Introduction

Enforcement and legal risks relating to sanctions compliance remain high and all firms should continue to exercise care in meeting regulatory expectations. The promulgation of new sanctions relating to Russia has slowed but geopolitical events point to the extension of sanctions in other areas. Firms also continue to grapple with new issues as relationships and transactions are restructured over time and it becomes less tenable to maintain the ossified state that prevailed in the immediate aftermath of the early wave of Russia sanctions in 2022. The recent enforcement case brought against Wise by the U.K. Office of Financial Sanctions Implementation (“OFSI”) is a reminder of the enforcement risks. In addition to this both the Financial Conduct Authority and the European Commission have issued guidance on their expectations for the financial sector.

This client alert looks at systems and controls requirements and due diligence procedures that financial institutions should be considering. We have broken this down into two parts with due diligence procedures to follow in Part 2.

It is worth noting that while much of the focus in recent months has understandably been on Russia, the lessons learnt from the Russia sanctions experience should be applied across all sanctions regimes, including stress testing firms’ exposure to the potential expansions of sanctions compliance requirements to other jurisdictions such as in relation to China.

OFSI’s role and new enforcement powers

Armed with its new powers under the Economic Crime (Transparency and Enforcement) Act 2022 (the “Economic Crime Act”), and with the number of breach cases on an “upwards trajectory”,^[1] OFSI has been “scaling up” to over 100 full-time employees, “accelerating and enhancing the ambitious transformation programme OFSI already had underway”.^[2]

OFSI gained powers under the Economic Crime Act to issue fines for breaches of sanctions on a strict liability basis. Prior to the changes introduced under the Economic Crime Act, in order to impose a financial penalty for a breach of financial sanctions, OFSI had to be satisfied that the offender knew or had reasonable cause to suspect that their conduct involved a contravention of sanctions. Under the changes introduced by the Economic Crime Act, OFSI can impose a civil penalty merely on the basis that a person has performed an act that constitutes a sanctions contravention and there is no requirement to prove knowledge or intent.

In relation to the Wise enforcement matter, on 31 August 2023 the OFSI issued a Disclosure Report. This is a type of formal enforcement action disclosing matters constituting a breach of sanctions but not imposing a financial penalty. The enforcement action has attracted criticism given that the Disclosure related to a cash withdrawal of only £250 owned or controlled by a designated person. The matter was self-reported to OFSI. The nature and circumstances of the breach were assessed as moderately severe and in OFSI’s view justified the issue of the Disclosure.

The Financial Conduct Authority (“FCA”)

The FCA has “increased [its] assessment work on sanctions controls to pro-actively test compliance”,^[3] equipped with a new analytics-based big data tool.^[4] Last year, the FCA reviewed nearly 100 suspected sanctions breaches and conducted 38 proactive assessments looking at firms’ systems and controls.^[5] It is also worth noting that the National Crime Agency (“NCA”) has “surged” officers into its Combating Kleptocracy Cell.^[6] In addition, OFSI, the FCA, and the NCA are “working . . . more closely than ever to provide joined-up enforcement across government”.^[7]

A central focus of this enforcement agenda is on whether regulated firms have in place appropriate systems and controls. On the same day that the Prime Minister announced the first tranche of sanctions in response to Russia’s invasion of Ukraine on 22 February 2022, the FCA issued a statement which emphasised that firms must have established systems and controls to counter the risk that they might be used to further financial crime and that “this includes compliance with financial sanctions obligations”.^[8] The FCA has subsequently confirmed that, whilst OFSI is responsible for enforcing breaches of the sanctions regimes (which may arise from a failure to have appropriate systems and controls), the FCA may consider taking action “outside” any potential enforcement action taken by OFSI where there is a material weakness of a relevant financial crime system and/or control.^[9] A number of systems and controls should be in place, including appropriate: governance, management information, organisational structure, risk assessment, policies and procedures, training, and reporting.

FCA—Good and Bad Practice

On 6 September 2023 the FCA issued guidance on Good and poor Practice relating to sanctions systems and controls: firms’ response to increased sanctions due to Russia’s invasion of Ukraine (the “Guidance”). This set out key findings from the FCA’s assessments of sanctions systems and controls in financial services firms.

In the Guidance the FCA recognises that the sanctions promulgated since February 2022 have been of “unprecedented size, scale and complexity” and the Guidance suggests some sympathy for firms in having to adapt rapidly to a changing environment. At the same time, well over a year has elapsed since the most recent wave of sanctions relating to Russia’s conflict with the Ukraine and the calling out of poor practice by FCA-regulated firms suggests that the FCA will have limited tolerance for deficient systems and controls.

While the FCA’s work has been driven by the recent Russia-related sanctions, the Guidance sets out important feedback across all sanctions regimes. Given the dynamic geo-political environment and the use of financial and trade sanctions as a policy tool, firms should ensure that they operate compliantly across all sanctions regimes. Some of the key issues focused on by the FCA are set out below.

Governance and oversight

Senior management of firms are of course ultimately responsible for compliance with sanctions and other legal and regulatory requirements. The FCA notes that it looks to firms’ senior management and, where applicable, those holding Senior Management Functions under the SMCR to have oversight of firms’ systems and controls to ensure compliance with U.K. sanctions. The FCA clearly signposts the potential for individual liability for systems and controls failings.

In relation to specific requirements, the FCA expects senior management of regulated firms to be provided with appropriate management information (“MI”) and to have a detailed understanding of sanctions compliance processes. The FCA identified instances where senior management were not given sufficient MI to enable them to discharge their responsibilities appropriately. This included where multinational firms sought to rely on systems and processes used in other jurisdictions. The FCA’s concerns extended to limited understanding by U.K. management of sanctions screening and risk management tools used in the wider group and inadequate oversight of U.K.-related functions undertaken by globally run teams outside the U.K.

Stress testing and horizon scanning

It is clear from the Guidance that the FCA expects firms to horizon scan and to assess their potential sanctions exposure both to the expansion of existing sanctions regimes and to the extension of sanctions to new jurisdictions and regimes.

The FCA noted in the Guidance that several firms had conducted risk exposure assessments and scenario planning in advance of the Russian invasion of Ukraine. The FCA considered this horizon scanning and scenario planning to be an important process for firms to adopt as part of their risk management procedures.

Skills and resources

An area of focus of the FCA was on resourcing.

The FCA identified that many firms had significant backlogs in the assessment, escalation, and reporting of alerts from the screening of names and payments. The FCA said that these backlogs continued in some instances for a significant time due to a lack of appropriate resources. The Wise case brought by OFSI, referred to above, involved the withdrawal of cash in the period between the firm’s systems generating an alert for a sanctions hit and the firm identifying that alert as a positive match. It is clear that the U.K. authorities expect firms to resource their compliance functions appropriately to be able to process sanctions alerts promptly.

Screening capabilities

The Guidance states that the FCA saw several instances where firms lacked understanding of how their sanctions screening tools were calibrated and when lists were updated. It is clear from the Guidance and enforcement action that the FCA has previously taken that the FCA expects firms to have a detailed understanding of settings on screening and other automated monitoring tools and to ensure that these settings are appropriate for the firm.

Customer Due Diligence (“CDD”) and Know Your Customer (“KYC”)

CDD and KYC are key foundations to sanctions compliance. If firms fail to obtain the right information as part of these processes, sanctions screening will be ineffective. For example, if firms do not collect appropriate beneficial ownership information for CDD, there is a risk that a client that the firm services is owned or controlled by a designated person.

The FCA identified in its guidance weaknesses in sanctions processes caused by low quality CDD and KYC assessments and backlogs.

Reporting breaches to the FCA

The FCA emphasised the need for firms to make timely and accurate reporting to it on potential sanctions breaches. Firms that know or have reasonable cause to suspect a breach of financial sanctions must report to OFSI and notify the FCA.

European Commission

It is clear that these matters are of concern to EU authorities as well. The European Commission has recently issued Guidance for EU Operators: implementing enhanced due diligence to shield against Russia sanctions circumvention. Similar themes emerge from this including for firms to identify threats and vulnerabilities, perform a risk assessment, design mitigating measures, implement these measures and perform regular updating.

Firms should therefore continue to monitor they systems and controls for sanctions compliance. Regulatory expectations are high.