OFSI takes sanctions enforcement action and updates guidance
On 31 August 2023, OFSI published a Disclosure Notice containing details of a breach of the Russia (Sanctions) (EU Exit) Regulations 2019 (the "Russia Regulations").
The Disclosure Notice was published in relation to a breach of the Russia Regulations committed by Wise Payments Limited. The breach resulted from a cash withdrawal of £250 using a debit card associated with a business account which was held by a company owned or controlled by a person designated under the Russia Regulations. In permitting the withdrawal, Wise made funds available to a company owned or controlled by a designated person.
The cash withdrawal was made on 30 June 2022 using a debit card held in the name of a designated person. The designated person had been designated a day earlier, on 29 June 2022. Wise self-reported the suspected breach to OFSI less than a month later, on 20 July 2022.
In the Disclosure Notice, OFSI explains that it considered the breach to be "moderately severe" and sufficiently serious to warrant publication of a disclosure notice, although not serious enough to impose a monetary penalty.
The Disclosure Notice sets out the policy and procedures Wise had in place prior to the breach. Screening against OFSI's consolidated list using a third-party sanctions data provider was carried out on all customer details, including ultimate beneficial ownership/ directorship of a business account. In the event that the screening identified a potential sanctions match, an alert was generated, and the customer's account suspended. However, Wise's policy at the time was not to suspend use of any debit cards associated with the account until potential sanctions matches were reviewed and resolved. This meant that when an alert was generated on Thursday 30 June 2022 in relation to the customer, the debit card was not blocked until the alert had been reviewed by Wise's specialist sanctions team on Monday 4 July 2022.
Wise was criticised by OFSI for its inappropriate policy surrounding debit card payments. In addition, a press release issued by OFSI Director Giles Thomson called out "a lack of resource at weekends to review sanctions alerts" which led to a material delay in restrictions being put in place. The press release also stated that "when a firm identifies a sanctions risk, it should take steps to fully address that risk by promptly restricting all forms of access to funds or economic resources".
OFSI recognised that there were mitigating factors in this case, including: the low value of the breach, the voluntary disclosure, complete cooperation with OFSI's requests for information, a lack of deliberate sanctions evasion, and remedial actions taken by Wise following the breach. The remedial actions included exiting the designated person as a customer, recruiting additional staff, and introducing weekend working for the specialist sanctions team. Wise also changed its policy with respect to debit cards.
This Disclosure Notice highlights the considerations that OFSI will take into account when determining the appropriate level of enforcement action and demonstrates OFSI's high expectations regarding appropriate policies and procedures.
Concurrently, OFSI took the opportunity to update its Enforcement and Monetary Penalty Guidance. Chapter 10 sets out OFSI's approach to publishing details of breaches of sanctions where no monetary penalty is imposed. The guidance states that cases which OFSI deems to be of moderate severity are likely to be dealt with via a disclosure if OFSI considers a warning letter would be too lenient, but a monetary penalty would be disproportionately punitive. Additional circumstances in which OFSI may deem a disclosure to be a fair and proportionate outcome include where there are valuable lessons to be learnt for industry, and where it is not in the public interest to issue a monetary penalty.
Section 3.3 of the Guidance states that lesser severity cases are likely to be dealt with via a private warning letter provided there are no significant aggravating factors, and the breach does not form part of a wider fact pattern. In the case of Wise, no aggravating factors are mentioned in the Disclosure Notice and there is no indication that the breach formed part of a wider fact pattern (unless of course Wise's debit card policy meant that further, as yet un-published, breaches also occurred). We therefore must assume that the decision to publish this Disclosure Notice was also based on OFSI's view that the case demonstrated valuable lessons for the industry.
OFSI's first published disclosure notice should be considered a warning to the financial services industry that OFSI has high expectations of the policies and procedures financial services companies should have in place to manage sanctions risk.
It also comes hot on the heels of a Notice to Exporters published by the Foreign, Commonwealth & Development Office on 23 August 2023 that an un-named UK company has been fined £1million by HM Revenue & Customs in relation to the unlicensed trade of goods in breach of the Russia Regulations. We suspect that these are indications of an increased level of enforcement action to come.
If you have any questions or comments on the topics covered in this blog post, please do not hesitate to get in touch.