UK: Right To Inspect SARS Under The Civil Jurisdiction (Lonsdale V National Westminster Bank)

The High Court in Lonsdale v National Westminster Bank Plc considered the extent to which it was possible to obtain disclosure and/or inspection of suspicious activity reports (SARs) in civil proceedings. The case demonstrates the power of the court to order the disclosure of these otherwise confidential documents despite objections that to do so might constitute an offence under the Proceeds of Crime Act 2002 (POCA 2002). John Binns, partner, and Rosanna Cardona, solicitor, at BCL Solicitors LLP, consider the case.

Lonsdale v National Westminster Bank Plc [2018] EWHC 1843 (QB), [2018] All ER (D) 206 (Jul)

What are the practical implications of this judgment from a corporate crime perspective?

The case concerned the interaction of various individual rights—including the right of access to personal data (then governed by the Data Protection Act 1998 (DPA 1998)), as well as substantive rights under the laws of contract and defamation—with the provisions of the POCA 2002 relating to authorised disclosures (a type of SAR). Broadly speaking, it established that an individual may have rights to access such disclosures, and/or to inspect them under the Civil Procedure Rules (CPR), in appropriate circumstances.

Background to this judgment

The background to the case is one that many corporate crime practitioners will find familiar—the blocking of bank accounts associated with the claimant by the defendant bank, which had formed suspicions about the funds in them and made disclosures to the National Crime Agency (NCA), seeking consent to transact. The claimant initially sought access by way of a subject access request under section 7 of the DPA 1998 to all documents relating to the blocking of the accounts. The bank provided only limited and redacted material, which did not include the disclosures, but then referred to them in its defence to his subsequent claims (for breach of contract and defamation, as well as for breach of the DPA 1998). He then applied for inspection of the disclosures pursuant to CPR 31.14.

The bank opposed the application and applied to have the claims struck out, saying that:

• the disclosures and related documents (a) were not personal data, and (b) in any event were exempted by DPA 1998, s 29 (because access to them would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders)
• to permit access to or inspection of the disclosures would entail offences of tipping-off or prejudicing an investigation under POCA 2002 (ss 333A and 342 respectively)
• there was no real prospect of the breach of contract claim succeeding, as the bank had a genuine relevant suspicion about the funds, and the claimant had no evidence of malice (citing Shah v HSBC [2012] EWHC 1283 (QB), [2013] 1 All ER (Comm) 72)
• there was no real prospect of the defamation claim succeeding either, as the statements complained of (a) were not defamatory, (b) had not been published, (c) were subject to absolute or qualified privilege, and/or (d) did not cause serious harm to the claimant's reputation (citing section 1(1) of the Defamation Act 2013)

What did the court decide?

The court ordered inspection (subject to any objection from the NCA within 14 days) and declined to strike out any of the claims, saying that:

• the disclosures and related documents were (a) prima facie personal data and (b) not exempted by section 29, absent evidence of the risk of prejudice as asserted by the bank
• neither access under the DPA 1998 nor inspection under CPR 31.14 were prevented by the risk of offences under POCA 2002, absent evidence of such risk and given (a) the passage of time, which gave rise to doubts that any confidentiality in the disclosures was still required, and (b) the opportunity of the NCA to object. Inspection of the disclosures was necessary for the fair disposal of the claim
• though the bank had asserted that it had a genuine relevant suspicion, it had as yet provided no evidence of the same (which would be required to defend the breach of contract claim)
• the statements (a) were prima facie defamatory, (b) had been published (if only within the bank and to the NCA), (c) were subject to qualified rather than absolute privilege (an issue to be determined at trial), and (d) had caused harm to the claimant's reputation, whose seriousness could be readily inferred

Are there any additional learning points which you consider corporate crime practitioners should be aware of?

Corporate crime practitioners who advise banks' customers will be accustomed to giving gloomy advice about potential claims arising from blocked accounts (or, less commonly, where assets are otherwise blocked by someone else making an authorised disclosure). This judgment gives some new cause for hope for them, while making the defence of such claims (and advice on the same, to banks and others) rather more difficult than it was.

Dealing with data protection first, of course this is now governed by the Data Protection Act 2018 (DPA 2018), but both the right and the exemption (in section 45 and schedule 2, paragraph 2, respectively) are materially unchanged for these purposes. The bank's desire to establish a blanket application for the exemption to all disclosures made under POCA 2002—and/or a route to avoid their data protection obligations by reference to the offences in ss 333A and 342—was perhaps understandable, and mirrors most banks' blanket refusal to discuss these issues with their customers in any circumstances. The court's more nuanced approach, taking timing and the NCA's opportunity to object into account, arguably reflects common sense, but will be harder for the banks to navigate. The argument that such disclosures (and discussion about them) do not contain personal data is harder to understand, and the court's strident dismissal of it is surely correct.

The same common-sense approach is evident in the court's handling of substantive issues in breach of contract and defamation. It seems the contract claim may have been easily defeated if the bank had only put in a witness statement to confirm that there was a relevant genuine suspicion, which might also have served to establish a qualified privilege defence to the defamation claim. That said, the finding that inspection of the disclosures was necessary for the fair disposal of the claim is intriguing: would this still have been so had the bank done more to evidence its defence to those claims?

The court's demolition of the bank's more surprising arguments in the defamation context—that there had been no publication, that absolute privilege applied, or that there was no serious harm involved—is also surely welcome. The supposed distinction between a required disclosure (under POCA 2002, ss 330 or 331 of POCA, which would necessarily express a suspicion about an individual) and an authorised disclosure (under POCA 2002, s 338, which would express a suspicion about the funds) also seems weak in this context (unless, perhaps, the bank made it very clear in its disclosure that, while it suspected that the funds in the account represented the proceeds of crime, it believed the account holder had been diligent, but was nevertheless wholly unaware of that fact).

Notably, it seems that timing may well be all-important to the question of how to balance an individual's right to access or inspect a disclosure, on the one hand, with the risk that such access or inspection may prejudice an investigation, on the other. At one end of the scale, where a customer seeks access to a disclosure (or presses for confirmation that one has been made, perhaps in the context of a claim or a pre-action letter) as soon as it has been made, and while law enforcement are considering what action to take against him or his assets, the bank will have to take that risk seriously, and will most likely have to err on the side of relying on the exemption. (The tightened timescale for responding to requests under the DPA 2018, which may mean a deadline before the end of the POCA 2002 moratorium period, make this more of a live issue.) In the context of civil claims, this may entail leaving a conspicuous silence in pre-action correspondence or statements of defence, and (as in this case) an ex parte application to the judge to explain the situation.

At the other end of the scale, where the disclosures are of some age (those in this case, notably, were 16 and 7 months old), and there are no evident risks of prejudice, it would seem that the bank should prioritise its obligations to the customer and provide access to the disclosure/s it has made. The reality, of course, is that this ignores the calculation most banks' compliance staff make in these circumstances, that the risk of getting it wrong—in other words, the risk that they enable, even inadvertently, an offender to escape justice—is a much greater one than having to concede or settle a data protection claim at some point in the future. Nevertheless, the judgment in this case is a clear sign that adopting a blanket approach is no longer (if it ever was) the right answer.

Originally published in Lexis Nexis

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.