The UK’s Office of Financial Sanctions Implementation (OFSI) announced on 24 May that it had levied its second-ever civil monetary penalty, against Travelex (UK) Ltd. in the amount of £10,000. This enforcement action is related to OFSI’s previous (and first) civil monetary penalty of £5,000 against Raphaels Bank in January of this year, which we previously reported on. Whilst the amounts involved are not large and the facts are relatively straightforward, like a Magic Eye picture these cases yield useful insights, if you stare at them hard enough.
OFSI found that Raphaels Bank violated asset freeze restrictions by dealing in £200 belonging to an individual designated under sanctions relating to Egypt. OFSI determined that £10,000 was an appropriate penalty but discounted this by 50% because Raphaels Bank disclosed the violation and co-operated with the investigation. 50% is the maximum discount for "serious" cases, dropping to 30% for "most serious" cases (OFSI will not issue a civil monetary penalty if it regards a case as less than "serious").
The action against Travelex appears to relate to the same individual and transaction as the Raphaels Bank matter. Both Travelex and Raphaels Bank had access to the passport of the individual, and Travelex also met them in person. However, in Travelex’s case no discount was applied for voluntary disclosure, and it was hit with the full £10,000.
Keeping your disclosure "voluntary"
It is not a requirement that OFSI receive a disclosure before it learns about the matter from another source for it to be "voluntary". Whilst OFSI considers the facts and timing of each investigation, "The mere fact that another party has disclosed first will not necessarily lead to the conclusion that later disclosure has any lesser value" [1]. Furthermore, a disclosing party will have “automatic access” to a reduction once they affirm that their disclosure is materially complete [2]. That said, OFSI does "expect breaches to be disclosed in a timely fashion, as soon as reasonably practicable after discovery of the breach" [3].
We do not know whether Travelex failed to disclose at all, or whether it made a disclosure that was somehow deficient. It may be that OFSI mandated disclosure by Travelex using its statutory powers, as a result of learning about the breach from Raphaels Bank.
Corporates in particular should bear in mind that banks and other regulated entities have express obligations under UK financial sanctions regulations to report suspected violations of asset freezes. Banks tend to have streamlined reporting processes due to the frequency with which they make regulatory reports, and so banks often report to OFSI long before their corporate client has investigated the matter.
It is possible then that a party could get a discount even if OFSI is aware of the issue before they disclose to OFSI. This is somewhat different to the position of the US Office of Foreign Assets Control (OFAC). OFAC's guidance specifically defines a voluntary disclosure as a "…self-initiated notification to OFAC of an apparent violation…prior to or at the same time that OFAC, or any other federal, state, or local government agency or official, discovers the apparent violation or another substantially similar apparent violation" [4].
That said, a company does not want to be waiting for OFSI to knock on its door. OFSI recognises that a party may need some time to assess a potential violation and possibly take legal advice, and does not believe there should be any conflict between timeliness and making sure that a disclosure is materially complete. Therefore, where full disclosure is not possible in the first instance, OFSI recommends making an early disclosure with partial information, subject to making a full disclosure as soon as possible.
The moral that OFSI draws from these cases is that “Companies should take care to make sure they carry out appropriate financial sanctions screening or checks, and act on the results in the correct way.” This will not be news to any company that takes its responsibilities under financial sanctions seriously. What OFSI have not made clear, however, is the root cause of these violations.
For any party investigating a potential violation with a view to making a disclosure, it is essential to find out why the violation occurred. Only then will it be possible to devise corrective actions that effectively remediate the problem and prevent the same violation from occurring again in future. It is all too easy, especially under time pressure, to conduct a shallow analysis that only looks at the immediate cause of the violation, and not the underlying causes. In particular, attributing a violation to "human error" often (though not always) indicates a superficial analysis. If a human made an error, why did they make an error: insufficient training, an unclear procedure, a poorly designed tool?
In the case of Travelex and Raphaels Bank, the problem appears to have been that they had access to information about the designated person, which ought to have led them to freeze the funds at issue, but failed to do so. It is not clear whether they failed to screen the passport information, or whether they did screen it but then failed to take appropriate action. But even if they failed to screen it, and so did not know that they were dealing with a designated person, this sort of ignorance is not an excuse as far as OFSI is concerned. OFSI takes the view [5] that the list of sanctioned persons is publicly available, and therefore if a company fails to conduct appropriate screening and deals with a designated person, it effectively has "reasonable cause to suspect" that it is in possession of or dealing with the assets of a designated person.
Travelex and Raphaels Bank should have asked themselves (not to say that they haven't) why either the individual was not screened or appropriate action was not taken. Was there some deficiency in the screening or escalation procedures, perhaps in relation to individuals physically located in the UK? Or if the procedures were sufficient, why were they not followed by the relevant employees? Was there a lack of training? Was it unclear who was responsible for what under the procedures? Was there a lack of attention because of the small value of the transaction? It is imperative to conduct a searching analysis of what has gone wrong.
OFAC typically provides more illumination about the root causes of the violation in its published information about enforcement actions. It has also provided a typology of root causes in its recently published "A Framework for OFAC Compliance Commitments", which is recommended reading for everyone concerned with sanctions compliance. This sort of information is extremely helpful for businesses (and their legal advisors!) and it is hoped that OFSI includes more of it in its published enforcement information going forwards.
A clear message
Notwithstanding the relatively low level of penalties in the Travelex and Raphaels Bank cases, these cases communicate OFSI's readiness to exercise its civil monetary penalty powers wherever this is appropriate, and not just on large cases. Moreover, the fact pattern they involve – compliance failures as opposed to deliberate breaches – will undoubtedly re-emerge, and may well be the dominant theme, in future OFSI enforcement actions, especially those involving banks and payment service providers, which have to deal with large volumes of transactions on a daily basis.
When companies do face compliance failures that may lead to voluntary disclosures, it is critical that they think through both the timing and the completeness of their disclosure, to preserve their entitlement to a discount from any penalty, and that they devote sufficient attention to what went wrong, so that it does not happen again in future.