On 31 August 2023 the UK’s Office of Financial Sanctions Implementation (OFSI) issued a “Disclosure” against Wise Payments Limited (Wise), a UK-registered company, regulated by the Financial Conduct Authority, for breaching Regulation 12 of The Russia (Sanctions) (EU Exit) Regulations 2019 (the Regulations) by making funds available to a company owned or controlled by a designated person (DP). This is the first instance of OFSI using its powers to issue such a Disclosure since the power became available under the Economic Crime (Transparency and Enforcement) Act, in force from 1 August 2022. This is also the first example of a published violation of the Regulations.
Background
The breach related to a cash withdrawal of £250 made, on 30 June 2022, by a company employee from a Wise business account, using a company debit card in the DP’s name. The DP appeared on the UK Sanctions List on 29 June 2022.
Wise’s sanctions policy in place at the time screened against the Consolidated List of sanctioned persons and entities and if a potential sanctions match was detected, the customer’s profile was suspended, preventing the sending or receiving of funds from or to the account. However, the use of any debit cards associated with the account was not part of the initial suspension process (due to the high false positive rate) and so access to funds in the account remained available. In this instance, Wise suspended the account associated with the DP on the day of the cash withdrawal, on 30 June 2022. Having escalated the potential sanctions match to Wise’s sanctions team on the Friday morning, 1 July, the escalation was not reviewed until after the weekend, as Wise did not operate weekend monitoring, and as a result five days elapsed before Wise blocked the debit card.
‘Moderately Severe’ Breach
Wise’s breach was assessed as insufficiently serious to impose a civil monetary penalty, OFSI concluding the breach was “moderately severe” and that a Disclosure was an appropriate and proportionate enforcement response.
Notably, OFSI has updated its Monetary Penalty and Enforcement Guidance (also on 31 August 2023), setting out further information concerning how it categorises breaches: from “lesser severity” to “moderate severity” and “serious enough to justify a civil monetary penalty”. A matter falling into the moderate severity, and therefore Disclosure, category will be one where a warning letter would be considered too lenient, and a civil monetary penalty is considered to be disproportionately punitive.
Compliance Lessons
In reaching its decision, OFSI took account of the following factors:
1. | Wise’s systems and controls regarding the management of sanction risks, specifically its policy regarding not restricting debit cards where a possible name match to a DP was identified, were inappropriate. A company should promptly restrict all forms of access to funds or economic resources. |
|
2. | The Disclosure notes the importance of ensuring sufficient and appropriate staff resourcing is available to manage sanctions risk exposure. |
|
3. | Wise took the initiative to self-report the breach to which the Disclosure relates on 20 July 2022, making complete disclosures and fully cooperating with the investigation. |
|
4. | Wise took remedial steps to improve the aspects of its sanctions compliance process which allowed the breach to occur. |
Takeaways
OFSI’s decision to publish Wise’s breach demonstrates that no sanctions violation is too small. The Disclosure report emphasises the reputational implications for the offending corporate, and the recently updated guidance shows that OFSI can use its disclosure power for breaches of lesser severity but where there are compliance lessons to be learned. It also demonstrates the speed at which a company is expected to respond to sanctions changes and new designations, and therefore stresses the need for companies to have a system of continuous monitoring in place.
This Disclosure decision by OFSI underlines its continuing approach to encourage corporates to develop and implement appropriate risk-assessed due diligence and know-your-customer policies and procedures to prevent the risk of sanctions violations, and to keep these under review.