Last month the FCA published a report on the findings of its recent review of sanctions systems and controls in over 90 financial services firms. The review found that, while many firms have made significant improvements in their compliance with the sanctions regime since the Russian invasion of Ukraine, there are still a number of weaknesses that need to be addressed.
FCA concerns
One of the main FCA concerns is that senior management in some cases was not sufficiently aware of the risks posed by sanctions breaches, and that there was a lack of clear ownership of sanctions compliance within firms. Governance issues have long been flagged by the FCA, not least in the Dear CEO letter outlining priorities for payments firms, so this is clearly an area that should be at the forefront of the agenda of all firms within the FCA’s regulatory and supervisory scope.
The report highlighted a number of areas where firms need to strengthen their sanctions compliance, including:
- Governance and oversight: Senior management must understand and actively oversee sanctions programmes. They must ensure they are receiving and reviewing appropriate management information based on smart metrics.
- Global firms: Global firms need to ensure they comply with UK regulations, not (for example) just implement US programmes globally. One size does not fit all.
- Customer Due Diligence (CDD) and 'Know Your Customer' (KYC): The FCA was concerned with the extent of poor-quality CDD and KYC assessments which increased the risk of firms not being able to identify sanctioned individuals.
- Sanctions screening tools: Sanctions screening tools must be properly calibrated, e.g. they should screen the right lists, include fuzzy logic, re-screen at appropriate frequencies and not generate too many false alerts.
- Skills and resources: Firms must have adequate skills and resources with regard to compliance personnel. It is important that firms are properly resourced to avoid backlogs in dealing with sanctions alerts and to enable a quick reaction to sanctions risks.
- Escalation and reporting: Firms must ensure there is appropriate and prompt escalation and reporting both internally and externally. It is important to note that the FCA expects firms that know, or have reasonable cause to suspect, a breach of financial sanctions to report it to the Office of Financial Sanctions Implementation (OFSI) along with a notification to the FCA.
The FCA has warned that if firms fail to comply with sanctions regulations, they could face enforcement action, including fines and criminal prosecution. The report also noted that the sanctions landscape is constantly evolving, so firms need to be prepared to adapt their compliance programmes accordingly.
What actions should firms take?
The UK authorities expect firms to do their part to support the UK's sanctions regime and to cut off financial support to those who are undermining Ukraine's sovereignty and territorial integrity. The FCA's report provides a valuable roadmap to achieve just that.
In addition to the steps outlined in the FCA's report, firms can also take the following steps to improve their sanctions compliance:
- Conduct regular independent testing of their sanctions systems and controls;
- Conduct regular training for staff on sanctions regulations;
- Implement a whistleblowing policy to encourage staff to report any suspected sanctions violations;
- Monitor the sanctions landscape closely and make changes to compliance programmes as needed; and
- Work with other firms and industry bodies to share best practices.
The publication of the FCA's review is a timely reminder of the importance of sanctions compliance. Sanctions against Russia are still at the top of the UK agenda and, given the risks posed by sanctions breaches, firms need to take steps to ensure that they have robust systems and controls in place to mitigate those risks.
Remember that the UK authorities are determined to take enforcement action for sanctions violations, no matter how small. Recently the OFSI used its Power of Disclosure against Wise for a suspected breach, a withdrawal valued at 250 pounds. At Cosegic, we are experienced in assisting firms with their ongoing sanctions obligations. If your firm needs support, please do get in contact; we would be happy to help.