On September 6, 2023, the UK’s Financial Conduct Authority (FCA), which is responsible for supervising regulated firms to help ensure they maintain adequate systems and controls to mitigate the risk of breaching sanctions and facilitating evasion, published the findings from its in-depth work assessing the sanctions systems and controls in over 90 UK financial services firms across a range of sectors. The aim of the review was to assess whether their systems and controls are:
- adequate and effective at addressing sanctions risk; and
- appropriate to respond swiftly to changes in UK sanctions regimes.
The FCA notes that in response to “the unprecedented size, scale, and complexity of sanctions imposed by the UK Government and international partners since Russia’s invasion of Ukraine,” it has further increased its focus on such systems and controls, and that “ensuring the firms [the FCA] regulates are effective in preventing financial crime, such as money laundering and sanctions evasion, remains a key priority.”
The review identified both examples of good practice adopted by regulated firms and a number of areas for improvement.
Good practices identified by the FCA
1. A proactive approach to risk management. Several firms took a proactive approach ahead of the Russian invasion of Ukraine by conducting a risk assessment of their exposure to Russia and scenario planning. The FCA found that such firms were better placed to respond when UK sanctions against Russia were subsequently brought in.
2. Effective sanctions screening systems. Several firms demonstrated that their sanctions screening tools are appropriately calibrated for the sanctions risks that they are exposed to. Further, some firms measure the effectiveness of their systems’ thresholds and parameters, adopting practices such as sample testing and tuning.
3. Appropriate tool calibration. Most firms have built so-called “fuzzy logic” into their sanctions screening systems. This ensures that minor variations in names will not result in sanctioned individuals going undetected.
Areas for improvement identified by the FCA
1. Governance and oversight:
- Senior management may lack oversight of sanctions risks. Some firms cannot demonstrate that they provide their senior management with sufficient information about the firm’s sanctions exposure. For example, some firms’ management information lacks basic metrics such as the number of sanctions alerts or the number of reports submitted to OFSI, which can lead to concerns that senior management are not able to understand the risks at the firm to aid effective decision-making and/or understand how the firm is performing.
- Global sanctions policies. Some firms may rely on global policies (for example, policies focused on U.S. sanctions) which may not address the specificities of UK sanctions regimes. This can increase the risk of UK sanctions breaches.
- Over-reliance on third party tools. Many firms lack understanding of how their sanctions screening tools were calibrated, which meant that they were unable to understand: whether they were screening against the correct lists; whether their systems were missing names that should be identified; and/or whether their systems were producing too many false positives. Ultimately, such firms will be unable to demonstrate that they are successfully managing their risk of breaching UK sanctions. Like any outsourced service, firms need to ensure that they have appropriate control and oversight of their sanctions screening controls.
- Contingency planning. Some firms are failing to engage in contingency planning and, consequently, may be slow to introduce risk-reducing measures when sanctions are brought in, such as seeking advice from legal counsel, enhancing escalation policies and procedures, or suspending payments to/from Russia.
2. Skills and resources. Many firms suffer from backlogs in the assessment, escalation, and reporting of sanctions alerts from the screening of names and payments, meaning they are not efficiently identifying, prioritising, and reporting potential breaches. This may result from such factors as resource constraints, a lack of governance and appropriate service-level agreements, and/or a lack of adequate internal expertise.
3. Screening capabilities. Some firms’ sanctions screening tools are inadequately calibrated, resulting in the tool being either overly sensitive (causing a high number of false positive alerts, which makes the review process unmanageable and inefficient) or not sensitive enough (meaning the system risks missing sanctioned individuals). Further, some firms are not monitoring how quickly screening providers update the lists that they screen against.
4. Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures. General findings of low-quality CDD and KYC assessments (e.g., failing to identify full ownership structures of entities) and backlogs are a concern to the FCA, as they increase the risk of firms breaching sanctions by failing to accurately identify sanctioned parties. Inadequate policies and procedures around CDD can lead to broader financial crime issues under the UK’s money laundering regime, which is another key focus for the FCA.
5. Reporting breaches to the FCA. Many firms are slow to notify the FCA of breaches of financial sanctions (in line with SUP 15 requirements): some take months to do so, while others fail to report the breach at all.
Potential next steps for FCA regulated financial services firms
1. Firms should review the FCA’s report in full and consider how its findings could apply to their own sanctions systems and controls. Where appropriate, they should actively take steps to address any potential gaps and strengthen the measures they currently have in place.
2. Firms should ensure they regularly evaluate their sanctions systems and controls, and are prepared to adapt their framework effectively to an ever-evolving sanctions landscape in order to align with new measures and requirements that may be implemented.
3. As part of general housekeeping, firms should review the FCA’s Financial Crime Guide (in particular Chapter 7) and SYSC 6.3 of the FCA’s Handbook to understand their responsibilities under the UK’s money laundering regime and ensure their policies and procedures are fit for purpose. The FCA highlighted its focus on financial crime risk in a recent speech emphasising the importance of risk calibration in this area. This is in addition to the FCA’s expectation of compliance with all UK sanctions regimes as well as relevant sanctions guidance such as OFSI’s General Guidance for Financial Sanctions and relevant guidance issued by the Joint Money Laundering Steering Group.
4. The FCA also expects firms to be prepared to engage with the FCA regarding its testing of firms’ sanctions screening systems and controls.