We set out key findings from our assessments of sanctions systems and controls in financial services firms. We include examples of good practice and areas for improvement, to help firms deliver even greater compliance with sanctions.
Summary
Ensuring the firms we regulate are effective in preventing financial crime, such as money laundering and sanctions evasion, remains a key priority.
The unprecedented size, scale, and complexity of sanctions imposed by the UK Government and international partners since Russia’s invasion of Ukraine has further increased our focus on firms’ sanctions systems and controls.
We have been engaged in a substantial programme of work assessing the systems and controls relating to sanctions compliance for over 90 firms across a range of sectors. This has involved proactive assessments of firms’ controls, using a new analytics-based tool, as well as the use of specific intelligence and reporting.
Our work has identified examples of both good practice and areas for improvement under 5 key themes:
- Governance and oversight: Firms that had undertaken advance planning for possible sanctions before February 2022 were in a better position to implement UK sanctions at speed. The ability to monitor and review the effectiveness of sanctions implementation through management information (MI) is important, as is ensuring that sanctions reporting is calibrated to the UK regime. Some firms are still not able to show that they are providing senior management with sufficient information about their exposure to sanctions or are reliant on global sanctions policies which are not aligned with the UK sanctions regimes. In these cases we expect improvements to be made.
- Skills and resources: Sanctions teams need to be properly resourced to avoid backlogs in dealing with sanctions alerts and enable a quick reaction to sanctions risks. Some firms still lack adequate resources to ensure effective sanctions screening. Firms that have significant backlogs are at greater risk of non-compliance with sanctions obligations.
- Screening capabilities: Sanctions screening tools need to be adequately calibrated and include the necessary requirements under the UK regime. We found that certain firms demonstrated their sanctions screening tools were properly calibrated. However, we also saw poorly calibrated or tailored screening tools, with some firms also too reliant on third party providers with ineffective oversight over them. Screening tools, whether developed by firms or from third party providers, will be more effective if they are appropriate for the UK sanctions regime and calibrated to the risks faced by a firm.
- Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures: Effective CDD and KYC are a cornerstone of effective compliance with sanctions requirements. We have continued to find instances of low quality CDD and KYC assessments and backlogs. This can increase the risk of firms not identifying sanctioned individuals, for example through a failure to identify connected parties or corporate structures that are sanctioned.
- Reporting breaches to the FCA: We expect firms to make timely and accurate reporting to us on potential sanctions breaches. We found that the timeliness of reporting potential breaches or relevant sanctions information was inconsistent across firms.
We now expect firms to:
- Consider our findings, evaluate their approach to identifying and assessing sanctions risks, and take action where appropriate.
- Read our Financial Crime Guide[1] (in particular Chapter 7) and SYSC 6.3[2] of our Handbook, our Sanctions[3] webpages, and the guidance produced by the Joint Money Laundering Steering Group (JMLSG)[4].
- Engage with us in our testing of firms’ sanctions systems and controls, and report to us any significant deficiencies identified in such processes.
Why we are focusing on financial services firms’ sanctions systems and controls
We expect firms’ systems and controls to mitigate the risk of financial crime including the risk of financial sanctions evasion.
Since the Russian invasion of Ukraine in February 2022, the UK, together with international partners, introduced an unprecedented number of sanctions. It is important that financial services firms have appropriate systems and controls in place to prevent a breach of UK sanctions.
The Office of Financial Sanctions Implementation (OFSI) is responsible for implementing and enforcing financial sanctions in the UK. The FCA is responsible for supervising regulated firms to help ensure that they maintain adequate systems and controls to mitigate the risk of breaching sanctions and facilitating evasion.
Throughout 2022 and 2023, we have intensified our focus on sanctions. We have and will continue to work closely with OFSI and other key stakeholders on this key area.
The Office for Professional Body Anti-Money Laundering Supervision (OPBAS), housed within the FCA, has also worked with Professional Body Supervisors (PBSs) to help drive effective implementation of sanctions among the legal and accountancy sectors.
Who this applies to
This is relevant to all registered UK firms within the FCA’s regulatory and supervisory scope and is particularly targeted at Money Laundering Reporting Officers (MLROs), Nominated Officers and industry practitioners working in financial crime compliance roles. It is also relevant to the PBSs supervised by OPBAS.
What we did
We assessed the sanctions controls for over 90 firms across a range of sectors including retail banking, wholesale banking, wealth management, insurance, electronic money, and payments, to ensure firms’ financial sanctions systems and controls are:
- adequate and effective at addressing sanctions risk
- appropriate to respond swiftly to changes in UK sanctions regimes
We are achieving this by testing firms’ sanctions screening solutions, using our Sanctions Screening Tool (SST), and assessing firms’ controls to ensure they are robust and prevent firms from being used to breach or evade sanctions. SST is an analytics-based tool we have developed in-house. It objectively tests how effective firms are at identifying sanctioned individuals and entities using test data.
We are also acting on firm-specific intelligence received from multiple sources, including self-reporting by firms, and, where appropriate, following-up on this intelligence with firms directly.
Where we identify issues with firms' systems and controls, we are providing feedback to them and, in some circumstances, using regulatory tools to remedy issues. Tools may include, but are not limited to, the use of independent skilled persons and interventions such as imposing business restrictions on firms or enforcement action where serious misconduct is identified.
Other actions we have taken
In addition to our firm assessment work, we have communicated our expectations on sanctions systems and controls with firms and trade bodies, by writing to approximately 10,000 firms and professional bodies and publishing information on our website. This included our expectation that firms should also notify us of reports made to OFSI in line with their legal obligations.
To help improve standards, we are engaging with industry through direct communications and using other channels such as our website and events. Our aim is to set clear expectations and share common themes and issues, as well as feeding back findings from our assessments to wider industry, helping firms learn from what we have seen.
We are also working with partner agencies to enhance collaboration and exchange information.
Our ongoing actions include:
- publishing a joint statement on crypto-asset firms
- liaising with the Government about sanctions design and implementation
- developing and sharing intelligence
- developing and launching a dedicated sanctions reporting tool on our website
We have continued our dialogue with regulated firms through channels such as our MLRO forum to share details of our supervisory approach and our findings and to understand the challenges faced by firms.
Ultimately, our objective is to ensure UK financial services firms have robust sanctions systems and controls to make the UK inhospitable to sanctions evasion.
The role of OPBAS
Through roundtables and bilateral supervisory engagement, OPBAS ensured that PBSs quickly took appropriate steps to raise awareness and promote compliance with the financial sanctions regime within their supervised populations. PBSs responded positively, undertaking targeted sanctions work, thematic projects, and data collection, and issuing guidance and information to their supervised populations. There is scope to improve further sanctions risk monitoring as part of PBSs’ wider AML supervision and OPBAS will continue to work with stakeholders to look for opportunities to increase the flow of sanctions related information to PBSs. OPBAS will maintain their engagement with PBSs, OFSI, and other stakeholders to contribute to the effective implementation and enforcement of sanctions in the UK.
What we found
Good practice we identified
Proactive approach by firms to identify sanctions exposure to Russia
Several firms had conducted risk exposure assessments and scenario planning in advance of the Russian invasion of Ukraine. While the level of sanctions post invasion was unprecedented, we found that firms who conducted these exercises were better placed to manage the resulting demands. We consider this horizon scanning and scenario planning to be an important process for firms to adopt as part of their risk management procedures. It is also important that, where they have not done so already, firms conduct a ‘lessons learned’ exercise of their response to the Russian invasion of Ukraine to improve their readiness to respond to any future events.
Firms’ sanctions screening systems
We found that several firms were able to clearly articulate and show that their sanctions screening tools had been calibrated to ensure they were appropriate for the sanctions risks the firm was exposed to. They were also able to show the controls they had in place to measure the effectiveness of their sanctions systems thresholds and parameters which included, for example, sample testing and tuning. This helped firms to show the effectiveness of their sanctions screening capabilities and ensure risks within their business are being appropriately managed.
Tool calibration
Most firms we reviewed were able to show that their sanctions screening systems had fuzzy logic built into them to help identify name variations for sanctioned entities and individuals.
Firms should be continually seeking ways to enhance these systems to ensure that they are developing new ways to identify sanctions evasion.
Areas that need improvement
Governance and oversight
Senior management oversight of sanctions risks
We identified instances where senior management were not given sufficient MI to enable them to discharge their responsibilities appropriately. This included where multinational firms sought to rely upon systems and processes used in other jurisdictions. In one example, we identified that the firm demonstrated limited knowledge of the operation, configuration, and testing of a solution used in its wider group that was used to manage its sanctions risks in the UK. In another example, the firm had inadequate oversight and MI of the UK-related activities undertaken by globally run teams.
We have seen examples where the sanctions MI was limited and lacked basic metrics, for example, the number of sanctions alerts, number of alerts awaiting analysis, and reports submitted to OFSI. We also saw a lack of quantitative and qualitative MI to enable effective oversight, identification of risk, and trend analysis. This led to concerns that senior management were not able to understand the risks at the firm to aid effective decision making or understand how it was performing.
We look to firms’ senior management and, where applicable, those holding Senior Management Functions (SMFs) under the UK’s Senior Managers and Certification Regime, to have oversight of firms’ systems and controls to ensure compliance with UK sanctions. So it is important that senior management have appropriate MI to enable them to fulfil their responsibilities and allow them to understand the sanctions risks that are applicable to their firm.
Global sanctions policies
In some global firms, we saw evidence that global policies were not aligned with the UK sanctions regime. For example, some firms operating globally were focused on US sanctions and applied insufficient focus to the UK regime, particularly where firms’ sanctions controls were operated in global centres of excellence or service centres. We also found instances of poor communication between global and regional sanctions teams.
A lack of awareness on UK sanctions law, regulations, and guidance can increase the risk of potential non-compliance as UK legislation evolves and/or possibly diverges from that set by other authorities.
Over-reliance on third party sanctions screening tools
We saw several instances where firms lacked understanding of how their sanctions screening tools were calibrated and when lists were updated. This meant that firms were unable to understand whether:
- they were screening against the correct lists
- their systems were missing names that should be identified
- their systems were producing too many false positives
Ultimately, this resulted in firms not being able to show that they were adequately managing their risk of breaching sanctions appropriately. Like any outsourced service, firms need to ensure that they have appropriate control and oversight of their sanction screening controls. This could include regular testing and agreed internal service-level agreements (SLAs) for the time taken for lists to be updated following a designation.
Contingency planning
An important part of any risk management framework is appropriate contingency planning. While the level of sanctions issued by the UK Government following the Russian invasion of Ukraine was unprecedented, the potential risk of escalating tensions with Russia was known. We saw that firms who had conducted a risk assessment of their exposure to Russia and developed contingency plans were generally better placed to introduce risk reducing measures, ie, enhancing high-risk and prohibited country lists, enhancing escalation policies and procedures, seeking advice from legal counsel, revising thresholds, or suspending payments to/from Russia. We have also seen firms conducting lessons learned exercises on their response to the increased levels of sanctions and contingency planning for potential future events. This will put them in a better position should a future event or further escalation in sanctions occur.
Skills and resources
We identified that many firms had significant backlogs in the assessment, escalation, and reporting of alerts from the screening of names and payments. This affected firms’ ability to promptly identify and report exposures. These backlogs continued in some instances for a significant time due to a lack of appropriate resource.
While in many cases action had been taken to limit sanctions risk by blocking accounts or transactions at the point of alerting, we identified that resource strain in operational teams resulted in a lack of clarity on prioritisation of alerts. Increased volumes and pressure on sanctions teams can prevent firms from taking appropriate and timely action for true positive alerts and increase the risk of errors.
Often backlogs in alert disposition, escalation and reporting were compounded by a lack of governance and appropriate internal SLAs.
We also identified backlogs in ongoing due diligence reviews due to resource constraints.
Some firms did not have adequate internal expertise to ensure effective timely screening, with some firms having to rely on external legal or consulting resource.
Screening capabilities
During our assessment of firms' sanctions screening tools, we found that some firms showed effective control mechanisms to measure the efficiency of their system thresholds and parameters. This included practices like sample testing and tuning, which were highly encouraging.
However, there were instances where calibration had not been adequately tailored. This resulted in it either being too sensitive, causing a high number of false positive names (putting increased stretch on already busy teams, making the alert review process operationally inefficient and increasing the risk of errors), or not sensitive enough, meaning that even minor variations in names led to sanctioned individuals not being detected. This delicate balancing act shows the importance of firms understanding how their systems work and how they are calibrated.
Our testing of firms’ sanctions screening systems found that some firms' systems were unable to generate alerts against certain names on OFSI’s consolidated list of persons subject to sanctions, and some firms were unable to provide reasonable justification for the omissions.
We saw that the updating of lists to screen against is often not subject to SLAs and some firms are not monitoring how quickly they update their lists.
Customer Due Diligence (CDD) and Know Your Customer (KYC)
As well as backlogs in CDD and KYC assessments, created from the increased number of sanctions designations, we were concerned with the low quality of CDD and KYC assessments which increased the risk of firms not being able to identify sanctioned individuals. For example, CDD did not always articulate the full ownership structures of entities, leading to the risk that firms were unable to show that they were screening all relevant parties.
It is important that firms gather sufficient information and undertake sufficient KYC and CDD to ensure they are screening all relevant parties and do not breach relevant sanctions requirements.
Breach reporting to the FCA
Firms that know or have reasonable cause to suspect a breach of financial sanctions must report it to OFSI[5], and notify us[6] if: a person they are dealing with, directly or indirectly, is a designated person; they hold any frozen assets; and if they discover or suspect any breach while conducting their business.
Also, in line with Principle 11[7], SUP 15.3.8G(2)[8] and Chapter 7 of the Financial Crime Guide[1], firms must consider whether they need to notify us, for example, whether sanctions breaches resulted from a significant failure in their systems and controls.
We identified inconsistencies with regards to reporting with some firms taking weeks or even months from identifying a breach to reporting the issue to us.
Other firms fully investigated the breach and undertook remediation before informing us, whereas others failed entirely to report breaches to us.
Firms delaying breach reporting, or not reporting at all, undermines our ability to understand systems and controls issues as they occur and to work with firms to establish that those issues are being correctly remedied.
Next steps
Firms should continue to evaluate their approach to identifying and assessing the sanctions risks they are exposed to. They should actively strengthen their measures to prevent sanctions breaches and evasion, adapting to the evolving sanctions landscape and changing risk exposures. This is crucial in ensuring control frameworks remain effective and aligned with the current requirements.
Firms should read our Financial Crime Guide[9] (in particular Chapter 7), and SYSC 6.3[2] of our Handbook to understand their responsibilities under the Money Laundering Regulations (MLRs), in addition to our expectation of compliance with all UK regimes under the Sanctions and Anti-Money Laundering Act 2018[8], including the Russia (Sanctions) (EU Exit) Regulations 2019 (as amended)[9] and relevant guidance such as OFSI UK Financial Sanctions: general guidance[10] and the JMLSG guidance[11].
As next steps, you should:
- Consider how our findings could be applicable to your firm’s sanctions systems and controls and take steps to address where appropriate.
- See our Sanctions[3] webpages; these pages include our latest updates and details on how to report sanctions breaches to us.
- Be prepared to engage with us about our testing of firms’ sanctions screening systems and controls.
PBSs are encouraged to review our findings and look for opportunities to apply the recommendations within their own risk-based supervisory work.
We will continue our supervisory focus on sanctions with our objective of ensuring that firms have effective sanctions systems and controls. We will continue to refine our processes and look to develop and enhance our approach in line with developments in sanctions risks and issues.
We will continue to work closely with our partner agencies and industry to share information and coordinate where appropriate. Where we identify issues, we will seek out the root causes and ensure effective remediation, which could include the use of regulatory tools.