b).
Customer details
Ms Chapman also decided that “BSEL’s PCPs were ineffective in ensuring integrity of the data it obtained from its customers and customers were able to set up multiple accounts within and across the agent network” and that “inaccurate recording of information and customers with multiple accounts have resulted in BSEL being unable to carry out effective ongoing monitoring of its customers transactions”.
For that conclusion Ms Chapman relied on another spreadsheet produced by Mr Allington-Jones (SAJ12), which she said showed:
“in the period 1 September 2018 to 31 August 2020 1,984 customers with the same name and date of birth had more than one account with transactions totalling £16,881,725.89, across 263 different agents. For example, [Mr JK] with a date of birth of [XX] had five separate accounts with transactions totalling £13,505.63.”
BSEL re-ran the transactional data on which Mr Allington-Jones’s spreadsheet was based, and were unable to replicate those results.
Findings of fact
As previously found earlier in this judgment (see §536) BSEL identified the issue of duplicate customer accounts in 2018 and resolved the issues as follows:
In January 2018 it manually merged duplicate customer profiles and before doing so created a specific procedure to clean the data.
In the same month it implemented the automated control to the Remit ERP system to avoid special characters, see §525ff.
In January 2020, it introduced an OCR Engine which ensured that where there had been manual errors in the input of a customer’s details, these would be identified and rectified.
In September 2020, BSEL introduced the VCP merging process which cleansed the system of duplicate accounts; this originally over-compensated by merging some accounts which belonged to different people, but after changes to the algorithm all duplicate customer profiles were correctly merged.
It was common ground that in some countries (including Pakistan and Bangladesh), not all births were officially registered, especially in rural areas, and subsequent official documentation was issued on the basis that the individual had been born on 1 January of the probable year of birth. Furthermore as already found at §537 and §605, many Bangladeshis and Pakistanis have the same name: for instance, Mohammed Ali, Mustafa Khan or Habibur Rahman. It was also common ground that as SAJ12 was based on data for the two year period ending in August 2020, so it did not take into account the implementation of the VCP
On the basis of Mr Allington-Jones’s evidence about SAJ12, I find that:
he was unable to explain why BSEL’s re-running of the transactional data did not replicate his results; and
he had not run the data chronologically, so he was not able to say whether the duplicate accounts arose:
in the period between August 2018 and January 2019 (when the special character program was implemented); and/or
in the period between August 2018 and January 2020 (when the OCR program was implemented).
From my own review of SAJ12, I find that:
the only individual identified as having five accounts is the Mr JK selected by Ms Chapman as an example of the issue she was considering;
two individuals had four accounts, and 46 had three accounts; the remaining 1,935 had two accounts;
when asked in cross-examination by Mr Lakha whether it was possible for two different individuals with the same name and date of birth to have been incorrectly treated as the same person, Mr Allington-Jones said this wasn’t possible because he had also matched the individuals by address. However, from my review of the spreadsheet, that is not the position: there are multiple cases where the name and date of birth match, but the address is different; and
the spreadsheet also shows entries with (say) three different account numbers but the same name; the date of birth in each case was 1 January of a particular year and there were different addresses; these had been treated as the accounts of the same person.
Findings about Mr Allington-Jones’s spreadsheet
I make the following findings about SAJ12:
It has assumed that two (or more) accounts were opened by the same person in reliance on the name and date of birth, despite:
the customer base sharing a relatively small number of similar names;
1 January being used as the default birthday where there was no birth certificate; and
customers having different addresses.
It was impossible to tell whether the identified duplicates predated the cleaning of the data by BSEL in May 2019 and/or those introduced in January 2020.
BSEL could not replicate Mr Allington-Jones’s results, possibly because of the problems set out at (1) above.
Earlier in this judgment I said that less weight would be placed on spreadsheets where the Appellants had re-run the data and had explicitly challenged the conclusions in their Schedule: this is such a case. Taking into account the factors in the previous paragraph, I decided that no weight could reliably be placed on SAJ12. I add that my conclusion would be the same even were I to be wrong in my findings at §798(1).
The Tribunal’s conclusion on Reg 28(11)(a)
As I have found SAJ12 to be unreliable, there is no evidential basis for Ms Chapman’s decision that “inaccurate recording of information and customers with multiple accounts have resulted in BSEL being unable to carry out effective ongoing monitoring of its customers transactions”. There is thus no evidence that BSEL breached Reg 28(11)(a), and it follows that there is no evidence that it breached Reg 28(16)(b).
I add that when Ms Chapman selected Mr JK as an example, she did not say he was the only identified case of a person with five accounts; that there were only two identified cases with four accounts, and that almost 99% of the identified cases had two accounts (which may not have been actual duplicates, and which may have predated January 2019).
Customers sharing phone numbers
Ms Chapman also decided that BSEL had breached Reg 28(11)(a) because it “did not identify transactions carried out by customers sharing a phone number as being linked”. I have already considered this issue in the context of Reg 19(3)(a) at §542ff and found that there was no breach of that regulation.
In relation to Reg 28(11)(a) Ms Chapman referred back to the data analysis relied on for Reg 19(3)(a). The related spreadsheet was SAJ02, which was considered at §550ff. In summary, the Appellants were unable to replicate the outcomes on that spreadsheet; Mr Allington-Jones accepted that there was more than one way of summarising the data, and that “if the test was summarised in a different way…it would likely give different results”. My own review of SAJ02 showed that customers with the same family name were neither removed from the dataset, nor separately quantified, before conclusions were drawn, and that for all those reasons, little weight could be placed on SAJ02.
In relation to Reg 28(11)(a) Ms Chapman cited three particular shared telephone numbers, together with details of the precise time the transactions took place; the related agent and the total number of transactions. However, I was only able to find two of those telephone numbers on SAJ02 (and one of those had a different transaction total from that in the ToF). In addition, SAJ02 does not include the number or timing of transactions, or the identity of the agent. Furthermore, Mr Allington-Jones’s witness statement also does not cite this part of the ToF (see §133ff). For all those reasons, I place no reliance on these three examples.
I find that (a) for essentially the same reasons as set out at §550ff, customers sharing phone numbers did not breach Reg 28(11)(a) or Reg 28(16)(b), and (b) as explained above, no reliance can be placed on Ms Chapman’s examples.
Senders from the same address
Ms Chapman decided that BSEL had breached Reg 28(11)(a) because it “did not identify and monitor the transactions of multiple senders residing at the same address”. I have already considered this issue in the context of Reg 19(3)(c) at §656ff and found that there was no breach of that regulation.
In the context of Reg 28(11)(a), the ToF set outs four specific addresses about which Ms Chapman said (my emphasis) “BSEL confirmed, in information uploaded to Dropbox on 29 March 2021, it had not identified” that more than one person was living at the same address.
In her witness evidence, her position changed, although she did not acknowledge that change. She said (my emphasis) that BSEL “had not identified the four examples, shown to it during the meeting of 10 March 2021, of multiple customers residing at the same address…within its agent data, prior to the meeting”.
I considered the evidence in the Bundle. The “Dropbox” responses provided on 29 March 2021 did not refer to these four addresses. I then considered the minutes of the meeting on 10 March 2021. These say that Mr Simon Terry, an HMRC Officer attending the meeting with Ms Chapman:
“shared his screen to show some examples of multiple customers residing at the same address, the details of which have been e-mailed separately to TC to ascertain whether these had been previously identified by BSEL.”
HMRC’s own notes of that meeting therefore do not say that BSEL agreed that they had not checked the four examples, they instead record that the examples were shared during the meeting. They also do not say when the examples were “separately” emailed to Mr Curran, and I was unable to locate any earlier correspondence between Ms Chapman and Mr Curran which supports her statement that the examples were sent to him before the meeting.
I find as a fact that BSEL did not say that they had failed to identify the four examples of multiple customers residing at the same address, and I reject that statement in the ToF as unreliable. That is because
Ms Chapman changed her position as between the ToF and the witness statement without explanation;
there is no documentary evidence that she provided the examples to Mr Curran;
there is no evidence that the examples shared at the meeting are the same as those relied on by Ms Chapman in the ToF; and
Ms Chapman’s evidence about some other matters was not entirely reliable, see §150ff.
It follows from the above, taken together with my analysis and conclusions in relation to the same issue in the context of Reg 19(3)(c) at §656ff, that that BSEL did not breach Reg 28(11)(a) in relation to customers living at the same address, and also did not breach Reg 28(16)(b).
Non-local agents
Ms Chapman decided that BSEL “did not identify the risk of customers whose address was not local to that of the agent it was using and so had not identified and carried out ongoing monitoring of these transactions”. For the reasons set out in relation to Reg 18(2)(b), I find that there was also no breach of Reg 28(11)(a) or Reg 28(16)(b).
Multiple agents
Ms Chapman decided BSEL had breached Reg 28(11)(a) because it “did not identify and monitor customers using multiple agents unless their transactions exceeded normal threshold amounts”. For the reasons set out in relation to Reg 19(3)(a), I find that there was also no breach of Reg 28(11)(a) or Reg 28(16)(b).
Aggregators: real time data and M Ltd
Ms Chapman decided BSEL had breached Reg 28(11)(a) in relation to the same “real time” and “M Ltd” issues raised in the context of Reg 19(3)(a), and for essentially the same reasons, I find that BSEL did not fail to comply with Reg 28(11)(a) in either respect, and also did not fail to comply with Reg 28(16)(b).
Aggregators: one-to-many
Ms Chapman decided BSEL had breached Reg 28(11)(a) because it did not effectively identify and monitor situations where the customers of aggregators had sent funds to a number of beneficiaries. In relation to the “one-to-many” issue and the position of aggregators I have already found as follows:
The aggregators take money from their own customers and transfer it to BSEL, which in turn transfers the money to its destination in Pakistan or Bangladesh using its bank account with Barclays.
Aggregators conduct their own risk assessments of their individual customers, and BSEL will not onboard an aggregator unless it has approved its risk assessment methodology.
The Remit ERP system automatically accumulates transaction amounts in real time for all customers irrespective of the numbers of beneficiaries.
BSEL carries out a real-time risk assessment on all customers which takes into account nationality, age, type of transaction, frequency of transactions and the destination country to which funds are sent.
It was not unusual for a customer with a South Asian background to send money to multiple beneficiaries, because of the size of their family network and for religious and cultural reasons.
To support her conclusion, Ms Chapman cited a number of examples, about which I make the following findings of fact.
Findings of fact
In reliance on a further spreadsheet produced by Mr Allington-Jones (SAJ14) Ms Chapman identified four customers who had made payments to more than one beneficiary during the two years from 1 September 2018 to 30 August 2020, as set out below:
Number | No of beneficiaries | £ |
xxx912 | 31 | 9,413 |
xxx719 | 30 | 9,455 |
xxx797 | 27 | 14,338 |
xxx975 | 25 | 12,977 |
After the telephone meeting on 10 March 2021, Ms Chapman sent a list of questions to BSEL. Question 10 was “Were the following senders with multiple beneficiaries (aggregator data) identified and investigated? If yes, please provide dated copies of investigations including any communications”, and she attached the table above. On 29 or 30 March BSEL answered question 10 by provided the following details of these four customers:
Sender xxx912 had made 36 transactions in the two years; had provided two driving licenses and a “Creditsafe report”; the average transaction size was £241 pcm sent to 16 different beneficiaries, so on average each beneficiary had received two amounts in the two year period;
Sender xxx719 had provided a British passport; a bank statement from Halifax; a Creditsafe report and a declaration of funds; the average transaction size was £260 and he made around 3 transactions every two months.
Sender xxx797 had provided a driving licence, the average transaction size was £478, and he made around 3 transactions every two months.
Sender xxx975 had provided a driving licence; the average transaction size was £499 and he made just over one transaction a month.
The Remit ERP system has a specific field to monitor the number of transactions by each customer in a rolling twelve month period, as well as checking CDD/EDD thresholds and ID validity.
The senders were not flagged for investigation because they had all provided the necessary ID; many had supplied additional information and the transactions were all well below the thresholds.
In the ToF, Ms Chapman did not refer to the first sender. In relation to the others, she said only that BSEL had failed to carry out further investigations, and these three cases were examples of its failure to carry out “scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile”. She did not refer, either in the ToF or in her witness statement, to any of the further information provided by BSEL, set out in the previous paragraph. She also did not refer to the fact that the Remit ERP system carried out a real-time risk assessment of customers.
The Tribunal’s view
The facts as found demonstrates that the four examples were exactly what would be expected of migrant workers sending relatively small sums of money on a regular basis to friends of family in Bangladesh or Pakistan. Plainly they do not demonstrate that BSEL failed to scrutinise transactions undertaken throughout the course of the relationship to ensure that they were consistent with BSEL’s person's knowledge of its customers”.
Ms Chapman came to her conclusion having failed to take into account most of the evidence provided by BSEL, both in relation to these customers, and more generally in relation to the controls within the Remit ERP system. Having taken that relevant evidence into account, I find that there was no breach of Reg 28(11)(a) or Reg 28(16)(b).
Aggregators: many-to-one
Ms Chapman similarly decided that BSEL failed to comply with Reg 28(11)(a) in relation to many-to-one transactions carried out by customers of the aggregators. I have already made findings in relation to the many-to-one issue, see §600ff. In the context of Reg 28(11)(a) Ms Chapman relied on four examples, about which I make findings of fact.
Findings of fact
Mr Allington-Jones produced another spreadsheet (SAJ15) setting out 1,256 individuals he had identified as beneficiaries of more than 10 transfers over the two year period to 30 August 2020. He accepted that this was likely to be an over-estimate as he was relying on limited data to identify the beneficiaries.
Question 11 on Ms Chapman’s list of questions after the meeting on 10 March 2021 concerned three individual beneficiaries, for each of which Mr Allington-Jones had identified a phone number. I was able to locate two of those three among the 1,256 names on Mr Allington-Jones’s spreadsheet, but was unable to locate the third. Mr Allington-Jones had linked the first of the two identified beneficiaries to 29 senders over the two year period, totalling £96,363, and the second to 33 senders, totalling £57,880. I could not locate in the spreadsheet the source of the figure cited by Ms Chapman for the third beneficiary.
In response to Ms Chapman’s question, BSEL provided further data about all three beneficiaries. As they did not dispute the figures for the third beneficiary, I have accepted that those figures are valid. I also accept that, as a phone number was given on Mr Allington-Jones’s spreadsheet, on the balance of probabilities the identified amounts were transferred to these three beneficiaries by 29, 33 and 31 senders respectively.
The further data provide by BSEL included confirmation that they had ID data for all the senders to these beneficiaries; proof of address for 23 of the senders to each of the first two beneficiaries and for 11 senders to the third beneficiary, and declarations and sources of funds for some of the senders. BSEL also said that as none of the senders had breached any of the relevant thresholds, no further investigations had been carried out.
Only the last part of that response found its way into the ToF and Ms Chapman’s witness statement: she said that BSEL had accepted it had failed to investigate these transactions and this showed it had breached Reg 28(11)(a).
The Tribunal’s view
Reg 28(11)(a) requires that a relevant person (such as BSEL) should scrutinise transactions undertaken throughout the course of its relationship with its customers to ensure that they were consistent with BSEL’s knowledge of its customers. The beneficiaries were not BSEL’s customers; as BSEL said in its response to Ms Chapman’s questions, they had monitored their customers and ensured that they had met all relevant AML requirements. In other words, BSEL acted entirely in accordance with Reg 28(11)(a).
There is nothing in the HMRC Guidance which requires MSBs to monitor the beneficiaries. It was BSEL which, of its own initiative, recognised the risk of transaction splitting using many-to-one transactions, and as set out at §606ff, undertook the significant and difficult task of creating a VBP, which was completed in April 2021. The three examples on which HMRC rely relate to a period before the VBP had been introduced.
For all those reasons, I find that there was no breach of Reg 28(11)(a), or Reg 28(16)(b).
Aggregators: customers at same address
Ms Chapman decided that BSEL had breached Reg 28(11)(a) because it did not flag for review transactions made by customers of aggregators residing at the same address. In reliance on a spreadsheet prepared by Mr Allington-Jones (SAJ16) she gave three specific examples.
This issue has already been considered at §656ff, and for the same reasons I find that there was no breach of Reg 28(11)(a), or Reg 28(16)(b). In relation to the three examples, I find as a fact in reliance on BSEL’s detailed response that BSEL had obtained suitable ID documentation for each of the individuals, and none of the transactions breached the CDD thresholds, which are applied both individually and cumulatively, and they do not demonstrate any failure to comply with Reg 28(11)(a), or Reg 28(16)(b), but the contrary.
REGULATION 35: PEPs
Ms Chapman decided that BSEL had breached Reg 35, which deals with politically exposed persons (“PEPs”) because until November 2020 it did not screen all transactions to see if the individual was a PEP, but only transactions above a threshold of £850 (€1,000). I set out the legislation, the guidance, my findings of fact, the parties’ submissions and my conclusions.
The MLR
Reg 35 is headed “Enhanced customer due diligence: politically exposed persons” and it includes the following provisions:
“(1) A relevant person must have in place appropriate risk-management systems and procedures to determine whether a customer or the beneficial owner of a customer is—
(a) a politically exposed person (a “PEP”); or
(b) a family member or a known close associate of a PEP,
and to manage the enhanced risks arising from the relevant person's business relationship or transactions with such a customer.
(2) In determining what risk-management systems and procedures are appropriate under paragraph (1), the relevant person must take account of—
(a) the risk assessment it carried out under regulation 18(1);
(b) the level of risk of money laundering and terrorist financing inherent in its business;
(c) the extent to which that risk would be increased by its business relationship or transactions with a PEP, or a family member or known close associate of a PEP, and
(d) any relevant information made available to the relevant person under regulations 17(9) and 47.
(3) If a relevant person has determined that a customer or a potential customer is a PEP, or a family member or known close associate of a PEP, the relevant person must assess—
(a) the level of risk associated with that customer, and
(b) the extent of the enhanced customer due diligence measures to be applied in relation to that customer.
(4) In assessing the extent of the enhanced customer due diligence measures to be taken in relation to any particular person (which may differ from case to case), a relevant person—
(a) must take account of any relevant information made available to the relevant person under regulations 17(9) and 47; and
(b) may take into account any guidance which has been—
(i) issued by the FCA; or
(ii) issued by any other supervisory authority or appropriate body and approved by the Treasury.”
In summary, Reg 35 requires a relevant person to have appropriate PCPs to determine whether a person is a PEP. In deciding what PCPs are “appropriate”, the person must take into account its own risk assessment made under Reg 18; the level of risk of MLTF inherent in its business; the extent to which that the risk would be increased by transacting with a PEP, and “relevant information” made available under Regs 17(9) and 47. Reg 17(9) does not apply, and Reg 47 has been set out at §416.
The guidance
The HMRC Guidance at 4.44 defines a PEP as follows:
“Politically exposed persons are persons that are entrusted with prominent public functions, whether in the UK or abroad.
The definition does not include:
middle ranking or more junior officials
persons who were not a politically exposed person under the 2007 regulations where they ceased to hold a prominent public function prior to 26 June 2017, such as former MPs or UK Ambassadors
In the UK, civil servants below Permanent or Deputy Permanent Secretary-level will not normally be treated as having a prominent public function. When assessing whether a person is a PEP, you should be mindful of whether a person is acting on the instruction of, or on behalf of, a PEP. This is more likely to be the case when the relevant persons hold prominent functions in a third country which presents a relatively higher risk of money laundering.”
The HMRC Guidance then set out a list of persons who are PEPs, and those who are not. It says that “information is available in the public domain” such as from news agencies, which will help to identify whether a person is a PEP and that “you are not required to, but you may decide to use a commercial provider”.
The HMRC Guidance directs the reader to the JMLSG Guidance. In relation to “risk-based procedures” that Guidance says at 5.5.24:
“The nature and scope of a particular firm’s business will generally determine whether the existence of PEPs in their customer base is an issue for the firm, and whether or not the firm needs to screen all customers for this purpose. In the context of this risk analysis, it would be appropriate if the firm’s resources were focused in particular on products and transactions that are characterised by a high risk of money laundering.”
The HMRC Guidance also refers to the “detailed guidance” published by the FCA. This is set out in FG/17, which is entitled “The treatment of politically exposed persons for anti-money laundering purposes” and published in July 2017. Under the heading “Summary of the Guidance”, the FCA say:
“The FCA expects that firms take appropriate but proportionate measures in meeting their financial crime obligations. The MLRs set out that all firms must apply a risk sensitive approach to identifying PEPs and then applying enhanced due diligence measures.”
At para 2.6, the FCA explain why the legislation has been introduced, saying that “a PEP may be in a position to abuse their public office for private gain and a PEP may use the financial system to launder the proceeds of this abuse of office”.
The FCA and the JMLSG also refer to the FATF Recommendations and the related FATF guidance. As noted at §339(5), the FATF Recommendations underpin the EU Directives and the MLR. The FATF guidance on PEPs says that EDD measures are not required:
“to be applied to customers who conduct ‘occasional’ transactions below the applicable thresholds in the circumstances which are described in Recommendations 10 and 16 (wire transfers). Consequently, financial institutions…are not expected to determine whether such customers are PEPs.”
The “applicable threshold” for “occasional transactions” is €1,000, see Reg 27 of the MLR. That threshold is derived from the Payment Services Regulation EU 2015/847, to which BSEL was also subject. Recital 16 of that Regulation says:
“In order not to impair the efficiency of payment systems, and in order to balance the risk of driving transactions underground as a result of overly strict identification requirements against the potential terrorist threat posed by small transfers of funds, the obligation to check whether information on the payer or the payee is accurate should, in the case of transfers of funds where verification has not yet taken place, be imposed only in respect of individual transfers of funds that exceed EUR 1,000, unless the transfer appears to be linked to other transfers of funds which together would exceed EUR 1 000, the funds have been received or paid out in cash or in anonymous electronic money, or where there are reasonable grounds for suspecting money laundering or terrorist financing.”
Findings of fact
Given the nature of its customer base, BSEL considered that the risk of a customer being a PEP was low. They worked as taxi drivers and in restaurants and were very unlikely to be in a position to “abuse their public office for private gain”. However, since at least 2017, BSEL required that every customer had to answer the following three questions on registration:
Do you hold any Political Position in any country?
Does any of your relatives hold any Political Position in any country?
Does any of your close contacts hold any Political Position in any country?
If any of those questions was answered positively, the case was referred to BSEL’s compliance team, who would ask the customer for more information. This included obtaining the contact details of the beneficiary so that further checks could be carried out. If PEP status was confirmed, the case would be referred to the MLRO to decide whether to accept the customer, and if the MLRO agreed, the case was then referred to Mr Salam to make the final decision. If the customer was accepted, BSEL applied EDD to all the PEPs transactions. BSEL’s compliance department maintained a PEP Register on an Excel spreadsheet, which monitored identified PEPs; in August 2020 this was digitised and stored on the Remit ERP system in its “PEP log”.
In addition, since July 2017, agent transactions above €1,000 were automatically screened for PEPs by an external provider, Acuris Risk Intelligence, using their KYC6 program (the €1,000 threshold was converted to £850 for part of the relevant period, and subsequently lowered to £800). The KYC6 screening checked both the sender and the beneficiary against more than 20 external sources and databases, and considered both domestic and foreign PEPs. The screening used the data provided by the customer, and so included name, date of birth, address and telephone number.
KYC6 screening of the beneficiaries produced a high number of false positives because of the number of identical names (see at §537 and §605). As a result, for a few weeks in 2020, on a trial basis for transactions with agents, BSEL introduced a higher threshold of £2,500 for the beneficiary. In other words, all senders who would be PEP screened by KYC6 if the amount (on a single or cumulated basis) was £850 or more, and the beneficiary would also be checked if he was to receive £2,500 or more, also on a single or cumulated basis.
The €1,000 threshold
The reason for the €1,000 threshold was in dispute:
Mr Garcia’s evidence in his witness statement, and confirmed in his oral evidence, was that the €1,000 was chosen because of the FATF guidance, which as noted above, says that that businesses are not required to determine whether customers below the €1,000 threshold are PEPs.
HMRC’s note of the conference calls on 1 and 3 December 2020 records Ms Chapman asked about the PEP threshold, and Mr Curran said that the reason for not screening all transactions “was due to the cost”.
Ms Toman asked Mr Salam if BSEL had set the screening threshold “at a level so that most of your customers would hit it”. Mr Salam denied this, adding that he “would never compromise compliance over profit”.
Ms Toman also drew attention to the Eversheds audit report issued in November 2020, which said “the rationale for the PEP threshold was queried with BSEL who replied that the PEP threshold had recently been increased due to the large amount of false positives that had to be discounted by the// compliance team on a regular basis”.
I find as a fact that the €1,000 threshold was implemented for the reasons given by Mr Garcia at (1) above. That is because:
Mr Garcia repeatedly referred to his reliance on the FATF guidance, and I found him to be a reliable witness;
that evidence is consistent with the fact that BSEL’s threshold was in euros, which had been converted into sterling at different rates during the period; and
the threshold was identical to that for occasional transactions.
Although BSEL could have screened all transactions without a threshold, that would have come with a cost, as Mr Garcia said. There is no evidence that the threshold was introduced so as to “cut out” the majority of the transactions. HMRC sought to rely on the extract from the audit report, but that relates to the temporary increase to the beneficiary screening threshold, not to the €1,000 threshold for senders. I consider below whether the €1,000 threshold was a breach of Reg 35.
Sanction screening
BSEL carried out sanctions screening for all transactions, with no threshold. Until July 2017, BSEL did this using the Remit ERP system, which was programmed to screen the senders and beneficiaries of each transaction, using multiple sanctions lists, including the Office of Financial Sanctions Implementation’s Consolidated List of Financial Sanctions Targets in the UK; UN Security Council Committees; SDN Sanctions List; the US Department of State; the Bureau of International and Non-proliferation Sanctions and EU Defence Trade Controls. The lists were updated on a daily basis. In July 2017, BSEL implemented the KYC6 service which screened all transactions against numerous sanctions lists.
The audit reports
Eversheds’ 2019 audit report said that “we understand that BSEL screens every transaction (both sender and recipient) for sanctions and PEPs”.
Their 2020 report said “based on information we have been given, our 2019 Audit Report inaccurately stated that all transactions are screened for PEPs. BSEL has now confirmed in fact only transactions above a certain threshold are screened for PEPs”.
Mr Salam’s evidence was that the statement in the 2019 audit report was due to a misunderstanding by Eversheds; BSEL had told Eversheds about the mistake and it was corrected the following year. Mr Lakha pointed out that the statement in the audit report was made in the context of both sanctions and PEPs, and suggested Eversheds had not appreciated that the position was not the same for both. Ms Toman submitted that BSEL had deliberately misled Eversheds.
I accept Mr Salam’s evidence and find as a fact that the statement in the 2019 audit report was due to a mistake by Eversheds. That firm had full access to BSEL’s PCPs and in particular to the 2019 EWRA, which clearly refers to “transactions made by PEPs (over the thresholds)”.
Missed PEP?
When Eversheds carried out their November 2020 audit, they also said:
“We were informed by the Compliance Officers we interviewed that there were 5 positively matched PEPs found in the time period under review …However, we were also advised that one of these customers was not in fact identified as a PEP until their third transaction because KYC6 did not produce an alert for their first two transactions in 2019. We queried the reasons why an alert was not initially produced and BSEL advised that they were unable to check the reasons themselves but would make further enquiries.”
The reason BSEL was “unable to check the reasons” why Acuris’s screening had initially failed to identify that the fifth person was a PEP was because that question could only be answered by Acuris, who carried out the screening.
HMRC’s note of the meeting on 1 and 3 December 2020 records that Ms Chapman asked whether BSEL had followed up Eversheds’ reference to a missed PEP, and that Mr Furnival “explained this was still being investigated so BSEL has not yet been able to put anything into place to prevent this happening again”.
Acuris responded to BSEL’s enquiries by saying that the first and second screening had in fact been correct: in other words, the individual was not a PEP; it was their classification of the third transaction as a PEP which had been wrong. That evidence was not challenged and I find as facts that:
Acuris had not failed to identify a PEP, because the individual was not a PEP; and
BSEL had not failed to investigate; instead they were reliant on Acuris to carry out its own investigation and inform them of the outcome.
Removal of thresholds in November 2020
In the same audit report, Eversheds flagged as a “low priority/no breach but recommended action to reflect best practice” that BSEL remove the threshold so that PEP screening was carried out for all transactions, and BSEL did so the same month.
Whether BSEL breached Reg 35
Ms Chapman said that BSEL had breached Reg 35 because it had decided to implement a €1,000 threshold for reasons of cost, and because, by the time of the meetings on 1 and 3 December, the issue with the fifth PEP was still being investigated and “as such BSEL had not yet been able to put anything in place to prevent this happening again yet”.
I have already found as a fact that the €1,000 threshold was set by reference to the FATF guidance. In relation to Ms Chapman’s second point, there was no failure by KYC6 and no failure to identify a PEP.
Ms Toman submitted that the €1,000 threshold was a breach of Reg 35, because screening was required for all PEPs. I do not agree, for the following reasons:
BSEL was required by Reg 35(1) and (2) to have “appropriate” risk management procedures in place, taking into account its own risk assessment under Reg 18(1), the level of risk of MLTF inherent in its business, and the relevant guidance. As set out earlier in this judgment, this involved taking a “risk-based approach” which, as the HMRC Guidance says at 3.3 “should balance the costs to your business and customers with a realistic assessment of the risks of money laundering and terrorist financing” using its “informed judgment”. In the particular context of PEPs, the JMLSG Guidance says that “the nature and scope of a particular firm’s business will generally determine whether the existence of PEPs in their customer base is an issue for the firm, and whether or not the firm needs to screen all customers for this purpose”, and the FCA say firms should take “appropriate but proportionate measures”.
BSEL had decided, based on its customer base of migrants on a low wage, working in jobs such as in restaurants and as taxi-drivers, that there was a very low risk of a customer being a PEP. Nevertheless, BSEL asked all customers to answer the three questions set out at §844, and if any of those were answered “yes”, BSEL carried out PEP screening.
In my judgment, BSEL’s assessment, and its requirement that customers answer those three questions, was an entirely proportionate assessment of the risk of MLTF which took into account all relevant guidance. It was not a breach of Reg 35.
That conclusion is consistent with: Eversheds’ recommendation for change, which was expressly not identified as a breach of the law, but a “best practice” recommendation, which was promptly adopted.
The Tribunal’s conclusion
For the reasons set out above, BSEL did not breach Reg 35.
REGULATION 57(4): BSEL AND ITS AGENTS
As noted at §345, one of the two reasons for the Suspension Decision was BSEL’s failure to notify certain “responsible persons” within the 30 days required by Reg 57(4). In the Cancellation Decision, Ms Chapman relied on the same point, which has already been fully considered at Part 5 of this judgment.
Reg 57(2)(i) also requires that on registration an MSB must notify HMRC of “the full name and address of any agent it uses for the purposes of its business”, and Reg 57(4) provides that any change to the information provided on registration be notified “within 30 days…or within such later time as may be agreed with the registering authority”.
Having checked BSEL’s entire list of agent premises against HMRC’s records, HMRC identified seven agents who had been notified late, and BSEL accepted this was the case. It is therefore not disputed that there was a failure to comply with Reg 57(4). However, I also take into account the following:
In July 2020, BSEL had 306 agents, and in March 2021 it had 272 agents.
BSEL’s PCPs included the requirement to notify new agents to HMRC.
All of the seven agents were notified to the FCA before they commenced business with BSEL.
Three of the agents began trading between 4 January and 13 January 2021, and were notified on 17 February 2021, so around two weeks late. I take judicial notice of the fact that lockdown began on 5 January 2021.
A fourth agent began trading on 15 December 2021, shortly before Christmas and New Year, and the 30 day notification date was also during lockdown and this agent too was notified on 17 February 2021.
The time limit for two of the three remaining agents fell within the second half of 2020, when the pandemic continued to have a significant effect on BSEL, see §256.
Notification of the single remaining agent was overlooked and was notified to HMRC at the same time as the two agents referred to in the previous subparagraph.
Although it would have been reasonable for HMRC to extend the time limit for compliance with the notification obligation during the pandemic, it did not do so. Taking into account all the points set out above, I find that although BSEL breached Reg 57(4) by failing to notify these seven agents within the 30 day time limit, six of those late notifications were during the pandemic and (given that BSEL’s policy required notification) the seventh was an oversight. I find that these were minor failures of BSEL to follow its own PCPs.
In her witness statement, Ms Chapman said that:
“These failures occurred despite regulation 57(4) breaches being part of the reason for its registration being suspended in October 2020. This led me to conclude that BSEL had consistently failed to comply with the Regulations.”
I disagree. There was no consistent failure to comply with Reg 57(4) because:
BSEL’s PCPs require notification of agents; although these seven agents were notified late, six of those occasions were during the pandemic and the seventh was an oversight; and
BSEL required its MLROs to comply with the notification requirement for responsible persons and they did so, with two exceptions: they overlooked Mr Garcia (who had already been found to be fit and proper by the FCA), and Mr Furnival, who required notification because of his RAC role rather than because of his day-to-day responsibilities. Ms Dhillon tried to notify within the time limit but HMRC failed to respond to her email.
OTHER POINTS IN THE CANCELLATION DECISION
As explained at §455, the cancellation of BSEL’s registration was essentially based on the points listed in the ToF, all but one of which have been considered above. I deal with that remaining point at the end of this section. But first I consider the other points made in the text of the Cancellation Decision.
Ms Chapman opened by saying:
“I am satisfied, and evidence below, that the Business is not a fit and proper person for the purposes of Regulation 58, having regard to Regulation 58(4)(a)(i), as it has consistently failed to comply with the requirements of the Regulations. In addition, it is not a fit and proper person for the purposes of Regulation 58, having regard to Regulation 58(4)(b), due to the risk that the Business may be used for money laundering and/or terrorist financing
(MLTF).”
Under the heading “consistent failure to comply with the Regulations”, Ms Chapman said:
“I established that the Business was aware of a number of the risks that it faced but, due to resource implications, had decided not to implement effective PCP to mitigate these risks. The information provided by the Business also identified that it had knowingly allowed serious MLTF risks to continue for considerable periods of time whilst controls were, and still are, being implemented. This allowed the risk of the Business being used for MLTF to continue and breaches of the Regulations to occur.”
Those statements were supported by a number of examples, all of which were taken from the ToF. I have considered all of them earlier in this judgment and found that there were no breaches of the MLR other than (a) those already remedied at the time of the Reinstatement Decision and (b) the minor failures concerning the five company secretaries of agents and the late notification of seven agents There is no evidential basis for Ms Chapman’s statement that BSEL had “decided not to implement effective PCP to mitigate …risks” because of “resource implications”.
Having set out examples taken from the ToF, Ms Chapman then said:
“The Business has deliberately failed to mitigate all of the risks its faces, including the serious failure to effectively identify and prevent beneficiaries receiving funds from excessive numbers of senders and as such the significant risk of the Business being used for MLTF on vast amounts of funds has continued.”
The reality is that BSEL had invested significant time and money in reconfiguring its sophisticated Remit ERP system to address the many-to-one issue, even though:
the beneficiaries were not its customers;
there is no requirement in the MLR or in any of the guidance for MSBs to monitor beneficiaries;
creating the VBPs was complicated for the reasons given at §604ff; and
while BSEL was constructing the VBPs, it carried out transaction monitoring for the many-to-one risk.
It is clear from the above and from my findings earlier in this judgment that BSEL was not “deliberately failing to mitigate” the risk. Moreover, since the VBPs were in operation before the Cancellation Decision was issued, there was no basis for Ms Chapman’s statement that the risk “continued”.
Ms Chapman is also wrong, for the reasons set out in the earlier parts of this judgment, to say that BSEL acted “deliberately in failing to mitigate” any of the risks it was managing and controlling. Two breaches had been remedied by the time of the Reinstatement Decision, after which Ms Chapman rightly accepted that BSEL was a “fit and proper” person to carry on the MSB business. Neither was an example of a “deliberate failure” to mitigate the risk. To recapitulate, they were:
a breach of Reg 57(4) because BSEL did not notify HMRC about Mr Furnival’s and Mr Garcia’s appointments. These breaches were not deliberate for the reasons set out at §388. There was also a breach of that Regulation in relation to Ms Dhillon. This was not only not deliberate, the delay was caused by HMRC failing to respond to her email; and
a breach of Reg 19(1) read with Reg 33(1)(b) in relation to transactions with Pakistan for the period from 10 January 2020 to 10 November 2020, when the breach was remedied. The breach came about because Mr Kirby, the MLRO at the time 5MLD was implemented, failed to realise that it required a zero threshold for transactions with Pakistan. I find that this was not a deliberate breach, for the following reasons:
Mr Kirby did not give evidence at the Tribunal, and Ms Toman stated that Ms Chapman had not spoken to him (see §264). There is no evidence whatsoever to suggest that he deliberately failed to implement a zero threshold, and it is thus not possible to find that BSEL acted deliberately; and
although the existence of a zero threshold for Pakistan was Ms Chapman’s view, it was not shared with others: Eversheds (see §298) advised BSEL that the threshold was €1,000, and BSEL’s competitors were not applying a zero threshold (see §305). It is plainly not the case that BSEL knew that the threshold should have been zero, but deliberately failed to implement that threshold.
From Ms Chapman’s detailed list of alleged breaches, the position is as follows:
Having checked the premises list for BSEL’s many agents against HMRC’s records, Ms Chapman identified seven who had not been notified within the 30 day period prescribed by the MLR. BSEL had appropriate PCPs in relation to the notification of agents, and all but one of these late notifications occurred during the pandemic and the other was an oversight. There is no basis for Ms Chapman’s finding that these late notifications were deliberate; and
HMRC similarly checked every agent against the Companies House register to see if any individuals had not been F&P tested, and successfully identified five company secretaries. I have found that this was is a minor and non-deliberate failure: BSEL had appropriate PCPs in relation to the F&P testing of agents; five is a small number and none of the five transacted business with BSEL.
In the rest of the Cancellation Decision Ms Chapman repeats some of the earlier examples to provide support for her conclusion that BSEL had shown “a consistent and deliberate pattern of non-compliance” and that she had “reason to suspect on reasonable grounds” that BSEL and the Individual Appellants “will continue to fail to comply”. For the reasons already explained, none of those statements is correct.
The breaches remedied before the Reinstatement Decision
On 22 October 2020, Ms Chapman issued the Suspension Decision because she had identified two breaches – a failure to notify under Reg 57(4) and a failure to apply EDD to all transactions with Pakistan and Bangladesh since at least the beginning of 2018.
On 10 November 2020 she issued the Reinstatement Decision “specifically in relation to the Regulations and associated risks detailed in the Suspension Notice of 22 October 2020” and said that as those breaches had been remedied, she was “satisfied that the Business is a fit and proper person under Regulation 58(1)”. At the hearing, Ms Toman explicitly confirmed that the Reinstatement Decision had been issued because both breaches had been remedied.
However, when Ms Chapman issued the ToF, she included both breaches as part of the reason for the Cancellation Decision. It was difficult to understand the rationale for this, but I have taken it that she considered that these two breaches formed part of the picture she had painted of an entirely non-compliant business, and that they were relevant for that reason.
For the reasons given in earlier in this judgment, the picture she painted is wrong. Leaving aside the breaches which were remedied by the time of the Reinstatement Decision, BSEL’s only failures were minor: the late notification of seven agents (six during the pandemic, including four during lockdown), and not “fit and proper” testing five company secretaries, none of whom had transacted any business with BSEL.
There is no justification for cancelling BSEL’s registration on the basis that, in addition to those minor failures, BSEL had failed to comply with Reg 57(4) and Reg 19(1)(a) by reference to Reg 33(1)(a). Those two breaches had been remedied by the time of the Reinstatement Decision, and HMRC had rightly decided that BSEL had thereby shown it was a “fit and proper” person.
The behaviour of the Individual Appellants
As set out above, the Cancellation Decision was also issued because of the alleged behaviour of the Individual Appellants (except Mr Furnival), so it is not possible to come to a final conclusion on the Cancellation Decision until after the Personal Decisions have been considered, and it is to those I now turn.
PART 7: THE PERSONAL DECISIONS
The Personal Decisions were issued under Reg 58 by Mr McLean to each of the Individual Appellants (with the exception of Mr Furnival) on 16 May 2021.
MR McLEAN’S DECISIONS
Findings of fact
I first make findings of fact about what Mr McLean said he had done in order to arrive at the Personal Decisions, followed by findings about what actually happened, based on the evidence given by Mr McLean under cross-examination.
What the Personal Decisions said
Mr McLean began each of the Personal Decisions by saying “This letter is to notify you that I have undertaken a review to consider whether you are a fit and proper person” for the purposes of carrying on the business of an MSB. He continued:
“In order to determine whether I am satisfied that you are a fit and proper person, I have had regard to the following:
• Whether the Business has consistently failed to comply with the requirements of the Regulations in accordance with Regulation 58(4)(a)(i).
• The risk that the Business may be used for money laundering or terrorist financing (MLTF) in accordance with Regulation 58(4)(b).
• Whether you have adequate skills and experience and have acted or may be expected to act with probity in accordance with Regulation 58(4)(c).
Based on the information I have reviewed, I am satisfied you are not a fit and proper person for the purposes of Regulation 58. I have set out below how I have reached this decision.”
The letters then set out various points under each of the bullet points above, including that BSEL’s failings were of a “fundamental nature”, before adding, in bold, that “after consideration of the details outlined above, I am satisfied that you can no longer be considered a fit and proper person and so cannot hold any relevant position, namely a beneficial owner, officer or manager within Brac Saajan Exchange Ltd”.
What Mr McLean actually did
Mr McLean was provided with:
a draft of Ms Chapman’s ToF, and of her draft CDs and Prohibition Decisions; those drafts did not subsequently change;
BSEL’s corporate governance document which described the roles of the individuals within the company; and
HMRC’s notes of the conference call which took place on 1 and 3 December 2020, and possibly the notes of the video meeting held on 10 March 2021 (although Mr McLean was usure about this).
Mr McLean considered no other documents and none of Mr Allington-Jones’s spreadsheets; he also did not consider the Appellants’ earlier experience or any information about their background. In his own words, he “relied on the evidence of Officer Chapman, and that satisfied [him] that [the Appellants] weren’t fit and proper”. He said he “had to find” the Appellants were not compliant, so as to be “consistent” with Ms Chapman’s conclusions, and that when he stated there had been “fundamental failures”, he had “entirely relied on Ms Chapman in identifying these”. His conclusions that there would be “continuing breaches” of the MLR was based on his understanding (from Ms Chapman) that BSEL’s PCPs “were deficient” but he was “not able to say” in what respects they were deficient.
Despite the wording of the Personal Decisions, Mr McLean had not “undertaken a review” of the evidence, and his conclusions were “based on the information [he had] reviewed only in the sense that he had reviewed Ms Chapman’s ToF, the Cancellation Decision and one (possibly two) sets of meeting notes.
Mr McLean also acknowledged he had made errors in his witness statement about Mr Gomes (as to which see further below). When asked whether he had considered discussing the Personal Decisions with the Individual Appellants, he said that “I wouldn’t have benefited in this case from hearing from the Appellants because I had made my decision at that point”.
Mr Lakha drew Mr McLean’s attention to the wording of Reg 58(4)(c), which requires HMRC to consider the risk that the business “may be used” for MLTF; and Reg 58(5), which requires HMRC to consider whether BSEL’s officers and managers “may be expected to act with probity. Mr McLean:
accepted that those provisions of Reg 58 required him to look forwards in time; and
also accepted that facts about recent actions the Individual Appellants had taken to reduce the risk of MLTF were “important” and “fundamental” to the task he had to perform; but
said he had not taken into account any such recent changes, such as the VBP or the VCP, because he had not reviewed any of the relevant documentation or spoken to any of the Individual Appellants; and
it wouldn’t have made any difference to the outcome had he done so, because Ms Chapman “still wasn’t satisfied up to the point of cancellation”.
In re-examination, Ms Toman asked Mr McLean if he was able to recall particulars of the alleged breaches. His reply was “I didn’t get too bogged down in the technical breaches as this wasn’t my area”.
My conclusion
I have no hesitation in finding that Mr McLean did not carry out any sort of review of the relevant evidence, let alone an independent review, before making the Personal Decisions. Instead, he simply adopted Ms Chapman’s conclusions.
Personal Decisions invalid?
Mr Lakha submitted that the Personal Decisions were “wholly invalid”, as there had been no “review” of the evidence and the Decisions did not comply with the basic principles of natural justice. Ms Toman said that if the Tribunal’s jurisdiction had been supervisory, it would have had to decide whether Mr McLean had acted unreasonably, but as the jurisdiction was appellate, the Tribunal had to decide whether the Personal Decisions were justified on the basis of the facts as found.
I agree with Ms Toman. Mr McLean had not considered any of the evidence for himself, but simply rubber-stamped Ms Chapman’s ToF and her Cancellation Decision, so he plainly had not considered relevant facts. Had the Tribunal’s jurisdiction been supervisory, the appeals would have been allowed on that basis. However, as Ms Toman said, the Tribunal’s jurisdiction is appellate, and I have therefore considered for myself whether HMRC were right that these six Individual Appellants were not “fit and proper” persons.
THE LEGISLATION
The Personal Decisions were made under Reg 58(4). That provision has already been set out earlier in this judgment, but for ease of reference it is repeated here. It provides that in deciding whether a person is “fit and proper” HMRC “must have regard to the following factors”:
“(a) whether the applicant has consistently failed to comply with the requirements of [the MLR];
(b) the risk that the applicant's business may be used for money laundering or terrorist financing; and
(c) whether the applicant, and any officer, manager or beneficial owner of the applicant, has adequate skills and experience and has acted and may be expected to act with probity.”
Each of the Personal Decisions was structured by reference to those three factors. In addition, Ms Toman made further submissions based on points she had put to the Appellants in cross-examination.
MR SALAM
I set out the parties’ position in relation to each of the three factors in Reg 58(4), followed by my conclusions.
Consistently failed to comply with the MLR?
Mr McLean listed the Regulations which Ms Chapman had decided had been breached by BSEL; said that “full details of the breaches have been sent to the Business under separate cover” and that as Mr Salam was the Managing Director, he was “ultimately responsible for the management of compliance and risk in the Business and for ensuring adequate and effective compliance practices and controls exist”. He then said he was “satisfied” that Mr Salam was not “fit and proper” as “the Business, for which you have overall compliance responsibility, has consistently failed to comply with the requirements of the Regulations”.
The parties’ submissions on the alleged breaches in the Personal Decisions were essentially the same as those made in relation to the alleged breaches listed in the ToF, which I have considered and discussed in the context of the Cancellation Decision. Two were resolved by the time of the Reinstatement Decision, by which HMRC rightly decided that BSEL met the “fit and proper” requirements. There were two minor failures in relation to late notification of seven agents and the fit and proper testing of five company secretaries of agent firms. However, I have found that BSEL did not “consistently fail” to comply with the MLR, so Mr McLean’s conclusion that Mr Salam was not a “fit and proper” person for that reason is therefore incorrect.
Adequate skills and experience?
The third of the factors to which HMRC “must” have regard under Reg 58(4) has two parts, the first of which is whether the person has “adequate skills and experience”. Under that heading, Mr McLean said that during Ms Chapman’s review, it was identified that BSEL had breached Reg 19(1); the failings in BSEL’s PCPs were “of a fundamental nature” which resulted in the company breaching further regulations; they were also of “such an extent that all transactions undertaken posed a significant risk of MLTF” and that in consequence Mr Salam had “failed to satisfy the relevant competence requirements” in relation to his role at BSEL . For the reasons set out in the previous paragraph, none of those statements is correct.
In cross-examination, Ms Toman suggested to Mr Salam that he had not acted with the necessary competence when he left it for Mr Kirby to decide on the correct CDD/EDD thresholds. Mr Salam’s response was that as the Managing Director his role was to ensure that competent, skilled and experienced people were recruited to run BSEL’s regulatory compliance, and he had done that; when those people were in place he relied on their expert advice, together with that given by Exiger and Eversheds. In closing, Ms Toman submitted that Mr Salam “did not provide proper oversight of those responsible for compliance” and “was not entitled to leave it up to the auditors”.
In my judgement, Mr Salam amply demonstrated the skills and experience necessary to run BSEL. He recruited experienced MLROs; he set up the RAC, and he instructed Exiger and then Eversheds to advise on regulatory compliance. Under Mr Salam’s strategic direction, BSEL set up the RAIC; introduced a three-tier compliance structure whose staff comprised 20% of the total workforce and ensured that the Remit ERP system and the PCPs were continually improved.
I reject Ms Toman’s submission that Mr Salam should have checked whether Mr Kirby had correctly understood 5MLD. Mr Salam had ensured that Mr Kirby, an experienced professional, was recruited to take the MLRO role, and he rightly relied on Mr Kirby to interpret and apply the detailed provisions of the MLR. As set out at §206, the FCA specify that the MLRO is “the focal point within the relevant firm for the oversight of all activity relating to anti-money laundering [and] needs to be free to act on his own authority”, and that was the position at BSEL. There was no failure of supervision; instead Mr Salam had an entirely proper appreciation of the role played by an MLRO in a regulated firm.
It follows from the above that I find that Mr Salam has more than adequate skills and experience to run an MSB, and that Mr McLean’s decision to the contrary was incorrect.
Acted with probity?
The second part of the third factor to which HMRC “must” have regard under Reg 58(4) was whether the person “has acted and may be expected to act with probity”. In the Personal Decision, Mr McLean said that Mr Salam had signed off the PCPs despite being aware of BSEL’s AML responsibilities; that he should have known the PCPs did not meet the requirements of the MLR, and that he had failed to “take reasonable steps” to prevent BSEL from contravening those requirements. Mr McLean concluded that “this leads me to consider that you have not performed your role with integrity. In view of this, I consider that you cannot be expected to act with probity”.
I have reviewed all the alleged breaches of the MLR by reference to BSEL’s PCPs, and have found that there were no such failures, other than the CDD/EDD threshold for Pakistan from 10 January 2020 to 10 October 2020,which HMRC accepted had been remedied by the time of the Reinstatement Decision. The failures to notify employees and agents under Reg 57(4), and the failure to F&P test the five company secretaries were not failures of the PCPs, but minor failures by oversight to comply with the PCPs. It follows that the reasons Mr McLean gave in the Personal Decisions for deciding that Mr Salam had not acted and may not be expected to act with probity were not correct.
In cross-examination, Ms Toman put to Mr Salam that he had failed to act with probity in the following further ways:
he had allowed the 2019 Eversheds audit report to be issued despite it wrongly stating that all PEPs were screened;
he sat down “month after month” with the MLRO and “did not compel him to take any steps to cancel or blacklist” the agents in relation to which SARs had been issued; and
he allowed the CDD/EDD thresholds to be set “at a level so most of your customers wouldn’t hit it”.
Mr Salam robustly denied all those allegations. He said the first was a mistake of the auditors; that SARs were a matter for the MLRO with which it would be improper for him to interfere, and that he “would never compromise compliance over profit”.
I agree with Mr Salam that none of these new points have any validity. Taking them in turn:
It was Eversheds’ audit report, and the mistake was theirs, see §855. There is also no evidential basis for Ms Toman’s assertion that Mr Salam deliberately allowed the report to be issued containing a mistake.
In relation to the SARs, the points at §598 and §631 apply. In addition, the HMRC Guidance at 6.9 rightly warns against “tipping off”, saying that “nobody should tell the person involved or anyone else” that a SAR is being or has been made.
In the 2019 audit report, Eversheds concluded that “the CDD and EDD thresholds are appropriate and in compliance with BSEL’s legal and regulatory obligations”, see §249.
Mr McLean’s decision that Mr Salam lacked probity and could not be expected to act with probity is therefore without foundation. On the contrary, he acted in an honest and straightforward way both in running BSEL and in his dealings with HMRC.
Risk of MLTF?
The remaining requirement that HMRC must consider under Reg 58(4) is the risk the business would be used for MLTF. Under this heading Mr McLean reiterated points made earlier in his Decision, all of which I have already rejected.
Conclusion on Mr Salam’s Personal Decision
For the reasons set out above, I find that Mr McLean’s Decision that Mr Salam is not a “fit and proper” person within the meaning of Reg 58 was without foundation, I cancel that Decision and allow Mr Salam’s appeal.
MR GARCIA
The part of Mr Garcia’s Personal Decision relating to “consistent failure to comply with the MLR” was essentially the same as the text under the same heading in Mr Salam’s Personal Decision, other than as regards the part describing Mr Garcia’s role in BSEL. My conclusion is the same as in relation to Mr Salam, for the same reasons.
Adequate skills?
Under this heading Mr McLean reiterated the points set out in Mr Salam’s Personal Decision other than the references to Mr Garcia’s role at BSEL, and I find that they are without foundation for the same reasons as set out in relation to Mr Salam.
Ms Toman additionally submitted that Mr Garcia had failed adequately to supervise the MLRO. On that point, my conclusion is essentially the same as in relation to Mr Salam. Ms Toman also said that Mr Garcia wrongly thought that being approved by the FCA was sufficient, when separate notification to HMRC was required, and this indicated that he lacked the necessary skills. As set out at §361ff, I have found as a fact that on joining BSEL Mr Garcia completed a fit and proper self-declaration form and understood that the MLRO had submitted it.
I find that Mr McLean’s decision that Mr Garcia lacked adequate skills is entirely without foundation, as can also be seen from the substantial improvements which he initiated and completed in his role as Head of Global Compliance, some of which are explained and discussed in Part 6 of this judgment.
Act with probity?
Mr McLean began this section of the Personal Decision by making some general points about BSEL’s alleged compliance breaches; these were followed these with five further points. Each is set out below in italics followed by my view:
Mr Garcia “knowingly failed” to ensure that there were effective PCPs to mitigate the risk of customers setting up multiple accounts until January 2021. On the basis of the facts as found at §537, there was no breach of the MLR and there is no basis for the finding that Mr Garcia “knowingly failed” to ensure that there were effective PCPs in relation to the duplication of customer names.
Although the “special character” issue was addressed in November 2018, it “had not been used to rectify customer information prior to this”; similarly the OCR tool “was not applied to existing customers” and thus Mr Garcia “knowingly failed to address the risk of poor data integrity in respect of customer details”. There was no breach of the MLR, see §525ff. In addition, any transaction after the OCR implementation date, whether carried out by a new customer or a previous customer, was subject to the new control.
Despite being aware of the “many-to-one” risk, Mr Garcia stopped the alert which had been introduced into the Remit ERP system and “failed to address this risk”. The facts about the “many-to-one” issue are at §604ff, followed by my consideration of HMRC’s points and my decision that there was no breach of Reg 19(1).
Mr Garcia “knowingly allowed the risks of unidentified PEPs carrying out transactions to continue”. This is considered at §844ff. For the reasons there given, Mr McLean’s decision on this point is incorrect.
Despite the Eversheds’ audit report stating that a PEP had not been identified until a customer’s third transaction, Mr Garcia had confirmed in the meeting with Ms Chapman on 1 and 3 December that it was still being investigated, and he therefore “knowingly allowed” BSEL to breach Reg 35. As set out at §856ff, there was no “missed PEP”; moreover, the error had been made by the third party provider of the screening service, and only that firm could identify why it had happened.
Mr McLean then concluded that he was not “satisfied” that Mr Garcia had performed his role with integrity, because he had “allowed the Business to continue conducting high-risk activity” despite the fact that the PCPs “did not effectively mitigate the risk of MLTF”. I reject that conclusion for the reasons already set out above and further expanded in the rest of this judgment.
Mr McLean then said that Mr Garcia had “failed to act with integrity by allowing the financial implication of employing effective compliance measures [to] supersede the Business’s obligations to comply with the Regulations”. That statement appears to be based only on Mr Garcia’s comment in the meeting with Ms Chapman about the cost of introducing PEP screening for all transactions. As set out at §863, Mr Garcia’s comment was entirely compatible with the principles on which the MLR are based, and the related guidance. There was no lack of integrity.
Mr McLean concludes this part of his Decision by saying that the consequence of Mr Garcia failing to act with integrity was that BSEL breached the regulations set out earlier, and “in view of this, I consider that you have not acted, nor can you be expected to act with probity” and was not a fit and proper person for that additional reason. For the reasons set out above, that conclusion is incorrect.
Risk of MLTF?
Under this heading, Mr McLean reiterated points made earlier in his Decision, all of which I have already rejected, together with the statement that BSEL “has failed to mitigate all of the risks it faces”. That statement is plainly wrong.
Ms Toman added that Mr Garcia’s view that requiring senders to provide evidence of source of funds for all transactions with Pakistan had caused BSEL to lose most of that part of their customer base showed he would be “reluctant to comply in the future” with the MLR. I have found as a fact that the new EDD requirements were the reason why BSEL lost 98% of its Pakistan business, see §305. Mr Garcia’s view was correct, and Ms Toman’s inference incorrect.
Conclusion on Mr Garcia’s Personal Decision
For the reasons set out above, I find that Mr McLean’s Decision that Mr Garcia is not a “fit and proper” person was wrong. I cancel that Decision and allow Mr Garcia’s appeal.
MR GOMES
The structure of the Personal Decision issued to Mr Gomes was the same as that used for Mr Salam and Mr Garcia.
Consistently failed to comply?
Mr McLean began this part of the Personal Decision by saying:
“You currently hold the position in the Business as the Business Systems Manager. However, you are noted by the Business as the person responsible for drafting the policies, controls and procedures (PCPs) for the Business from September 2018 to September 2020.. You also were present on the call between the Business and Officer Chapman on 10 March 2021 and demonstrated your knowledge of all the system controls that were in place, agent risk assessments and when PCPs were implemented. Therefore, due to your involvement, knowledge and level of responsibility to ensure the Business’s compliance with the Regulations, you are aware of its obligations and requirements under the Regulations.”
Mr Gomes’ evidence was as follows:
“As can be seen from the Document Revision History of the compliance policy, the last revision that I made was on 3 July 2017 to version 7.1 of the compliance policy. The reason for the revision was to assist the then new MLRO, Mr Ola Olayinka in updating the compliance policy. I did not have any involvement in amending or drafting any policies since 3 July 2017.”
Mr Gomes exhibited to his witness statement a copy of the Document Revision History of the EWRA, which provided independent support for his evidence. That witness statement was filed and served on 16 July 2021; Mr McLean’s followed almost five months later. In it he reiterated that Mr Gomes was “the individual responsible for drafting the PCPs for BSEL from September 2018 to September 2020”, and he added:
“He was therefore responsible for ensuring BSEL’s compliance with the Regulations; and he had responsibility for ensuring that BSEL had PCPs in place to mitigate and manage effectively the risks of MLTF to which BSEL was subject.”
Mr McLean then referred to the passage from Mr Gomes’ witness statement cited above but he rejected it, saying that “no further evidence was provided” by Mr Gomes to support his statement.
When cross-examined by Mr Lakha, Mr McLean said:
HMRC would not have issued a Personal Decision to “an IT person”;
he had issued the Personal Decision to Mr Gomes because he understood he was responsible for the PCPs;
he had not looked at the exhibits to Mr Gomes’s witness statement; and
he now accepted his understanding was incorrect.
When asked by Mr Lakha if he would have withdrawn the Decision had he looked at the exhibit and seen the proof that Mr Gomes was not involved in drafting the PCPs, Mr McLean said that he would have accepted that “he got it wrong”.
I find as facts on the basis of Mr Gomes’s evidence and Document Revision History, that after 3 July 2017, Mr Gomes had no role in drafting the PCPs, and he has had no overall responsibility for them since before that date. I further find that Mr McLean issued the Personal Decision on the basis that Mr Gomes was responsible for BSEL’s PCPs, but had he understood the correct position, he would not have done so.
Mr McLean gave the evidence set out above on the fourth day of a ten day hearing. However, HMRC did not withdraw Mr Gomes’s Personal Decision. Instead, Ms Toman cross-examined Mr Gomes on his attendance at the video meeting with Ms Chapman on 10 March 2021, asking him to accept that his contributions at that meeting showed that he had knowledge of BSEL’s PCPs. Mr Gomes confirmed what I have already found to be factually correct (see §301), namely that he attended only this one meeting with Ms Chapman and did so in his role as head of IT in order to offer to demonstrate to Ms Chapman how the Remit ERP system. In addition, the fact that Mr Gomes showed familiarity with the PCPs at the meeting does not mean he was responsible for drafting them or for ensuring compliance with them: all staff were expected to be familiar with BSEL’s AML/CTF PCPs.
The remainder of this first part of Mr Gomes’s Personal Decision repeats the statement that he had “responsibility for ensuring the Business’s compliance with the requirements of the Regulations and the breaches identified have been committed over the whole of the review period and across multiple areas of the legislation” and that given those breaches, Mr Gomes was “not a fit and proper person”.
I find that (a) Mr Gomes was not responsible for ensuring BSEL’s compliance during the relevant period and (b) the position on breaches is in any event the same as set out above in relation to Mr Salam and Mr Garcia. For both those reasons, Mr McLean was wrong to say that Mr Gomes was not a “fit and proper” person.
The rest of the Personal Decision
The next following sections of the Personal Decision repeat the earlier statements about Mr Gomes’ compliance responsibilities, together with essentially the same references to the alleged breaches of the MLR which I have already considered in relation to Mr Salam. I find that Mr McLean was wrong to decide that Mr Gomes did not satisfy the fit and proper test on the basis of inadequate skills or lack of probity.
Conclusion on Mr Gomes’s Personal Decision
For the reasons set out above, I find that Mr McLean’s Decision that Mr Gomes is not a “fit and proper” person within the meaning of Reg 58 was incorrect. I cancel that Decision and allow his appeal.
MR AHMAD
Mr Ahmad was BSEL’s Company Secretary from 2011 until March 2021, and he was thus an officer of the company. He was a member of the RAC; although he was based in Bangladesh, he attended some of the meetings.
The Personal Decision stated that, given Mr Ahmad’s role as a member of the RAC, he shared responsibility for the alleged breaches and was thus not a fit and proper person. I have already summarised the position in relation to the alleged breaches in the context of Mr Salam’s Personal Decision, and it follows that Mr McLean’s Decision that Mr Ahmad is not a “fit and proper” person within the meaning of Reg 58 was incorrect. I cancel that Decision and allow his appeal.
MR HASHMI
I have already found as facts that Mr Hashmi joined BSEL as the Head of Risk and Internal Control on 1 September 2020, but that he was off sick with serious Covid in November and December 2020. He only attended one meeting with Ms Chapman, that on 10 March 2021. His Personal Decision was structured in the same way as those issued to the other five Individual Appellants
Consistently failed to comply with the MLR?
Mr McLean stated that, as head of the RAIC, Mr Hashmi was responsible for ensuring BSEL’s compliance with the MLR, and that Ms Chapman had identified “serious and fundamental” breaches of those regulations during the period from 1 September 2018 to 31 March 2021, and had reviewed transactional data for the two year period ending on 31 August 2020.
As with all the other Personal Decisions, Mr McLean said that “full details of the breaches have been sent to the Business under separate cover”. He concluded that because of the alleged breaches of the MLR identified by Ms Chapman, he was satisfied that Mr Hashmi was not “a fit and proper person”. I have already summarised, in the context of Mr Salam’s Personal Decision, the position in relation to the breaches, and it follows that Mr McLean was wrong to say that Mr Hashmi was not a “fit and proper” person for those reasons.
Mr McLean added this rider: “although you joined the Business in September 2020, you had responsibility for the continued non-compliance and risk of MLTF from that time”. His conclusion that Mr Hashmi was not a “fit and proper” person thus rested on his role since he joined BSEL on 1 September 2020, but Mr McLean made no attempt to identify which of the alleged breaches post-dated Mr Hashmi joining BSEL, and he did not take into account that Mr Hashmi had been sick during November and December 2020.
Mr Hashmi said that Mr McLean’s failures to consider those relevant facts meant that his procedure for assessing whether he was a “fit and proper” person was “both unreasonable and fundamentally flawed”. I agree with Mr Hashmi. However, my jurisdiction is appellate, which means (in ordinary language) that I have to consider for myself whether the Personal Decision was correct, not whether Mr McLean followed the right process in arriving at his conclusions.
The rest of the Personal Decision
The next following sections of the Personal Decision also depend on the alleged breaches, and for the same reasons as set out in relation to Mr Salam and the wider findings in the rest of this judgment, I find that Mr McLean was wrong to decide that Mr Hashmi was not a fit and proper person on the basis of inadequate skills or lack of probity, or on the basis that his “failings…have put the Business at risk of being used for MLTF”.
Conclusion on Mr Hashmi’s Personal Decision
I find that Mr McLean’s Decision that Mr Hashmi is not a “fit and proper” person within the meaning of Reg 58 was incorrect. I cancel that Decision and allow his appeal.
MR CURRAN
Mr Curran joined BSEL as the MLRO on 28 September 2020. His Personal Decision was structured in the same way as those issued to the other five Individual Appellants.
Consistently failed to comply with the MLR
Mr McLean stated that, as the MLRO, Mr Curran was responsible for ensuring BSEL’s compliance with the MLR; that Ms Chapman had identified “serious and fundamental” breaches of those regulations during the period from 1 September 2018 to 31 March 2021, and had reviewed transactional data for the two year period ending on 31 August 2020, and that he had concluded that because of the alleged breaches of the MLR identified by Ms Chapman, he was satisfied Mr Curran was not “a fit and proper person”. I have already summarised, in the context of Mr Salam’s Personal Decision, the position in relation to the breaches, and it follows that Mr McLean was wrong to say that Mr Curran was not a “fit and proper” person for those reasons.
Although the Tribunal’s jurisdiction is not supervisory, I record that Mr McLean ended this part of the Personal Decision by saying “Although you joined the Business in September 2020, you had responsibility for the continued non-compliance and risk of MLTF from that time”. Mr McLean’s conclusion that Mr Curran was not a “fit and proper” person thus rested on his role since he joined BSEL on 28 September 2020, but he made no attempt to identify which of the alleged breaches post-dated Mr Curran taking up his appointment. Mr McLean accepted in cross-examination that he had simply relied on Ms Chapman’s view that certain MLR breaches continued after Mr Curran had joined BSEL, but was unable to give reliable evidence as to what those alleged breaches were, saying only that he was “under the impression” from talking to Ms Chapman that the Reg 19 failure “was still ongoing” but he hadn’t been “looking at details”.
The rest of the Personal Decision
The remaining parts of Mr Curran’s Personal Decision also depended on the alleged breaches, and for the same reasons as set out in relation to the other Personal Decisions, I find that Mr McLean was wrong to decide that Mr Curran did not satisfy the fit and proper test on the basis of inadequate skills or lack of probity, or on the basis that his “failings…significantly increased the risk” of BSEL being used for MLTF.
Ms Toman’s challenges
In cross-examination, Ms Toman put to Mr Curran that he had failed to act with probity in relation to the information provided to Ms Chapman on 6 November 2020 (§292) because he had told her that:
BSEL had implemented the VBP, but this was only fully operational the following year;
there was a “limit” on beneficiaries, when there was only a flag; and
reports from the financial crime team would be reviewed daily, when it later transpired that they were reviewing a spreadsheet report and the automatic flag was not implemented till later.
I have already found that BSEL had no intention of misleading Ms Chapman on any of those points. Since Mr Curran sent the email in question on 6 November 2020, it is implicit in my findings that he did not intend to mislead Ms Chapman, and that there was no lack of probity. For completeness I record that under cross-examination Mr Curran denied intentionally misleading Ms Chapman, saying the suggestion was “totally incorrect” and he had been entirely honest. I find as a fact that this was the case.
Conclusion on Mr Curran’s Personal Decision
For the reasons set out above, I find that there is no basis for HMRC’s decision that Mr Curran is not a “fit and proper” person within the meaning of Reg 58. I cancel that decision and allow Mr Curran’s appeal.
PERSONAL DECISIONS: OVERALL CONCLUSION
All the Personal Decisions are cancelled and the appeals of Mr Salam, Mr Garcia, Mr Gomes, Mr Ahmad, Mr Hashmi and Mr Curran are allowed.
CANCELLATION DECISION: OVERALL CONCLUSION
The Cancellation Decision was made on four grounds (see §453), two of which related to BSEL and two of which related to the Personal Decisions issued to the above Individual Appellants. As set out at §879ff, there was no basis for the parts of the Cancellation Decision which related to BSEL, and I have now allowed all the appeals against the Personal Decisions. As a result, BSEL’s appeal against the Cancellation Decision is also allowed.
PART 8: THE PROHIBITION DECISIONS
On 26 May 2021, Ms Chapman issued the Prohibition Decisions to Mr Salam, Mr Furnival and Mr Garcia, under which they were given lifetime bans preventing them from working in any management role for any business which has to comply with the MLR and/or the PSR.
THE LEGISLATION
The Prohibition Decisions were issued under Reg 78, which is headed “Power to impose civil penalties; prohibitions on management” and reads as follows (where “P” refers to the relevant person, in this case BSEL):
“(1) Paragraph (2) applies if a designated supervisory authority considers that another person who was at the material time an officer of P was knowingly concerned in a contravention of a relevant requirement by P.
(2) The designated supervisory authority may impose one of the following measures on the person concerned—
(a) a temporary prohibition on the individual concerned holding an office or position involving responsibility for taking decisions about the management of a relevant person or a payment service provider (“having a management role”);
(b) a permanent prohibition on the individual concerned having a management role.
(3) ….
(4) A prohibition imposed under paragraph (2) may be expressed to be a prohibition on an individual having a management role in—
(a) a named relevant person or payment service provider;
(b) a relevant person or payment service provider of a description specified by the designated supervisory authority when the prohibition is imposed; or
(c) any relevant person or payment service provider.
(5) A relevant person or payment service provider must take reasonable care to ensure that no individual who is subject to a prohibition under paragraph (2) on having a management role with that relevant person or payment service provider is given such a role, or continues to act in such a role.”
A “relevant person” is a person who is required to comply with the MLR, see Reg 3 read with Reg 8. Such persons include financial institutions, which are in turn defined by Reg 10(2)(a) to include most MSBs; also included are credit institutions, estate agents, auctioneers and accountants. A “payment service provider” is a person who is required to comply with the PSR, see Reg 3 read with Reg 2(1) of those Regulations. The term “relevant requirement” includes compliance with Regs 19, 28, 33(1), and 35, see Regs 3 and 75 read with Schedule 6 para 5(a)(ii) and para 7(b)(f) and (h). A Prohibition Decision can only be issued if the person has been “knowingly concerned” in a contravention of a relevant requirement, including Regs 19, 28, 33(1), and 35.
As is clear from the alternatives in Reg 78, the Prohibition Decisions were in the widest possible terms: they were permanent rather than temporary, and they prevented the Appellants from having a management role in “any relevant person or payment service provider” rather than in a specific business, or in a particular type of business.
MR SALAM
I first summarise Ms Chapman’s Decision and then set out the Tribunal’s view.
Ms Chapman’s Decision
Ms Chapman said that she was issuing the Prohibition Decision to Mr Salam because he was the Managing Director of BSEL, a company which had breached the MLR in the numerous ways set out in the ToF; he had approved the PCPs and in particular knew they did not comply with Reg 19(1)(a) of the MLR. Ms Chapman highlighted many-to-one transactions and one-to-many transactions, and then said:
“[his] failure to ensure that BSEL’s PCPs were compliant with Regulation 19(1)(a) has resulted in BSEL contravening this relevant requirement and in BSEL also breaching Regulations 28(2), 28(11), 28(16), 33(1) and 35(1) MLR 2017.”
The Tribunal’s view
As set out in the preceding Parts of this judgment, BSEL breached Reg 57(4) by failing to notify Mr Garcia, Mr Furnival and Ms Dhillon within the requisite 30 days, and breached Reg 19(1) in relation to the CDD threshold for transactions with Pakistan during the period from 10 January 2020 to 10 October 2020, both those breaches had been remedied by the time of the Reinstatement Decision, when Ms Chapman rightly decided that BSEL met the “fit and proper” requirements.
BSEL also breached Reg 57(4) by notifying seven agents after the 30 days in that regulation, and failed to comply with its own PCPs because it did not F&P test five company secretaries of agent firms. Both of those failures are minor and fall very far short of the threshold for the imposition of a prohibition notice under Reg 78, still less this extremely harsh lifetime bar preventing Mr Salam from working in a management role in “any relevant person or payment service provider”. Mr Salam’s appeal against the Prohibition Decision is therefore allowed.
MR FURNIVAL
There were three issues to consider here: whether Mr Furnival was an “officer” of BSEL; if so, whether BSEL had breached the MLR so as to provide a basis for the Prohibition Decision; and if so, whether Mr Furnival was “knowingly concerned” in that or those breaches.
Whether Mr Furnival was an “officer” of BSEL
Mr Furnival’s first ground of appeal against the Prohibition Decision was that he was not an officer of BSEL. I first consider the meaning of the term “officer” and then whether Mr Furnival met that description.
The meaning of “officer”
For a person to be issued with a Prohibition Decision, he must be an “officer” of the business, see Reg 78(1). Reg 3 defines an “officer” as including a “a director, secretary, chief executive, member of the committee of management, or a person purporting to act in such a capacity”.
Ms Toman very fairly drew my attention to the fact that the same term in the Friendly Societies Act 1992 is defined by s 27 of that Act as analogous to a board of directors. She went on to submit that in the MLR the term was not so limited, and that by its normal and natural meaning encompassed a management committee such as that of which Mr Furnival was a member.
While I agree with Ms Toman that there is no basis for importing a definition from the Friendly Societies Act into the MLR, the comparison is nevertheless instructive. I make the following observations:
Reg 3 also includes the definition of a “manager”, which reads: “a person who has control, authority or responsibility for managing the business of that firm, and includes a nominated officer”.
Unlike the Personal Decisions issued under Reg 58, a prohibition notice can only be issued to officers of the company. In particular, the power to issue prohibition notices is not extended to a “manager”, as defined.
The Cambridge Dictionary defines “management committee” as "a group of people who are chosen or elected to make decisions about how a club or charity is run”. That definition is consistent with the usage of the term “Committee of Management” in the context of the Friendly Societies Act.
Taking into account all the above, I find that a prohibition notice can be imposed on a person who sits on the sort of committee of management which is in terms the governing body of the organisation. It is a harsh sanction, reserved for officers and those who have an equivalent role controlling the body in question. It does not extend to managers, even including the Nominated Officer.
Mr Furnival’s membership of BSEL’s Management Committee
In the Prohibition Decision Ms Chapman decided Mr Furnival was an officer, first because he was a member of BSEL’s Management Committee; Ms Toman submitted that this was correct.
I have already found the following facts (see §178 and §367ff):
The Board has “oversight on the general conduct of the operations of BSEL” as well as “oversight on the maintenance of compliance and internal controls”.
Mr Salam, Mr Ahmad, Mr Sattar and Mr Hussein sit on the Board;
BSEL’s Management Committee is “a key sub-committee which ensures that all department heads are aware of and can contribute to any areas of risk, opportunity or challenge which the company is facing”; and
members of the Management Committee include the Manager of International Relationships, the Head of UK Sales, the Manager for Collection, Recovery and Communication, the Manager of Business Systems and the Head of Foreign Exchange and Fund Management.
From the above it is clear that the Board is BSEL’s governing body, while the Management Committee is a sub-committee which reports to the Board. Many of its members are indisputably “managers”: it would be plainly wrong to find, for example, that the Manager of Business Systems and the Head of Foreign Exchange and Fund Management were “officers” of BSEL because they sat on this committee.
The Management Committee is therefore not a “committee of management” within the meaning of Reg 3. It follows that Mr Furnival was not an “officer” of BSEL within the meaning of the MLR by virtue of his membership of the Management Committee.
Mr Furnival’s membership of the RAC
Ms Chapman also decided that Mr Furnival came within the meaning of “officer” because he was “a member of its Risk and Audit Committee” and Ms Toman also made that submission.
I have made findings of fact about the role of the RAC at §207. Its role was to provide independent oversight of the compliance function and to report on compliance to the Board. It was plainly not a “committee of management” within the meaning of Reg 3, and Mr Furnival was not an officer of BSEL by virtue of his membership of that body.
Mr Furnival’s title
Ms Chapman also relied on the fact that Mr Furnival’s title was Chief Operating Officer, and Ms Toman put forward the same point in her submissions. However, it has no merit. The fact that a person has the title of “officer” does not, without more, make him an officer within the meaning of the MLR. I note, in particular, that the Nominated Officer is specifically identified by Reg 3 as a manager and not as an officer.
Conclusion
For the above reasons, I find that Mr Furnival was not an “officer” of BSEL and so could not be issued with the Prohibition Decision. That is enough to decide this appeal in Mr Furnival’s favour, but I have also considered the other two issues.
The alleged breaches
This part of the Decision was similar to Mr Salam’s: Ms Chapman referred to Reg 19(1), stated that BSEL had “failed to establish PCPs to effectively mitigate the risks it has identified” which had been set out in the ToF, in particular the risk of many-to-one transactions; duplicate accounts and PEPs, and that as a result, BSEL had also breached Regs 28(2), 28(11), 28(16), 33(1) and 35(1).
As set out above in relation to Mr Salam, BSEL’s only failures were those remedied by the time of the Reinstatement Decision, plus the late notification of certain agents and the failure to carry out F&P testing on five company secretaries. For the reasons given earlier in this judgment, those identified failures were minor, and way below the threshold which would justify a Prohibition Decision.
It follows that even if I were to be wrong in my decision that Mr Furnival was not an officer of BSEL, his appeal would be allowed for essentially the same reasons as given in relation to Mr Salam.
Whether “knowingly concerned”
Mr Furnival also appealed on the alternative basis that the Decision should be cancelled because he was not “knowingly concerned” in any breach if, contrary to his main submissions, (a) he was an officer, and (b) there had been any relevant breach of the MLR. Mr Furnival’s case on that alternative ground rested on the role he had within BSEL, which did not relate to compliance or risk.
HMRC’s position was that it could be seen from the Document Revision History of BSEL’s PCPs issued in September and November 2020 that Mr Furnival had been responsible for drafting them, and HMC also said that during two calls in September and December 2020, Mr Furnival “led in answering comprehensively and knowledgably” about BSEL’s risk assessments, CDD requirements, controls, agents and training.
I accept Mr Furnival’s evidence and make the following findings of fact about his role at BSEL:
As Chief Operating Officer, Mr Furnival’s role was to run the operations, marketing, sales, HR and business development teams; he was not involved in managing compliance, risk and audit or finance functions. As I have already found at §371, he was a member of the RAC in order for him to provide information as to the business and operational consequences of policy decisions, and not because of his knowledge of AML or compliance.
Responsibility for drafting the PCPs normally lay with the MLRO, but when Mr Kirby left unexpectedly in August 2020, the task fell to Mr Garcia, whose native language was not English. In his previous roles with other employers, Mr Furnival had extensive experience of drafting and editing documents, and he used those skills at the beginning of September 2020 to review Mr Garcia’s draft PCPs and ensure that they were written using a “professional high standard” of English. Mr Furnival had no role in designing those PCPs.
On 28 September 2020 Mr Curran joined BSEL as the new MLRO, and on 22 October 2020 Ms Chapman issued the Suspension Decision. Mr Furnival participated in a conference call with Ms Chapman on 23 October 2020 because Mr Garcia did not speak fluent English and Mr Curran had only just joined BSEL.
In November 2020, Mr Furnival provided the same editorial role for Mr Curran in relation to the amended PCPs sent to Ms Chapman. He also participated in the conference call which took place on 1 and 3 December 2020, as Mr Curran was still relatively new; Mr Garcia’s language skills were the same and Mr Hashmi was ill with Covid.
Mr Furnival was furloughed on 1 February 2021 and subsequently left the company. He did not participate in the video meeting which took place on 10 March 2021.
It is not in dispute that Mr Furnival was aware of BSEL’s PCPs, and part of his role as COO was managing relations with agents and aggregators. However, it does not follow that he was responsible for BSEL’s PCPs; he was not. Neither did he have knowledge of the MLR or the related guidance: that was the responsibility of the MLRO, Mr Garcia and the other members of the three-tier risk and compliance structure.
The law
Neither party cited any authority on the meaning of “knowingly concerned” in the MLR, but Ms Toman, rightly in my view, said that the Tribunal should have regard to the authorities on s 382 of the Financial Services and Markets Act 2000 (“FSMA”) which gives jurisdiction to grant restitution orders against those “knowingly concerned” in breaches of that Act.
In SIB v Scandex Capital Management [1998] 1WLR. 712, the Securities and Investment Board (a predecessor to the FCA) sought a compensation order against a director on the basis that he had been “knowingly concerned” in the contravention by Scandex of a regulatory requirement. Millett LJ (as he then was), endorsed an earlier dictum of Neville J in Burton v Bevan [1908] 2 Ch 240 at 246-247, which concerned whether the defendant had “knowingly contravened” a particular statutory provision. Neville J said:
“I think that 'knowingly' means with knowledge of the facts upon which the contravention depends. I think it is immaterial whether the director had knowledge of the law or not. I think he is bound to know what the law is, and the only question is, did he know the facts which made the act complained of a contravention of the statute?”
The Court of Appeal recently approved that dictum in the context of another case involving FSMA s 382, see FCA v Ferreira [2022] EWCA Civ 397 at [18]. Ms Toman referred me to an earlier decision to the same effect, FCA v Capital Alternatives [2018] 3 WLUK 623.
Application to Mr Furnival
Although I have found that Mr Furnival was not responsible for risk and compliance, or for BSEL’s PCPs, that does not assist him. As a matter of law, what matters is whether he knew what BSEL was doing. I agree with HMRC that Mr Furnival knew about BSEL’s risk assessments, CDD requirements, controls, agents and training, and so had the necessary factual knowledge. Thus, Mr Furnival would not have succeeded on his alternative argument. However, as I have found that he was not an officer, and that BSEL’s failures fell way below the threshold to justify a prohibition notice, this third ground falls away.
MR GARCIA
The Prohibition Decision issued to Mr Garcia also begins by stating that he was an “officer” of BSEL for essentially the same reasons as given in relation to Mr Furnival: he was a member of BSEL’s Management Committee; he was the Chair of the RAC and he was BSEL’s “Chief Information Officer” as well its Head of Global Compliance. For the same reasons given above in relation to Mr Furnival, I find that Mr Garcia was not an officer within the meaning of the MLR.
Under “relevant requirements contravened”, Ms Chapman refers to Reg 19(1), and cited in particular many-to-one transactions and one-to-many transactions; she went on to say that as a result, BSEL had also breached Res 28(2), 28(11), 28(16), 33(1) and 35(1).
Under “knowingly concerned”, Ms Chapman referred in particular to the following alleged breaches:
the risk of customers having duplicate accounts;
the special character issue;
the risk of many-to-one transactions; and
the lack of screening of PEPs for transactions under €1,000.
The position on breaches is the same as set out in relation to Mr Salam. It follows that even if I were to be wrong in my decision that Mr Garcia was not an officer of BSEL, his appeal is allowed for essentially the same reasons as set out above in relation to Mr Salam.
CONCLUSION ON PROHIBITION DECISIONS
For the reasons set out above and further expanded in the earlier Parts of this judgment I set aside the Prohibition Decisions and allow the appeals of Mr Salam, Mr Furnival and Mr Garcia.
OVERALL CONCLUSION AND APPEAL RIGHTS
For the reasons given in this judgment, all the Decisions are cancelled and the Appellants’ appeals allowed.
My thanks to the barristers for their detailed oral and written submissions, and my thanks also to those “sitting behind”. Their contributions have been of considerable assistance in deciding these appeals.
This document contains full findings of fact and reasons for the decision. Any party dissatisfied with this decision has a right to apply for permission to appeal against it pursuant to Rule 39 of the Tribunal Procedure (First-tier Tribunal) (Tax Chamber) Rules 2009. The application must be received by this Tribunal not later than 56 days after this decision is sent to that party. The parties are referred to “Guidance to accompany a Decision from the First-tier Tribunal (Tax Chamber)” which accompanies and forms part of this decision notice.
ANNE REDSTON
TRIBUNAL JUDGE
Release date: 09 JUNE 2022
APPENDIX
List of Abbreviations
AML/CTF | Anti-money laundering/counter-terrorist financing |
API | Authorised Payment Institution |
CDD | Customer Due Diligence |
COO | Chief Operating Officer |
DAML | Defence Against Money Laundering, obtained from the NCA |
EDD | Enhanced Due Diligence |
EWRA | Enterprise Wide Risk Assessment |
FATF | Financial Action Task Force |
FSMA | Financial Services and Markets Act 2000 |
F&P | Fit and Proper, see Reg 58 |
HRJ | High Risk Jurisdiction |
IPSP | Intermediary Payment Service Provider |
MI | Management Information [Dashboard] |
MLP | Money Laundering Prevention [Dashboard] |
MLR | The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 |
MLRO | Money Laundering Reporting Officer |
MLTF | Money Laundering and Terrorist Financing |
MSB | Money Services Business |
NCA | National Crime Agency |
NCIS | National Criminal Intelligence Service |
NRA | National Risk Assessment: Treasury and Home Office |
PCPs | Policies, Controls and Procedures |
PEP | Politically Exposed Person |
PSR | Payment Services Regulations 2017 |
RAC | BSEL’s Risk and Audit Committee |
regulated business | A business which had to comply with the MLR and/or the PSR |
RAIC | Risk and Internal Control group within BSEL |
Remit ERP | BSEL’s payment and transaction monitoring system |
SAR | Suspicious Activity Report |
VBP | Virtual Beneficiary Profile |
VCP | Virtual Customer Profile |