Bank ordered to disclose suspicious activity reports to customer
Headlines in this article
Related news and insights
Blog Post: 29 November 2023
Blog Post: 28 November 2023
Blog Post: 27 November 2023
Publications: 27 November 2023
Lonsdale v National Westminster Bank  EWHC 1843 (QB) (18 July 20181)
A bank was ordered to disclose, to a customer, suspicious activity reports (SARs) that the bank had sent to the National Crime Agency (NCA) at the time of freezing the customer’s bank accounts. The bank’s arguments concerning confidentiality, tipping-off and prejudicing an investigation were unsuccessful. The court’s observations on the interplay between the SARs regime and the law on data protection, defamation and breach of contract will be of interest to all banks.
Suspicious Activity Reports – a reminder
A bank may protect itself from committing a money laundering offence under the Proceeds of Crime Act 2002 by making a SAR to the National Crime Agency and obtaining appropriate consent. When a SAR has been submitted a bank will freeze the suspicious accounts. If it has not received a ‘notice of refusal’ from the NCA within seven working days it may unfreeze the account. The level of suspicion required to attach criminal liability to a bank for money laundering is low – and, in part, is a subjective test. Banks are responsible for 82.85% of SARs submitted to the NCA2.
Bank submits SARs and freezes accounts
In March 2017 the bank froze a joint account belonging to one of its customers, a barrister, for eight days and in December it froze seven other accounts of the same customer – a personal account, another joint account and four accounts for businesses in which he was a director. The customer requested access to documents relating to the freezing of his accounts. The bank provided limited documentary evidence, and did not disclose the SARs.
Customer does not believe bank held genuine suspicion
The customer launched a multi-pronged attack on the bank’s actions, including making claims for breach of contract, defamation, breach of the Data Protection Act 1998 (the acts took place pre-GDPR) and also an application for disclosure of the SARs.
Implicit in all these claims was the customer’s belief that the bank did not hold a genuine suspicion that the money in his accounts was the proceeds of crime, that his accounts had been unnecessarily suspended and his reputation damaged.
The customer wanted to see the SARs and information held by the bank relevant to its decision to make the SARs and freeze (and unfreeze) his accounts. He sought summary judgment on his claims (summarised below).
|Customer's claims||Bank's defence/application||Court's ruling|
|Breach of contract: the bank was in breach of contract by failing to follow the accountholder’s instructions and by failing to evidence that it had a genuine suspicion that the account held criminal proceeds.||Express contractual provisions allowed bank to freeze accounts if not to do so would expose it to criminal liability.||Not a matter for summary judgment since it involved questions of fact – the bank must show that it held the relevant suspicion.|
|Breach of DPA 1998: the bank (1) had not provided in time (or at all) all personal data in response to the data subject access request and (2) the data provided was not in intelligible form and it included inaccurate information.||The decision to freeze accounts did not concern ‘personal data’. The information sought contained that of other individuals (so it was mixed data) and there was an exemption for the prevention and detection of crime.||The customer’s claim was not a matter for summary judgment. However, the bank’s approach to determining whether information was the customer’s personal data was “clearly flawed” and the customer had a “strong claim” that the bank’s deliberations and decision to submit SARs and freeze and unfreeze accounts was his personal data. Accordingly the bank's application for strike out / summary dismissal was rejected.|
|Defamation: the bank had defamed the customer by suggesting that it had suspicions that his account contained criminal proceeds. Defamatory statements were published in the SARs and in internal bank employee communications concerning the decision to make the SARs and freeze the accounts.||The statements were not defamatory, not published, did not cause harm and in any case were protected by qualified privilege.||Not a matter for summary judgment: statements were capable of being defamatory and they were published. However qualified privilege was likely to apply, subject to malice.|
|Inspection: The customer was entitled to see SARs as they had been referred to in the bank’s defence and counterclaim.||SARs are, in general, confidential, and these SARs were disclosed to The NCA in the strictest confidence. Permitting inspection of the SARs may expose the bank to the offence of tipping-off or prejudicing an investigation. Inspection was not necessary for fair disposal of action.||The SARs in question must be disclosed after 14 days of the court’s order (to enable the NCA to consider its position on making such disclosure). There was no evidence that inspection would trigger tipping-off. There was no evidence that the SARs are required to be kept confidential. The SARs were plainly relevant to the assessment of whether the bank’s employees genuinely held a relevant suspicion.|
Impact of decision
This was a summary judgment/strike out application, so is of limited precedent value. The case has settled, so we will not see the issues that arose fully resolved.
We are not expecting this decision to cause a rush by customers to bring claims of this sort against banks:
• Courts have historically provided banks with considerable protection and discretion relating to SARs due to the fact that banks are merely seeking to help law enforcement and avoid criminal liability. The courts would not want to encourage civil claims of this sort.
• It is hard to imagine why a bank would file a SAR without a genuinely held suspicion (even if that suspicion turns out to be unfounded).
• Many customers would be deterred by the potential cost. The claimant in this case was a barrister, who represented himself, so this aspect was less of an issue for him.
The ruling does however provide a reminder that should a bank be faced with a similar claim, it is very unlikely to be able easily and quickly to defeat it (by way of strike out). The ruling makes clear that the question of whether a bank has a genuine suspicion that money in an account was criminal property is a primary fact for the bank to prove at trial3.
Banks may start receiving data subject access requests for personal data relating to SARs. The judge’s view on this summary judgment application was that there was a “strong case” that a bank’s deliberations and decision to submit SARs and freeze accounts constituted personal data, and that the bank had demonstrated “a flawed understanding of the scope of that concept”. Since it was a summary judgment application, the judge felt unable to address whether the exemption relating to the prevention or detection of crime was available stating “[t]here is no evidence before me regarding the likelihood of the provision of further personal data to Mr Lonsdale prejudicing the prevention and detection of crime.” It is difficult to imagine that the rules relating to tipping-off would not prevail since it seems to be a paradigm example of what the crime exemption was aimed at (provided the bank held a genuine suspicion). It is a shame that the judge did not feel able to make this finding even on a summary basis.
There is a call for reform to the UK’s SARs regime. The OECD has criticised the UK for the low level of corruption enforcement activity from the current regime. A UK Law Commission consultation states that there are on average 2000 SARs filed per day with the NCA, many of ‘low quality’, making it hard for investigation authorities to detect where the real risks are.
The low level test for suspicion for the substantive money laundering offences in the UK has also been criticised in the consultation. “A majority of stakeholders expressed the view that suspicion remains ill-defined, unclear and inconsistently applied by banks and businesses.” This leads to defensive reporting where reports are made more because of concerns regarding a failure to comply with POCA than because of genuine suspicion.
The Law Commission recommends improvements to the SARs regime, in particular suggesting that better guidance on ‘suspicion’ would lead to better quality SARs.
If you would like to discuss the issues arising from this case, including how to respond to data subject access requests in the SARs context, please contact Arnondo Chakrabarti, Eve Giles or your normal Allen & Overy contact.
1 But only recently made public.
3 Applying Shah v HSBC Private Bank  EWHC 79 (QB)