On September 6, 2023, the Financial Conduct Authority (“FCA”), the UK regulator for financial services firms and markets, published a review of its assessment of sanctions systems and controls in place at financial services firms in the UK.  The review sought, in particular, to assess firms’ response to the rapid expansion in the size, scale, and complexity of sanctions following Russia’s invasion of Ukraine.  The FCA’s review considered sanctions compliance systems and controls at over 90 firms spanning various aspects of the financial services sector, including payments, retail banking, wholesale banking, wealth management, insurance, and electronic money.  The objective of the review was to assess the adequacy and effectiveness of firms’ systems and controls in addressing sanctions risks and their ability to respond promptly to changes in the UK’s sanctions regime.

Key Review Findings

The scope and complexity of the sanctions imposed by the UK in the wake of Russia’s invasion of Ukraine are unprecedented.  As a result of those developments, the FCA “has further increased [its] focus on firms’ sanctions systems and controls” as part of its ongoing efforts to ensure that “the firms [it] regulate[s] are effective in preventing financial crime, such as money laundering and sanctions evasion.”

The FCA review has identified a number of examples of good practice by financial services firms, as well as a number of areas requiring improvement.

Examples of Good Practice

The FCA review identified the following examples of good practice:

  • Horizon Scanning and Scenario Planning – Firms taking pro-active steps prior to the Russian invasion in February 2022 to assess their exposure to Russia and plan for possible sanctions, which assisted those firms in implementing UK sanctions at speed;
  • Sanctions Screening Systems – Some firms demonstrated that their sanctions screening tools are appropriately calibrated to the sanctions risks they are exposed to and had implemented sample testing, tuning, and other controls designed to measure the effectiveness of their sanctions systems thresholds and parameters; and
  • Tool Calibration – Most firms had incorporated “fuzzy logic” into their sanctions screening systems to assist in detecting name variations for sanctioned persons.

Areas in Need of Improvement

The FCA review also identified a number of areas in need of improvement, as follows:

  • Senior Management Oversight of Sanctions Risks – One of the prominent deficiencies identified in the review involved a failure to provide senior management with sufficient management information about sanctions exposure to understand the firm’s sanctions risks, aid effective decision-making, or understand how the firm’s sanctions controls were performing.  For example, some firms’ management information does not include the number of sanctions alerts, number of alerts awaiting analysis, or number of reports submitted to HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”).  The FCA also observed a lack of quantitative and qualitative information that would enable effective oversight, risk identification, and trend analysis.
  • Global Sanctions Policies – Some firms placed reliance on global sanctions policies that focussed on US sanctions and were not sufficiently aligned with the requirements of the UK sanctions regime, increasing the risk of potential non-compliance with UK sanctions when they diverge from the approach adopted by other countries’ sanctions regimes.
  • Over-Reliance on Third-Party Tools – Some firms did not understand how their sanctions screening tools were calibrated and when sanctions lists were updated, meaning that those firms did not understand whether they were screening against the correct lists, names were missing from their systems that should be identified, and/or their systems were producing too many false positives.  As a result, firms could not show that they were adequately managing their risk of sanctions breaches.  The FCA review called on firms that use outsourced screening tools to ensure that they have appropriate control and oversight of these tools through regular testing and agreed internal service level agreements for the time taken to update screening lists following new designations.
  • Backlogs in Alert Assessment – The review uncovered substantial backlogs in the assessment, escalation, and reporting of alerts related to the sanctions screening of names and payments.  As a result, firms were not identifying, prioritising, and reporting potential breaches in a timely manner.  The FCA review attributed these backlogs to a range of factors, including lack of appropriate resourcing and internal expertise.
  • Absence of Contingency Planning – Some firms are failing to engage in robust contingency planning such as enhancing escalation policies and procedures, seeking external legal advice, or suspending payments to/from high risk countries (e.g., Russia), resulting in their being slow to introduce risk mitigation measures when new sanctions are introduced.
  • Screening Capabilities – Some firms had not adequately tailored the calibration of their sanctions screening tools, resulting in the tools being either too sensitive, returning high numbers of false positive hits that placed additional strain on already stretched teams, or insufficiently sensitive, leading to failures to detect sanctioned persons.  Some firms’ systems also were not able to generate alerts against some names on OFSI’s consolidated list of financial sanctions targets.  Additionally, some firms were not monitoring how quickly sanctions screening providers were updating the sanctions lists that they screen against.
  • Customer Due Diligence (“CDD”) and Know Your Customer (“KYC”) – The FCA review identified a concern with respect to the quality of CDD and KYC assessments being conducted by some firms, which increased the risk of firms failing to identify sanctioned persons.  For example, CDD did not always outline the full ownership structures of entities, resulting in firms being unable to demonstrate that they had screened all relevant parties.
  • Breach Reporting to the FCA – In addition to financial services firms’ mandatory reporting obligations to OFSI under individual UK sanctions regimes, they are required to notify the FCA if a person they are dealing with, directly or indirectly, is a designated person, they hold any frozen assets, and/or if they discover or suspect any breach while conducting their business.  Additionally, firms are required to consider notifying the FCA under the requirements of SUP 15.3.8G(2), for example, whether sanctions breaches resulted from a significant failure in their systems and controls.  The FCA review identified inconsistencies in reporting, with some firms failing to report or taking weeks or months to report to the FCA after identifying a breach.

Key Action Items for FCA-Regulated Firms

The FCA has responded to these findings with a call to action.  Firms are urged to proactively bolster their compliance measures to mitigate the risk of sanctions breaches and evasion.  This includes adapting to the constantly evolving sanctions landscape and shifting risk profiles.

The FCA has made it clear that it will employ its regulatory tools to address deficiencies in firms’ systems and controls.  These tools encompass a range of interventions, including the imposition of business restrictions and, where serious misconduct is identified, enforcement action.

The key takeaways from the review are that firms should:

  • review the FCA’s review and consider how the review’s findings are applicable to their sanctions systems and controls, taking steps (where appropriate) to identify and address gaps in their controls and enhance the controls that they currently have in place;
  • regularly evaluate their sanctions systems and controls to ensure that they remain appropriate as the sanctions landscape evolves and responsive to new sanctions measures and requirements as they are implemented;
  • read the FCA’s Financial Crime Guide (in particular Chapter 7), and SYSC 6.3 of the FCA’s Handbook to understand their responsibilities under the Money Laundering Regulations, as well as the FCA’s expectation of compliance with all UK sanctions regimes and relevant guidance, including that promulgated by OFSI and the Joint Money Laundering Steering Group;
  • familiarise themselves with the latest updates and details from the FCA on how to report sanctions breaches; and
  • be prepared to actively engage with the FCA regarding its testing of firms’ sanctions screening systems and controls.

The UK’s increased use of complex sanctions measures is a trend that appears likely to continue.  In this dynamic regulatory environment, it is imperative that UK financial services firms adopt a pro-active stance to the management of their sanctions risks and satisfaction of regulatory obligations relating to sanctions (and related financial crime) compliance.  For more information on these developments, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Economic Sanctions team in London.