On 31 August 2023, HM Treasury's Office of Financial Sanctions Implementation (OFSI) used its power for the first time to publish a report about a violation of sanctions by a company, Wise Payments Limited (Wise), without also imposing a civil monetary penalty on the company – what OFSI calls a "Disclosure". Wise, a regulated UK fintech company, violated sanctions by making funds available to a company owned or controlled by a UK sanctions target in contravention of UK sanctions against Russia.
The root cause of the violation was a deficiency in the company’s systems and controls: Wise’s policy at the time permitted its customer (which was subject to UK asset freeze restrictions) to withdraw £250 from a business account via a debit card while a potential sanctions match was being investigated. This case illustrates that a violation of UK sanctions, no matter how small, may still attract enforcement attention from OFSI, and also offers some insight into some of the factors OFSI might consider in assessing the adequacy of a company’s systems and controls.
Background: OFSI’s Disclosure Enforcement Powers
As part of OFSI’s expanded enforcement toolkit, in 2022 OFSI was granted the power to publish reports of financial sanctions breaches even in cases where OFSI determines that a breach is not serious enough to justify imposing a civil monetary penalty (Disclosures).1 OFSI categorises enforcements cases as being of lesser severity, moderate severity, or serious enough to justify imposition of a civil monetary penalty. OFSI's guidance on civil monetary penalties states that cases of moderate severity are likely to be dealt with by way of a Disclosure if OFSI determines that an administrative warning letter would be too lenient, but that a civil monetary penalty would be disproportionately punitive. In such cases, the offender will be identified. The guidance also indicates that Disclosures may be used in cases of lesser severity, in which case the offender will not normally be identified.2
As well as being used as a punitive measure, the OFSI guidance further states that a Disclosure may be deemed a fair and proportionate outcome where (i) there are valuable lessons to be learnt for industry; and (ii) exceptionally, where it is not in the public interest to issue a monetary penalty.3
According to OFSI’s 31 August Disclosure, this case relates to a cash withdrawal made from a business account with Wise held by a company owned or controlled by a designated person under the Russia Regulations (the Designated Person). Notably, the Designated Person is not identified – the abovementioned OFSI guidance states the Disclosures will identify the relevant designated person "unless there are strong reasons not to", including for data protection reasons.
The Designated Person was designated on 29 June 2022. The following day, a £250 cash withdrawal was made from the account by an employee of the Designated Person's company using a debit card in the name of the Designated Person.
At the time of the withdrawal, Wise’s internal policies mandated that all customer details be screened against the UK sanctions list and that a customer’s account be suspended in the event of a potential sanctions match. However, Wise’s policy allowed customers to retain use of their debit cards until a potential match was confirmed as a true match by Wise’s specialist sanctions team. The Disclosure notes that Wise explained to OFSI that the policy was in place because of a high number of false positive sanctions alerts and was therefore intended balance the company’s regulatory requirements to treat customers fairly with its obligations to comply with sanctions.
At the time of the withdrawal, Wise's screening system had identified the Designated Person (who had only been sanctioned approximately 20 hours before), and the account had been suspended, but it was still possible to make a withdrawal using the debit card. The matter was not closed by the sanctions team until some days later, in part because this team did not work at weekends, and it was only then that the debit card was blocked.
Despite the low value of the breach, OFSI considered that Wise's systems and controls, specifically its policy surrounding debit card payments, were inappropriate. This factor made the case “moderately severe,” as it enabled funds to be made available to a company owned or controlled by the Designated Person. That said, OFSI recognised a number of mitigating factors in this case, including:
- the low value of the breach;
- the voluntary disclosure made by Wise and its cooperation with OFSI’s enquiries;
- a lack of evidence of deliberate sanctions evasion; and
- remedial actions taken by Wise following the breach, including exiting the Designated Person as a customer, updating its policy so that both an account and associated cards are immediately blocked pending sanctions review, recruiting additional staff and introducing weekend working for the specialist sanctions team.
1. A violation of UK sanctions, no matter how small, may still attract enforcement attention from OFSI.
This is not the first OFSI enforcement action to relate to a low-value breach: OFSI’s first two enforcement cases in 2019 (which were connected) against Raphaels Bank and Travelex (UK) Ltd respectively, related to a failure by Raphaels Bank to freeze a payment of approximately £200.4 It is notable that these case involved a similar amount of money to the Wise case, and also that Raphaels Bank (but not, it appears, Travelex) made a disclosure to OFSI, for which it received a discounted penalty.
In the Wise case, OFSI acknowledged the “low breach value” of £250 and determined that Disclosure was the “appropriate and proportionate” enforcement response. In the Disclosure, OFSI highlighted that Wise’s policy was “inappropriate” in managing sanctions risk and that the lack of staff availability over a weekend led to a “material delay” in the debit card being blocked. Ultimately, this enabled funds to be made available to an entity that was owned or controlled by a UK assets freeze target.
From a compliance perspective, companies should note that a violation of UK sanctions, no matter how small, may still attract enforcement attention from OFSI. Therefore, it is important to take steps to review and enhance (where appropriate) a company’s sanctions compliance programme to ensure that it remains effective at ensuring and maintaining compliance with UK sanctions, as well as at identifying potential breaches so that they can be disclosed to OFSI, where appropriate.
2. OFSI again demonstrates the value of voluntary disclosure and remedial action.
OFSI guidance is clear in stating that voluntary disclosure, among other things, may act as a mitigating factor in assessing a breach of UK sanctions. In this case, the Disclosure expressly referred to voluntary disclosure, the completeness of disclosures made by Wise, and a number of remedial actions taken by Wise subsequent to the breach as relevant mitigating factors in its assessment. While it is not possible to predict OFSI’s assessment absent these mitigating factors, given the emphasis on these factors in the Disclosure, we expect that a Disclosure-only enforcement action would have been much less likely had Wise not made a voluntary disclosure and taken remedial actions.
3. Sanctions compliance policies and processes should “fully address” sanctions risks.
OFSI considered that Wise’s systems and controls were inappropriate, focusing on the ability for the Designated Person to be able to access funds even days following his or her designation and the delay in the review by the specialist sanctions team, which was in part occasioned by the lack of weekend availability.
Separately, OFSI stated inter alia that this case demonstrates that firms should (i) carefully consider what resourcing is appropriate to manage sanctions risks exposure; (ii) take steps to “fully address” sanctions risks by "promptly restricting all forms of access to funds or economic resources”; and (iii) maintain “proportionate sanctions screening and alert review functions” whenever business is being conducted.5 OFSI did not suggest that “balancing” sanctions compliance against customer service or other concerns was appropriate.
Subsequent to this enforcement action, on 7 September 2023 the UK’s Financial Conduct Authority (FCA) published a review of sanctions systems and controls in place in more than 90 financial services firms.6 Among other things, the review found that (i) governance and oversight needed to be improved in many firms, (ii) there was an over-reliance on third party screening tools, and (iii) in some firms, global policies were not aligned with the UK sanctions regime.
2 Chapter 10, OFSI enforcement and monetary penalties for breaches of financial sanctions, OFSI, August 2023, available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1181296/Monetary_Penalty_and_Enforcement_Guidance__Aug_2023_.pdf.
4 What can we learn from OFSI's first civil monetary penalty? Available at: https://www.mayerbrown.com/en/perspectives-events/publications/2019/03/what-learn-from-ofsi-first-civil-monetary-penalty; OFSI's Penalty Against Travelex – More than Meets the Eye, available at: https://www.mayerbrown.com/en/perspectives-events/publications/2019/06/ofsis-penalty-against-travelex-more-than-meets-the-eye.
6 Sanctions systems and controls: firms’ response to increased sanctions due to Russia’s invasion of Ukraine, FCA, 6 September 2023, available at: https://www.fca.org.uk/publications/good-and-poor-practice/sanctions-systems-and-controls-firms-response-increased-sanctions-due-russias-invasion-ukraine#:~:text=The%20FCA%20is%20responsible%20for,intensified%20our%20focus%20on%20sanctions