FCG 7.2 Themes
Governance
The guidance in FCG 2.2.1G on governance in relation to financial crime also applies to sanctions.
We expect senior management to take clear responsibility for managing sanctions risks, which should be treated in the same manner as other risks faced by the business. There should be evidence that senior management are actively engaged in the firm’s approach to addressing the risks of non-compliance with UK financial sanctions. Where they identify gaps, they should remediate them.
Self-assessment questions:
• Has your firm clearly allocated responsibility for adherence to the sanctions regime? To whom?
• How does the firm monitor performance? (For example, statistical or narrative reports on matches or breaches.)
• How are senior management kept up to date with sanctions compliance issues?
• Does the firm’s organisational structure with respect to sanctions compliance across different jurisdictions promote a coordinated approach and accountability?
• Does the firm have evidence that sanctions issues are escalated where warranted?
• Where sanctions controls processes rely on resource external to the firm, is there appropriate oversight and understanding of that resource?
Examples of good practice:
• An individual of sufficient authority is responsible for overseeing the firm’s adherence to UK sanctions.
• It is clear at what stage customers are screened in different situations (e.g. when customers are passed from agents or other companies in the group).
• There is appropriate escalation of actual target matches and breaches of UK sanctions. Notifications are timely.
Examples of poor practice:
• The firm believes payments to sanctioned individuals and entities are permitted when the sums are small. Without a licence from OFSI, this could be a criminal offence.
• Multinational firms lack the communication between global and regional sanctions teams necessary to manage compliance with UK sanctions laws, regulations and guidance.
• No internal audit resource is allocated to monitoring sanctions compliance.
• Some business units in a large organisation think they are exempt.
The offence will depend on the sanctions provisions breached.
Management information (MI)
The guidance in FCG 2.2.2G on MI in relation to financial crime also applies to sanctions.
Senior management should be sufficiently aware of the firm’s obligations regarding sanctions to enable them to discharge their functions effectively.
Self-assessment questions:
• How does your firm monitor performance? (For example, statistical or narrative reports on matches or breaches.)
• Does regular and ad hoc MI provide senior management with a clear understanding of the firm’s sanctions compliance risk?
• Is the MI produced relevant to UK sanctions?
Risk assessment
The guidance in FCG 2.2.4G on risk assessment in relation to financial crime also applies to sanctions and proliferation financing (PF) (see FCG 7.2.5G for PF).
A firm should consider which areas of its business:
• are most likely to provide services or resources to individuals or entities on the Consolidated List;
• are owned and controlled by individuals or entities on the Consolidated List;
• engage in services or transactions prohibited under UK financial sanctions; or
• rely on prohibited suppliers, intermediaries or counterparties.
Self-assessment questions:
• Does your firm have a clear view on where within the firm potential sanctions breaches are most likely to occur? (This may cover different business lines, sales channels, customer types, geographical locations, etc.)
• How is the risk assessment kept up to date, particularly after the firm enters a new jurisdiction or introduces a new product, or where it has identified new sanctions risk events?
• Has senior management set a clear risk appetite in relation to its sanctions risks, including in its exposure to sanctioned persons, activities and jurisdictions?
• Does your firm have established risk metrics to help detect and manage its sanctions compliance exposure on an ongoing basis?
• Are there established procedures to identify and escalate new sanctions risk events, such as new sanctions regimes, sanctioned activities and evasion typologies?
• Is your firm utilising available guidance and resources on new and emerging sanctions evasion typologies?
Examples of good practice:
• A firm with international operations, or that deals in currencies other than sterling, understands the requirements of relevant local financial sanctions regimes.
• A small firm is aware of the sanctions regime and where it is most vulnerable, even if risk assessment is only informal.
• The firm conducts contingency planning, taking a proactive approach to identifying sanctions exposure, and carries out exposure assessments and scenario planning. The firm updates business-wide and customer risk assessments to account for changes in the nature and type of sanctions measures.
• The firm performs lessons learned exercises following material sanctions developments to improve its readiness to respond to future events.
• The firm engages with public-private partnerships and private-private partnerships to gather insights on the latest typologies and additional controls that might be relevant, and shares its own best practice examples.
Examples of poor practice:
• There is no process for updating the risk assessment.
• The firm assumes financial sanctions only apply to money transfers and so has not assessed its risks.
Customer due diligence checks
As well as being relevant to other financial crime controls, effective customer due diligence (CDD) and know your customer (KYC) assessments are a cornerstone of effective compliance with sanctions requirements.
Examples of good practice:
• Sanctions risk is proactively included in the firm’s CDD process.
• The firm’s CDD identifies all parties relevant to its screening processes.
• The firm’s customer onboarding and due diligence processes are designed to identify customers who make use of corporate vehicles to obscure ownership or source of funds.
• The firm has processes designed to identify activity that is not in line with the customer profile or is otherwise suspicious.
Examples of poor practice:
• The firm has low-quality CDD and KYC assessments and review backlogs, raising the risk of not identifying sanctioned individuals and entities.
• The firm’s CDD processes are unable to identify connected parties and corporate structures that may be subject to sanctions.
• The firm’s CDD does not articulate full ownership structures of entities, and the firm is unable to show that it is screening all relevant parties.
Further guidance on good and poor practice relating to CDD checks can be found in FCG 3.2.4G.
Screening customers, counterparties and payments
A firm should have effective, up-to-date screening systems appropriate to the nature, size and risk of its business. Although screening itself is not a legal requirement, screening new customers, counterparties to transactions and payments against the Consolidated List, and screening existing customers when new names are added to the list, helps to ensure that firms will not breach UK sanctions.
Self-assessment questions:
• When are customers screened against lists, whether the Consolidated List, internal watchlists maintained by the firm, or lists from commercial providers? (Screening should take place at the time of customer take-on. Good reasons are needed to justify the risk posed by retrospective screening, such as the existence of general licences.)
• If a customer was referred to the firm, how does the firm ensure the person is not listed? (Does the firm screen the customer against the list itself, or does it seek assurances from the referring party?)
• How does the firm become aware of changes to the Consolidated List? (Are there manual or automated systems? Are customer lists rescreened after each update is issued?)
• Does your firm have a clear policy on which customers, counterparties and payments are subject to screening, and what related data is subject to screening?
• Does your firm have service level agreements that cover how quickly it updates its sanctions screening lists following updates to the Consolidated List, and that are appropriate to the sanctions risks of its business?
• Does your firm evaluate its screening capabilities so that its screening system is adequately calibrated for its needs and to monitor UK sanctions? Do you regularly test and measure the effectiveness of the system?
• Is the team responsible for sanctions compliance properly resourced and skilled to effectively perform sanctions screening and alert management?
• If using an outsourced service, does your firm have appropriate control and oversight of its sanctions screening controls?
Examples of good practice:
• The firm has considered what mixture of manual and automated screening is most appropriate.
• There are quality control checks over manual screening.
• The firm understands its automated screening tool and how it is calibrated, and is able to demonstrate that it is appropriate to the firm’s risk exposure.
• The firm is able to show the controls in place to measure the effectiveness of its automated system, thresholds and parameters – for instance, with sample testing and tuning.
• Where a firm uses automated systems, these can make ‘fuzzy matches’ (e.g. they are able to identify similar or variant spellings of names, name reversal, digit rotation, character manipulation, etc.). The firm continually seeks ways to enhance the system to help identify potential sanctions breaches.
• The firm screens customers’ directors and known beneficial owners on a risk-sensitive basis.
• Where the firm maintains an account for a listed individual or entity, the status of this account is clearly flagged to staff.
• A firm only relies on other firms’ screening (such as outsourcers or intermediaries) after taking steps to satisfy itself that this is appropriate.
• The screening tool is calibrated and tailored to the firm’s risk and is appropriate for screening UK sanctions. Customers and their transactions are screened against relevant updated sanctions lists, and effective re-screening is in place to identify activity that may indicate sanctions breaches.
• Where blockchain analytics solutions are deployed, the firm ensures that compliance teams understand how these capabilities can best be used to identify transactions linked to higher risk wallet addresses, including those included on the Consolidated List.
• The firm’s sanctions teams are adequately resourced to avoid backlogs in sanctions screening and are able to react to those at pace.
Examples of poor practice:
• The firm assumes that an intermediary has screened a customer, but does not check this.
• Where a firm uses automated systems, it does not understand how to calibrate them and does not check whether the number of hits is unexpectedly high or low.
• Calibration is not adequately tailored and the system is either too sensitive or not sensitive enough. This may result in name variations not being detected, for example.
• There is limited or no understanding by the firm about how a third-party tool is calibrated and when lists are updated.
• An insurance company only screens when claims are made on a policy.
• Screening of customer databases is a one-off exercise.
• Updating from the Consolidated List is haphazard. Some business units use out-of-date lists.
• The firm is overly reliant on a third-party provider screening solution, with no oversight. The firm has no means of monitoring payment instructions.
• The firm lacks proper resources and expertise to ensure effective screening and investigation of alerts. It has significant backlogs and faces the risk of non-compliance with its obligations.
• Increased volumes and pressure on sanctions teams following changes in the sanctions landscape prevent firms from taking appropriate and timely action on true positive alerts and increase the risk of errors. There is a lack of clarity around prioritisation of alerts, internal service level agreements and governance.
Evasion detection and investigation
A firm should have effective, up-to-date screening systems appropriate to the nature, size and risk of its business. However, simple screening of names against the Consolidated List may not always identify potential sanctions evasion involving third parties, and alternative detection techniques may be needed. Potential red flags for sanctions evasion are set out in alerts issued by the National Economic Crime Centre (NECC).
Self-assessment questions:
• Does your firm understand potential sanctions evasion typologies relevant to its business and has it considered how to detect them?
• Has your firm considered whether additional procedures are needed to identify potential sanctions evasion?
Examples of good practice:
• The firm is using techniques, such as data analytics, to identify customers who may be close associates or dependents of designated persons, or have transactional links with them, and so may represent a higher risk of sanctions non-compliance.
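As an added illustration of the link-based detection described above (example code written for this page, not from the FCA, the NECC or any vendor tool), the Python below runs three simple analytics over a constructed set of payments and KYC records: a breadth-first search that finds customers within a set number of payment hops of a designated person, a pass-through check that flags an intermediary which receives an amount from a third party and forwards a near-identical amount to a designated person, and a shared-address check for possible dependents or close associates. The identifiers DP-001, C-100 and so on, the amounts, the addresses and the 5% tolerance are all invented for the example.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data for this example (not real designations, payments or addresses).
DESIGNATED: Set[str] = {"DP-001"}
TRANSACTIONS: List[Tuple[str, str, float]] = [       # (payer, payee, amount)
    ("C-100", "C-200", 5000.0),
    ("C-200", "DP-001", 4900.0),   # C-200 forwards most of what C-100 sent it
    ("C-300", "C-100", 120.0),
    ("C-400", "C-500", 80.0),
    ("DP-001", "C-600", 250.0),
]
PROFILES: Dict[str, Dict[str, str]] = {              # constructed KYC static data
    "DP-001": {"address": "12 Example Street, Anytown"},
    "C-100": {"address": "7 Other Road, Anytown"},
    "C-700": {"address": "12 example street,  Anytown"},  # same address, different formatting
}


def build_graph(transactions: Iterable[Tuple[str, str, float]]) -> Dict[str, Set[str]]:
    """Undirected adjacency: a payment in either direction is a link between two parties."""
    adj: Dict[str, Set[str]] = {}
    for payer, payee, _amount in transactions:
        adj.setdefault(payer, set()).add(payee)
        adj.setdefault(payee, set()).add(payer)
    return adj


def linked_parties(transactions, designated: Set[str], max_hops: int = 2) -> Dict[str, Tuple[int, List[str]]]:
    """Map each non-designated party within max_hops of a designated person to (hops, shortest path)."""
    adj = build_graph(transactions)
    found: Dict[str, Tuple[int, List[str]]] = {}
    for start in designated:
        if start not in adj:
            continue
        seen = {start}
        queue = deque([(start, 0, [start])])
        while queue:                      # breadth-first, so the first visit is the shortest path
            node, hops, path = queue.popleft()
            if hops == max_hops:
                continue
            for nxt in adj[node]:
                if nxt in seen:
                    continue
                seen.add(nxt)
                nxt_path = path + [nxt]
                if nxt not in designated and (nxt not in found or hops + 1 < found[nxt][0]):
                    found[nxt] = (hops + 1, nxt_path)
                queue.append((nxt, hops + 1, nxt_path))
    return found


def pass_through(transactions, designated: Set[str], tolerance: float = 0.05) -> List[Tuple[str, str, str, float, float]]:
    """Flag (source, intermediary, designated, amount_in, amount_out) where an intermediary pays a
    designated person an amount within `tolerance` of what it received from a third party."""
    flagged = []
    for mid, dst, amount_out in transactions:
        if dst not in designated or mid in designated:
            continue
        for src, mid2, amount_in in transactions:
            if mid2 != mid or src == dst or src in designated:
                continue
            if abs(amount_in - amount_out) <= tolerance * amount_in:
                flagged.append((src, mid, dst, amount_in, amount_out))
    return flagged


def shared_address(profiles: Dict[str, Dict[str, str]], designated: Set[str]) -> Dict[str, str]:
    """Map customers whose normalised address equals a designated person's address to that person."""
    def key(address: str) -> str:
        return " ".join(address.lower().replace(",", " ").split())
    by_address = {key(profiles[d]["address"]): d for d in designated if d in profiles}
    return {cid: by_address[key(p["address"])]
            for cid, p in profiles.items()
            if cid not in designated and key(p["address"]) in by_address}


if __name__ == "__main__":
    for party, (hops, path) in sorted(linked_parties(TRANSACTIONS, DESIGNATED).items()):
        print(f"{party}: {hops} hop(s) via {' -> '.join(path)}")
    print("pass-through:", pass_through(TRANSACTIONS, DESIGNATED))
    print("shared address:", shared_address(PROFILES, DESIGNATED))
```

The hop limit and the amount tolerance are tuning parameters in the same sense as a screening threshold: widen them and the analyst queue grows, narrow them and a layered payment slips through, so they belong in the same sample testing and tuning cycle as name screening, and the NECC alerts referred to above are the reference for which typologies the parameters should be set to catch.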
Asset freezing and licenses
When a financial sanction is an asset freeze, the funds and economic resources belonging to or owned, held or controlled by a designated person are generally to be frozen immediately by the person in possession or control of them, unless there is an exception in the legislation they can rely on, or they have a licence from OFSI.
Self-assessment questions:
• Does your firm have clear policies and procedures as to when funds and economic resources are frozen or released?
• Have you assessed how any frozen funds and economic resources in your firm’s possession or control are maintained in compliance with UK sanctions?
• Does your firm have clear policies and procedures to assess, utilise and monitor the use of OFSI licences and statutory exceptions?
Reporting and assessing potential sanctions breaches
Relevant firms are required to report to OFSI where they know or have reasonable cause to suspect a breach of financial sanctions, and to notify OFSI if:
• a person they are dealing with, directly or indirectly, is a designated person;
• they hold any frozen assets; or
• they discover or suspect any breach while conducting their business.
In line with Principle 11, SUP 15.3.8G(2) and FCG 7, firms must consider whether they need to notify us – for example, whether potential breaches of sanctions resulted from a significant failure in their systems and controls.
Self-assessment questions:
• Is there a clear procedure that sets out what to do if a potential sanctions breach is identified? (This might cover, for example, alerting senior management, OFSI and the FCA, and giving consideration to whether to submit a Suspicious Activity Report).
• Does your firm consider the root causes of any potential sanctions breaches and consider the implications for its policies and procedures?
Examples of good practice:
• The firm undertakes root cause analysis of potential sanctions breaches and uses the results to update its sanctions controls.
• After a breach, as well as meeting its formal obligation to notify OFSI, the firm reports the breach to the FCA. SUP 15.3 contains general notification requirements. Firms are required to tell us about significant rule breaches (see SUP 15.3.11R(1)), such as a significant failure in their financial crime systems and controls.
• Significant deficiencies in the firm’s systems and controls resulting in potential sanctions breaches are reported to the FCA.
Examples of poor practice:
• The firm does not report a breach of financial sanctions to OFSI when required to do so. This could be a criminal offence.
Matches and escalation
When a customer’s name matches a person on the Consolidated List it will often be a ‘false positive’ (e.g. a customer has the same or similar name but is not the same person). Firms should have procedures for identifying where name matches are real and for freezing assets where this is appropriate.
Self-assessment questions:
• What steps does your firm take to identify whether a name match is real? (For example, does the firm look at a range of identifier information such as name, date of birth, address or other customer data?)
• Is there a clear procedure if there is a breach? (This might cover, for example, alerting senior management, the Treasury and the FCA, and giving consideration to a Suspicious Activity Report.)
Examples of good practice:
• Sufficient resources are available to identify ‘false positives’.
• After a breach, as well as meeting its formal obligation to notify OFSI, the firm considers whether it should report the breach to the FCA. SUP 15.3 contains general notification requirements. Firms are required to tell us, for example, about significant rule breaches (see SUP 15.3.11R(1)). Firms should therefore consider whether the breach is the result of any matter within the scope of SUP 15.3, for example a significant failure in their financial crime systems and controls.
Examples of poor practice:
• The firm does not report a breach of the financial sanctions regime to OFSI: this could be a criminal offence.
• An account is not frozen when a match with the Consolidated List is identified. If, as a consequence, funds held, owned or controlled by a designated person are dealt with or made available to the designated person, this could be a criminal offence.
• A lack of resources prevents a firm from adequately analysing matches.
• There is no audit trail of decisions where potential target matches are judged to be false positives.
The offence will depend on the sanctions provisions breached.
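The screening points above (fuzzy matching of name variants and reversals, calibration of thresholds, sample testing) and the match-resolution points in this section (using a range of identifiers to separate real matches from false positives, and keeping an audit trail of those decisions) can be shown in one worked example. The Python below is added for this page; it is not FCA guidance and not the code of any screening product. The list entry, customer records, dates of birth and thresholds are constructed. It normalises names (case, accents, punctuation and token order, so that ‘Ivanov, Ivan’ and ‘Ivan Ivanov’ compare equal), scores each customer against the primary name and every alias with the standard library’s difflib similarity ratio, corroborates any hit with the date of birth, and writes one audit record per alert. The corroboration categories and dispositions are this example’s own labels, not terms from the guide.

```python
import difflib
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ListEntry:
    """One designated person as a list might present it (constructed, not a real entry)."""
    list_id: str
    name: str
    dob: Optional[str]                 # ISO date, or None when the list gives no date of birth
    aliases: Tuple[str, ...] = ()


def normalise(name: str) -> str:
    """Case-fold, strip accents and punctuation, and sort the name tokens.

    Sorting tokens makes 'Ivanov, Ivan' and 'Ivan Ivanov' identical, which covers name
    reversal without a separate rule; accent stripping covers 'Iván' against 'Ivan'.
    """
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", text.lower()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1]: difflib's ratio is 2 * matched characters / total length."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def best_score(customer_name: str, entry: ListEntry) -> float:
    """Screen against the primary name and every alias, keeping the strongest match."""
    return max(similarity(customer_name, n) for n in (entry.name, *entry.aliases))


def compare_dob(customer_dob: Optional[str], entry_dob: Optional[str]) -> str:
    if customer_dob is None or entry_dob is None:
        return "dob_unknown"
    return "dob_match" if customer_dob == entry_dob else "dob_mismatch"


# A mismatching date of birth makes a false positive likely but does not prove it (list and
# KYC data both contain errors), so nothing here closes an alert automatically: the analyst
# records the final decision and the audit log records what the system compared.
DISPOSITION = {
    "dob_match": "escalate: probable true match, consider freeze",
    "dob_unknown": "escalate: manual review, gather identifiers",
    "dob_mismatch": "review: probable false positive, analyst to confirm",
}


def screen_customer(customer: Dict[str, Optional[str]], entries: Sequence[ListEntry],
                    threshold: float, audit_log: List[dict]) -> List[dict]:
    """Return alerts for one customer and append one audit record per alert raised."""
    alerts = []
    for entry in entries:
        score = best_score(customer["name"], entry)
        if score < threshold:
            continue
        corroboration = compare_dob(customer.get("dob"), entry.dob)
        alert = {"customer_id": customer["id"], "list_id": entry.list_id, "score": round(score, 3),
                 "corroboration": corroboration, "disposition": DISPOSITION[corroboration]}
        alerts.append(alert)
        audit_log.append({"threshold": threshold, **alert})   # audit trail of the decision inputs
    return alerts


def hit_counts(customers, entries, thresholds) -> Dict[float, int]:
    """Calibration aid: how many alerts each candidate threshold raises on a labelled sample."""
    return {t: sum(len(screen_customer(c, entries, t, [])) for c in customers) for t in thresholds}


# Constructed sample data; names, identifiers and dates are invented for this example.
SAMPLE_LIST = [ListEntry("CL-0001", "Ivan Petrovich Ivanov", "1970-01-01", aliases=("Ivanov, Ivan",))]
SAMPLE_CUSTOMERS = [
    {"id": "C-1", "name": "IVANOV Ivan", "dob": "1970-01-01"},    # reversed name, same date of birth
    {"id": "C-2", "name": "Ivan Ivanoff", "dob": None},           # transliteration variant, no DOB held
    {"id": "C-3", "name": "Ivan Ivanov", "dob": "1985-06-30"},    # same name, different person
    {"id": "C-4", "name": "Ivana Ivanova", "dob": "1992-03-12"},  # near-homonym
    {"id": "C-5", "name": "Jane Smith", "dob": "1980-11-02"},     # unrelated
]

if __name__ == "__main__":
    log: List[dict] = []
    for customer in SAMPLE_CUSTOMERS:
        for alert in screen_customer(customer, SAMPLE_LIST, 0.85, log):
            print(alert)
    print(hit_counts(SAMPLE_CUSTOMERS, SAMPLE_LIST, (0.80, 0.85, 0.90, 0.95)))
```

Running hit_counts over the sample shows the calibration trade-off the guide describes: at a threshold of 0.95 the transliteration variant ‘Ivan Ivanoff’ is missed, at 0.85 it is caught, but the near-homonym ‘Ivana Ivanova’ scores higher than the genuine variant and is caught too. A single default threshold therefore cannot be right for every list and customer base, which is why sample testing and tuning, a second identifier such as date of birth, and a recorded analyst decision sit behind the score rather than the score standing alone.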
Weapons proliferation
Alongside financial sanctions, the government imposes controls on certain types of trade in order to achieve foreign policy objectives. The export of goods and services for use in nuclear, radiological, chemical or biological weapons programmes is subject to strict controls. Firms’ systems and controls and policies and procedures should address and mitigate the proliferation risks they face. Firms are also required to carry out proliferation financing risk assessments under regulation 18A of the Money Laundering Regulations, either as part of the existing practice-wide risk assessment or as a standalone document.
Self-assessment questions:
• Does your firm finance trade with high risk countries? If so, is enhanced due diligence carried out on counterparties and goods? Where doubt remains, is evidence sought from exporters that the trade is legitimate?
• Does your firm have customers from high risk countries, or with a history of dealing with individuals and entities from such places? If so, has the firm reviewed how the sanctions situation could affect such counterparties, and discussed with them how they may be affected by relevant regulations?
• What other business takes place with high risk jurisdictions, and what measures are in place to contain the risks of transactions being related to proliferation?
Examples of good practice:
• A bank has identified whether its customers export goods to high risk jurisdictions, and subjects transactions to enhanced scrutiny by identifying, for example, whether goods may be subject to export restrictions or end-users may be of concern.
• Where doubt exists, the bank asks the customer to demonstrate that appropriate assurances have been gained from relevant government authorities.
• The firm has considered how to respond if the government takes action under the Counter-Terrorism Act 2008 against one of its customers.
Examples of poor practice:
• The firm assumes customers selling goods to countries of concern will have checked that the exports are legitimate, and does not ask for evidence of this from customers.
• A firm knows that its customers deal with individuals and entities from high risk jurisdictions but does not communicate with those customers about the relevant regulations in place and how they affect them.
Case study – deficient sanctions systems and controls
In August 2010, the FSA fined Royal Bank of Scotland (RBS) £5.6m for deficiencies in its systems and controls to prevent breaches of UK financial sanctions.
• RBS failed adequately to screen its customers – and the payments they made and received – against the sanctions list, thereby running the risk that it could have facilitated payments to or from sanctioned people and organisations.
• The bank did not, for example, screen cross-border payments made by its customers in sterling or euros.
• It also failed to ensure its ‘fuzzy matching’ software remained effective, and, in many cases, did not screen the names of directors and beneficial owners of customer companies.
The failings led the FSA to conclude that RBS had breached the Money Laundering Regulations 2007, and our penalty was imposed under that legislation – a first for the FSA.
For more information see the FSA’s press release: www.fsa.gov.uk/pages/Library/Communication/PR/2010/130.shtml