This Note is the second part of our look at regulatory expectations for sanctions compliance in the U.K. The first part of our review looked at Financial Conduct Authority (“FCA”) systems and controls requirements. The focus of this second part is on due diligence. A link to our first Note is here: FCA Systems and Controls

Due diligence for sanctions compliance purposes throws up particular challenges. Screening your immediate client is just the starting point. There is increasing focus in the sanctions world on circumvention issues so that greater scrutiny needs to be applied in higher risk situations. The use of proxies or enablers to front relationships and transactions or to hold assets for designated persons means that firms need to take a more rigorous approach to sanctions due diligence.

We set out below Ten Key Principles for Due Diligence based on the guidance that has been issued. We first of all set out the background to U.K. regulatory expectations.

FCA, NCA, and OFSI expectations

The need to perform due diligence for sanctions compliance purposes arises in a number of different contexts. This can be to screen clients or prospective clients to ensure that they are not (and are not owned or controlled by) a designated person under applicable sanctions regimes. However, diligence can also arise in other contexts including with respect to trading counterparties and businesses involved in M&A transactions.

The FCA has clarified that wilful blindness in relation to sanctions checks will be considered a “red flag for complicity” in sanctions offences.^[1] Firms must therefore be able to demonstrate a proactive approach to avoid an inference that they have deliberately failed to ask the right questions.

The FCA has identified the issue of screening, at onboarding and on an ongoing basis, to be an area of particular concern.^[2] In addition to screening, it is important for firms to understand methods commonly used to circumvent sanctions so that processes are in place to identify these fact patterns and additional scrutiny can be applied. The recent U.K. Red Alert on “Gold-based Financial and Trade Sanctions Circumvention”,^[3] for example, states that traders in the gold market should ensure that as part of their due diligence they are aware of the common circumvention techniques as well as the risks and obligations in relation to Russia sanctions and gold.

The FCA’s expectations are echoed by other authorities with responsibility for sanctions compliance.

In March 2023 the U.K. Office of Financial Sanctions Implementation (“OFSI”) amended its Guidance to make it clear that, where there has been a breach of sanctions legislation, a failure to carry out appropriate due diligence will be an aggravating factor when determining the appropriate enforcement response. The National Crime Agency (“NCA”) has also issued guidance which emphasises the importance of undertaking appropriate due diligence.

Challenges to performing adequate diligence

The implementation of due diligence measures faces two main challenges.

The first is that, as recognised by the NCA, designated persons can go to considerable lengths to conceal their association with entities and assets, often retaining control through trusted proxies and enablers.^[4] This makes their identification a much more difficult task. Whilst effective screening should detect straightforward cases, it may not detect cases where ownership and control are indirect and more nebulous. As noted later in this alert, there is judicial support for the view that “it is not the intent for complex investigations to have to be made or evidence gathered”. On the other hand the introduction of strict liability for sanctions offences creates an incentive for firms to ensure that sufficiently rigorous diligence processes are in place to mitigate the risk of inadvertently contravening requirements.

The second challenge is that there is no single reference point for assessing which specific due diligence measures are or might be required. As recognised by the Joint Money Laundering Steering Group (“JMLSG”), “[t]he international and U.K. legislative frameworks for financial sanctions do not prescribe the processes which firms have to adopt to achieve compliance with their legal obligations”.^[5] This can be contrasted with the AML regime where the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR”) set out prescriptive requirements for due diligence.

Absent clear legal rules, it is necessary to turn to the applicable guidance. This is multifaceted and comprises a number of different layers, including: OFSI’s General Guidance for Financial Sanctions and Enforcement and Monetary Penalties for Breaches of Financial Sanctions Guidance (“the Penalties Guidance”); Chapters 1, 2 and 7 of the FCA’s Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks (“the FCG”); Section 4 of Part III of the JMLSG’s guidance on the Prevention of Money Laundering/Combating Terrorist Financing (described in the FCG as “a chief source of guidance for firms on this topic”)^[6] (“the JMLSG Guidance”); the Joint Statement from U.K. Financial Authorities on Sanctions and the Cryptoasset Sector (“the Joint Statement”); and the NCA’s Red Alert on Financial Sanctions Evasion Typologies: Russian Elites and Enablers (“the Red Alert”).

A further challenge is that the guidance provided by regulators and law enforcement is broadly worded and in qualified terms. For example, the Penalties Guidance emphasises that “OFSI does not prescribe the level of due diligence to be undertaken to ensure compliance”.

Similarly, the JMLSG Guidance seeks to provide “an indication” of the types of controls and processes which firms might adopt but it is not intended to prescribe the manner in which firms must comply with the sanctions regime “as much will depend on the nature of the customer base and business profile of each individual firm”.^[7]

Ten key principles for due diligence

OFSI’s amendment to the Penalties Guidance has nevertheless provided some helpful clarification in this regard and presents a good opportunity to stand back and extract some principles:

1. A risk assessment is an essential starting point for all financial crime compliance programmes. In the FCA’s Financial Crime Thematic Reviews (or “FCTR”) part of the FCA Handbook, the FCA recommend as good practice “Conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions” (FCTR at 8.3.2G). As already mentioned above, due diligence needs to be considered at different stages of the client and transactional relationship. A risk assessment will assist in identifying trigger points for performing diligence.
2. Effective and up-to-date screening measures must be used which are appropriate to the nature, size and risk of the business. Several examples of good practice are provided in FCG 7.2.3G and paragraphs 4.62 – 4.85 of the JMLSG Guidance. It is clear from guidance feedback provided by regulators and law enforcement that a broad approach needs to be taken to screening. For example, merely screening shareholders of a client will not be sufficient for sanctions compliance given concerns around circumvention and use of proxies by designated persons.
3. Screening alone is not sufficient. Nor is it permissible to rely on assurances from others that a person is not a designated person or owned or controlled by a designated person.
4. Due diligence measures which have been developed to identify persons and monitor transactions under the MLR can assist with compliance, but firms will need to implement additional sanctions-specific controls as appropriate.^[8] There are important differences between the two regimes. For example, the test for whether a person exercises control over an entity for the purposes of the sanctions regime is different to the test for whether a person is a beneficial owner for the purposes of the MLR.
5. There are two overarching questions which are common across both regimes: “am I sure all parties are who they say they are?” and “does the matter make sense?”^[9]
6. A record should be kept of the decision-making process. The Penalties Guidance identifies (at paragraph 3.25): “OFSI would expect to see evidence of a decision making process that took account of the sanctions risk and considered what would be an appropriate level of due diligence in light of the risk”.
7. Particular care must be taken with corporate entities.^[10] Due diligence on non-natural persons is inherently more difficult. The Penalties Guidance confirms (at paragraph 3.25) that “OFSI expects careful scrutiny of information obtained as part of any ownership and control assessments” and (at paragraph 3.26) that “[d]epending on the circumstances, OFSI may consider demonstration of any and/or all of following efforts as potentially mitigating”:

• An examination of the formal ownership and control mechanisms of an entity. Paragraph 3.29 of the Penalties Guidance lists some specific areas of enquiry (although OFSI emphasises that the list is not exhaustive and “each case will depend on its individual circumstances”), including examination of: percentage of shares and/or voting power of shareholders; ownership and distribution of other shares in a company; whether ownership/shareholding has recently been altered or divested; composition and split of shares; whether changes to ownership and/or control were part of a pre-planned or wider business or financial strategy; commercial justification for complex ownership and control structures; and constitutional documents and shareholder agreements.
• An examination of the actual (or the potential for) influence or control over an entity by a designated person. Again, paragraph 3.29 of the Penalties Guidance lists some specific (non-exhaustive) areas of enquiry, including examination of: indications of continued influence (e.g., through personal connections and financial relationships); involvement of proxies and trusts associated with a designated person; if shares or ownership interests of a designated person have been divested, the nature of any relationships and prior involvement of the person benefitting; funding and valuation of any recent share transfers; operational steps taken to ensure that the designated person cannot exercise control or benefit from assets; information relating to the circumstances of board and/or management appointments and the running of board meetings and governance processes; ongoing financial liabilities directly related to a designated person (e.g., personal loans, loan guarantees, property holdings); any shareholding or voting agreements, put or call options, or other coordination agreements with a designated person; and any benefits conferred to the designated person by the entity or transactions between the entity and the designated person.
• Open-source research on the entity and “any persons with ownership of, or the ability to exercise control over” the entity, together with an examination of whether such persons are, or have links to, designated persons.
• Direct contact with the entity and/or other relevant entities to “probe” into indirect or de facto control (including, where appropriate, seeking commitments by U.K. persons as to the role of any designated person or person with links to a designated person).

8. Reference should be made to common typologies of sanctions evasion, including the list of “indicators” in the Red Alert and the “red flags” in the Joint Statement. The Penalties Guidance emphasises (at paragraph 3.25) that particular care must be taken where “efforts appear to have been made by designated persons to avoid relevant thresholds”.
9. Where relationships or activities are ongoing, due diligence must be reviewed at appropriate times. As emphasised at paragraph 3.30 of the Penalties Guidance, “[o]wnership and control is not static” and OFSI will consider the regularity of checks and/or monitoring.
10. Whilst it is essential that due diligence is carried out carefully and thoroughly, it has been judicially emphasised that “it is not the intent for complex investigations to have to be made or evidence gathered—because the list should generally set out the persons targeted”: PJSC National Bank Trust v Mints [2023] EWHC 118 (Comm) at [244].

It remains to be seen how, and how often, OFSI, the FCA, and the NCA will enforce compliance in this area. However, given the importance of effective due diligence measures in upholding the sanctions regime, it can expected that enforcement will be pursued with increasing vigour.