Since the invasion of Ukraine in February 2022, the Office of Financial Sanctions Implementation in HM Treasury, known as OFSI, has had its work cut out.
There has been a tsunami of designations and new rules made under the Russia (Sanctions) (EU Exit) Regulations 2019, which OFSI is responsible for implementing. This means that OFSI has to wear a number of hats:
- Issuing licenses for activities that would otherwise be prohibited under the regulations;
- Policing the operation of and compliance with those licenses; and
- Bringing civil enforcement action for breaches of the Russia regulations, with criminal enforcement being reserved to the U.K. National Crime Agency.
Of these hats, it is the latter, enforcement, which has seen the least activity to date. A question has therefore persisted: How will this raft of new regulations be enforced by OFSI? And perhaps more fundamentally, what will it be seeking to achieve through the use of its enforcement powers?
At the heart of this question has been a tension between two competing factors. On the one hand, the language and messaging coming from OFSI has been extremely strict. This is exemplified by the introduction, in June 2022, of a new power: to impose civil monetary penalties for breach of the Russia regulations on a strict liability basis, i.e. without proof of a person knowing or having reasonable cause to suspect they were in breach.
On the other hand, there was until recently a complete absence of any publicized enforcement action whatsoever by OFSI in respect of breaches of the Russia regulations. The result has been 18 months of uncertainty, and it is our experience that many businesses who have been trying their best to comply have resorted to erring on the side of overcompliance.
The position changed on Aug. 31, when OFSI carried out its first enforcement action under the Russia regulations. However, the nature of the action brings to light questions on OFSI’s approach to enforcement. OFSI chose to target Wise Payments Ltd., a medium-sized business, over a breach valued at only £250 ($302). No fine was issued; rather, OFSI utilized its so-called disclosure penalty for the first time, which is in effect a practice of naming and shaming, where a case does not merit the imposition of a monetary penalty.
Wise’s breach concerned its sanctions screening policy. In the event that its sanctions screening system detected a potential sanctions match against OFSI’s consolidated list, an alert was created and the customer’s profile suspended.
However, if that customer had a debit card, Wise’s policy was not to suspend the use of that card. This was a decision taken in order to pay due regard to the interests of its customers and treat them fairly, as per Principle 6 of the Financial Conduct Authority’s Principles for Businesses, in light of the high false positive rate for sanctions alerts. This resulted in a breach in the form of a £250 cash withdrawal, which Wise reported to OFSI.
This choice of first enforcement action came as a surprise to many observers, who were expecting OFSI to use this as an opportunity to demonstrate the seriousness with which it treats egregious breaches.
For instance, by issuing a significant fine, such as OFSI’s record £20.47 million ($24.67 million) penalty levied against Standard Chartered Bank in February 2020, where the penalty related to 21 unlawful loans, with an estimated transaction value of over £97
million ($117 million), being made by to a bank owned by a sanctioned entity.
The tiny size of the breach in the Wise case is plainly in stark contrast to this. In an attempt perhaps to preempt the questions that such a choice of first enforcement might precipitate, on the same day that the disclosure against Wise was announced, OFSI updated its enforcement and monetary penalties for breaches of financial sanctions guidance.
This shared, for the first time, that OFSI categorizes financial sanctions breaches as follows: lesser severity, moderate severity, or sufficiently serious to justify a civil monetary penalty.
Less severe cases are likely to be dealt with via a private warning letter, provided there are no significant aggravating factors, and the breach does not form part of a wider pattern. Moderate cases are likely to be dealt with via a publication without monetary penalty, using the disclosure power as in Wise’s case.
As stated in OFSI guidance, “Cases which OFSI deems to be of moderate severity are likely to be dealt with via a disclosure if OFSI considers a warning letter would be too lenient, but a monetary penalty would be disproportionately punitive.”
OFSI has therefore selected a moderately severe breach, by a relatively small company, for its first enforcement action under the Russia regulations. The choice to do so raises a number of questions about OFSI’s enforcement approach.
First, Wise is an example of a business that was forced to make a judgment call on whether to prioritize sanctions compliance over its obligations to the FCA; its breach was not negligent or malicious but the result of an attempt to balance its obligations in a
Had there been prescriptive advice from OFSI, Wise would not have been placed in a position where it needed to weigh up conflicting obligations internally. Wise’s breach occurred in July 2022; since then, the FCA’s new consumer duty has come into force, prescribing a higher standard than Principle 6, meaning that the balancing act between treating customers fairly and sanctions compliance is now even less clear.
While the FCA has undertaken an assessment of sanctions compliance systems and controls over the past year and emphasized the critical importance of these systems and controls, the FCA has not explicitly addressed these conflicting obligations.
Without more effective guidance from OFSI and the FCA, there will no doubt be further breaches as firms try to balance their considerable — and sometimes conflicting — obligations. Such breaches are more likely to occur in smaller businesses, which have
less access to sanctions compliance advice, and so may be more likely to make mistakes regarding their sanctions compliance.
This makes OFSI’s decision to name and shame a medium-sized business for a low-value breach, which was self-reported and arose out of the business’s desire to treat its customers fairly, as its first enforcement action, appear a little unfair.
This leads to a more fundamental question about the purpose of OFSI enforcement. Is it, as some of the rhetoric would imply, to punish those who breach the regime, or is it more concerned with educating businesses and lawyers to ensure future compliance?
The absence of any enforcement action in relation to major breaches of the Russia regulations, coupled with the fact that the first enforcement action was by way of a disclosure notice rather than a penalty, hints that it may be the latter.
In discussing the disclosure power on OFSI’s blog, OFSI’s director, Giles Thomson, appeared to support this interpretation, stating that: “Through publicizing details of breaches, this new enforcement tool will act as a form of censure and deterrent while also enabling compliance lessons to be available to other companies and individuals.”
However, the suggestion that OFSI’s approach is designed to be helpful and encourage compliance rings hollow when viewed in the context of the way it operates more generally. It is our experience that legal professionals who approach OFSI with questions as to the correct interpretations of licenses it has issued, and businesses that seek confirmation from OFSI that proposed actions would not breach the sanctions regime are invariably met with a wall of silence or, at best, a response that OFSI “will not confirm” the position.
This is not the approach of an organization that is prioritizing compliance support. No doubt there are important compliance lessons to draw from the disclosure notice against Wise — these lessons could have been drawn just as well if the facts of the breach had been disclosed to the public, but Wise was allowed to remain anonymous. All of this tends to suggest that education is not, in truth, a priority for OFSI.
The impression one is left with is that OFSI appears to be using its enforcement powers not in pursuance of stopping those who set out to deliberately breach the sanctions regime, but rather to frighten businesses that are seeking to comply into remaining in a
state of overcompliance.
This is unsatisfactory. If OFSI wants to educate, it should start engaging with the lawyers who seek clarification of licenses, including licenses it has itself issued, and legal provisions. If it wants to punish, it should take action against large, deliberate sanctions
breaches, of which it is hard to believe that none have occurred thus far. For now, the question of what is OFSI enforcement for remains unanswered.
This article was first published by Law360 on 4th October 2023.