Rachel Barnes, Saba Naqshbandi, Patrick Hill and Genevieve Woods, Three Raymond Buildings
This is an extract from the first edition of GIR's The Guide to Sanctions. The whole publication is available here.
Sanctions enforcement is now firmly placed within the United Kingdom’s broader economic crime regime. The Office of Financial Sanctions Implementation (OFSI) in HM Treasury was established in 2017. It aims to ‘develop as a world leader in financial sanctions implementation and enforcement’ and has signalled an intention robustly to enforce sanctions compliance and to impose significant financial penalties in appropriate cases. In 2017, the maximum term of imprisonment for financial sanctions breaches was increased from two to seven years. Under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), it is further increased to 10 years. Following Brexit, it is anticipated that the UK’s autonomous sanctions regime will expand both in scope and in the number and severity of enforcement actions.
Offences established under sanctions legislation
Regulations for each sanctions regime prohibit certain conduct (see Chapter 4), creating offences that arise when the prohibited activity is conducted with the requisite mental element (primary offences). In each sanctions regime there is also a set of secondary offences that can be committed in respect of (1) licences applied for or issued to permit otherwise prohibited conduct, and (2) requirements to report or requests to provide information or documents to OFSI.
Examples of primary offences include when a person deals with the funds of a designated person without a licence, knowing or suspecting, or having reasonable grounds to suspect that the relevant transaction is prohibited. A person may be guilty of a circumvention offence when they intentionally participate in activities, knowing that the object or effect is (directly or indirectly) to circumvent any sanctions prohibition or to enable or facilitate the contravention of any such prohibition.
- Licensing offences: (1) failing to comply with any condition of a licence; and (2) knowingly or recklessly providing false information or documentation for the purpose of obtaining a licence;
- Reporting offences: failing to inform HM Treasury as soon as practicable if a relevant person knows or has reasonable cause to suspect that a person is a designated person or has breached financial sanctions regulations and the information on which the knowledge or suspicion is based came to them in the course of carrying on their business.
- Information offences: (1) failing to comply with a request by OFSI for information or the production of documents without a reasonable excuse; (2) knowingly or recklessly providing materially false information or documentation in response to such a request; (3) destroying, mutilating, defacing, concealing or removing any document with intent to evade requirements under a request for information or documents; or (4) otherwise intentionally obstructing HM Treasury in respect of its powers to make such a request;
- Confidentiality offences: a person who is provided with specified confidential information or who obtains it commits an offence by disclosing it without lawful authority if that person knows or has reasonable cause to suspect that the information is to be treated as confidential.
The reporting offences can only be committed by the classes of persons specified in the legislation. These are persons subject to anti-money laundering compliance obligations and supervision, and include those carrying on regulated activity under the Financial Services and Markets Act 2000, currency exchange or funds transmission businesses, auditors, accountants and legal professionals.
The offences can only be committed if relevant persons fail to disclose information they are obliged to report. For example, if the suspicion of a sanctions breach arose solely from information obtained other than in the course of business, such as through media reporting, then neither the reporting requirement nor the offence would arise. The reporting requirement does not require the disclosure of information that is subject to legal professional privilege (LPP), or information that would be prohibited under data protection legislation or the Investigatory Powers Act 2016.
Liability for secondary parties, inchoate offences, corporates and company officers
The ordinary criminal law principles of accessorial liability, inchoate offences and corporate liability (the identification principle) apply. When an offence is committed with the consent or connivance of, or is attributable to the neglect of, any director, manager, secretary or other similar officer of the corporation or a person acting in such a capacity, that person is guilty of the offence in addition to the corporation and is liable to prosecution.
Jurisdiction is established on the basis of both territory and nationality (active personality). The sanctions regulations impose prohibitions and requirements and establish related offences in relation to conduct in the United Kingdom or its territorial sea by any person and conduct elsewhere by a ‘United Kingdom person’, defined as a ‘United Kingdom national’ (which includes British citizens, British subjects and British protected persons) or body incorporated or constituted under the law of any part of the United Kingdom.
Investigations into sanctions offences
Investigations may commence following voluntary self-disclosure by a natural or legal person, a report to OFSI or a UK law enforcement agency by a third party such as a whistle-blower, a person’s professional regulator, the filing of a suspicious activity report (SAR) to the National Crime Agency (NCA) under money laundering or counter-terrorism laws, or after a UK law enforcement agency receives information from an overseas counterpart or international organisation that violations have or are suspected to have occurred.
There is no general requirement to notify a suspect of an investigation. A suspect may not be made aware of a criminal investigation until some overt action, such as:
- arrests of individuals;
- service of production orders or information provision notices;
- execution of search warrants;
- if a third party that holds or controls the assets, such as a bank or a trustee, freezes the assets unilaterally by refusing to execute their directions;
- service of a subsequent court order, such as a restraint order issued in the Crown Court or a bank account freezing order by a magistrates’ court; or
- if a person has self-reported or disclosed a suspected sanctions breach to OFSI or some other enforcement authority, the authority’s response to that disclosure confirming that an investigation has commenced.
Only when OFSI has formed an intention to impose a civil monetary penalty upon a person is it required to inform the person of its intention to do so and provide the person with the opportunity to make representations.
Although OFSI is the primary organisation responsible for sanctions implementation, other relevant agencies include the NCA, the Crown Prosecution Service (CPS), the Serious Fraud Office (SFO), Her Majesty’s Revenue and Customs (HMRC), the Export Controls Joint Unit of the Department for International Trade, and also professional regulators and overseas enforcement agencies.
OFSI works closely with the NCA, whose sanctions investigations are conducted by its International Corruption Unit. Typically, the NCA refers cases for prosecution to the CPS. The SFO may investigate and prosecute cases in which sanctions offences intersect with international bribery or serious or complex fraud.
In 2009, the SFO prosecuted Mabey & Johnson Ltd and three executives for breaches of UN Iraq sanctions that were linked to the payment of bribes in exchange for oil contracts.
In a sanctions investigation, OFSI may use its powers to require persons to provide information to detect evasion and to investigate offences. Requests will be made in writing and will specify the period within which the information must be provided. Many NCA officers have the operational powers of a police constable, immigration and customs officers, for example, to gain entry to property, conduct searches, seize goods or detain and arrest suspects with or without a warrant.
Criminal prosecutors have powers to require the provision of information. The Director of Public Prosecutions in England and Wales, the Lord Advocate in Scotland and the Director of Public Prosecutions for Northern Ireland (collectively, the Prosecutors) may authorise a specified officer to issue disclosure notices in investigations into offences established in sanctions regulations promulgated under SAMLA 2018. These may require the addressee to answer questions, provide information or produce documents relevant to the investigation. The Director of the SFO can issue ‘Section 2 notices’, requiring persons under investigation and any other person that the Director has reason to believe has relevant information to answer questions or provide documents ‘in any case in which it appears to [the Director] that there is a good reason to do so for the purpose of investigating’. In both cases, the Prosecutors or the Director of the SFO may apply to a court for a warrant to enter and search premises to seize documents in cases where, for example, giving notice for the production of documents might seriously prejudice the investigation.
Civil or criminal investigations
In most cases, the investigation will gather evidence that would be admissible in criminal proceedings. A decision will be taken subsequently whether OFSI will use its civil enforcement powers (whether by monetary penalty or some other action) or will refer the case, usually to the CPS, for criminal prosecution. Since OFSI does not have the power to instigate criminal proceedings of its own accord, if it does refer a case for criminal prosecution, it is a matter for the prosecuting authority to determine whether the case should proceed in accordance with its policy.
Best practice for corporates in an investigation
Once a company becomes aware of a suspected sanctions breach, it should quickly decide on its response strategy. Enforcement authorities place considerable emphasis on timely voluntary disclosure, the extent of a company’s cooperation during an investigation and the remedial actions it puts in place to prevent future sanctions violations when deciding the nature and scope of any enforcement action. Companies may also be subject to industry regulatory regimes and shareholder or other disclosure requirements. Companies with operations overseas will need to consider whether regulators in those jurisdictions would expect to be informed.
Actions and issues to be considered after the discovery of suspected breaches or during a sanctions investigation include:
- notifying the board of directors;
- the board of directors’ role going forward and protocol for board communications;
- the role of in-house lawyers and the compliance function;
- appointing external counsel (and other consultants and experts);
- preserving all relevant material (e.g., documents, emails, telephone recordings) concerning both the suspected breaches and the response to their discovery;
- an internal investigation into the suspected breaches;
- reviewing other business and transactions for additional breaches;
- identifying remedial compliance measures;
- early engagement with relevant law enforcement authorities;
- disclosure to other parties (e.g., regulators, shareholders, lenders, insurers, auditors, overseas authorities);
- public relations strategy;
- accounting provision for any anticipated financial penalties and associated costs; and
- disciplinary action against specific employees.
In its first financial year (2017–2018), OFSI received 122 reports of suspected breaches of financial sanctions with a reported value of around £1.35 billion. In its second financial year (2018–2019), OFSI received 99 reports of suspected breaches with a reported value of £262 million.
The ability of sanctions authorities to perform their monitoring and enforcement roles depends, in large part, on the provision of information about potential sanctions violations by those within the private sector. Therefore, the UK sanctions framework both imposes reporting requirements on certain persons and rewards voluntary disclosure of suspected sanctions breaches.
Self-reporting should be considered by all putative defendants. It is a significant mitigating factor when enforcement authorities decide what action, if any, to take in relation to a sanctions breach and the extent of any penalties. To qualify as ‘self-reporting’, individuals or entities cannot rely on self-reporting by another party involved in the suspected breach. If multiple parties are involved, OFSI expects voluntary disclosure from each.
EU sanctions regulations require persons to report any information that would ‘facilitate compliance’ with the sanctions regulations, although a failure to do so will not necessarily constitute an offence under UK legislation. OFSI interprets the phrase ‘any information that would facilitate compliance’ as including information about suspected sanctions breaches.
Considerations before self-reporting
Whether to self-report
If a person has a legal duty to report to OFSI, failure to self-report is a criminal offence. OFSI, the CPS and the SFO identify in their respective guidance the potential weight they will attach to a genuine self-report as a mitigating factor in all their case disposal decisions.
When to self-report
OFSI expects suspected sanctions breaches to be reported reasonably promptly. It recognises that it may be reasonable for a person to take ‘some time’ to assess the nature and extent of the breach or to seek legal advice but emphasises that this should not delay an effective response. In the Standard Chartered Bank case, OFSI accepted that it was reasonable for the company to report initially the existence of a potential breach and then to provide further information in stages during its internal investigation.
Delaying a self-report risks the law enforcement authority (1) receiving prior notification of the breach from a third party, or (2) concluding that the delay has been unreasonably lengthy, with the result that it will not be a factor weighing against prosecution, in favour of entering into a deferred prosecution agreement (DPA), or justifying a civil penalty discount. If a breach was only discovered as a result of a separate regulatory or law enforcement investigation, the enforcement authority could, potentially, be persuaded that the reporting party should retain the mitigation benefit of voluntary disclosure if it can demonstrate that it quickly instigated a wide-ranging and thorough review of sanctions compliance, cooperated with any external investigation and implemented meaningful remedial actions.
How to self-report
OFSI and the SFO provide information about how to make a report on their respective websites. In both cases, there is a form to be completed and electronically submitted. In practice, an accompanying letter may set out greater detail than is contained within the standard form. The consequences of making an inaccurate disclosure or a disclosure that omits important information can be severe.
To whom else to self-report
Companies should consider whether disclosure should also be made to other domestic regulators or to sanctions authorities in other jurisdictions. This latter point is particularly important if an entity operates in multiple jurisdictions or the breaches took place outside the United Kingdom, since enforcement action in the UK may trigger corresponding investigations overseas and vice versa.
Where the suspected conduct would be in breach only of a non-UK sanctions regime, companies and relevant individuals should still consider whether there are relevant UK regulators to whom a report should be made. Such violations can be indicative of wider institutional control failures even though there has been no breach of applicable UK sanctions. UK anti-money laundering supervisors would expect to be informed of such situations by those they regulate.
Those regulated persons are obliged to make a SAR to the NCA under the UK’s anti-money laundering (AML) legislation if they have reasonable grounds to suspect assets are the proceeds of crime. This obligation may be engaged when they suspect sanctions breaches have occurred. Breaches of financial sanctions may also amount to or be linked to other criminal offending, such as the funding of terrorism or bribery and corruption. In such cases, individuals and corporations may have obligations to report information to the police under Section 19 of the Terrorism Act 2000, or reporting obligations under the Terrorist Asset Freezing Act 2010 or the Anti-Terrorism, Crime and Security Act 2001. In cases of international bribery and corruption, companies may consider it is in their best interests also to self-report to the SFO.
Other notification requirements
Companies may have contractual obligations to notify counterparties of their involvement in sanctions offences, or in suspected criminal conduct or criminal investigations more generally. These types of clauses are often included in insurance policies, loan and other facility agreements, bank covenants and contracts for international trade. When a company is considering notifying third parties, whether voluntarily or as a requirement, it should also consider informing OFSI and any other relevant law enforcement or regulatory agency of its intention to do so. This is to avoid an allegation of breaching the confidentiality of, or even unlawfully prejudicing, a sanctions investigation.
In a suspected sanctions breach, two AML questions arise: (1) has a money laundering offence also been committed? and (2) is the suspected sanctions breach evidence of failings in mandatory AML compliance standards?
The UK’s AML legislative regime:
- creates three principal money laundering offences, criminalising:
- ‘concealing, disguising, converting, transferring or removing criminal property from the jurisdiction’;
- ‘entering into or becoming concerned in an arrangement known or suspected to facilitate by whatever means the acquisition, retention, use or control of criminal property by or on behalf of another person; and
- ‘acquiring, using or possessing criminal property’;
- creates ‘supplementary’ money laundering offences for failing to disclose suspicious transactions, prejudicing an investigation and tipping off; and
- obliges specified private sector entities (e.g., banks and other financial institutions) to establish and maintain appropriate AML policies and procedures.
Money laundering offences
There are three questions that will determine whether a money laundering offence has been committed: (1) What predicate sanctions offence has been committed? (2) Has ‘criminal property’ been generated as a result of, or in connection with the sanctions offence? (3) Has there been any distinct or subsequent activity in respect of the ‘criminal property’, such that an offence under Sections 327 to 329 of the Proceeds of Crime Act 2002 (POCA) has been committed?
Fees received as payment for the unauthorised provision of goods or services to a designated person or otherwise in circumstances that constitute a sanctions offence will be criminal property. The subsequent use, transfer to a third party, or disposal of those fees with the requisite mens rea would constitute a money laundering offence under the appropriate provision of Sections 327 to 329 of the POCA.
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
UK financial sanctions law does not, directly, require the establishment of sanctions policies and procedures. Nevertheless, a sanctions breach may demonstrate a failure to comply with more general AML compliance obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) such as the obligation to conduct ordinary or enhanced customer due diligence or transaction monitoring. Failing to operate adequate compliance systems to address AML and to combat the financing of terrorism is a breach of Regulation 19 of the MLR, that is to say the requirement under the MLR to adopt ‘proportionate’ systems and controls. This, in turn, constitutes an offence under Regulation 86 of contravening a relevant requirement, which is punishable by an unlimited fine or imprisonment for two years (or both) following conviction on indictment and three months on summary conviction.
Rather than bring criminal proceedings, the designated supervisory authorities under the MLR, such as the Financial Conduct Authority (FCA), HMRC or various professional bodies, may elect to use their powers to impose civil penalties of fines and issue public statements of censure, prohibit individuals from having a management role in ‘a named relevant person or payment service provider’, suspend or remove a person’s permission to carry on a regulated activity, deny applications for authorisation or registration, or impose other limitations or restrictions on such persons.
The civil fines can be sizable.
In 2020, the FCA fined Commerzbank AG £37.8 million for failing to put adequate AML systems and controls in place between October 2012 and 2017. Although these failings were not specific to sanctions controls, the FCA did note that they occurred ‘against a background of heightened awareness within Commerzbank . . . following action taken by US regulators in 2015’ in relation to sanctions and AML failings, which the bank settled for a total of US$1.452 million
In 2010, the Royal Bank of Scotland Group was fined £5.6 million for failing to have adequate systems and controls in place to prevent breaches of UK financial sanctions, as required under the Money Laundering Regulations 2007.
Enforcement actions for breach of AML compliance requirements have extended to cases in which the sanctions issues have been breaches of US but not EU or UK sanctions law.
In 2019, Standard Chartered Bank was fined £102 million by the FCA for breaches of the MLR 2007, which was part of US$1.1 billion total financial penalties arising from breaches of US sanctions.
AML supervisory bodies will expect their regulated populations to notify them of suspected sanctions breaches.
In 2017, the Prudential Regulation Authority [PRA] of the Bank of England imposed a £17.85 million fine on The Bank of Tokyo-Mitsubishi UFJ Ltd [BTMU] and an associated fine of £8.925 million on MUFG Securities EMEA plc (MUS(EMEA)) for failing to be open and cooperative with the PRA in relation to sanctions enforcement action into BTMU by the New York Department of Financial Services.
This £26.78 million in total fines issued to UK Bank of Tokyo-Mitsubishi entities illustrates the importance UK financial regulators place on international financial institutions making them aware of overseas enforcement actions so that they may assess the implications for the systems and controls of UK affiliates.
Suspicious activity reports
POCA imposes reporting obligations on private entities in the regulated sector and creates offences for non-reporting. These arise when a relevant person knows or suspects or has reasonable grounds for knowing or suspecting that another person is engaged in money laundering when that knowledge came to them in the course of business. Failing to report suspicions of money laundering or terrorist funding to a firm’s nominated officer or to file a SAR as soon as practicable may also demonstrate AML compliance failings that amount to a breach of the MLR. Filing a SAR does not absolve a person in the regulated sector of their obligation to report suspected assets of designated persons or breaches of sanctions laws to OFSI. SARs are submitted to the NCA via the NCA SAR Online System.
Once a SAR has been filed, POCA prohibits the carrying out of any transaction in relation to the subject property without NCA consent, or the expiry of the prescribed time limits. A person in the regulated sector may not disclose that a SAR has been filed or that a related investigation is being contemplated or is being carried out. A disclosure that is ‘likely to prejudice’ an investigation amounts to a tipping off offence. Even if no SAR has been filed, if a person knows or suspects that a confiscation investigation, a civil recovery investigation or a money laundering investigation is being or about to be conducted, that person commits an offence by making a disclosure that is likely to prejudice the investigation. This offence is not limited to persons in the regulated sector.
Effect on investigations
The filing of a SAR may be the precursor to a range of investigative orders or civil or criminal asset recovery orders on the application of law enforcement authorities such as the NCA, the police, SFO, HMRC and FCA. These may include:
- Crown Court production orders, search warrants, restraint orders and, in post-conviction cases, confiscation orders;
- magistrates’ courts’ arrest warrants, search warrants, and bank and building society account freezing and forfeiture orders; and
- High Court property freezing orders, civil recovery orders and unexplained wealth orders.
Duties of counsel and privilege
The role of lawyers in sanctions and AML regimes requires special consideration. The starting point is that LPP applies. A professional legal adviser continues to be exempt from the reporting obligations (and related offences) under sanctions legislation and POCA if the information or other matter comes to him or her in legally privileged circumstances.
OFSI recognises that LPP may constitute a reasonable excuse for not disclosing information or documents when otherwise required under sanctions regulations. OFSI’s Guidance on Financial Sanctions notes that it ‘expects legal professionals to carefully ascertain whether legal privilege applies, and which information it applies to’ and observes that OFSI may challenge blanket assertions of privilege.
English law does not distinguish between in-house and independent external counsel for the purposes of LPP. LPP is subject to the ‘fraud exception’: it does not apply to information or any other matter that is communicated or given to the professional legal adviser with the intention of furthering a criminal purpose.
OFSI has the power to respond to breaches of financial sanctions by taking action with increasing levels of severity, ranging from low-level outcomes such as issuing correspondence about compliance practices, to imposing a civil financial penalty or, in the most serious cases, referring the case for criminal investigation and prosecution. Criminal prosecutions can only be brought where a prosecutor has determined that the proceedings would meet the ‘full code test’, namely that in respect of each defendant, there is sufficient evidence to provide a realistic prospect of conviction on each charge and that the prosecution would be in the public interest. In contrast, OFSI applies a civil standard to its enforcement actions.
This section starts with an overview of criminal proceedings relating to sanctions offences, including prosecution, DPAs and agreements that individuals may reach with prosecutors. It then describes OFSI’s civil penalty regime. It concludes by identifying some of the ancillary measures that may be imposed following a sanctions violation.
Primary sanctions offences and licensing offences are punishable upon conviction on indictment by a fine or imprisonment for up to seven years (increased to 10 years under SAMLA). Reporting and information offences are summary offences punishable by a fine or the maximum term of imprisonment that magistrates’ courts can impose (six months). Confidentiality offences may be punishable following conviction on indictment by a fine or up to two years’ imprisonment.
To secure a conviction, the prosecution must prove beyond reasonable doubt that the person has committed the actus reus (conduct) with the requisite mens rea (mental element) of the relevant sanctions offence, whether as a principal, a secondary party or as a conspirator. As described above, both companies and corporate officers may be liable for criminal offences.
Historically, UK financial sanctions enforcement by way of criminal prosecution has been limited. Two groups of prosecutions, the Mabey & Johnson and Weir Group cases, concerned bribes paid in the context of the UN Iraq Oil-For-Food programme.
In 2009, Mabey & Johnson Ltd pleaded guilty to charges including ‘making funds available’ in violation of Article 3 of the Iraq (United Nations Sanctions) Order 2000. The company was sentenced to total financial penalties, including costs, confiscation, reparations and monitoring costs, of about £6.6 million. Two ex-directors of the company were subsequently tried and convicted for their roles and were sentenced to terms of immediate imprisonment. An ex-sales manager cooperated with the SFO, pleaded guilty and gave evidence against the directors at their trial; he was sentenced to a suspended term of imprisonment.
In 2010, Scottish company Weir Group plc pleaded guilty to breaching sanctions in relation to Iraq through the payment of kickbacks in return for contracts from Saddam Hussein’s government. It was sentenced to financial penalties of £3 million and received a confiscation order for £13.9 million.
Deferred prosecution agreements
DPAs are a mechanism by which organisations (typically companies) make an agreement with either the CPS or SFO, under the supervision of a judge, that a criminal prosecution will be suspended for a defined period if the organisation meets certain conditions, which may include financial penalties, compensation, cooperation in the prosecution of individuals and the implementation of appropriate compliance programmes. Since 2017, DPAs have been available in respect of sanctions offences. There has been a small number of DPAs since they were introduced in 2013, most of which have related to significant corporate offending.
The financial penalty levied upon the defendant company must be broadly comparable to the fine that a court would have imposed following conviction after a guilty plea. The non-prosecution, however, may enable the company to avoid significant, consequential financial effects that might flow from a conviction. Airbus, for example, assessed the loss of global revenue that might follow from debarment from public tendering as US$200 billion.
The CPS and SFO DPA Code of Practice governs, among other things, the factors the prosecutor may take into account when deciding whether to enter into a DPA, the process for negotiations, terms of a DPA, including the financial penalty, applying for court approval of a DPA and overseeing a DPA after its approval. Voluntary self-reporting, subsequent cooperation and restorative measures are public interest factors tending away from prosecution and towards a DPA. The DPA Code will apply in sanctions breach cases, as will the Code for Crown Prosecutors, the CPS/SFO Joint Prosecution Guidance on Corporate Prosecutions and, where corruption offences may also have occurred, the Joint Prosecution Guidance on the Bribery Act 2010.
Arrangements between prosecutors and individual defendants
Frequently there are plea arrangements between defendants and prosecutors, which may take various forms. In some, the defendant pleads guilty to part of an indictment and the prosecution offers no evidence on the remaining counts on that indictment or asks the court to allow those counts to lie on the file. In others, the defendant pleads guilty to a lesser offence or to the indicted offence but on a less serious factual basis than that originally alleged against them.
When a defendant offers to provide information or to give evidence about the criminal activities of others, they may enter into a formal written arrangement with a specified prosecutor known as a ‘SOCPA agreement’. In return for providing information or giving evidence in accordance with the agreement, a defendant could potentially achieve immunity from prosecution but more likely would receive a reduced sentence in respect of his or her own criminality. The level of sentence reduction will depend on the timing, nature, extent and value of the assistance offered or provided. In cases of genuine and substantial assistance, it could be a reduction of between one-half and two-thirds of the sentence that they would otherwise receive.
Civil monetary penalties
When OFSI was established in 2017, HM Treasury was given a power to impose monetary penalties for sanctions breaches on companies and officers of companies. It may impose a monetary penalty if satisfied, on the balance of probabilities, that a person has breached a prohibition or failed to comply with an obligation imposed by or under financial sanctions legislation and that the person knew or had reasonable cause to suspect that he or she was in breach of the prohibition or had failed to comply with the obligation. When a monetary penalty is payable by a legal person, HM Treasury may also impose a monetary penalty on an officer of the body if satisfied, on the balance of probabilities, that the legal person’s breach or failure took place with the consent or connivance of the officer or was attributable to any neglect by the officer. If OFSI can estimate the value of the funds involved in the breach, the maximum penalty is the greater of £1 million or 50 per cent of the estimated value. In all other cases, the maximum penalty is £1 million.
OFSI must observe various procedural steps before imposing a monetary penalty. They include providing the target with (1) written notice of OFSI’s intention to impose a monetary penalty, (2) an opportunity to make representations about any relevant matters, including the circumstances of the breach, mitigation and the effect of a potential penalty and, if a penalty is imposed, (3) the right to a ministerial review. There is then a right of appeal to the Upper Tribunal.
When deciding how to dispose of a case and the size of any monetary penalty, OFSI applies a three-step process: (1) penalty threshold; (2) baseline penalty matrix; and (3) penalty recommendation. The penalty threshold is met if the statutory threshold for imposing a penalty has been met and a monetary penalty would be appropriate and proportionate. The ‘appropriate and proportionate’ limb will most likely be met if (1) funds or economic resources were made available directly to a designated person, (2) the sanctions prohibitions were circumvented, or (3) there was non-compliance with a requirement to provide information. If none of these factors is present, OFSI may still conclude that a monetary penalty is appropriate and proportionate.
A ‘baseline penalty matrix’ is used to calculate the appropriate penalty. First, OFSI will calculate the statutory maximum: the greater of £1 million or 50 per cent of the breach. Second, it will identify a ‘reasonable and proportionate’ penalty based on its view of the seriousness of the case. This is the ‘baseline penalty level’. This could be any amount between the maximum and zero. Third, it will consider whether a penalty reduction for ‘prompt and complete voluntary disclosure of the breach’ is warranted. In ‘serious’ cases, this reduction can be up to 50 per cent of the baseline penalty. In the ‘most serious’ cases, the potential reduction is capped at 30 per cent. ‘Most serious’ cases are those that have clear aggravating factors, such as deliberate or flagrant breaches, a high financial value or a severe impact on the purposes of the sanctions regime.
When assessing the seriousness of a case, deciding whether or what type of enforcement action is required and identifying aggravating or mitigating factors to determine an appropriate monetary penalty, OFSI will generally take into account the following:
- harm or risk of harm to the objectives of the sanctions regime;
- whether the breach is deliberate, negligent or the result of an error;
- whether the breach is the result of broader systems failures;
- repeated or persistent breaches;
- voluntary self-disclosure of suspected breaches; and
- the public interest in responding to the breaches.
In 2017 and 2018, OFSI did not impose any civil monetary penalties. Between January 2019 and March 2020, it imposed four monetary penalties, two of which were subject to a ministerial review.
In 2020, Standard Chartered Bank received penalties of £20.47 million from OFSI for breaches of Ukraine-related sanctions by granting loans worth £97.5 million to the subsidiary of a designated Russian entity.
Although caution must be exercised in drawing conclusions from this limited pool of cases, the Standard Chartered Bank case marks a significant step change and signals a preparedness by OFSI to issue substantial penalties. It also demonstrates the value placed by OFSI on self-reporting, cooperation and remedial action following suspected sanctions breaches. The Raphael Bank case suggests that even self-reported breaches of modest value may be considered sufficiently ‘serious’ for the OFSI to determine that a civil monetary penalty is ‘appropriate and proportionate’.
Ancillary orders and additional consequences of sanctions breaches
Recovery of property obtained as a result of sanctions offences may be pursued through confiscation proceedings following prosecution and conviction or in separate civil proceedings.
Monitors are independent third parties, generally law firms, risk consultancies or professional service firms, appointed by the court to oversee and report on a company’s internal controls and compliance functions following a criminal or regulatory investigation. A monitor may be appointed voluntarily by a company (e.g., to demonstrate cooperation during an investigation) or agreed between the company and the investigating agency as part of a negotiated settlement and presented for court approval. A monitor may also be appointed under the terms of a DPA or as part of a serious crime prevention order (SCPO) or civil recovery order.
Serious crime prevention orders
SCPOs are designed to prevent, restrict or disrupt involvement in serious crime. They may be made in respect of sanctions offences. SCPOs can be made against natural or legal persons and may, among other things, impose restrictions or requirements in relation to financial, property or business dealings or holdings, and require a person to answer questions or provide information. When a SCPO is made against a legal person (usually a company or a partnership), it can include the appointment of an authorised monitor, paid for by that legal person. SCPOs may be imposed for up to five years.
SCPOs can be made by the Crown Court during sentencing or in separate civil proceedings in which a conviction is not a prerequisite, if the court is satisfied that a person has been involved in serious crime, whether in the United Kingdom or elsewhere, and it has reasonable grounds to believe that the order would protect the public by preventing, restricting or disrupting involvement by the person in serious crime in the relevant part of the UK.
SCPO proceedings in both the Crown Court and the High Court are civil proceedings and the civil standard of proof is applied. Breach of an SCPO without reasonable excuse is a criminal offence punishable with imprisonment for a term not exceeding five years or a fine, or both.
A breach of sanctions may result in debarment from tendering for public sector contracts in the United Kingdom and elsewhere. In the UK, tendering for public sector contracts is governed by the Public Contracts Regulations 2015, which implement the EU Procurement Directive. Sanctions breaches may result in discretionary debarment.
Directors’ disqualification and regulatory measures
Upon conviction for an offence in connection with, inter alia, the promotion or management of a company, the court may make a disqualification order for up to 15 years. Breach of a disqualification order is a criminal offence.
Even without a conviction, a sanctions breach will be relevant to the FCA’s and HMRC’s assessment of the continuing ‘fitness and propriety’ of approved persons and may result in withdrawal of approval.