Legal development

Thought for the Week: FCA review of sanctions systems and controls - the good, the bad and how to make sure it doesn't turn ugly


    The FCA expects financial services firms to have appropriate systems and controls to prevent a breach of UK sanctions. During 2022 and 2023, the FCA assessed the systems and controls of over 90 firms across a range of sectors using its own "Sanctions Screening Tool" (SST), alongside specific intelligence and reporting. The FCA published its key findings on 6 September 2023.

    The good

    • Firms which had carried out risk assessments / scenario planning in advance of the invasion were better-placed to cope with the increase in demand. Likewise, firms which have conducted lessons learned since the invasion will be better placed to address future escalations.
    • The FCA praised firms which could show that their sanctions screening tools had been calibrated to the specific risks the firm was exposed to, as well as having control mechanisms to measure the efficiency of their system thresholds and parameters, including sample testing and tuning. We think firms should also think about how to calibrate their tools to their particular risk tolerance.
    • Although most of the screening systems used fuzzy logic to identify name variations (which, in our view, is the bare minimum for any screening tool), firms should be continually looking to enhance their screening to identify sanctions evasion, which is an issue which has seen increasing focus over the past few months.

    The bad

    • Senior management were often given insufficient information about sanctions issues to enable them to discharge their responsibilities. Senior management need enough information to ensure that they understand the sanctions risks applicable to their firm.
    • The FCA highlighted the dangers of global policies which are not aligned to UK sanctions, and/or sanctions screening based outside the UK which was too focussed on, for example, US sanctions. This increases the risk of potential non-compliance where UK legislation differs from that in other jurisdictions.
    • Over-reliance on third party screening tools resulted in a lack of understanding of how screening tools worked. Even when screening tools are outsourced, firms need to ensure that they have the appropriate control and oversight to ensure effective calibration. In our experience, this requires specialist skills, and firms should look to build their in-house expertise so that they are in full control of their screening model, be able to continuously test it, and explain to regulators how and why their solutions are configured the way they are.
    • Many firms experienced significant backlogs in the assessment, escalation and reporting of alerts from name and payment screening. These backlogs often persisted for a significant time due to a lack of internal resource and governance issues. In our experience, inefficient processes and poor technology can be as much to blame.
    • The FCA found that screening tools were often not properly calibrated, meaning systems were either too sensitive (so generated high numbers of false positives) or not sensitive enough (so did not pick up designated persons – a particular challenge where names may be transposed from one alphabet to another, in a variety of forms). The FCA acknowledged that this is "a delicate balancing act", but emphasised the importance for a firm of understanding how its system works. In our experience, continuous testing for false positives and false negatives [1], together with effectiveness and efficiency tests, enables firms to calibrate this balance and target specific gaps.
    • The FCA called out backlogs in, and poor quality, customer due diligence (CDD) and know your customer (KYC) checks. Such checks should consider the full ownership structures of entities to ensure no breaches of sanctions requirements.
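    As an added illustration of the calibration trade-off described above (constructed example code, not from the FCA, Ashurst or any screening vendor), the following Python screens a small fictitious watchlist with a fuzzy matcher and counts false positives and false negatives at a range of thresholds, which is what above and below the line testing measures. The watchlist entries, the labelled sample names and the thresholds are all constructed.

```python
"""Above/below-the-line calibration of a fuzzy sanctions name screen (constructed example)."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictitious designated-persons list; not real sanctions entries.
WATCHLIST = ["Aleksandr Volkov", "Mariya Sokolova", "Hamid Al-Karim"]

# Constructed labelled sample: (screened name, is_a_true_hit), covering
# alternative transliterations, transposed token order, diacritics,
# punctuation variants and look-alike names that are NOT the listed person.
SAMPLE = [
    ("Aleksandr Volkov", True),      # exact
    ("Volkov Aleksandr", True),      # surname first
    ("Alexander Volkoff", True),     # alternative transliteration
    ("María Sokolová", True),        # diacritics
    ("Hamid Al Karim", True),        # punctuation variant
    ("Aleksandra Volkova", False),   # different (feminine) name form
    ("Hamid Karimi", False),
    ("Mario Sokolowski", False),
    ("John Smith", False),
]

def normalise(name: str) -> str:
    """Fold diacritics, lower-case, drop punctuation and sort tokens so that
    'Volkov Aleksandr' and 'Aleksandr Volkov' compare as equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z]+", folded.lower())))

def score(name: str, listed: str) -> float:
    """Similarity in [0, 1]; 1.0 only when the normalised forms are identical."""
    return SequenceMatcher(None, normalise(name), normalise(listed)).ratio()

def best_match(name: str) -> float:
    return max(score(name, entry) for entry in WATCHLIST)

def confusion(threshold: float) -> tuple[int, int]:
    """Alert when best score >= threshold; return (false_positives, false_negatives)."""
    fp = fn = 0
    for name, is_hit in SAMPLE:
        alerted = best_match(name) >= threshold
        if alerted and not is_hit:
            fp += 1          # above the line: alert that should not have fired
        if is_hit and not alerted:
            fn += 1          # below the line: designated person missed
    return fp, fn

def sweep(thresholds=(0.6, 0.7, 0.8, 0.9, 1.0)) -> dict[float, tuple[int, int]]:
    """Lower thresholds trade false negatives for false positives, and vice versa."""
    return {t: confusion(t) for t in thresholds}
```

Running `sweep()` shows the balance the FCA refers to: a very low threshold misses nothing but floods analysts with false positives, while an exact-match threshold misses the transliterated and accented variants entirely.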

    A number of the issues called out by the FCA (poor calibration, lack of skills and resources, and backlogs) were what led to the recently publicised sanctions breach by Wise Payments (read more here).

    Interestingly, the FCA did not refer to sanctions circumvention, despite other (European) authorities warning organisations to be vigilant for this. Regardless, financial institutions need to consider the role of their compliance testing/monitoring (beyond the sanctions screening) in managing their circumvention risk.

    And how to make sure it doesn't turn ugly: what should firms do?

    Firms should: 

    1. Ensure they notify the FCA where appropriate, whether (i) in parallel with a notification to OFSI (in accordance with the relevant sanctions regulations), or (ii) if a sanctions breach has resulted from a significant systems and controls failure (in line with Principle 11, SUP 15.3.8G(2) and Chapter 7 of the Financial Crime Guide).
    2. Continue to engage with the FCA's testing of firms’ sanctions screening systems and controls. Sanctions remains an area for supervisory focus for the FCA.
    3. Consider the FCA's findings against their own systems and controls, and take action where appropriate. This should involve evaluating existing processes and identifying any areas where those measures need strengthening. In particular, firms should continually review their systems, controls and in-house competencies to ensure that they remain aligned with the evolving sanctions landscape.

    By combining market-leading legal, risk advisory and technology capabilities, Ashurst is uniquely positioned to support clients in navigating these unprecedented sanctions compliance challenges. Our team can supplement robust legal advice with proportionate operational insights. Please contact any of the individuals below to find out how Ashurst's unique legal-led Risk Advisory team can help you navigate any of the issues outlined above.

    Authors: Tom Cummins, Partner; Sophie Law, Senior Associate; Matthew Russell, Partner; Joao Marques, Director; and Tristan Bramble, Executive.

    Footnotes

    1. Known as above and below the line testing.

    This is a joint publication from Ashurst LLP and Ashurst Risk Advisory LLP, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group. Ashurst Risk Advisory LLP services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services. For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.