How to manage law enforcement enquiries: an MLRO’s advice
William Price, Ladbroke's, MLRO, London, 7 March 2017
William Price, the group head of Ladbrokes' anti-money laundering department, gave the audience at a recent conference hosted in London by MLROs.com a good grounding in how to deal with law enforcement authorities and their various requests. All reporting entities, including banks, are likely to find his observations useful.
Money-laundering reporting officers have to contend with many formal and informal enquiries from law-enforcement authorities or LEAs, among them data requests, customer information orders, account monitoring orders, production orders, search and seizure orders, restraint orders and bankruptcy orders. These requests can come from a wide range of LEAs, among them the 52 territorial police forces of the United Kingdom, three special police forces (the Ministry of Defence Police, the British Transport Police and Police Scotland), the National Crime Agency, HM Revenue & Customs, the Department of Works and Pensions, the Social Security Agency and the Serious Fraud Office. Price told the audience that requests also came from other bodies that were "not strictly LEAs." These included the Information Commissioner's Office, the Financial Conduct Authority and other regulators.
What do the LEAs want?
Price told the gathering of money-laundering reporting officers that these bodies were interested in obtaining names and addresses, telephone numbers, account details and transaction history with a view to gathering evidence that they could use in court to obtain convictions. They ask for such information by making informal enquiries through telephone calls and personal contact and by going through legal procedures that are set down in section 29 Data Protection Act, the Police and Criminal Evidence Act (PACE), the Proceeds of Crime Act and the Terrorism Act (and amending legislation).
Price had a word of warning for MLROs: "Don't be fooled when the officer says that the enquiry is off the record. Even if he feels that it is, it is not! Nothing is off the record. If he asks for some information about Mr X's account, you first need to verify that he is a police officer. There is no reason why you should not indicate that you hold or do not hold data. However, in order to protect yourself, you should ask the officer to get a Court Production Order. This will protect you from any claim of unlawful disclosure.
Informal enquiries
Price advised the MLROs to consider speaking only to financial investigation officers to the exclusion of other police people, adding: "the fact that they're police officers does not mean that they are suitably qualified or they are aware of the Data Protection Act."
He continued: "Do not take enquiries, even of a general nature, from operational detectives. FIOs, on the other hand, are specially trained and strictly monitored. All forces have them. Never speak to these individuals on their mobiles. Always call them back on their landlines or ask them to send emails with their addresses on that you can confirm. They could be private detective agencies seeking information. As such they will use police jargon to give the impression that they are a police officer when in fact they are not!"
The Data Protection Act
Requests for data often fall short of what is legally required under the Data Protection Act and could amount to a ‘fishing exercise’.
As an MLRO, Price requires people from LEAs to conform to the DPA: "We require them to identify the person they are seeking information about; details of any known accounts held (including telephone numbers) and an overview of the type of offences alleged to have been committed.
“LEAs will often use section 29(3) DPA to seek access to data. However, section 29(3) DPA relates to the data provider not LEAs.
“If you do provide data under section 29(3) I would advise you to insert the following text in your response: This data is provided for intelligence purposes only. If the information is required for evidential purposes then a Production Order should be obtained. This should prevent your data being used in any other capacity.”
It should be noted that the DPA does not allow them access to special procedure material.
"Special procedure material" is defined in section 14 PACE 1984 and includes journalistic material and material acquired in the course of a trade or profession and which is held subject to a duty of confidence. A justice of the peace cannot authorise a search of premises for such material. Special procedure production orders are made under s9 and schedule 1 PACE 1984. A judge may issue an order under schedule 1 PACE 1984 requiring the production of special procedure material if he is satisfied that the documents are likely to be relevant evidence or of substantial value to an investigation into an offence.
Applications: example 1
Price presented the audience with some real, although 'sanitised,' examples of requests from HMRC and the police for his organisation to waive the rights that its customers' would normally have under the DPA. In each case, he invited them to guess whether the MLRO should have complied.
The first data request was entitled "Disclosure of information from your company records" and said: "Will you please disclose the information held in your record(s) in respect of the following subject(s). Name, date of birth and UK address: (left blank). Details required: A client list containing ONLY the client name. (Any additional information would be made via a court order.) I confirm that this information will be treated in strict confidence and will not be disclosed to any third party.
"In order to satisfy the exemption provisions of the Data Protection Act 1998, if applicable, I hereby certify that the information is required for the purpose of enabling us to continue with our enquiries and that failure to disclose it may prejudice our enquiries. Our investigation concerns money laundering contrary to the Proceeds of Crime Act 2002."
The language of the letter was intimidating and, at least at first, did not take into account the volume of documents to which the request referred (a staggering 15,000 files).
Price revealed that the MLRO in question refused, quite rightly, to comply. This was because the request in this case was not specific enough. The LEA was not looking for data about a specific person and instead, in his words, "wanted all the company records." Price said that this was not 'reasonable or proportionate.' Data protection requests must be reasonable and proportionate, as dictated by the High Court of England & Wales. The court also noted that the purpose of data protection legislation was to protect data subjects’ rights to privacy and ensure the accuracy of the information that people were holding about them.
Applications: example 2
The next example came from an anonymised police data request form which began: "The request for personal data and other information is made under the powers invested in me as a constable of.... by the Police Act 1996 (section 30(1)), which gives constables the powers and privileges of a constable throughout England & Wales, and section 30(5) which defines powers as powers under any enactment whenever passed or made."
At this point Price pointed to the daunting language of the policeman's request and told the audience: "He's trying to overwhelm you with acts and sections."
The request went on: "These powers include the investigation and detection of a crime, apprehension and prosecution of offenders, protection of life and property and maintenance of law and order. Under the Police Reform Act 2002, the Chief Constable can delegate certain powers to police staff."
Price commented: "All it says is 'I am a police officer and I have the powers of a police officer' (i.e. arrest powers) - but that doesn't confer on him any powers to waive the Data Protection Act. Most MLROs would say ooh, it's the Police Act, I'd better comply. You mustn't do that!"
Section 29(3) DPA
The police are most likely to ask an MLRO to release personal information in line with section 29(3), which states that personal data are exempt from the non-disclosure provisions of the Data Protection Act in any case in which they are being processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty. It also says that data are exempt if the application of those non-disclosure provisions would be likely to prejudice the prevention or detection of crime etc.
The exemption, however, does not cover the disclosure of all personal information in all circumstances. It only allows the MLRO to release personal information for the stated purposes and only if not releasing it would be likely to prejudice any attempt by the police to prevent crime or catch a suspect (that is, significant harm).
The MLRO, then, should release information for the stated purpose only. For every request for personal information he receives (and about each separate individual), he ought to ask himself the following questions.
(i) Am I sure that the person is who he says he is? (For this reason, he should take particular care if the request is made over the telephone).
(ii) Is the person who is asking for this information doing so to prevent or detect a crime or catch or prosecute an offender?
(iii) Why is it necessary for us to provide this personal information (can the LEA not acquire it from another source)?
(iv) How will this personal information help the LEA's attempts to prevent crime or catch a suspect?
Price went on: “Under s29(3) it is up to the data controller (the MLRO acts on his behalf) to decide whether to give the information to the police. [Note – under s29(3) DPA personal data is exempt from the first data protection principle – for the purpose of (a) the prevention or detection of crime, (b) the apprehension or prosecution of offenders or (c) the assessment or collection of any tax or duty or of any imposition of a similar nature.] It should be noted that section 29(3) is not a legal gateway to personal data for the police or other bodies – YOU must make the decision whether to disclose!”
Data requests and fishing expeditions
Another example of the sort of request that an MLRO can receive read as follows: "I am making enquiries into the activities of one John Smith, born on 11/11/83 at 1 New Town, New Street, Newtown. Can you please tell me what his history with you is? I wish to establish his spending pattern and what he is either losing or gaining.
"I shall also require email details, telephone details, contact details, spending habits and details of identity confirmation that he has provided. A statement will be required in due course. Please ensure that this information is kept discreet as this is a continuing money laundering enquiry and I would not want the person concerned to be informed about this police enquiry."
Price thought that this was "not sufficient." He explained: "What he failed to do was describe WHY he wanted the information. Our [gambling] regulator is concerned about the provision of information to LEAs that is not justified. Such instances are regarded as a ‘fishing exercise’ and should not be entertained".
He came up with a better example of how to ask for information: "He has an account with you and he is involved in selling drugs, the proceeds of which are being used to fund his account. We therefore require details of all transactions and information held..."
He added: "Some officers won't even give you that, because they think you're asking too much. but it'll come back to haunt you later if you don't collect enough information to make a judgment and write down WHY you made it."
The provision of data on a person in a way that is not fully compliant with s29(3) DPA could result in a complaint being lodged with the Information Commissioner’s Office and result in the MLRO being required to justify his actions and rationale for the decisions he has made.
The Police and Criminal Evidence Act 1984 (PACE)
PACE allows the police to apply for production orders that compel firms to divulge material relating to suspects.
The police use the Act to gather evidence for money laundering and other cases. Orders issued under PACE can apply to the aforementioned "special procedure material" which is confidential material (other than legally privileged or excluded material) acquired or created in the course of a trade, business, profession, or unpaid office. A production order for this material requires the authority of a district judge or a higher judge.
A PACE order will normally specify the period of time that a person has in order to comply with the ‘order,’ e.g. it might say that the firm has seven days to produce the material.
Proceeds of Crime Act 2002
POCA is the most useful tool in the LEA’s armory. It can give rise to all manner of orders – customer information orders, production orders, restraint orders, confiscation orders and account monitoring orders. Every MLRO has had experience of the last type of order. Account monitoring orders can last up to 90 days and can be extended. The authorities can use them to ask for daily, weekly or monthly information about accounts.
Section 7 Crime and Courts Act
The National Crime Agency (NCA) replaced the Serious Organised Crime Agency (SOCA) on 7th October 2013 as the UK's main body for tackling organised crime. Since then, the NCA has been seeking more and more information (and more and more types of information) from businesses under cover of a "request for information" brought about by section 7. This section provides banks with a pseudo-protective blanket because it gives any person or organisation lawful authority to disclose information to the NCA as long as it is for the purposes of gathering, storing, processing, analysing and disseminating information that is relevant to the fight against crime. In other words, the disclosure of information to the NCA in these circumstances will not breach any statutory or other obligation of confidence that the person who makes the disclosure owes to anyone else. For example, a suspect's bank may report suspected criminal activity relating to a bank account to the NCA without breaching the duty of confidentiality that it owes to its customers.
It should be noted that 2016 saw a number of SARs that led the National Crime Agency to demand to see the relevant banks’ internal reports, together with the identities of all the members of staff involved. Although SARs are protected from public view, a High Court Judge can order people to make such information available to others if he pleases.
Customer Information Orders (section 364 POCA 2002)
These orders relate to asset confiscation investigations / money laundering investigations or external investigations and are applied for at a Crown Court.
The ‘customer information’ is in relation to a person and a financial institution, and is information about whether the person holds, or has held, an account or accounts or any safe deposit box at the financial institution (whether solely or jointly with another) and (if so) information about: (a) the matters specified if the person is an individual; and (b) the matters specified if the person is a company or limited liability partnership or a similar body incorporated or otherwise established outside the United Kingdom.
‘Customer information’ relates to an individual and requires the company concerned to provide details of account numbers; a full name and date of birth; most recent addresses and previous addresses; the date on which the account was opened and closed; ID and verifying information; and, if a joint account exists, all the previously mentioned data of the account holder for the purpose of an investigation into the proceeds of crime.
Production orders
These are the most common type of order that the average MLRO sees. They are orders that compel MLROs to produce "special procedure material."
The application can be ex parte - a decision made by a judge without requiring all of the parties to the controversy to be present.
The institution that receives such an order always has the option of applying to a court for further time. Invariably, the officer behind the order will tell the MLRO that he is applying for an extension. The MLRO is allowed to go to court with him and apply for more time if he wishes. In most cases the judge will ask whether seven days is enough time for the order to be complied with. He can grant more time if necessary.
The order will specify exactly what must be produced and may specify a designated period. On this subject Price warned: “Ensure that you check exactly what is being asked for. Whatever is required should be produced in such a way that it can be taken away.”
Account monitoring orders
These can apply to all accounts in the suspect's name or to specified accounts. They can apply to particular types of account. Each order must set out the things that the MLRO must provide and must include the timescale. It might compel him to produce information every 24 hours. Each order lasts a maximum period of 90 days after a judge issues it.
Search and seizure warrants
On this subject, Price admonished the audience: "Get ready to panic if you've been served with one of these. They are only issued when a production order has not been complied with because it is not practicable to communicate with any person against whom the order has been made, or communicate with any person who would be required to grant entry to the premises, and immediate access is required. I'm pleased to say that not too many people have had these."
Restraint orders
A restraint order applies to all realisable property, whether specified or not in the actual order. It usually makes provision for reasonable living expenses and allows the suspect to carry on his business. Once a judge has made the order, neither he nor any other judge can reverse it. He can, however, change its terms on the application of anyone who is affected by it.
Overseas requests for data
The DPA says: “Personal data shall not be transferred to a country or a territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.”
This is the eighth data protection principle, but other principles of the Act will also usually be relevant to any effort to send personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require the MLRO to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to the way in which he sends the information and the necessity to have contracts in place when using sub-contractors abroad.
Mutual Legal Assistance (MLA) is a method of co-operation between states in the investigation or prosecution of criminal offences. They generally use it to obtain material that cannot be obtained on a law enforcement (police to police) to basis, particularly when enquiries require coercive means. The states send requests by formal international Letters of Request (ILORs or LORs). In civil law jurisdictions, these are also referred to as Commissions Rogatoires. Such assistance is usually requested by courts or prosecutors and is therefore also referred to as ‘judicial co-operation’. Central authorities have the job of receiving, acceding to and ensuring the execution of MLA requests.
This is a complicated issue and further guidance can be found at
Tackling the issue
Price concluded his advice to MLROs with some words of comfort: "Don't forget that the LEA is on your side! Nevertheless, you have a legal obligation to the NCA and to your company. Deal with the request promptly, only provide information that you have been asked for, read the order thoroughly and break it down into exactly what it says. It can be long, verbose and repetitive. It is easy for you just to glance at the order and miss something; it could be spelt incorrectly. An incorrect spelling of a name could invalidate the evidence.
"If you have a lot of work on, take that into account. Is the time-frame realistic? If not, contact that officer concerned immediately and ask for more time. His code of conduct specifies reasonableness. If he is unreasonable or does not believe that you need extra time, you can apply to a judge for extra time. To do that, you need to appear before the judge who granted the order OR you can apply to the court for a hearing in Chambers about the matter. But, most importantly, you must inform the officer in question. Do not take it for granted that you will be allowed extra time automatically. Failure to comply is a criminal offence."
* William Price can be reached on 07824 838282 or at william.price@ladbrokescoral.com