Sanctions Compliance for UK Financial Services Firms — A Practical Guide

Regulatory Counsel · 20 Oct 2024 · 11 min read

Key Takeaways

  • UK sanctions are primarily implemented through the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) and associated statutory instruments — breaching financial sanctions is a strict liability criminal offence.
  • All UK financial services firms must screen customers, transactions and counterparties against the HM Treasury consolidated sanctions list — and report any matches to OFSI.
  • Sanctions compliance requires more than automated screening — firms must understand the specific prohibitions that apply, assess complex ownership structures and manage circumvention risk.
  • OFSI can impose monetary penalties of up to £1 million or 50% of the estimated value of the breach (whichever is greater) for sanctions violations.

The UK Sanctions Framework

The UK maintains an independent sanctions regime following Brexit, implemented through the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) and individual sanctions regulations for specific countries and themes (e.g., Russia, Iran, counter-terrorism, cyber).

Key authorities:
  • HM Treasury — maintains the consolidated sanctions list and publishes guidance on financial sanctions
  • Office of Financial Sanctions Implementation (OFSI) — the enforcement body responsible for investigating potential sanctions breaches and imposing penalties
  • FCA — supervises regulated firms' systems and controls for sanctions compliance

Types of financial sanctions:
  • Asset freezes — prohibiting the provision of funds or economic resources to designated persons or entities
  • Sectoral restrictions — prohibiting specific financial services to particular sectors of a sanctioned country's economy (e.g., Russian energy sector)
  • Investment bans — prohibiting new investment in sanctioned countries or sectors
  • Correspondent banking restrictions — prohibiting maintaining correspondent banking relationships with designated banks
  • Trade finance restrictions — prohibiting the provision of trade finance for sanctioned goods or commodities

Strict Liability

A critical feature of the UK sanctions regime is that breaching financial sanctions is a strict liability offence. This means:
  • No intent is required — a firm can be criminally liable even if the breach was accidental or resulted from a system failure
  • "Reasonable cause to suspect" is sufficient to trigger reporting obligations
  • The penalty for a criminal offence is up to seven years' imprisonment and/or an unlimited fine
  • OFSI can impose civil monetary penalties without proving criminal intent

This strict liability framework makes robust sanctions compliance systems and controls essential — not optional.

Designing a Sanctions Compliance Programme

1. Sanctions policy: Every firm must have a written sanctions policy approved by senior management. The policy should:
  • Define the scope of sanctions obligations (UK, EU, US where applicable)
  • Describe the firm's screening processes and technology
  • Establish governance arrangements and escalation procedures
  • Set out the process for handling potential matches and confirmed hits
  • Address the obligations to report to OFSI and to freeze assets

2. Screening technology: Sanctions screening technology should be capable of:
  • Name matching — comparing customer names, counterparty names and transaction parties against sanctions lists using fuzzy matching algorithms that account for transliterations, aliases and spelling variations
  • Real-time transaction screening — screening outgoing and incoming payments in real-time before processing
  • Batch rescreening — periodically rescreening the entire customer base against updated sanctions lists
  • List management — automatically updating sanctions lists when changes are published (HM Treasury, OFAC, EU, UN)

Technology selection should consider:
  • False positive rates (excessive false positives overwhelm compliance teams and create processing delays)
  • Matching algorithm sophistication (can the system handle non-Latin scripts, partial names, cultural naming conventions?)
  • Integration with existing systems (onboarding, payment processing, CRM)
  • Audit trail and reporting capabilities

3. Ownership and control analysis: Sanctions apply not only to designated persons and entities but also to entities owned or controlled by them. Under OFSI guidance, an entity is "owned or controlled" by a designated person if:
  • The designated person holds (directly or indirectly) more than 50% of the shares or voting rights
  • The designated person has the right to appoint or remove a majority of the board
  • It is reasonable to expect that the designated person would be able to ensure that the entity's affairs are conducted in accordance with their wishes

Firms must look beyond the immediate customer or counterparty and assess the ownership chain. This is particularly challenging for corporate customers with complex multi-layered ownership structures, holding companies in opaque jurisdictions or nominee arrangements.

4. Payment screening: All outgoing payments must be screened before processing. Incoming payments should be screened on receipt. Screening should cover:
  • Originator and beneficiary names
  • Originator and beneficiary banks
  • Payment references and narrative fields (which may contain sanctioned entity names)
  • Geographic indicators (country codes, addresses)
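The ownership-chain assessment described in item 3 can be sketched as a graph walk. This is an added example, not code from the guide or from OFSI. The function name `assess_ownership`, the entity names and the percentages are constructed, and it assumes a simplified rule: an entity majority-held by a designated person, or by an entity already flagged, is itself flagged, with no aggregation of separate holdings. Only the shareholding test is modelled, so smaller holdings by flagged parties are returned for manual review against the board-appointment and "wishes" tests.

```python
from collections import defaultdict

def assess_ownership(holdings, designated, threshold=50.0):
    """Walk ownership chains starting from each designated person.

    holdings: (holder, entity, percent of shares or voting rights).
    Returns (flagged, review): flagged maps entity -> chain of majority
    holdings leading back to a designated person; review lists holdings
    by flagged parties that fail the share test and need human judgement.
    """
    by_holder = defaultdict(list)
    for holder, entity, pct in holdings:
        by_holder[holder].append((entity, pct))
    flagged, review = {}, []
    stack = [(person, [person]) for person in sorted(designated)]
    while stack:
        holder, chain = stack.pop()
        for entity, pct in by_holder.get(holder, []):
            if entity in flagged or entity in designated:
                continue  # already reached; also stops circular holdings looping
            if pct > threshold:  # "more than 50%", so exactly 50% does not pass
                flagged[entity] = chain + [entity]
                stack.append((entity, flagged[entity]))
            else:
                review.append((holder, entity, pct))
    return flagged, review

# Constructed sample register; all names are hypothetical.
HOLDINGS = [
    ("DP One", "HoldCo A", 55.0),
    ("HoldCo A", "OpCo B", 100.0),
    ("OpCo B", "HoldCo A", 45.0),     # circular cross-holding
    ("OpCo B", "TradeCo C", 50.0),    # exactly 50%: not a majority holding
    ("Nominee N", "Shell D", 100.0),  # nominee: the data shows no link to DP One
]

if __name__ == "__main__":
    flagged, review = assess_ownership(HOLDINGS, {"DP One"})
    for entity, chain in flagged.items():
        print(entity, "<-", " > ".join(chain))
    print("manual review:", review)
```

Shell D is not flagged because the register does not show who stands behind the nominee, which is the gap the paragraph above warns about.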
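The name matching in item 2 and the payment fields in item 4 can be combined into one screening pass. This is an added example, not code from the guide or from any screening product. The list entries, the country code `XX`, the 0.85 threshold and every function and field name are constructed assumptions. Non-Latin names are matched through aliases carried on the list entry, since the standard library does no transliteration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list entries; real screening loads the published lists.
SANCTIONS_LIST = [
    {"id": "SAMPLE-001", "names": ["Ivan Petrovich Sidorov", "Ivan Sidorow", "Иван Сидоров"]},
    {"id": "SAMPLE-002", "names": ["Example Bank JSC"]},
]
BLOCKED_COUNTRIES = {"XX"}  # placeholder code standing in for a restricted country
NAME_FIELDS = ("originator", "beneficiary", "originator_bank", "beneficiary_bank")

def normalise(text):
    """Casefold, strip diacritics and punctuation, sort tokens (order-insensitive)."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"\w+", no_marks.casefold())))

def best_match(candidate, threshold=0.85):
    """Return (list_id, score) for the closest list name or alias, else None."""
    cand, best = normalise(candidate), None
    for entry in SANCTIONS_LIST:
        for name in entry["names"]:
            score = SequenceMatcher(None, cand, normalise(name)).ratio()
            if score >= threshold and (best is None or score > best[1]):
                best = (entry["id"], round(score, 2))
    return best

def screen_payment(payment):
    """Return (field, list_id, score) hits; any hit means hold and investigate."""
    hits = []
    for field in NAME_FIELDS:
        if (match := best_match(payment.get(field, ""))):
            hits.append((field, *match))
    # Narrative field: a name can sit anywhere in free text, so test 1-3 word windows.
    words, ref_best = re.findall(r"\w+", payment.get("reference", "")), {}
    for size in (1, 2, 3):
        for i in range(len(words) - size + 1):
            if (m := best_match(" ".join(words[i:i + size]))) and m[1] > ref_best.get(m[0], 0):
                ref_best[m[0]] = m[1]
    hits += [("reference", lid, score) for lid, score in ref_best.items()]
    hits += [(f, "COUNTRY", 1.0) for f in ("originator_country", "beneficiary_country")
             if payment.get(f) in BLOCKED_COUNTRIES]
    return hits

SAMPLE_PAYMENT = {  # constructed payment message
    "originator": "Acme Widgets Ltd", "beneficiary": "SIDOROV, Ivan Petrovich",
    "beneficiary_bank": "Eksample Bank JSC", "beneficiary_country": "XX",
    "reference": "inv 4471 on behalf of Example Bank JSC"}
```

Lowering the threshold catches more spelling variants at the cost of more false positives, the trade-off noted under technology selection.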

Handling Matches and Confirmed Hits

When screening generates a potential match:
  1. Pause the transaction or activity — do not proceed until the match has been investigated
  2. Investigate — compare the match against available customer information (full name, date of birth, nationality, address) to determine whether it is a true match or a false positive
  3. Document the investigation — record the decision and the rationale, whether true match or false positive
  4. Escalate true matches — refer confirmed or suspected matches to the MLRO or sanctions compliance officer immediately

When a match is confirmed:
  1. Freeze the funds or economic resources — the firm must immediately freeze any funds or economic resources belonging to, owned, held or controlled by the designated person
  2. Report to OFSI — the firm must report to OFSI as soon as practicable. The report should include details of the designated person, the funds or resources frozen and the circumstances of the match
  3. Do not tip off — the firm must not disclose to the customer that a report has been or will be made (subject to certain exceptions for legal advice)
  4. Apply for a licence if needed — if the firm needs to release funds or provide services that would otherwise breach sanctions, it must apply to OFSI for a specific licence

OFSI Reporting Obligations

Under the UK sanctions regime, firms have a legal obligation to report to OFSI if they:
  • Know or have reasonable cause to suspect that a person is a designated person
  • Hold funds or economic resources belonging to, owned, held or controlled by a designated person
  • Become aware that they have made funds or economic resources available to a designated person

Reports must be made to OFSI as soon as practicable. There is no prescribed format, but OFSI provides a reporting form on its website. Reports should include:
  • The identity of the designated person (name, designation reference)
  • The nature and value of funds or economic resources involved
  • The circumstances that gave rise to the report
  • Any action taken (e.g., freezing of funds)

Common Sanctions Compliance Failures

Screening gaps:
  • Failure to screen all relevant parties (e.g., screening the account holder but not the beneficial owner or the payment beneficiary)
  • Using screening technology that cannot handle non-Latin scripts or cultural naming conventions
  • Failure to rescreen the customer base when sanctions lists are updated

Ownership and control failures:
  • Failure to identify entities owned or controlled by designated persons — particularly through complex corporate structures or nominee arrangements
  • Applying an ownership threshold higher than the OFSI 50% standard

Delayed reporting:
  • Failing to report to OFSI "as soon as practicable" — OFSI expects reports within days, not weeks
  • Filing incomplete reports that lack sufficient detail for OFSI to assess the situation

Inadequate governance:
  • No designated sanctions compliance officer or unclear accountability
  • Insufficient board-level awareness of the firm's sanctions risk exposure
  • Failure to keep the sanctions policy updated when new sanctions regimes are introduced

Practical Recommendations

Invest in screening technology that matches your risk profile. The sophistication of your screening technology should be proportionate to your transaction volumes, customer base and geographic exposure. Firms with significant exposure to sanctioned regions need more sophisticated matching algorithms and real-time screening capabilities.

Train your staff on sanctions specifically. Sanctions training should be distinct from general AML training. Staff need to understand the strict liability nature of sanctions offences, the specific prohibitions that apply and the procedures for handling potential matches.

Monitor sanctions developments actively. Sanctions regimes change frequently — new designations, de-listings, licence conditions and sectoral restrictions are published regularly. Establish a process for monitoring OFSI publications and updating your screening lists and policies accordingly.

Conduct periodic sanctions risk assessments. Assess your firm's exposure to sanctions risk, considering your customer base, payment corridors, correspondent banking relationships and product range. Update the assessment when your business model changes or when significant sanctions developments occur.

Frequently Asked Questions

Yes. Breaching UK financial sanctions is a strict liability criminal offence — meaning no intent to breach is required. A firm can be liable even if the breach resulted from a system failure, human error or inadequate screening. This makes robust systems and controls essential. OFSI can also impose civil monetary penalties without proving criminal intent.

The legal requirement is to report "as soon as practicable" after becoming aware that a designated person holds funds with the firm or that funds have been made available to a designated person. OFSI expects reports within days — not weeks. Delayed reporting may itself result in enforcement action.

UK firms are legally required to comply with UK sanctions. However, US sanctions (OFAC) may apply to UK firms if they process transactions in US dollars (which are typically cleared through US correspondent banks), have a US nexus (US persons, US-origin goods) or are involved in transactions that the US asserts jurisdiction over. Many UK firms screen against both UK and US sanctions lists to manage this risk.
