UK/US data sharing and the impact on financial crime
Speed read: On 3 October 2019 the UK and US signed a new data sharing agreement. So far, its benefits to the fight against terrorism and child exploitation have been in the spotlight. The agreement, however, casts the net widely when defining ‘serious crime’.
Offences of money laundering, fraud, tax evasion and market abuse are squarely captured. This piece assesses the potential of the agreement to be relied upon to further financial crime investigations with a cross-border dimension.
A new UK-US data sharing agreement signed on 3 October 2019 after four years of negotiation has implications for international money laundering and wider financial crime investigations. Although awaiting ratification by US Congress and UK Parliament, when implemented it will enable UK enforcement authorities including the Serious Fraud Office, HM Revenue and Customs, Financial Conduct Authority and accredited financial investigators, such as those at the National Crime Agency, to bypass the protracted Mutual Legal Assistance (MLA) system and directly request from US communication service providers (CSPs) electronic data to further an investigation into a ‘serious crime’. Defined as a crime with a maximum of at least three years’ imprisonment, offences of money laundering, fraud, tax evasion and market abuse are squarely captured.
Until now, enforcement authorities have had little choice but to rely on the MLA pathway, a process which, the Explanatory Memorandum to the agreement highlights, ‘can be years’ and may yield nothing. A frequent barrier is that access to data in the US is possible where there is an ‘exigent threat to life’, typically not the case even in the most complex of financial crime cases.1
The dawn of data sharing?
In the future, data that will be able to be sought directly from US CSPs such as Apple, Facebook and WhatsApp will include any data stored electronically, such as information identifying a customer or subscriber of a CSP, telephone records, electronic communications and records of payment means. The value of this information to a financial crime investigation is immense and the ability to approach CSPs directly will see investigations expedited. Still, there is a clear limit to the usefulness of the agreement and it is not carte blanche for enforcement authorities. Nothing compels a CSP in either jurisdiction to comply with the request. Enforcement authorities in the UK must also to seek judicial approval under the Crime (Overseas Production Orders) Act 2019 before a request is made. Approval will only be granted by a judge if there are reasonable grounds to believe that the information to be sought will be of ‘substantial value’ to the investigation.2 It follows that the enforcement authority must specify in the application the data that is sought. Further, there is potential for judicial review of the decision to grant the order that underpins a subsequent data request. ‘Any person’ affected by the order, which would include the American CSP itself, may apply to revoke the order.3
The agreement is also explicitly neutral when it comes to the thorn in the side of law enforcement and does not compel CSPs to remove encryption. The tension between privacy protection and investigation of crime remains. Important measures aimed at protecting the privacy of individual users, which Facebook and the applications it controls are set to enhance following a March 2019 proposal to expand end-to-end encryption, will continue to serve as a barrier to data sharing.
A spike in data-driven financial crime investigations therefore is not on the horizon even though CSPs could hold vital evidence. In March 2017, for example, the Financial Conduct Authority imposed a regulatory penalty on a former investment banker for sharing confidential information over WhatsApp. That case, however, did not require WhatsApp to share any data as full admissions were made at an early stage during an interview under caution and access to the device in question was provided.4 In August 2017, an IT professional pleaded guilty in the US to participation in a US $3 million insider trading scheme based on his provision to a group of traders of material non-public information that he misappropriated from his investment bank employer. The information had often been sent via encrypted self-destructing messages using a smartphone messaging application.5 His cooperation was similarly pivotal to the wider insider trading investigation which has since concluded. These two cases suggest that in the context of a financial crime investigation, data held by CSPs could be crucial but in the absence of cooperation by the suspect, will be very difficult to obtain.
Negotiation of a similar data alliance between the US and Australia is underway. But, if the alliance is forged, the stakes for US CSPs are likely to be higher if the passage of recent Australian legislation is an indicator. In December 2018, Australia passed the highly controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 which granted enforcement authorities sweeping powers to issue CSPs, including those not based in Australia but who provide services to an end-user in Australia, with notices requiring the provision of decrypted data. Civil penalties apply in the event of non-compliance. The Act is an early model for decryption legislation but its reach in practice is untested.
In the UK, discussion of the new data sharing agreement has focused on the benefits to anti-terrorism and anti-child exploitation efforts. Its potential use in financial crime matters, however, should not be overlooked. There is a limit to the value of the bilateral agreement whilst the tensions between privacy and law enforcement continue but the future bypassing of MLA processes is a step forward in cross-border financial crime investigations.
 Paragraphs 2 and 3.
 Section 4.
 Section 7.
 See Final Notice to Christopher Niehaus published by the Financial Conduct Authority on 29 March 2017.
 See US Department of Justice press release published on August 16 2017 and relatedly US Securities and Exchange Commission v Rivas et al complaint.
To read original article please click here
Meet the team of industry experts behind ComsureFind out more
Keep up to date with the very latest news from ComsureFind out more
View our latest imagery from our news and workFind out more
Think we can help you and your business? Chat to us todayGet In Touch
As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email firstname.lastname@example.org.