The UK case of David Lonsdale v National Westminster Bank  EWHC 1843 (QB) is a case which brings to light the interaction between tipping-off and data protection issues.
The Claimant was a customer of the Bank for many years and at the material time had 7 accounts with the Defendant Bank, including sole accounts and joint accounts which were used for both personal and business reasons. During March 2017, the Bank froze one of the Claimant’s accounts for eight working days, reflecting the time it would have taken the Bank to seek consent from the relevant authority following the making of one or more suspicious activity reports (“SARs”). Later in December 2017, the Bank froze all 7 accounts and so the Claimant was unable to access any funds.
The Claimant applied for an interim order, which was granted by UK Courts, that same month to access his accounts. In response, the Bank had informed the Court that it was liaising with the authorities and seeking consent to unfreeze the accounts, also confirming that a SAR had been filed. The Bank later proceeded to unblock the accounts however it also gave the Claimant 60 days’ notice to inform him that it was closing his accounts and advising him to seek alternative arrangements to transfer his funds elsewhere.
As a result of this termination notice, the Claimant sought a subject access request pursuant to the applicable data protection laws, requesting disclosure of all documents relating to the decision to freeze his accounts and the decisions made to re-open them. In response to this request, the Bank provided extracts of personal information, without however disclosing the SARs and any information relating thereto, which were considered to be exempt from disclosure under the applicable data protection laws. The Claimant proceeded to sue the Bank relying on three causes of action, namely breach of contract, breach of the applicable data protection laws and defamation. Implicit in all these claims was the Claimant’s belief that the defendant did not hold a genuine suspicion that the money in his accounts was the proceeds of crime and that therefore his accounts had been frozen unnecessarily.
The case in question was a summary judgement and is therefore of limited value; indeed, the case has settled and the issues that arose remain unresolved. Yet, the Judge made some interesting comments which may come to good use to banks when receiving data subject access requests for personal data relating to SARs. Firstly, the Judge held that there was a “strong case” that the Bank’s deliberations and decision to submit SARs and freeze accounts constituted personal data and, therefore, banks should thoroughly consider whether the aforementioned exemptions under the relevant data protection laws apply. Although the Court stopped short of specifically considering whether a request of this nature would fall within the scope of the restrictions provided under the data protection laws per se (for example, whether such restriction of access would be in the public interest or would otherwise be necessary for the purpose of the prevention, investigation, detection or prosecution of criminal offences), the Judge did conclude that the Bank’s assessment was “flawed” and ruled that the SARs in question must be disclosed after 14 days of its order. Interestingly, the Judge was of the view that there was no evidence that inspection would trigger tipping-off and that there was no evidence that the SARs are required to be kept confidential, particularly since they were clearly relevant to the assessment of whether the Bank genuinely held a relevant suspicion.
This case reminds us of the Shah v HSBC Private Bank (UK) Ltd saga, which similarly considered a request for damages following the raising of a SAR by HSBC Private Bank, which led to a transaction initiated by Mr Shah being blocked pending investigation. After four and half years, Mr Shah’s claim was dismissed in its entirety, which confirmed a bank's right to delay execution of a customer's payment instructions and refuse to provide information in circumstances where the bank has a suspicion of money laundering. Therefore, whilst it is true that the Courts have historically provided banks with considerable protection and discretion relating to SARs, the Lonsdale case is a reminder that banks should carefully evaluate their decision to submit SARs and make sure that, in doing so, they hold a genuine suspicion, rather than make reports in bad faith or otherwise just for the sake of protecting their own interests without reasonable grounds for suspicion; indeed, the saving grace for HSBC in the Shah case was the ability of the defendant bank to provide that its suspicion was founded on solid grounds and it was therefore able to demonstrate that it held a duty at law to block a transaction and report to the relevant authorities. Cases of this nature also bring to the fore the importance of human intervention in confirming the suspicion – rather than relying exclusively on automated alert systems – as well as the retention of clear and comprehensive written records evidencing the rationale of their suspicion together with supporting documentation. In order to limit the risk of being sued for breach of contract, banks should also consider updating their standard terms of business to expressly exclude liability where a customer suffers damages as a result of a delay in the execution of a transaction or otherwise as a result of a bank’s refusal to provide information in these circumstances.