The UK Financial Conduct Authority (FCA) has assessed the systems and controls relating to sanctions compliance for over 90 firms across a range of sectors and summarised its findings of good and poor practice. Acknowledging the size, scale and complexity of sanctions imposed since Russia’s invasion of Ukraine, the FCA continues to increase its focus on firms’ sanctions systems and controls and hopes that its findings will help firms to deliver greater compliance with sanctions.
FCA focus on sanctions
In addition to traditional data gathering the FCA has used its new analytics-based tools, which will have provided it with a deep understanding of firms’ current practice. Publication of clear guidance with examples also sets a clear message about its expectations for the future.
Historically, the FCA has considered sanctions risk management (including screening) as part of the FCA’s enforcement focus on anti-money laundering systems and controls. This has resulted in only a few enforcement actions with a specific focus on sanctions over the past 15 years. The FCA has however now put down a clear marker that enforcement action is well within its toolkit if it identifies serious misconduct in the context of sanctions systems and controls, which is a growing area of regulatory interest.
Experience teaches us that firms all face different challenges when designing and implementing a risk-based and proportionate framework. However, identifying parallels among peers can help firms find a bespoke solution for success. To that effect, we have collated some practical learnings on where things have gone well, as well as wrong, to bring to life some of the FCA’s thematic findings.
The right framework pays off
One of the keys to minimising the risk of sanctions non-compliance is a robust framework that demonstrates clear channels of communication and routes of escalation, appropriate senior oversight at team and function level (as well as at Board level), and that provides employees with the tools to “do the right thing”. This includes sufficiently clear delegation, desktop procedures, and training tailored to its audience.
In previous enforcement action, the FCA has emphasised the need for targeted sanctions training suited to its audience (for example, those with direct responsibility for considering sanctions and related money laundering risks). In our experience, the strongest sanctions risk management training programmes are those that incorporate role-specific training, including general training to Boards, as well as scenario-based training to teams dealing with clients and transactions.
Resources to deliver
Ensuring adequate and appropriate allocation of resources to meet regulatory obligations is not a new area of focus for the FCA. We anticipate that this will be an area of continued interest and scrutiny in enforcement investigations that touch on firms’ sanctions systems and controls, especially as the FCA expects firms to have reviewed their systems and controls in this area in light of the unprecedented sanctions package imposed in relation to Russia and Belarus.
Resourcing considerations should include not only capacity, but also expertise, seniority and allocation of work. Bottom-up resourcing considerations should form a core part of senior leadership reporting, alongside other information. Senior Managers with responsibility for sanctions, such as SMF17s, should ensure that adequate time is apportioned to overseeing sanctions risk management, and involvement in the right areas. This becomes particularly acute in smaller firms where individuals often undertake multiple Senior Management Functions (commonly SMF4 or SMF16 in addition to SMF17).
Manual checks can be effective and proportionate
A number of firms rely on manual screening checks to manage their sanctions risks, which may be workable for firms which deal with smaller numbers of clients and transactions. Know Your Customer (KYC) and Know Your Transaction (KYT) information should be comprehensive, and firms must ensure that all relevant sanctions lists are screened, and that sources used are reliable and up-to-date.
In a recent enforcement action, the FCA emphasised a firm’s failure to create a documented process for staff to follow when they performed manual sanctions screening during the onboarding of customers. This can increase the risk of inconsistency and error, or even failure to perform checks, particularly where individual staff members are forced to interpret the screening requirements themselves. Firms should therefore ensure they have relevant process documents and appropriate training in place.
Good record-keeping controls are key to ensuring steps taken can be clearly traced. Internal management reporting should consider the cost of manual screening relative to other activities that could be undertaken.
Third party outsourcing can work – if done right
If firms rely on a third party outsourcer, they must ensure an adequate articulation of specifications and supporting governance framework is agreed with the provider. This must be bespoke to the firm, and will stem from a robust business risk assessment. Outsourced activities must be designed and overseen in a way that ensures they meet the needs of the business appropriately. Adequate oversight over activities performed is key and should include, at a minimum: verification of lists screened against, the review of fuzzy logic implemented (such as ensuring that its focus sufficiently reflects the client base), the timing of list updates and screening frequency.
More complex reporting requirements
Overlapping, but distinct, sanctions-related reporting requirements can be challenging to navigate. Known or suspected sanctions breaches may need to be reported to the Office of Financial Sanctions Implementation (OFSI) on a mandatory basis. Other authorities may also need to be notified in certain circumstances. For example, the FCA expects authorised firms to notify it of any such breaches, as well as other information such as weaknesses in sanction systems and controls. A breach or suspected breach may also trigger a money laundering reporting requirement and where the actual or potential breach relates to trade sanctions it may be advantageous to notify HMRC. A failure to report can constitute an offence in certain circumstances.
In its recently published guidance on good and poor practices, the FCA highlights inconsistencies between various firms’ timeliness in notifying the FCA of sanctions breaches. Adopting a proactive approach towards identifying sanctions issues should help to ensure that reports are made in a timely manner and in accordance with the relevant reporting regime.
As expectations and obligations snowball, it is easy to lose sight of the bigger picture. We strongly encourage firms to periodically re-assess both the presently implemented framework as well as the external horizon to ensure the sanctions framework implemented is adequate, proportionate, and effective.
With thanks to Josh Wilkins who helped to research and draft this article.