UK OFSI Uses Disclosure Power as FCA Reviews Sanctions Compliance Systems
On 31 August 2023, the UK Office of Financial Sanctions Implementation (OFSI) used its new disclosure enforcement power for the first time, issuing a report against Wise Payments Limited for breach of financial sanctions. The use of this power is a significant step in OFSI’s efforts to ensure compliance with the UK’s financial sanctions regime and deter future breaches. In addition, OFSI has updated its monetary penalties guidance, shedding further light on how it will use the disclosure power in the future.
The UK Financial Conduct Authority (FCA) also has published a review assessing the systems and controls relating to sanctions compliance for more than 90 financial services firms in a range of different sectors, including banking, wealth management, insurance, electronic money and payments.
OFSI’s disclosure power
OFSI’s disclosure power was introduced as an enforcement tool last year under the Economic Crime (Transparency and Enforcement) Act 2022. It allows OFSI to publish information about financial sanctions breaches – including details of those who committed the breaches and the circumstances of the breach – where OFSI considers that the breaches are not serious enough to justify a civil monetary penalty.
Wise’s sanctions breach
In July 2022, Wise reported a suspected breach of financial sanctions to OFSI following a £250 cash withdrawal made from a Wise business account held by a company owned or controlled by a designated person, using a debit card held in the designated person’s name.
Wise explained that after the designated person was added to the UK sanctions list, Wise’s systems raised an alert, and the account associated with the designated person was suspended. However, at the time when the money was withdrawn, activity on the debit card was not restricted, allowing the £250 withdrawal. Wise clarified that the lack of restrictions imposed on debit card access was due to the high number of false positives for sanctions alerts – and Wise’s desire to balance its regulatory requirement to consider its customers’ interests with its legal obligation to comply with financial sanctions.
By permitting the withdrawal and making funds available to an entity owned or controlled by a designated person, Wise was in breach of financial sanctions. Furthermore, OFSI explained that there was an internal alert raised with Wise’s sanctions specialist team on a Friday, but that team did not operate on the weekend, so the customer was not exited until the following Monday.
Disclosure in Wise case
OFSI determined that no monetary penalty was warranted. However, despite the low value of the breach (£250), the disclosure of this case was justified as the case was considered ‘moderately severe’ overall. Additionally, OFSI found that Wise’s policy regarding debit card payments was inappropriate. The lack of staff operating at the weekend also caused a significant delay in proper restrictions being placed on the designated person’s account and debit card.
In making the disclosure and the lack of imposition of monetary penalties, OFSI considered several mitigating factors, including the voluntary disclosure, the low value of the breach, the remedial actions taken (such as introducing weekend working for the sanctions team and exiting the designated person as a customer), and a lack of evidence of deliberate sanctions evasion.
Notes on compliance
In the report, OFSI highlights the importance of addressing identified sanctions risks promptly, as well as maintaining proportionate sanctions screening and alert review functions. OFSI further underlines the value of voluntary disclosure, which may be considered a mitigating factor. The notes also reiterate the need to freeze funds, not deal with them, and report them to OFSI as quickly as possible where such funds or economic resources belong to a designated person.
Following publication of its first disclosure, OFSI has updated its guidance on monetary penalties and enforcement to provide more detail on how OFSI categorises breaches, noting that moderately severe cases where no monetary penalty has been imposed are likely to be dealt with via a disclosure, if a warning letter would be too lenient. It also highlights that a disclosure may be made in cases where there are valuable lessons for industry or where it is not in the public interest to issue a monetary penalty.
In parallel, the FCA also recently published a review assessing the sanctions systems and controls of more than 90 financial services firms. The review identifies good practice carried out by several of the firms, including risk exposure assessments and scenario planning in advance of the Russian invasion of Ukraine and appropriate calibration of sanctions screening tools. The FCA also identified the key areas for improvement, as summarised below.
- Senior management’s oversight of sanctions risks: Managers often were identified as having insufficient management information to discharge their responsibilities.
- Global sanctions policies: In some international firms, global policies lacked sufficient focus on the UK sanctions regime.
- Over-reliance on third-party sanctions screening tools: Firms often lacked an understanding of how their sanctions screening tools worked and were updated.
- Contingency planning: Firms which had conducted a risk assessment of their exposure to Russia and developed contingency plans were better placed to introduce risk-reducing measures.
- Sanctions screening backlogs: Many firms had significant backlogs in the assessment, escalation and reporting of alerts from sanctions screening.
- Screening capabilities: Some firms had incorrectly calibrated sanctions screening tools so that they were either too sensitive or not sensitive enough.
- Assessment quality concerns: Many firms’ Customer Due Diligence and Know Your Customer assessments were found to be of low quality.
- Reporting to the FCA: Inconsistencies were identified in reporting to the FCA, including delays and failure to report at all.
Whilst focused on the financial sanctions sector, the FCA’s report has wider application and provides useful guidance for all companies on how to avoid potential vulnerabilities in their sanctions compliance measures. It reinforces that designing effective sanctions compliance policies and processes need to be carefully calibrated to the risks and needs of the relevant organisation.
- The disclosure represents a significant step in OFSI’s enforcement of financial sanctions.
- It highlights that businesses should be aware that, even if there is a low-value breach of sanctions, they may suffer reputational costs due to the publication of information regarding the breach.
- Businesses can seek to avoid this risk by adopting robust sanctions policies and screening procedures that are reviewed and updated regularly to ensure full compliance with UK and international sanctions regimes.
- Where a sanctions breach is detected, businesses should consider disclosing it promptly to OFSI to mitigate any monetary penalties and associated reputational impact.
- All firms – especially FCA-regulated businesses – should consider the FCA’s review findings to identify areas for improvement in their sanctions systems and controls and ensure compliance.