The UK Office of Financial Sanctions Implementation (OFSI) recently issued its first “disclosure notice” and, on the same day, updated its guidance on UK financial sanctions enforcement.
In this blogpost, we look briefly at these developments and the key takeaways in relation to UK sanctions risk and compliance.
OFSI’s first use of its disclosure enforcement power: low value transactions may still be treated as ‘severe’ breaches; systems and controls are expected to be robust and well-resourced.
On 31 August 2023, OFSI for the first time used its “disclosure notice” powers to publish details of a financial sanctions breach by a named party, rather than imposing a monetary penalty (the Disclosure Notice). OFSI found that Wise Payment Limited (Wise) violated the prohibition on making funds available to a UK designated person, by permitting a £250 debit card cash withdrawal by a company owned or controlled by a UK designated person (the Designated Person). The withdrawal was made on 30 June 2022, the day after the Designated Person had been added to the UK sanctions list.
At the relevant time, Wise had a sanctions screening system in place and an initial profile suspension mechanism that was triggered by any sanctions screening alert in respect of a customer. However, when triggered, this mechanism did not extend to suspending the use of the customer’s debit card. Wise explained to OFSI that this approach was taken in light of its experience of a high false positive rate for sanctions alerts and that its “intention was to take into consideration both its regulatory requirement to pay due regard to the interests of its customers and treat them fairly, and its legal obligations to comply with financial sanctions”. Following the identification of the sanctions alert as being a likely true match to the Designated Person, there was a delay of a few days before Wise implemented a full blocking of the card and termination of the customer relationship. This was attributed to Wise’s sanctions team not operating a weekend service.
OFSI did not consider the breach to be sufficiently serious to impose a monetary penalty. However, the nature and circumstances of the breach were assessed as “moderately severe” and meriting the Disclosure Notice. In particular, OFSI considered that “Wise’s systems and controls, specifically its policy surrounding debit card payments, were inappropriate”. In explaining its decision to issue a disclosure notice rather than impose a monetary penalty, OFSI noted (among other things) that Wise had taken remedial actions including exiting the Designated Person as a customer, recruiting additional staff, introducing weekend working for its sanctions team, and changing its policy with respect to debit cards, such that both a customer’s account and any associated cards are immediately blocked upon receipt of a sanctions screening alert. Other mitigating factors in favour of Wise included the low value of the breach, the presence of voluntary disclosure and a lack of deliberate sanctions evasion.
A link to the Disclosure Notice is here. The Disclosure Notice is OFSI’s 9th published enforcement action (by way of penalty or notice) since 2019, of which 4 have been in relation to payments services businesses.
Guidance on OFSI’s disclosure enforcement powers: OFSI develops its guidance on enforcement; more granular compliance lessons may follow through further notices.
Shortly after publishing the Disclosure Notice, OFSI updated its Enforcement Guidance to include a chapter on OFSI’s powers to publish breaches where no monetary penalty is imposed. The guidance applies to all cases where a financial sanctions breach has taken place on or after 15 June 2022. The new Chapter 10 provides that:
- OFSI categorises financial sanctions breaches as being of lesser severity, moderate severity or sufficiently serious to justify a civil monetary penalty.
- Moderately severe cases are likely to be dealt with via a disclosure notice if OSFI considers a warning letter to be too lenient but a monetary penalty to be disproportionately punitive. Such disclosure notices will usually name the firm or individual who has committed the breach and provide a summary of the breach.
- A disclosure notice may be used where there are valuable lessons to be learnt for the industry and, exceptionally, where it is not in the public interest to issue a monetary penalty (e.g. humanitarian cases).
- Where OFSI intends to make a disclosure notice naming the party who committed the breach, OFSI will inform them prior to publication. OFSI will provide the party with 28 working days to make any representations in relation to the finding of a breach and intended publication of the case summary.
Takeaways
OFSI’s first Disclosure Notice and its updated Enforcement Guidance indicate OFSI’s intention to use the range of its available enforcement powers to cast a wider net against financial sanctions breaches, taking a rigorous approach to assessing breaches arising even from low-value transactions and closely scrutinising the robustness of sanctions compliance systems and controls.
OFSI’s disclosure notices will provide compliance lessons, providing helpful insights to businesses about the systems and controls OFSI expects to be in place. For example, the Disclosure Notice against Wise offers lessons in relation to the implementation of responses to sanctions screening alerts (even confirmation of ‘true matches’) and that alerts may need to be swiftly actionable throughout business operating times.
Businesses should consider the collateral consequences of even an inadvertent breach of the UK sanctions regime leading to OFSI enforcement, such as a disclosure notice. A disclosure notice brings reputational risk for businesses where the company and details of the breach are published. A disclosure notice may also trigger, or breach, terms of a company’s other contracts (e.g. covenants under financing agreements that require sanctions compliance). A company’s reporting obligations to other UK regulatory or enforcement agencies, such as the FCA and/or the NCA should also be kept in mind.
For regulated firms in the financial services sector, the FCA also takes a concurrent interest in sanctions evasion and controls as a key priority in its financial crime agenda. This is reflected in the FCA’s recent assessment of over 90 firms’ sanctions systems and controls. The FCA published its findings of good and poor practice here. The FCA’s key findings include the need for sanctions screening tools to be properly calibrated to the UK sanctions regime and to the level of risk faced by a firm. In some cases, the FCA noted an overreliance on third party sanctions screening providers with ineffective oversight over them. It also emphasised the need to make timely and accurate reporting on potential sanctions breaches to the FCA.