Key messages from the FCA on sanctions compliance and controls

The FCA has indicated its focus on sanctions compliance and control measures in the UK regulated sector on a number of occasions since February 2022. That focus continues with the FCA publishing a “good and poor practice” notice deriving from its assessments of financial sanctions systems and controls in regulated firms.

This notice is a timely reminder for firms to revisit their controls frameworks and address the weaknesses that the FCA has identified, so as to mitigate the risk of supervisory intervention and enforcement as well as civil and criminal penalties and reputational harm arising from sanctions issues.

Here are the key points as well as important areas for your focus when assessing your own controls.

Weaknesses identified by FCA in a range of firms

1. Governance and oversight

The FCA found that in a number of instances senior management were not given enough MI to discharge their sanctions compliance obligations. This was so especially in multinational businesses.

The FCA emphasised that it expects senior management (including SMFs) to exercise appropriate oversight, including quantitative and qualitative MI, to understand the sanctions risks that impact their firms and the measures taken to mitigate them. If those holding SMFs fail to do so, they are exposed to meaningful regulatory risk.

The FCA also flagged concerns about:

• Reliance on global sanctions policies (primarily focussed on US sanctions concerns) which don’t take into account the specifics of the UK sanctions regimes, and associated concerns about a lack of familiarity with the UK sanctions regime.
• Reliance on automated sanctions screening tools operated by third parties without appropriate knowledge on the part of regulated firms as to calibration and operation of the screening lists.
• In some instances, a lack of contingency planning in advance of Russia’s invasion of Ukraine.

2. Skills and resources

The FCA raised concerns about failings in screening capabilities, CDD and KYC. The FCA is focused on effective calibration of screening systems to avoid either excessive hits and manual review, or omissions from alerting. Firms should discuss this with third party screening providers.

CDD and KYC are a perennial concern in financial crime controls more broadly but are particularly important for understanding ownership and control of entities so as to accurately assess if they may be subject to UK sanctions.

3. Breach reporting to the FCA

The FCA flagged regulated firms’:

• Obligation to report dealings with designated persons, frozen assets and breaches of sanctions to the Office of Financial Sanctions Implementation (OFSI) – the FCA expects you to provide any such report to the FCA too.
• Potential standalone reporting obligations for sanctions breaches or near misses if these evidence a significant failure in systems or controls.

The FCA noted variance in approaches to reporting breaches and that, while it is appropriate to investigate a breach to permit informative reporting to the FCA, reporting should be done in a timely way. It may be appropriate to make an initial report upon discovery and follow up with further details when known.

Recommendations for addressing weaknesses

The FCA’s expectations for regulated firms are set out in its notice and come through in the above areas of weakness. You might consider:

• Ensuring that adequate information around sanctions screening and compliance is made available to senior management, and that it is scrutinised and tested appropriately.
• Contingency planning for future sanctions in anticipation of potential future geopolitical challenges. A “lessons learned” exercise evaluating your firm’s response to the imposition of sanctions on Russia after February 2022 may be helpful here.
• Having a conversation with third party screening providers to ensure that your firm understands what – and what is not – being done in your screening. Topics for discussion can include:
• Jurisdictions and regimes covered.
• Ownership / control tests being applied.
• Sectoral sanctions screening.
• Timescales for list updates.