End of the “No Consent Regime”? Implications for Cyber Fraud Victims and Financial Institutions

In Tam Sze Leung & Ors v Commissioner of Police [2021] HKCFI 3118, the Court of First Instance held that the Hong Kong Police’s practice of issuing “Letters of No Consent” (“LNCs”) to banks and financial institutions to informally freeze bank accounts suspected of containing proceeds of crime (“the No Consent Regime”) is unconstitutional.

Considering the prevalence of cyber fraud in Hong Kong, such judicial development may have far-reaching implications on how victims could seek recovery of funds and how financial institutions should manage financial crime risks.

Facts

The Applicants in Tam Sze Leung were subject to the Securities and Futures Commission’s investigation for suspected stock market manipulation. The Police informed the relevant banks of the suspected unlawful activity and requested the banks to file suspicious transaction reports (“STRs”) so that the Commissioner of Police (“Commissioner”) could issue LNCs. LNCs were then issued and remained in place for a period of roughly 10 months, causing the Applicants’ bank accounts to be frozen.

The Applicants challenged the constitutionality of the No Consent Regime by way of judicial review. The Court held that the Commissioner’s No Consent Regime as operated is (1) ultra vires; (2) not prescribed by law; and (3) a disproportionate interference with rights, in particular the right to the use of property.

What is the No Consent Regime?

Under s. 25 of the Organised Serious Crimes Ordinance (Cap. 455) (“OSCO”), it is an offence to deal with property known or reasonably believed to represent proceeds of crime. s. 25A of the OSCO requires any person to make a disclosure to the Joint Financial Intelligence Unit by STRs if they know or suspect the property to be proceeds of crime.

In practice, the filing of STRs would trigger the Commissioner to issue LNCs to banks and financial institutions, stating that the Commissioner does not give the financial institution consent to deal with the funds. The issuance of LNCs would in effect procure the financial institution to freeze the relevant accounts, and in doing so provide a cost-effective measure for cyber fraud victims to preserve traceable assets at an early stage of investigation.

The way forward following Tam Sze Leung

Despite holding the No Consent Regime to be unlawful, the Court has not yet granted any relief to the parties in Tam Sze Leung and the case may be subject to appeal. Furthermore, the legislature or the Law Reform Commission may suggest amendments to the No Consent Regime to render it compatible with the present constitutional framework. The full ramifications of Tam Sze Leung are yet to be seen.

Banks and financial institutions

Meanwhile, banks and financial institutions remain obliged to comply with the OSCO. Bearing in mind the possible criminal liability, following Tam Sze Leung, banks and financial institutions should continue to carry out stringent assessments on transactions, make disclosures on suspected proceeds of crime, and exercise independent judgment on whether to freeze suspicious bank accounts.

Victims of cyber fraud

It is important to seek prompt legal advice if you discover you (or your business) are the victim of a cyber fraud. Pending a decision from a higher court and/or amendments to the No Consent Regime, cyber fraud victims may no longer rely on the informal freeze under the issuance of LNCs. They should give due consideration in resorting to alternative means of preserving traceable assets at an early stage.

Experience shows that the first 24 hours after any unauthorised transfer is the “golden period” for recovery of funds. Victims of cyber fraud should consider taking the steps below immediately upon discovery of a fraud:

• Contact the transferring bank to request a stop on the transfer, or to request a recall of the transfer;
• Report the fraud to the police of where the transferring bank and receiving bank are situated;
• Obtain a mareva (or freezing) injunction order to preserve traceable assets (and if necessary, on a worldwide scale); and
• Commence civil proceedings without delay.

If you need any assistance on cyber fraud matters, please do not hesitate to get in touch.