Disclosure orders in financial crimes
If your money has gone to a bank account, a payment processor or a crypto exchange that you do not recognise, and the name on the account means nothing to you, you are in the right place. The bank cannot tell you who is behind the account without a court order. This page sets out how we get that order for you, and what we do alongside it to find out who is actually behind the money.
There are three routes to the solution. The first is a Norwich Pharmacal order against a UK bank, where your funds landed in a UK account. The second is the same order against a UK payment processor or digital wallet such as Stripe, Wise, Revolut or PayPal. The third is the US route, where your money has crossed over into a US bank, processor or crypto exchange and we need a US subpoena to reach it. Whichever route applies, the most important thing you can do is to get in touch with us early. The earlier we hear from you, the more options we have. The same identification toolkit drives our wider note on how to unmask someone behind anonymous online posts.
What it looks like when the trail goes cold
It usually plays out in a familiar way. You are tricked into transferring money to an account you believed was genuine. The instruction looked completely normal at the time. The trick might have been a fraudulent email about a "new" bank account for a supplier you regularly pay (invoice redirection), a spoofed message from a senior colleague at your own company (CEO impersonation), an investment platform that looked legitimate up to the moment you tried to withdraw, or a marketplace transaction where your buyer's payment landed with someone who never sent the goods.
By the time you realise, the money has gone. You know the account it was paid into, and sometimes the next account the funds were moved on to. The name on the account either means nothing to you or is clearly a front. The bank, the processor or the exchange holds the information that would tell you who is behind the account, but it cannot share it with you without legal authority.
That legal authority is a court order. Each of the three routes below uses one.
Norwich Pharmacal orders against UK banks
If your money landed in a UK clearing bank (HSBC, Barclays, Lloyds, NatWest and the rest), this is the first route we look at with you. The Norwich Pharmacal jurisdiction is the main civil tool for getting information out of a bank that has become innocently mixed up in someone else's wrongdoing. The principle comes from Norwich Pharmacal Co Ltd v Customs and Excise Commissioners [1974] AC 133 and has been developed by the courts in many cases since.
We have done this work many times. The UK banks have specialist teams that respond to these applications routinely, and where we have drafted yours properly, the bank tends not to oppose. The order is then granted on the documents rather than at a hearing, which keeps your cost down and the turnaround time short. For the general framework (what the court looks for, what the bank typically discloses, how the application is run on paper rather than at a hearing), see our note on Norwich Pharmacal orders.
What we ask the bank to disclose is the name and address it has on file for the account, the date the account was opened, the identification documents the bank holds, the record of where your money went after it arrived, and any other contact details on file. What the bank gives back is what sets up the next step for you. If the money has been moved on to another account, that next account becomes the next disclosure target.
UK payment processors and digital wallets
If your funds landed at a payment processor or a digital wallet rather than at a clearing bank, the route is the same in shape but the institution will respond differently. Stripe, Wise and Revolut are the names that come up most often in our matters, and PayPal and the smaller e-money institutions feature regularly too. The underlying authority is still the Norwich Pharmacal jurisdiction.
Payment processors and e-money institutions tend to take longer to respond than the clearing banks, and their disclosure schedules sometimes need pushing on. We ask for the account holder data, the verification documents (where the institution did proper KYC at all), the IP and device fingerprint of the account opening and the onward transactions. Where the processor is regulated in the UK, the order binds it in the usual way. Where the entity sits in another EU jurisdiction or in the US, the route shifts to the US side, which is the next section.
The smaller e-money institutions are the ones to watch. Lighter KYC at account opening, faster transfers, easier onward routing into crypto. We draft the application knowing the account holder details on file may already be partial or stale by the time the disclosure comes back, and we plan around that.
The US side: § 1782(a) and direct subpoenas against US banks, processors and crypto exchanges
If your money has moved into a US institution, the English order does not reach it directly. We then have two routes.
The first is an application under 28 U.S.C. § 1782(a) in the relevant US District Court. The § 1782(a) jurisdiction is the federal mechanism for US court assistance to support foreign proceedings: it takes your English court order or your English civil claim and supports it with US legal process directed at the US institution. The second is a direct US subpoena in existing American proceedings, used where you already have, or are willing to begin, an action in a US court that can issue subpoenas in the normal course. For a fuller treatment of the US-side mechanics, see our note on disclosure from USA websites and companies.
US banks, US-side processors (Stripe US, PayPal US, Wise US) and the major US crypto exchanges (Coinbase, Kraken, Gemini and others) all respond to properly served subpoenas. The exchanges have specialist legal-process teams and a documented disclosure path. Our colleagues in California handle the US filing on a referral basis where your matter requires it.
Tracing crypto theft
If your money has been moved into a cryptocurrency wallet, the first thing to know is that it is not necessarily gone. As you may be aware, the public blockchain is visible by design. Every transaction in BTC, ETH and the major stablecoins (USDT, USDC) is recorded permanently and can be traced through the addresses the funds pass through.
The first thing for you to do is to get in touch with us early. Once we have an idea of where the funds have travelled and which exchange they have ended up at, we then consider together with you whether an emergency freezing element directed at the exchange is needed to hold the funds in place while the rest of the steps catch up. Every hour matters once crypto starts moving.
We act on the range of crypto theft scenarios that reach us. Investment-platform scams where the platform looked legitimate up to the moment you tried to withdraw. Romance and pig-butchering scams that route through stablecoin wallets. Compromised exchange accounts where the funds were swept onward by an attacker. Rug-pull tokens where the developer empties the liquidity pool the moment the price is high enough. We then run three things in parallel: on-chain analysis to follow the funds through addresses and mixers (and the trail can often be picked up again on the other side of a mixer), court orders against the exchange where the funds eventually cashed out, and the OSINT layer that connects the address clusters and the exchange-account data to the people behind the operation.
How OSINT and court orders work together for you
The court order is what authorises the disclosure. Open-source intelligence is what turns the disclosure into actionable identification for you. The full method is set out on our note on how we identify anonymous internet users using open-source intelligence. The two are paired tools, and neither on its own gets you all the way.
The order produces the formal record: the name on the account, the address given at opening, the KYC documents, the onward transaction trail. That is the starting point. The name may belong to a money mule recruited online. The address may be a short-term let or an accommodation address. The KYC documents may be authentic for the named holder, but the holder may have nothing to do with your fraud beyond accepting a small fee to receive funds.
OSINT is what bridges from the disclosed record to the people who actually took the decisions. We cross-reference the disclosed data against what is publicly available: Companies House records, directorship history, registered addresses, social media profiles, the registration footprint of any associated domain, the onward transactional trail. Each data point is checked against the others until the picture of who is behind your matter is firm enough to act on.
The bank disclosure identifies the account. The open-source work identifies the people. The two together are the difference between knowing where your money went and knowing who took it.
Many firms that do follow-the-money disclosure get the court order and stop there. The OSINT layer we run alongside the order is the part that makes the difference between a name on a piece of paper and a picture of the operation behind your fraud.
A worked example: international invoice fraud against an HSBC account
For a fuller worked example of these three routes in action against a single matter, see our case study on how we combined a Norwich Pharmacal order against HSBC with OSINT to identify the people behind an international email fraud. The short version is that our US-based client was tricked into paying more than US$200,000 into a UK HSBC account on the strength of a fraudulent email about "new" UK subsidiary banking details. We obtained the Norwich Pharmacal order against HSBC on paper, took the disclosure that came back, ran it through the OSINT layer (Companies House, social media, domain registration history, onward transaction trails) and built the wider picture of who was behind the scheme. The matter is now with the Metropolitan Police, where the criminal investigation is ongoing.
That case sits in the first of the three routes (UK banks). The same approach scales to the second (payment processors and digital wallets), to the third (US institutions) where the trail crosses jurisdiction, and to crypto where the funds have moved into a wallet.
What it costs
The figures below are the floors we work to across our disclosure cluster. Every matter varies, and a precise quote follows the initial assessment with you.
| Stage | From | What it covers |
|---|---|---|
| Initial assessment | Fixed fee on enquiry | A one-hour call (or video call) with a solicitor: what has happened, what you have tried, what the realistic options are, an honest costs range and a recommendation on whether to proceed. |
| OSINT identification work | £2,500 | Structured open-source pass on what is publicly available: usernames, profile footprints, reverse image, public registers, Companies House, regulated investigative databases. |
| Disclosure application where the platform or institution does not oppose | £5,000 | Drafting and filing of the Norwich Pharmacal application, engagement with the platform or institution's legal-process team and progression to a consent order on paper. |
| Contested Norwich Pharmacal application | £10,000 | Part 8 application, witness statement, exhibits, draft order, contested hearing, service on the platform or institution. |
| US side: § 1782(a) or direct subpoena | £12,000 | Coordination with our US counsel in the relevant District, supporting English witness statement, downstream English action plan once the US disclosure is received. |
You will usually also pay the platform's or institution's reasonable costs of compliance on top of our fees, which is worth factoring into the budget at the outset.
Lawyers' thoughts on follow-the-money disclosure
The financial-fraud landscape has changed in the last few years. The classic invoice-redirection and CEO-impersonation frauds are still the bulk of the matters that reach us, but the money trails behind them are more often routed through fintech and crypto than through the high-street clearing banks. That has two practical consequences for what we do for you.
The first is that the application has to be drafted with the specific institution in mind. A Norwich Pharmacal application against HSBC is one thing. The same application against Wise, Revolut or a US-based crypto exchange is drafted differently because the institution's compliance posture, its KYC depth and its disclosure path are different. The schedule of disclosure has to map to what the institution can realistically produce.
The second is that the response has to start quickly. Stolen funds rarely sit in the recipient account for long. The longer the gap between you discovering the fraud and the application going in, the more likely it is that the money has moved on, been withdrawn or dissipated into a chain of accounts that becomes harder to follow. Where the cross-border element is serious, time-sensitive evidence such as IP and telephone metadata can fall outside the window in which it is still accessible. Speed matters more than almost any other factor in this kind of matter, which is why we keep saying it: get in touch early.
The point that ties it all together is that the civil disclosure leads the criminal investigation, not the other way round. The criminal route follows once the picture is firm enough to be useful to the police, the prosecutors or, in cross-border matters, the foreign authorities. The civil work is what builds that picture. For the wider pattern of choosing the right disclosure instrument across platforms and routes, see our notes on how to unmask someone behind anonymous online posts, on how to get a disclosure request through to Google and on what to expect when you instruct a disclosure lawyer.
