Compliance with financial sanctions has made its way up the UK financial regulatory agenda. The Financial Services Authority (FSA) has increased its focus on preventing financial crime by focusing not only on money laundering and market abuse, but also on bribery and most recently financial sanctions controls. In this article Emma Radmore and Tom Dunn of Denton Wilde Sapte look at the effects of the UK’s financial sanctions regime on financial institutions and regulatory expectations for the regulated sector.
What is the UK regime about?
The UK financial sanctions regime lists individuals and entities that are subject to financial sanctions. These can be in the UK, elsewhere in the EU or the rest of the world.
The UK Government oversees the UK’s financial sanctions regime. Her Majesty’s Treasury (HMT) is responsible for implementing, administering and enforcing compliance with UK financial sanctions. It keeps the list of sanctioned parties in the UK (the HMT list), which currently includes about 1,400 individuals, about 50 of whom are UK residents, and 500 entities, 12 of which are in the UK.
The HMT list stems from financial sanctions orders. Each financial sanctions order comes from a statutory instrument and/or EC Regulation. The relevant legislation will specify the services a firm may or may not provide to the named individuals and/or entities.
In general terms, without a licence from HMT firms may not provide funds or, in certain cases, financial services, to those on the HMT list. A firm must tell HMT’s Asset Freezing Unit as soon as practicable where it has identified an actual match with a person or entity on the HMT list, or where it knows or suspects that a customer or a person with whom the firm has had business dealings has committed a breach. A firm must also supply any information that would help compliance.
A failure to comply with these obligations can carry serious consequences. For example, it carries the risk of the Government seeking criminal penalties against the firm and, in certain circumstances, against the firm’s management. A breach of the regime may also result in reputational damage to firms. Where a firm is regulated by FSA, breach of the regime is likely to involve also a breach of FSA’s rules which can lead to FSA enforcement action.
Who must comply with financial sanctions in place in the UK?
One should assume the financial sanctions regime applies to everyone, not only those who carry on business in certain sectors.
The relevant UK statutory instruments apply to:
- any person in the UK;
- any person elsewhere who is a British citizen, a British Overseas territories citizen, a British Overseas citizen, a British subject, a British National (Overseas), or a Britishprotected person; and
- any body incorporated or constituted under the law of any part of the UK or a Scottish partnership, including banks, financial institutions, charitable organisations and non-governmental organisations, in the UK or established under UK law.
The UK statutory instruments do not apply to subsidiaries operating wholly outside the UK which do not have legal personality under UK law.
EC Regulations imposing and/or implementing sanctions are part of Community law, are directly applicable and have direct effect in the Member States. The measures apply to:
- nationals of Member States;
- entities incorporated or constituted under the law of one of the Member States; and
- all persons and entities doing business in the EU, including nationals of non-EU countries.
UK statutory instruments enable Treasury to impose penalties for a breach of a Regulation.
Why is the UK sanctions regime particularly relevant to UK financial institutions?
One of FSA’s statutory objectives is reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime. Providing funds or, in certain cases, financial services, to those on the HMT list comes within the financial crime objective. This entitles FSA to impose rules on firms in respect of prevention of financial crime by whatever means.
FSA’s Handbook of Rules and Guidance places specific responsibilities on firms regarding financial crime. So authorised firms are also subject to regulatory requirements relating to the UK’s financial sanctions regime.
Principle 3 (Management and control) states:
“A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”.
SYSC 3.6.6R states:
“A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime”.
The FSA Handbook also sets out that firms’ relevant systems and controls must be “comprehensive and proportionate in nature, scale and complexity of its activities”. Firms should therefore have proportionate systems and controls in place to reduce the risk of a breach of UK financial sanctions occurring. To do this it is essential that firms have a good understanding of the UK financial sanctions regime. Without this, risk assessments are likely to be inaccurate and systems and controls put in place to prevent a breach of UK financial sanctions may not be enough.
What does FSA expect of regulated firms?
FSA recently published a paper reporting on the findings of a review conducted by its Financial Crime and Intelligence Division (FCID). The review highlights areas firms need to improve to ensure compliance with FSA’s financial crime requirements and gives examples of good and poor practice. To get information FCID electronically surveyed 228 firms, interviewed 25 of the firms surveyed and had discussions with relevant stakeholders about industry practice.
Scope of Review and FSA expectations
Policies and procedures
Senior management should be fully involved in developing and implementing effective and appropriate financial crime policies and procedures. These should include written policies and procedures for financial sanctions screening. Firms should properly assess and mitigate the risk of dealing with a person on the HMT list and staff should understand their responsibilities and the firm’s own procedures. These procedures should include continuing monitoring/screening of clients.
Firms should conduct reviews of financial sanctions procedures during internal audits. It is good practice for staff who are not involved in overseeing the firm’s systems and controls to periodically carry out an independent review of procedures.
Where firms operate in several countries, a consistent group wide policy is likely to help local business units ensure their local procedures meet minimum group requirements.
These firms may face challenges in dealing with multiple financial sanctions regimes and FSA encourages firms to seek legal advice if any conflict between them arises.
Staff training and awareness
It is good practice for firms to give specialised training on the UK financial sanctions regime to relevant staff and, if suitable, to provide more general training to other staff.
Firms should consider setting up effective arrangements to ensure that:
- training, appropriate for different groups of staff, is accessible and routinely provided;
- this training includes refresher training to ensure knowledge remains current and up to date;
- staff are tested, as appropriate, to ensure that they have understood the training;
- reference material containing the firm’s financial sanctions policies and procedures is readily available and simple to understand.
Screening clients at take-on
Firms should first screen against the HMT list when they take on clients, rather than screening retrospectively, so firms do not provide a service before screening has taken place. A firm would need good reasons, which it should document, to justify not screening some or all of a firm’s clients. Firms should extend screening to the directors and beneficial owners of corporate clients against the HMT list. Firms should consider covering changes to direct or indirect ownership in their overall risk-based approach.
FSA identified a key general weakness among all major and medium-sized firms, when they dealt with customers who were already clients of other FSA-authorised firms. In those circumstances, many firms assumed the first firm had screened the client against the HMT list but had taken no steps to verify that screening was actually taking place. When another authorised firm refers a client, firms should satisfy themselves the client has been screened against the HMT list. One firm’s risk-based approach may not be suitable for another firm with a different risk profile, even if both firms are authorised by FSA. Firms should also consider if they need to re-screen the client screened by the referring firm against the HMT list, as the list may have been updated since the original screening.
Firms should monitor the continuing effectiveness of automated systems used for financial sanctions screening, including making sure the calibration of screening rules remain appropriate and effective. If they are not, there is a risk that potential matches will not be raised as alerts.
About half the major financial groups surveyed and a few medium-sized firms surveyed used “fuzzy matching”. Fuzzy matching is the process of searching for words or names that are likely to be relevant, even when search words and spellings may not match exactly. The FSA considers the use of fuzzy matching to be good practice for firms using automated screening systems. However, if using fuzzy matching, firms should ensure the matching criteria they use are relevant and appropriate for the size and nature of their business. This will avoid generating large numbers of false positives (as explained below in “Treatment of potential target matches”).
Firms need to recognise in the systems and controls they put in place for ongoing screening that financial sanctions regimes change because of national and international political developments and names are added to (and removed from) the HMT list.
The FSA review refers to paragraph 5.3.42 of the JMLSG Guidance 2007 which states:
“All firms to whom this guidance applies, therefore, whether or not they are FSA regulated or subject to the ML Regulations, will need either:
- for manual checking: to register with the HM Treasury update service (directly or via a third party, such as a trade association); or
- if checking is automated, to ensure that relevant software includes checks against the relevant list and that this list is up to date.”
Flagging systems need to be robust enough so the flags raised when a target match comes up are prominent enough to be clearly identified. Otherwise there is a risk that staff may miss the flag and process transactions or provide a service to a target on the HMT list. FSA review highlighted as an example of good practice instances where firms had controls that would not allow staff to deal with flagged individuals and entities unless authorised by the compliance department. This practice brings in a second line of defence that could not be overridden and reduces the risk of a breach of UK financial sanctions.
Treatment of potential target matches
A match found during screening does not necessarily mean the firm is dealing with an actual target on the HMT list. The HMT defines a target match as follows:
“A target match is where you are satisfied that the account held is that of the target of the financial sanctions. A name match is where you have matched the name of an account holder with the name of a target included on HM Treasury’s consolidated list. This does not necessarily mean that the account holder is one and the same as the target”.
HMT requires that, if a firm finds an actual target match or freezes an account because of suspicion that an individual or entity is acting on behalf of a listed individual or entity, the firm must report the matter, as soon as reasonably practicable, to HMT’s Asset Freezing Unit (AFU).
Firms should therefore have appropriate systems and controls:
- to enable investigation of a potential target match to decide if it is a actual target on the HMT list; and
- for freezing/blocking accounts.
Firms should also have clear internal and external reporting processes for reporting actual target matches to HMT as soon as reasonably practicable. It is good practice for firms to ensure there is a clear rationale for deciding that a potential target match is a false positive and to document this.
Most listed individuals and entities are aware that they are on the HMT list, which is publicly available. The financial sanctions regime is legally distinct from the anti-money laundering regime under POCA. It is unlikely that freezing funds subject to a financial sanctions order, would be POCA tipping off. However, firms should be aware that in certain cases there may be some cross-over between the two regimes and they should seek legal advice if in any doubt about whether tipping-off issues arise in any particular case.
FSA stated that among the firms they surveyed they found various misconceptions about the UK financial sanctions regime including:
- firms who believed they were somehow exempt from the financial sanctions regime if they processed only low value transactions – there is no minimum limit;
- firms who believed that individuals and entities on the list were all based overseas. There are some UK-based individuals and entities on the list;
- firms, particularly small firms, who believed financial sanctions screening was not necessary as they did not hold client money, did not make payments or dealt in products they assessed as low risk for financial crime. This is not the case. Under the Terrorism Order11 the prohibition extends to financial services as well as funds. Firms need to be careful when including product risk in their risk-based approach;
- firms, including one major retail firm, that failed to understand the difference between financial sanction targets and politically exposed persons (PEPs). Most PEPs are not the subject of financial sanctions (although they may be);
- firms who believed that insurance is a no or low risk area for financial sanctions and others who believed that UK financial sanctions did not apply to insurance. In fact the Terrorism Order bans providing financial services, including insurance, to a target on the HMT list. HMT also runs a licensing regime;
- there is a misconception among some small firms that checks carried out for AML purposes will cover sanctions checks. Checking client identity will not ensure the individual is not on the HMT list. Only screening against the HMT list will cover the possibility;
- firms who believed they cannot freeze funds of sanctioned individuals because it may be “tipping off” (discussed above);
- some small firms who believed that Financial Sanctions was a form of FSA enforcement action. They did not appreciate it is HMT that implements, administers and enforces the regime.
The UK financial sanctions regime applies to everyone in the UK, whether an individual or not and irrespective of their business. Authorised firms are also subject to regulatory requirements. FSA expects firms to take a proportionate, risk-based approach when assessing where and how financial sanctions breaches (or any other financial crime risks) are likely to occur, and to focus resources and tailor systems and controls accordingly. However, firms should be able to show why their approach is appropriate and sufficient.
FSA has taken action against firms over the past year for failings in systems and controls that led to firms being exposed to the risk of money laundering or bribery and corruption. This latest review should warn firms to review their sanctions controls so they are confident they can justify their approach.
This article originally appeared in Financial Regulation International