INTRODUCTION
Since the Russian invasion of Ukraine in February 2022, the UK has introduced an unprecedented number and variety of sanctions. The FCA has recently assessed the sanctions controls of over 90 financial services firms across a range of sectors in an effort to ensure firms’ sanctions systems and controls adequately address sanctions risks and respond swiftly to changes in UK sanctions regimes. In its assessment, the FCA reported on areas where firms are doing well and areas which need improvement.
We have set out below our analysis of the FCA’s findings and how firms should ensure they are meeting the FCA’s expectations.
WHAT ARE FIRMS DOING WELL?
- Some firms were found to have conducted effective horizon scanning and scenario planning which included anticipating the risk of rising Russian tension and assessing their risk exposure. These firms generally responded better to the Russian sanctions regime.
- The FCA was highly encouraged that some firms could clearly articulate the effectiveness of their sanctions screening tools and were measuring this through practices like sample testing and tuning.
- Most firms could demonstrate sanctions screening with built-in fuzzy logic (fuzzy logic allows multiple truth values to be processed through the same variable, which can help identify name variations of sanctioned entities and individuals).
WHAT NEEDS IMPROVEMENT?
Management Information (MI)
- The FCA identified examples where senior management at firms were not given sufficient MI to discharge their responsibilities to understand and ensure compliance with the relevant sanctions regimes.
- Under the Senior Managers and Certification Regime, the FCA looks to firms’ senior management to have oversight of their firm’s systems and controls to ensure compliance with UK sanctions. Senior managers need proper MI to fulfil this responsibility. MI should include basic metrics such as the number of sanctions alerts and provide senior managers with effective oversight, identification of risk, and trend analysis.
Skills and Resource
Some firms were found to have significant backlogs in their screening process, meaning their ability to promptly identify and report exposures was impaired. These backlogs were found to be due to a lack of adequate resources dedicated to sanctions as well as a lack of internal expertise. This exposes firms to the risk of breaching sanctions requirements due to the potential delay in identifying designated or sanctioned parties.
Screening Capability
The FCA identified three problems with screening capabilities in its review.
- Improperly calibrated tools which produced too many false positives or were not sensitive enough when tested.
- Lists used by screening tools taking too long to update following a designation.
- Over-reliance on third-party screening tools, where firms do not check or understand whether these tools are properly calibrated.
Customer Due Diligence (CDD) and Know Your Customer (KYC) Procedures
The FCA found evidence of low-quality CDD and KYC procedures. The FCA noted this can lead to firms not identifying the full ownership structure of entities and thus not screening all relevant parties.
Breach Reporting
Some firms took weeks or months to report breaches they had identified to the FCA. Other firms did not report breaches at all.
WHAT DO FIRMS NEED TO DO TO ENSURE COMPLIANCE GOING FORWARD?
- Ensure appropriate KYC and CDD is completed for all potential parties, including their controllers, shareholders, and Ultimate Beneficial Owners.
- Review current reporting procedures for potential sanctions breaches and ensure that all relevant staff are appropriately trained to meet their obligations under the relevant sanctions regimes.
- Continually enhance their tools to develop new ways to identify potential sanctions evasion.
- Measure the accuracy of screening tools and the speed at which they adopt new lists.
- Review the information on sanctions procedures and compliance provided to senior management and consider if the information provided is sufficient to enable effective decision making.
- Review their use of third-party sanctions screening tools and consider whether they have enough oversight to independently ascertain the efficacy of these tools, such as through regular testing or internal service-level agreements for the time taken for lists to be updated following designation.
FINAL THOUGHTS
The FCA has acknowledged both the difficulty and importance of complying with the UK’s growing sanctions regime. Firms should consider the FCA’s findings as they apply to their own sanctions controls and continue to evaluate and strengthen these processes. The financial and reputational risks posed by sanctions breaches are increasing. The UK’s Office of Financial Sanctions Implementation (“OFSI”) recently used its new disclosure enforcement power for the first time to publicly report Wise Payments Limited for a breach of financial sanctions. It is expected that as OFSI grows, so will its propensity to bring enforcement actions against firms. Such enforcement action is likely to be taken increasingly in concert or co-operation between the FCA and OFSI.