How much do businesses that operate in the UK need to worry about financial crime? Traditionally, the answer has been very different depending on  whether that business is in  the 'regulated sector' – which includes financial institutions, accountants, estate agents and others – for the purposes of the Proceeds of Crime Act 2002 (POCA). But increasingly, even those outside that sector have to keep financial crime in mind and may find themselves having to report suspicious activity.

The Proceeds of Crime Act Part of the reason for that is that POCA imposes criminal liabilities on everyone – not just the regulated sector – for handling 'property' (very broadly defined) that represents the proceeds of 'criminal conduct' (also very broadly defined), or from becoming involved in arrangements that relate to such property. There is an important exception where the property is received for 'adequate consideration', though not where the goods or services might themselves assist in crime. A marketing firm may receive fees from someone they know to be a fraudster, but not if their work has helped him find and defraud his victims.

The arrangements offence What that means in practice is that, unless your business handles others' assets for them, the key POCA provision to be aware of is likely to be the 'arrangements' offence, which can create problems for those who finance or play another, even peripheral, part in a transaction that they suspect may involve the proceeds of 'criminal conduct'. Lest that prospect seem remote, it's worth bearing in mind that this can include, for instance, a pecuniary advantage arising from tax evasion, or a failure to obtain a proper licence, or even conduct that is lawful overseas, but would be unlawful if it happened here (such as Canadian cannabis sales).

Disclosures and consents

Fortunately, POCA provides for the scenario where a business finds itself in circumstances where a suspicion has arisen and wants either to exit the transaction, or go ahead with it. Depending on the circumstances, the answer may be to make a disclosure to, and request consent from, the National Crime Agency (NCA). The NCA receives such requests on a regular basis, mainly from banks, and has a statutory period within which to respond, otherwise consent is deemed granted.

Assisting with investigations

Other than banks and other large regulated-sector firms, most businesses will not be accustomed to spotting such scenarios or making disclosures, and the first sign they may have of a problem is a request for information from the NCA (or other investigative body), perhaps in the form of a production order or disclosure notice. That may be in connection with a criminal investigation, or one to do with civil recovery, confiscation, frozen funds or seized cash, either in the UK or overseas.

Peripheral vision

It would be understandable in those circumstances for a business to comply with any orders made against it, but not to concern itself unduly with the problems of others. But the risk of course is that investigations spread and can have consequences, particularly where assets are frozen, or requests are made in multiple jurisdictions. Some peripheral vision of financial crime risks can often be beneficial.

'Failure to prevent'  and sanctions

Beyond POCA, there are a small but increasing number of offences for which a corporate can be liable on the basis of 'failure to prevent' – currently bribery, and the facilitation of tax evasion – unless they can show they had reasonable preventative procedures in place. And there are financial, trade and transport sanctions, traditionally a foreign policy measure, which increasingly target private individuals and firms, and those who deal with them. Sanctions laws can impose criminal and monetary penalties on firms that deal with the assets of, or provide resources to, 'designated persons', on the basis that they had 'reasonable grounds to suspect' that this was the case. The list of 'designated persons' is ever expanding and contained on a government website ( government/publications/ financial-sanctionsconsolidated-list-of-targets).

Risk assessment

What, then, should a responsible business do to mitigate its risks from financial crime? To borrow an idea from the regulated sector, the sensible starting point is to undertake a risk assessment (or refresh one that has already been done), looking at the nature of your business, the countries and sectors in which you operate, and the partners you deal with, and consider  the scenarios in which you might come into contact with bribery, sanctions breaches, tax evasion, money laundering, terrorist financing and other acquisitive offending.

Policies, controls  and procedures

From there, the challenge is to create (or refresh) a set of policies, controls and procedures that ensure risks are avoided, escalated where appropriate, managed and mitigated in a way that doesn't impact unnecessarily on  your business's legitimate activity. A set of preventative procedures may well involve  a process for escalating issues and reporting them to the authorities, while also being mindful of confidentiality obligations to third parties.

The risk-sensitive approach

A good rule of thumb is to adopt the mindset of a stranger to your business – perhaps the mindset of an individual working in law enforcement – in order to sense check the facts as you know them, but with a cynical or suspicious eye. In practice, this can lead to difficult conversations in which reasonable questions aimed at complying with the law can clash with personal or cultural reticence about financial privacy. In practice, due-diligence processes that are sensitive to the heightened risks associated with certain sectors are essential, and cultural reticence about the provenance of wealth cannot be allowed to be a barrier.

Dealing with a crisis

Diligent preparation notwithstanding, of course there will always be the risk of encountering scenarios that are unexpected. Where that occurs, the first questions to ask are who is aware of the facts, where the evidence lies and whether there are risks of ongoing or future offences or harms. Where the concern is about past actions, the question of whether there are proceeds of that conduct, and where the proceeds currently are, could be important. Judgements will need to be reached on the level of concern or suspicion, which could be a moveable feast. Contact with the authorities could be necessary and may otherwise be desirable. There may also be civil, employment or private remedies to  consider against people identified as responsible.

A shared responsibility

Whether these issues are tackled in advance or when they arise, the guiding principle of a responsible business towards financial crime is to recognise that it is not, if it ever was, solely the concern of law enforcement and the regulated sector. Any business can find itself caught up as a victim, a witness or on the periphery of arrangements that concern its proceeds. None, therefore, can afford to ignore it.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.