OFSI Demonstrates Willingness To Pursue UK Sanctions Violations, No Matter How Small, In First “Disclosure” Enforcement Action – Financial Services
On 31 August 2023, HM Treasury’s Office of Financial
Sanctions Implementation (OFSI) used its power for
the first time to publish a report about a violation of sanctions
by a company, Wise Payments Limited (Wise),
without also imposing a civil monetary penalty on the company
– what OFSI calls a “Disclosure”. Wise, a regulated
UK fintech company, violated sanctions by making funds available to
a company owned or controlled by a UK sanctions target in
contravention of UK sanctions against Russia.
The root cause of the violation was a deficiency in the
company’s systems and controls: Wise’s policy at the time
permitted its customer (which was subject to UK asset freeze
restrictions) to withdraw £250 from a business account via a
debit card while a potential sanctions match was being
investigated. This case illustrates that a violation of UK
sanctions, no matter how small, may still attract enforcement
attention from OFSI, and also offers some insight into some of the
factors OFSI might consider in assessing the adequacy of a
company’s systems and controls.
Background: OFSI’s Disclosure Enforcement Powers
As part of OFSI’s expanded enforcement toolkit, in 2022 OFSI
was granted the power to publish reports of financial sanctions
breaches even in cases where OFSI determines that a breach is not
serious enough to justify imposing a civil monetary penalty
(Disclosures).1 OFSI categorises enforcement cases as
being of lesser severity, moderate severity, or serious enough to
justify imposition of a civil monetary penalty. OFSI’s guidance
on civil monetary penalties states that cases of moderate severity
are likely to be dealt with by way of a Disclosure if OFSI
determines that an administrative warning letter would be too
lenient, but that a civil monetary penalty would be
disproportionately punitive. In such cases, the offender will be
identified. The guidance also indicates that Disclosures may be
used in cases of lesser severity, in which case the offender will
not normally be identified.2
As well as being used as a punitive measure, the OFSI guidance
further states that a Disclosure may be deemed a fair and
proportionate outcome where (i) there are valuable lessons to be
learnt for industry; and (ii) exceptionally, where it is not in the
public interest to issue a monetary penalty.3
Wise Payments
According to OFSI’s 31 August Disclosure, this case relates
to a cash withdrawal made from a business account with Wise held by
a company owned or controlled by a designated person under the
Russia Regulations (the Designated Person).
Notably, the Designated Person is not identified – the
abovementioned OFSI guidance states that Disclosures will identify
the relevant designated person “unless there are strong
reasons not to”, including for data protection reasons.
The Designated Person was designated on 29 June 2022. The
following day, a £250 cash withdrawal was made from the
account by an employee of the Designated Person’s company using
a debit card in the name of the Designated Person.
At the time of the withdrawal, Wise’s internal policies
mandated that all customer details be screened against the UK
sanctions list and that a customer’s account be suspended in
the event of a potential sanctions match. However, Wise’s
policy allowed customers to retain use of their debit cards until a
potential match was confirmed as a true match by Wise’s
specialist sanctions team. The Disclosure notes that Wise explained
to OFSI that the policy was in place because of a high number of
false positive sanctions alerts and was therefore intended to balance
the company’s regulatory requirements to treat customers fairly
with its obligations to comply with sanctions.
At the time of the withdrawal, Wise’s screening system had
identified the Designated Person (who had only been sanctioned
approximately 20 hours before), and the account had been suspended,
but it was still possible to make a withdrawal using the debit
card. The matter was not closed by the sanctions team until some
days later, in part because this team did not work at weekends, and
it was only then that the debit card was blocked.
Despite the low value of the breach, OFSI considered that
Wise’s systems and controls, specifically its policy
surrounding debit card payments, were inappropriate. This factor
made the case “moderately severe,” as it enabled funds to
be made available to a company owned or controlled by the
Designated Person. That said, OFSI recognised a number of
mitigating factors in this case, including:
- the low value of the breach;
- the voluntary disclosure made by Wise and its cooperation with
OFSI’s enquiries;
- a lack of evidence of deliberate sanctions evasion; and
- remedial actions taken by Wise following the breach, including
exiting the Designated Person as a customer, updating its policy so
that both an account and associated cards are immediately blocked
pending sanctions review, recruiting additional staff and
introducing weekend working for the specialist sanctions team.
Key Learnings
1. A violation of UK sanctions, no matter how small, may
still attract enforcement attention from OFSI.
This is not the first OFSI enforcement action to relate to a
low-value breach: OFSI’s first two enforcement cases in 2019
(which were connected) against Raphaels Bank and Travelex (UK) Ltd
respectively, related to a failure by Raphaels Bank to freeze a
payment of approximately £200.4 It is notable that
these cases involved a similar amount of money to the Wise case, and
also that Raphaels Bank (but not, it appears, Travelex) made a
disclosure to OFSI, for which it received a discounted penalty.
In the Wise case, OFSI acknowledged the “low breach
value” of £250 and determined that Disclosure was the
“appropriate and proportionate” enforcement response. In
the Disclosure, OFSI highlighted that Wise’s policy was
“inappropriate” in managing sanctions risk and that the
lack of staff availability over a weekend led to a “material
delay” in the debit card being blocked. Ultimately, this
enabled funds to be made available to an entity that was owned or
controlled by a UK assets freeze target.
From a compliance perspective, companies should note that a
violation of UK sanctions, no matter how small, may still attract
enforcement attention from OFSI. Therefore, it is important to take
steps to review and enhance (where appropriate) a company’s
sanctions compliance programme to ensure that it remains effective
at ensuring and maintaining compliance with UK sanctions, as well
as at identifying potential breaches so that they can be disclosed
to OFSI, where appropriate.
2. OFSI again demonstrates the value of voluntary
disclosure and remedial action.
OFSI guidance is clear in stating that voluntary disclosure,
among other things, may act as a mitigating factor in assessing a
breach of UK sanctions. In this case, the Disclosure expressly
referred to voluntary disclosure, the completeness of disclosures
made by Wise, and a number of remedial actions taken by Wise
subsequent to the breach as relevant mitigating factors in its
assessment. While it is not possible to predict OFSI’s
assessment absent these mitigating factors, given the emphasis on
these factors in the Disclosure, we expect that a Disclosure-only
enforcement action would have been much less likely had Wise not
made a voluntary disclosure and taken remedial actions.
3. Sanctions compliance policies and processes should
“fully address” sanctions risks.
OFSI considered that Wise’s systems and controls were
inappropriate, focusing on the Designated Person’s ability to
access funds even days following his or her designation
and the delay in the review by the specialist sanctions team, which
was in part occasioned by the lack of weekend availability.
Separately, OFSI stated inter alia that this case
demonstrates that firms should (i) carefully consider what
resourcing is appropriate to manage sanctions risks exposure; (ii)
take steps to “fully address” sanctions risks by
“promptly restricting all forms of access to funds or economic
resources”; and (iii) maintain “proportionate sanctions
screening and alert review functions” whenever business is
being conducted.5 OFSI did not suggest that
“balancing” sanctions compliance against customer service
or other concerns was appropriate.
Subsequent to this enforcement action, on 7 September 2023 the
UK’s Financial Conduct Authority (FCA)
published a review of sanctions systems and controls in place in
more than 90 financial services firms.6 Among other
things, the review found that (i) governance and oversight needed
to be improved in many firms, (ii) there was an over-reliance on
third party screening tools, and (iii) in some firms, global
policies were not aligned with the UK sanctions regime.
Footnotes
1. Section 56 of the Economic Crime
(Transparency and Enforcement) Act 2022 grants OFSI the power to
publish reports.
2. Chapter 10, OFSI enforcement and monetary penalties
for breaches of financial sanctions, OFSI, August 2023, available
at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1181296/Monetary_Penalty_and_Enforcement_Guidance__Aug_2023_.pdf.
3. Ibid.
4. What can we learn from OFSI’s first civil
monetary penalty? Available at: https://www.mayerbrown.com/en/perspectives-events/publications/2019/03/what-learn-from-ofsi-first-civil-monetary-penalty;
OFSI’s Penalty Against Travelex – More than Meets the
Eye, available at: https://www.mayerbrown.com/en/perspectives-events/publications/2019/06/ofsis-penalty-against-travelex-more-than-meets-the-eye.
5. OFSI uses disclosure power for first time, OFSI blog,
31 August 2023, available at:
https://ofsi.blog.gov.uk/2023/08/31/ofsi-uses-disclosure-power-for-first-time/
6. Sanctions systems and controls: firms’ response to
increased sanctions due to Russia’s invasion of Ukraine, FCA, 6
September 2023, available at: https://www.fca.org.uk/publications/good-and-poor-practice/sanctions-systems-and-controls-firms-response-increased-sanctions-due-russias-invasion-ukraine#:~:text=The%20FCA%20is%20responsible%20for,intensified%20our%20focus%20on%20sanctions
Originally published 14 September 2023.