FCA assesses the sanctions response of financial services firms to Russia’s invasion of Ukraine

On 6 September 2023, the FCA published* a summary of its findings on the adequacy of financial services firms’ sanctions systems and controls in the aftermath of Russia’s invasion of Ukraine. The FCA’s findings were mixed, with some good practice and numerous areas for improvement identified in the firms subject to review. The FCA intends that financial services firms should use the report as part of ongoing assessment and improvement of their sanctions systems and controls, taking remedial action where needed.

*Read the full report here.

The FCA’s Assessment

The FCA assessed whether firms within its regulatory scope are maintaining adequate systems and controls to mitigate the risk of breaching sanctions and facilitating sanctions evasion. The review was commissioned as part of the FCA’s intensified focus on sanctions in 2022 and 2023, following the unprecedented wave of UK sanctions restrictions introduced since February 2022. 

Acting on firm-specific intelligence and using its sanctions screening tool, the FCA assessed the sanctions systems and controls of over 90 firms in the banking, wealth management and insurance sectors to determine whether they are adequate and effective at addressing sanctions risk and appropriate to respond swiftly to changes to UK sanctions. 

The FCA’s Findings 

Good practices identified in the financial services industry include implementation of calibrated sanctions screening systems and a proactive approach towards sanctions risk assessment and scenario planning. 

The FCA indicated that this good practice can be cemented by firms conducting “lessons learned” exercises to analyse their sanctions response in the period since February 2022, which should in turn improve readiness to respond to any future events. 

The key failings that were identified in the report were:

• Insufficient management information being made available to senior management, which inhibited abilities to properly discharge responsibilities and make informed decisions 
• Global sanctions policies without a sufficient focus on the UK’s sanctions landscape and a lack of communication between global and regional sanctions teams, leading in some instances to a lack of awareness of UK sanctions risks 
• Over-reliance on sanctions screening tools without sufficient understanding as to the operation of these tools and how to calibrate them to the specific sanctions risks faced by the firm 
• A lack of contingency planning, which led to delays in introducing risk-mitigating measures in response to new UK sanctions restrictions 
• Insufficient resourcing of sanctions teams leading to backlogs and a lack of scope to respond effectively to new sanctions restrictions or conduct the requisite level of customer due diligence (CDD) or know your customer (KYC)
• Inconsistent reporting of sanctions breaches to the FCA, with some firms not investigating or reporting sanctions breaches and others delaying weeks or months between identifying a breach and submitting a report to the FCA

Follow-up Activities by the FCA

In conjunction with the report, the FCA has been in touch with firms identified as having areas for improvement in their sanctions systems and controls. In instances of serious misconduct, the FCA may intervene to impose business restrictions and take enforcement action where required.

In addition, the FCA has been engaging with governmental, industry and trade bodies to communicate its expectations on, and to increase awareness of, the requisite standard for sanctions systems and controls. 

Key Messages for Financial Services Firms

Going forward, the FCA suggests that firms within its regulatory scope should use the findings of the report as a basis to evaluate their approaches to identifying and assessing relevant sanctions risks with a view to improving measures to prevent sanctions breaches and evasion. 

In particular, regulated firms should review their existing policies and procedures on a periodic basis, and ensuring that:

• Compliance teams are adequately resourced and have access to the requisite, role-appropriate training 
• In cases where third party screening tools are used, that they are sufficiently tailored to the firm’s requirements. For example, ensuring that the UK and EU Consolidated Sanctions Lists are screened where the firm is subject to these jurisdictions, there is visibility as to any lag between designation of targets and updating of databases and discussion as to the screening settings (including employment of fuzzy logic)
• Communication between compliance personnel and senior-decision makers is regular and that information-flows are sufficient to ensure sanctions matters are resolved by senior management with the requisite level of context
• Record-keeping requirements around the sanctions screening and decision-making process are clear to all and complied with

In addition, if a potential sanctions breach is identified, it should be reported promptly to the FCA and the relevant governmental body (OFSI in the case of financial sanctions matters, HMRC in the case of trade sanctions matters). 

These steps should help to ensure that firms remain up to date and able to respond adequately to the changing sanctions landscape. Should you have any further questions as to best practices in the sanctions space, please reach out to one of the authors below or your usual contact at Clyde & Co.