Legal development

First OFSI enforcement action for breach of UK's Russia sanctions: a £250 cash withdrawal

Insight Hero Image

    On 31 August 2023, OFSI used its new disclosure enforcement powers for the first time to publish details of a breach of financial sanctions by Wise Payments, a UK fintech firm. Wise had allowed a customer to withdraw £250 in cash from a business account held by an entity owned or controlled by a person subject to Russian sanctions, the day after the individual became a Designated Person (DP). OFSI did not impose a civil monetary penalty, but despite the low value of the breach, OFSI deemed it to be "moderately severe" due to the inadequate systems and controls in place at the time of the breach.i

    This serves as a reminder to firms of the importance of having robust systems and controls in place. However, firms may also take some comfort from the mitigating factors which were applied by OFSI in this case. 

    Events Leading to the Breach

    The DP was added to the consolidated list on the morning of 29 June 2022 and Wise's third-party sanctions data provider added the DP to its sanctions list. Soon after, Wise's system raised an alert due to a possible match, leading to the suspension of the account and prevention of transfers into and out of the account. However, activity on the debit card associated with the account was not restricted while the potential match was being investigated, in line with Wise's policy at the time. 

    Early the next morning, an employee of the newly DP's company made a cash withdrawal of £250, meaning that Wise had made funds available to an entity owned or controlled by a DP. 

    Although the issue was reviewed and escalated to Wise's sanctions specialist team on the morning of Friday 1 July, the sanctions team did not operate on weekends so the escalation was not reviewed (and the card blocked) until the morning of Monday 4 July 2022. Wise then self-reported the breach to OFSI. 

    OFSI's First Enforcement Action

    This enforcement action is a first in many ways. 

    • It is the first use of OFSI's disclosure powers since they were brought in through the Economic Crime (Transparency and Enforcement) Act 2022. These powers allow OFSI to publish details of financial sanctions breaches where OFSI decides that the breaches are not serious enough to justify a civil monetary penalty.
    • It is the first enforcement action since strict liability for breach of financial sanctions was introduced in June 2022 (although this was not an issue in this case). 
    • It is also the first enforcement action by OFSI for a breach of financial sanctions under the UK's Russia regime since additional measures were imposed following Russia's invasion of Ukraine in February 2022.ii

    Key Takeaways

    1. Firms should carefully consider what steps are appropriate to manage their particular sanctions risk exposure. Systems and controls should be appropriate for a firm's particular circumstances. For example, sanctions screening and alert review functions should operate at weekends. In this case, Wise did not have staff working at weekends, and this led to a material delay.

    2. Firms should ensure that their sanctions screening solutions are calibrated appropriately.  Here, a high number of regular false positives meant that Wise's policy at the time was not to suspend the use of the debt card until potential sanctions profile matches were resolved. OFSI said that this was inappropriate.

    3. Despite the low value of the breach, this enforcement signals that OFSI is willing to take enforcement action and use its new disclosure powers to name and shame firms which breach financial sanctions, even where the value is low. OFSI has stated that although full disclosure was proportionate in this case, breaches of lesser severity can also be published where there is a useful compliance lesson to the industry, but OFSI will usually anonymise the party in breachiii. OFSI has updated Section 10 of its Enforcement and Monetary Penalty Guidance to provide further details on how it assesses the severity of breaches and how it intends to use its disclosure powers.iv

    4. Firms may take some comfort from the fact that OFSI considered a number of mitigating factors in this case, including:

    (a) The low value of the breach;

    (b) Wise's voluntary disclosure;

    (c) Complete disclosures made to OFSI by Wise in response to requests for information;

    (d) A lack of evidence of deliberate sanctions evasion; and

    (e) Remedial actions taken by Wise following the breach, including exiting the DP as a customer, recruiting additional staff, introducing weekend working of the specialist sanctions team and changes to its policy with respect to debit cards.

    5. It is also notable that HMRC – which enforces UK trade sanctions, while OFSI enforces UK financial sanctions - recently imposed a £1 million fine on a UK company in relation to the unlicensed trade of goods in breach of The Russian (Sanctions) (EU Exit) Regulations 2019. Although no details are available, this may signal an uptick in Russian sanctions enforcement across the board in the UK.

    Although a low value breach of this nature might seem a surprising choice for the first enforcement action for a breach of financial sanctions on Russia since the invasion, it would be unwise for firms to ignore the key lessons and reminders from this case. 

    To keep track of all the latest Russian sanctions developments, access our Russia Sanctions Tracker here.

     

    Co-Author: Yaeno Fernandez Amano, Trainee

     

    i. OFSI Publication of a Report – Wise Payments Limited
    ii. Enforcement of financial sanctions, GOV UK
    iii. OFSI blog - OFSI uses disclosure power for the first time
    iv. OFSI Enforcement and Monetary Penalties for Breaches of Financial Sanctions

     

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.