An FCA assessment of sanctions compliance systems and controls in more than 90 firms across various UK sectors, including retail and wholesale banking, wealth management and insurance, used analytics-based and intelligence tools to proactively evaluate each firms’ ability to mitigate sanctions risks.
This comprehensive review underscores the critical importance of financial services firms' sanctions systems and controls in preventing financial crime, especially in light of the extensive sanctions imposed following the Ukraine crisis.
It is encouraging to see examples of good practice identified, such as proactive risk assessment and appropriate calibration of sanctions screening tools, but it is also clear that there's work to be done. Firms must heed the FCA’s findings, adapt swiftly, and engage with the FCA to enhance their sanctions readiness.
Notably, firms that had proactively prepared for potential sanctions prior to the Russian invasion of Ukraine in February 2022 demonstrated a more effective response to UK sanctions implementation. The ability to monitor and evaluate the efficacy of sanctions through management information was a pivotal factor, the FCA said, along with the alignment of sanctions reporting with UK regulations.
However, the regulator also found that some firms struggle to provide senior management with adequate information regarding their exposure to sanctions, relying on global sanctions policies that do not align with the UK's regime. While some firms demonstrated well-calibrated tools tailored to UK sanctions requirements, others relied excessively on third-party providers without sufficient oversight.
The review also found that resource allocation was a critical issue, with some sanctions teams understaffed and ill-equipped to prevent backlogs in handling sanctions alerts. The FCA said those firms with substantial backlogs face unacceptable risks of non-compliance with sanctions obligations.
Customer due diligence (CDD) and know your customer (KYC) procedures were also highlighted. The FCA reported instances of ineffective CDD and KYC assessments, which increase the risk of firms failing to identify sanctioned individuals or connected parties and corporate structures subject to sanctions. Furthermore, the regulator said the timeliness of reporting potential breaches or relevant sanctions information was inconsistent across firms.
A key theme emerging from the review showed that firms that anticipate the imposition of sanctions restrictions in response to “global events” are in a better position to assess exposure to risk.
An important aspect to mitigating financial sanctions risk is ensuring that data held by firms on customers, intermediaries, clients and service providers is current and comprehensive so that risk exposure can be assessed as and when sanctions are imposed.
This data should – on a risk-based basis – include the owners and controllers of corporate entities, so that sufficient sanctions screening can be conducted to identify entities caught by financial sanctions restrictions solely because of their ownership or control structure.
The FCA said it expects all regulated firms to consider the review’s findings seriously and to reassess their approach to identifying and mitigating sanctions risks, taking corrective measures where necessary.
Stacy Keen, Partner and compliance and sanctions expert at Pinsent Masons