Speed read: On 3 October 2019 the UK and US signed a new data sharing agreement. So far, its benefits to the fight against terrorism and child exploitation have been in the spotlight. The agreement, however, casts the net widely when defining ‘serious crime’.
Offences of money laundering, fraud, tax evasion and market abuse are squarely captured. This piece assesses the potential of the agreement to be relied upon to further financial crime investigations with a cross-border dimension.
A new UK-US data sharing agreement signed on 3 October 2019 after four years of negotiation has implications for international money laundering and wider financial crime investigations. Although awaiting ratification by US Congress and UK Parliament, when implemented it will enable UK enforcement authorities including the Serious Fraud Office, HM Revenue and Customs, Financial Conduct Authority and accredited financial investigators, such as those at the National Crime Agency, to bypass the protracted Mutual Legal Assistance (MLA) system and directly request from US communication service providers (CSPs) electronic data to further an investigation into a ‘serious crime’. Defined as a crime with a maximum of at least three years’ imprisonment, offences of money laundering, fraud, tax evasion and market abuse are squarely captured.
Until now, enforcement authorities have had little choice but to rely on the MLA pathway, a process which, the Explanatory Memorandum to the agreement highlights, ‘can be years’ and may yield nothing. A frequent barrier is that access to data in the US is possible where there is an ‘exigent threat to life’, typically not the case even in the most complex of financial crime cases.1
The dawn of data sharing?
In the future, data that will be able to be sought directly from US CSPs such as Apple, Facebook and WhatsApp will include any data stored electronically, such as information identifying a customer or subscriber of a CSP, telephone records, electronic communications and records of payment means. The value of this information to a financial crime investigation is immense and the ability to approach CSPs directly will see investigations expedited. Still, there is a clear limit to the usefulness of the agreement and it is not carte blanche for enforcement authorities. Nothing compels a CSP in either jurisdiction to comply with the request. Enforcement authorities in the UK must also to seek judicial approval under the Crime (Overseas Production Orders) Act 2019 before a request is made. Approval will only be granted by a judge if there are reasonable grounds to believe that the information to be sought will be of ‘substantial value’ to the investigation.2 It follows that the enforcement authority must specify in the application the data that is sought. Further, there is potential for judicial review of the decision to grant the order that underpins a subsequent data request. ‘Any person’ affected by the order, which would include the American CSP itself, may apply to revoke the order.3
The agreement is also explicitly neutral when it comes to the thorn in the side of law enforcement and does not compel CSPs to remove encryption. The tension between privacy protection and investigation of crime remains. Important measures aimed at protecting the privacy of individual users, which Facebook and the applications it controls are set to enhance following a March 2019 proposal to expand end-to-end encryption, will continue to serve as a barrier to data sharing.
Continuing impediments
A spike in data-driven financial crime investigations therefore is not on the horizon even though CSPs could hold vital evidence. In March 2017, for example, the Financial Conduct Authority imposed a regulatory penalty on a former investment banker for sharing confidential information over WhatsApp. That case, however, did not require WhatsApp to share any data as full admissions were made at an early stage during an interview under caution and access to the device in question was provided.4 In August 2017, an IT professional pleaded guilty in the US to participation in a US $3 million insider trading scheme based on his provision to a group of traders of material non-public information that he misappropriated from his investment bank employer. The information had often been sent via encrypted self-destructing messages using a smartphone messaging application.5 His cooperation was similarly pivotal to the wider insider trading investigation which has since concluded. These two cases suggest that in the context of a financial crime investigation, data held by CSPs could be crucial but in the absence of cooperation by the suspect, will be very difficult to obtain.
Future developments
Negotiation of a similar data alliance between the US and Australia is underway. But, if the alliance is forged, the stakes for US CSPs are likely to be higher if the passage of recent Australian legislation is an indicator. In December 2018, Australia passed the highly controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 which granted enforcement authorities sweeping powers to issue CSPs, including those not based in Australia but who provide services to an end-user in Australia, with notices requiring the provision of decrypted data. Civil penalties apply in the event of non-compliance. The Act is an early model for decryption legislation but its reach in practice is untested.
In the UK, discussion of the new data sharing agreement has focused on the benefits to anti-terrorism and anti-child exploitation efforts. Its potential use in financial crime matters, however, should not be overlooked. There is a limit to the value of the bilateral agreement whilst the tensions between privacy and law enforcement continue but the future bypassing of MLA processes is a step forward in cross-border financial crime investigations.
[1] Paragraphs 2 and 3.
[2] Section 4.
[3] Section 7.
[4] See Final Notice to Christopher Niehaus published by the Financial Conduct Authority on 29 March 2017.
[5] See US Department of Justice press release published on August 16 2017 and relatedly US Securities and Exchange Commission v Rivas et al complaint.
To read original article please click here