UK OFSI issues first 'disclosure notice' censuring sanctions breach
Published on 19th Sep 2023
Decision provides guidance on compliance as Financial Conduct Authority issues its own sanctions-compliance findings
Sanctions compliance continues to challenge businesses operating in the UK and particularly those in the payments and fintech sectors. Those challenges are likely to be amplified by the Office of Financial Sanctions Implementation (OFSI), which recently exercised new enforcement powers and the publication of guidance by the Financial Conduct Authority (FCA) following its review of the compliance across the financial sector.
Disclosure notice
The Economic Crime (Transparency and Enforcement) Act 2022 introduced new enforcement powers for OFSI to assist the UK regulator in encouraging compliance with the financial sanctions regime.
The UK's financial sanctions enforcement body exercised its disclosure enforcement power for the first time on 31 August 2023. Giles Thomson, the director of OFSI, indicated that “[the] intention is to use this power in response to moderately severe breaches, when an administrative warning letter would be too lenient on the facts of the case, but a civil monetary penalty would be disproportionately punitive.”
OFSI issued a disclosure notice deeming the breach "moderately severe" such that a disclosure was the "appropriate and proportionate" enforcement response.
Other than the novelty, this decision is likely to be of significant interest to financial services firms, and payments services providers in particular.
The breach related to an ATM cash withdrawal of just £250 by a "designated person" on 30 June 2022. The individual had only been added to the consolidated list the previous day. The company's sanctions screening software had even identified the potential sanctions match, created an alert, and suspended the individual's profile. However, due to the firm's policies and a lack of weekend resource, the card associated with the account was not blocked until a few days later.
ATM incident inferences
The facts relating to the breach highlight a number of key points:
- There is clearly no 'de minimis' level for sanctions enforcement. The sum in question was just £250. OFSI still categorised this as "moderately severe".
- There is no 'grace period' for sanctions implementation. The cash withdrawal occurred less than 24 hours after the designated person was added to the consolidated list. OFSI clearly expects firms to be responding immediately to changes. In fact, the firm identified the sanctions issue within a few hours – it just did not act on the alert effectively.
- The focus is very much on systems, controls, and resourcing. OFSI is very much focused on why this happened, rather than the amount. In particular, the disclosure notice highlighted the lack of weekend resource to review and act upon an automated sanctions alert to place a manual block on the account.
- Balancing regulatory obligations was no defence. The firm specifically relied on the fact that its policy (of not immediately blocking debit cards due to the high number of false positives) was designed to treat customers fairly under its FCA obligations. While that might have been a mitigating factor in OFSI's decision making, it clearly was not a defence. It will be particularly interesting to see how that holds up in the face of the Consumer Duty.
FCA expectations
The FCA published its findings relating to financial service firms response to the increased sanction over the past 18 months. The FCA has emphasised that firms need to have:
- Adequate governance and oversight over sanction compliance functions (including receiving sufficient management information in order to discharge their responsibilities appropriately).
- Sufficient skills and resources to assess potential sanctions breaches.
- Need to review quickly to avoid adverse impact on customers.
- Appropriate screening capabilities appropriately calibrated.
- Prompt reporting to FCA.
Having adequate, well-resourced financial crime mitigation measures in place has long been a prominent FCA requirement.
Screening and reporting
However, the last two points on appropriate screening and prompt reporting are perhaps the most interesting. In terms of appropriate screening capabilities, the FCA noted that too many false positives has a significant consumer impact, which it considered just as bad as not being sensitive enough. This was exactly the issue which the firm in the OFSI decisions had sought to address in the above decision. This is likely to cause firms considerable difficulty in the future – toeing the line between FCA and OFSI's differing expectations.
There has been some uncertainty in the financial services sector whether it is necessary to report a suspected breach of the financial sanctions regime to both OFSI and the FCA, the latter appearing in an ambiguous line on the FCA's website.
That obligation is now clear. The FCA states: "Firms that know or have reasonable cause to suspect a breach of financial sanctions must report it to OFSI, and notify us if: a person they are dealing with, directly or indirectly, is a designated person; they hold any frozen assets; and if they discover or suspect any breach while conducting their business."
Firms will also need to consider whether any sanctions breaches resulted from a significant failure in their systems and controls and report that as well.
Osborne Clarke comment
The disclosure notice and FCA guidance provide a number of clear learning points for financial services firms:
- Ensure company policies adequately manage sanctions risks. These may include, for example, sanctions screening and alert review functions. OFSI took into account the company's policy of not restricting debit cards where a possible name match to a designated person was identified.
- Ensure adequate resources are available to address sanctions issues. In this case, there was a lack of resource at weekends to review sanctions alerts, which led to a delay in placing restrictions on the customer account.
- Address all identified sanctions risks promptly.
- Make sure screening capabilities neither over nor under-include potential sanctions matches.
Our experienced team advises clients on all aspects of UK sanctions compliance and related issues, if you would like to discuss any of the above issues, please get in touch with our experts below or your usual Osborne Clarke contacts.
For more information on recent and upcoming regulatory developments please see our monthly Regulatory Outlook publication.
Michelle Tong, Paralegal with Osborne Clarke, contributed to this Insight.