Shah v HSBC: Court of Appeal Says the Identity of Staff Making SARs in Good Faith is Not Disclosable
The Court of Appeal in London ruled on 13 October that HSBC Private Bank did not have to disclose the identity of employees who had made internal reports which had led to suspicious activity reports (“SARs”) being filed with the authorities unless there was a firm suggestion on bad faith on their part.
The judgment is the result of satellite litigation arising from the more famous 2010 case of Shah v HSBC, in which the Court of Appeal ruled that parties which had suffered loss as a result of SARs being filed were entitled to demand proof from the regulated institution responsible that the suspicion on which the SAR was founded existed.
On the particular facts of the original case, the High Court ordered HSBC to identify the employees by function, but not by name. The Shahs appealed the court’s refusal to order the disclosure of the names of the employees, and HSBC cross- appealed against the court’s finding that its obligation to make standard disclosure required their names to be revealed in the first place (with the names only being protected by PII, and not as of right).
The Judgement of the Court of Appeal
Within HSBC there were three stages of AML reporting:
1. The relationship manager with a particular client would report any AML suspicion to the compliance department;
2. The compliance department would report the matter internally to the MLRO;
3. The MLRO would then, if appropriate, file an SAR with SOCA.
HSBC had disclosed a series of memos, internal reports, and similar documents. With the exception of the MLRO, the identity of all employees concerned had been redacted; they were identified only by the department (client relationship, compliance or MLRO) that they worked for. The documents did however reveal the information based on which the MLRO formed his suspicion.
The Test for Disclosure
The court found that the redacted identities of the employees concerned was not material on which HSBC relied to prove its case. As a result, the relevant question was: is the material either material which would adversely affect HSBC’s case or material which would support the Shahs’ case?
In answering the question it was important to remember that the issue remaining in the wider case of Shah v HSBC after the previous decision of the Court of Appeal was a narrow one: did HSBC have a genuine suspicion at the time when the SARs were filed? Accordingly, the Shahs did not put forward a positive “case”; they simply sought to test the bank’s case that it did have such a suspicion. For that reason, the court ruled that the only circumstance in which the employee identities would be disclosable was if they adversely affected HSBC’s case.
The Shahs had stated that two employees of HSBC (“Ms S” and “Mr J”) might have had the motivation to make an internal AML report in bad faith. One had asked for a loan from Mr Shah and been refused; the other had received an abusive email from him after a transaction had been delayed. The Shahs submitted to the court that if any of the anonymous employees concerned in making an internal report turned out to be Ms S or Mr J, they might be able to allege bad faith.
Refusing disclosure, Lord Justice Lewison commented:
The more I listened to the explanation of why the claimants wanted the names, the more convinced I became that, to use the familiar cliché, this was a fishing expedition… [the Shahs] did not say that even if Ms S’s name was revealed as one of the sources [the Shahs] would be able to assert bad faith; merely that they might be able to do so. Even that possibility was only tentatively advanced. It is all speculation and surmise.
The court concluded that, absent a firm suggestion of bad faith by the Shahs, HSBC was entitled to withhold the identity of the staff concerned as being irrelevant to the matter under dispute. For that reason, the bank did not have to rely on the doctrine of public interest immunity.
Conclusion
This important judgment provides reassurance to employees of firms in the regulated sector of England and Wales that their identities will be protected if they make internal AML reports, unless there is a firm suggestion that in doing so they acted in bad faith. It also makes clear that there is no absolute requirement to disclose the identity of the MLRO who makes an external SAR, although as a regulated firm is now required to show that it had suspicion if its reporting is challenged, it may be that it will be necessary for the MLRO (if no one else) to come to court and explain why he made the report that he did.