The use of financial sanctions to deliver public policy objectives has risen rapidly up the political agenda in the UK, the EU and at the United Nations. The UK government issued its new anti-money laundering and terrorist finance strategy in 2007 and, as part of this exercise, the Treasury has set up a dedicated Asset Freezing Unit which has increased the expertise and operational focus that the government can use in asset freezing. It has also strengthened its work with regulators and other bodies to ensure a robust and proportionate approach to compliance with, and enforcement of, financial sanctions. Firms need to understand these changes and put in place appropriate systems and controls to ensure compliance with financial sanctions.
The UK financial sanctions regime
The regime lists individuals and entities (based in the UK, elsewhere in the EU, or the rest of the world) that are subject to financial sanctions. Each financial sanction is set out in a statutory instrument and/or EC regulation. These make up Her Majesty’s Treasury list (the HMT list). There are approximately 1,400 individuals and 500 entities on the HMT list and the law requires firms not to provide funds, or in the case of the Terrorism Order, financial services (including insurance) to those named individuals and entities unless a licence is obtained from HM Treasury (HMT). The penalties for a breach of UK financial sanctions are set out in each statutory instrument. Any person guilty of an offence is liable on conviction to imprisonment and/or a fine. The maximum term of imprisonment is currently seven years where the offence is imposed under the UK financial sanctions regime or two years where imposed under the EC regime.
The FSA’s role in UK financial sanctions compliance
Although HMT is responsible for implementing, administering and enforcing compliance with UK financial sanctions, it is also one of the FSA’s statutory objectives to reduce the extent to which it is possible for an authorised firm to be used for a purpose connected with financial crime.
Principle 3 of the FSA’s Principles for Businesses (together with SYSC 3.2.6R) requires firms to have adequate risk management systems and, in particular, to establish and maintain effective systems and controls for countering the risk that a firm might be used to further financial crime. These systems and controls must be ‘comprehensive and proportionate in nature, scale and complexity of its activities’. Firms must therefore have proportionate systems and controls in place to reduce the risk of a breach of UK financial sanctions occurring. Although there is no specific obligation in the FSA’s Handbook that requires firms to notify the FSA of a financial sanctions breach, in practice the FSA will expect firms to do so under its Principle 11 obligation to disclose to the FSA any relevant issues of which it would normally expect notice.
Financial services firms’ approach to UK financial sanctions – FSA review
In early 2009, the Financial Crime and Intelligence Division (FCID) of the FSA carried out a review of financial services firms’ approach to UK financial sanctions to assess current industry practice and to identify examples of good and poor practice. Information was obtained by the FCID using an electronic survey of 228 firms. In addition, 25 of those firms were interviewed and further discussions took place with relevant stakeholders to obtain information on industry practice and challenges firms face.
Overall findings from the FSA’s review
The FSA published its findings in April 2009 in a report entitled ‘Financial services firms’ approach to UK financial sanctions’. The report concluded that there are inadequacies in firms’ systems and controls to reduce the risk of a breach of UK financial sanctions in firms of all sizes across all financial sectors. The FSA acknowledged that some firms have appropriate systems in place but others, including some major firms, have inappropriate systems for their business. The FSA also found that there is a widespread lack of awareness of the UK financial sanctions regime in small firms. The report highlighted areas where the FSA considers there is significant scope across the industry for improvements in firms’ systems and controls. It also provides some examples of good and poor practice observed at firms and common misconceptions held by firms. While the report does not provide formal guidance, the FSA expects firms to consider the findings and examples of good and bad practice and, where appropriate, to translate them into a more effective risk assessment and implement more effective systems and controls.
The FSA’s key findings and examples of good and poor practices
While all major financial groups surveyed had assessed the probability of their customer base containing persons on the HMT list, only two-thirds of medium-sized firms had carried out a similar risk assessment and just over a half of small firms had done so. The FSA also encountered a range of misconceptions of the UK financial sanctions regime including firms who believed they were somehow exempt from the financial sanctions regime if they processed only low-value transactions (when there is actually no minimum limit) and firms who believed that UK financial sanctions did not apply to insurance or that it is a low-risk area.
The FSA considers that it is essential that firms have a good understanding of the UK financial sanctions regime as, without this, risk assessments are likely to be inaccurate and the controls put in place to mitigate the risk of dealing with a person on the HMT list may be insufficient. Firms can use a risk-based approach to screening; however, they should be able to demonstrate why the approach taken is appropriate and sufficient.
- Good practice: includes conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions; taking into account associated parties, such as directors and beneficial owners; and a formally documented risk assessment with a clearly documented rationale for the approach.
- Poor practice: includes not assessing the risks that the firm may face of breaching financial sanctions; and risk assessments based on misconceptions (discussed in more detail in Appendix 2 of the report).
Senior management responsibility and policies and procedures
All major financial groups surveyed had policies and procedures in place to provide for screening of the HMT list, but the FSA found some cases where country-specific and/or business unit policies and procedures did not meet the minimum standards set out in the group-wide policy. The FSA also found that although, at almost all firms with written policies and procedures in existence, these had been approved by senior management, most firms had not conducted a review of financial sanctions procedures during internal audits. Senior management also have a key responsibility to ensure that all relevant staff understand and act in accordance with their firm’s policies and procedures.
- Good practice: includes documented policies and procedures in place that clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area; effective procedures to screen against the HMT list that are appropriate for the business, covering customers, transactions and services across all products and business lines; group-wide policies for screening across the group to ensure that business unit-specific policies and procedures reflect the minimum standard set out in the group policy; clear, simple and well-understood escalation procedures to enable staff to raise financial sanctions concerns with management; procedures that include ongoing monitoring/screening of clients; full senior management and/or board level involvement in approving and taking responsibility for policies and procedures; senior management being notified of all actual matches and – if it should arise – all breaches of UK financial sanctions, in an appropriate and timely manner.
- Poor practice: includes no policies or procedures in place for complying with the legal and regulatory requirements of the UK financial sanctions regime; internal audits of procedures carried out by persons with responsibility for the oversight of financial sanctions procedures, rather than an independent party; no senior management involvement or understanding regarding the firm’s obligations under the UK financial sanctions regime, or its systems and controls to comply with it; no, or insufficient, management oversight of the day-to-day operation of systems and controls; and senior management not being aware of a target match for an existing customer or not being involved in cases where a potential target match cannot easily be verified.
Training and awareness
The FSA found a concerning lack of awareness of the UK financial sanctions regime, particularly among small firms. Most major financial groups and medium-sized firms provided training to staff on financial sanctions but this varied from training being incorporated within wider financial crime training to training on financial sanctions directed at staff involved in client take-on and monitoring.
- Good practice: includes regularly updated training and awareness programmes that are relevant and appropriate for employees’ particular roles; testing to ensure that employees have a good understanding of financial sanctions risks and procedures; ongoing monitoring of employees’ work to ensure they understand the financial sanctions procedures and are adhering to them; and training provided to each business unit covering both the group-wide and business unit-specific policies on financial sanctions.
- Poor practice: includes no training on financial sanctions; relevant staff unaware of the firm’s policies and procedures to comply with the UK financial sanctions regime; and changes to the financial sanctions policies, procedures, systems and controls not communicated to relevant staff.
Screening clients (and ongoing screening)
Weaknesses and issues were found repeatedly in the major financial groups and medium-sized firms surveyed. Some firms screened retrospectively, which led to their providing a service before screening had taken place. While most major financial groups surveyed had a method of screening their entire customer database periodically (ranging from daily to every three months) the majority of larger firms did not extend this to screening the directors and beneficial owners of corporate clients against the HMT list.
- Good practice: includes effective screening systems appropriate to the nature, size and risk of the firm’s business; screening against the HMT list at the time of client take-on before providing any services or undertaking any transactions for a customer; screening directors and beneficial owners of corporate customers; screening third-party payees where adequate information is available; screening the entire client base within a reasonable time following updates to the HMT list; and controls that require referrals to relevant compliance staff prior to dealing with flagged individuals or entities.
- Poor practice: includes screening retrospectively, rather than at the time of client take-on; screening only on notification of a claim on an insurance policy, rather than during client take-on; reliance, particularly by major insurance firms, on small firms or other authorised firms to carry out screening against the HMT list; failing to screen UK-based clients on the assumption that there are no UK-based persons or entities on the HMT list (or failure to screen due to any other misconception); firms calibrating their screening rules too narrowly or too widely so that they match only exact names with the HMT list or generate large numbers of resource-intensive false positives; failure to review the calibration and rules of automated systems or to set the calibration in accordance with the firm’s risk appetite; and controls on systems that can be overridden without referral to compliance.
The FSA’s report concludes that ‘Firms should consider all the findings set out in this report irrespective of the size of the firm to which the finding applies. This review highlights areas where improvements are needed if firms are to ensure compliance with our financial crime requirements’. The FSA’s findings are a clear reminder for firms to ensure that they have appropriate systems and controls in place to reduce the risk of breach of UK financial sanctions. The report also highlights areas where improvements are needed if firms are to ensure compliance with the FSA’s financial crime requirements. Senior management must take responsibility to ensure that effective and consistent systems and procedures operate across firms and appropriate resources are allocated. Given the report’s findings, it is important that firms review (and, where necessary, improve) their systems and controls in this area now, as failure to do so could result in FSA enforcement action.