The FCA’s supervisory approach to sanctions

Taking proactive steps to enhance your firm’s sanctions systems and controls

Introduction

Since the expansion of the UK sanctions against Russia, the effectiveness of firms’ systems and controls to deter breaches and circumvention of sanctions has become a top priority for the Financial Conduct Authority (FCA). Throughout 2022/2023, the FCA has assessed over 90 firms’ sanctions systems and controls and has recently published a report setting out the key findings from its assessments. The FCA expects all firms to consider those findings and take proactive steps in enhancing their sanctions controls.1

This blog sets out the areas the FCA focuses on as part of its sanctions supervisory approach, the FCA’s expectations for some of these areas in line with the report it has recently published, and additional key steps firms should be considering in proactively enhancing their sanctions systems and controls.


What has changed in the FCA’s supervisory approach since the expansion of UK sanctions against Russia?

The speed and scale of new sanctions introduced as a result of the war in Ukraine brought new challenges and sanctions risks for FCA regulated firms. Throughout 2022/2023, the FCA has taken several actions indicating that firms’ sanctions systems and controls have become a key priority in its supervisory approach:

  • Communicating sanctions controls’ expectations: In February 2022, after the introduction of new sanctions against Russia, the FCA reiterated its sanctions controls expectations to 10,000 firms operating in sectors such as wealth management, asset management, payments, insurance, wholesale and retail banks2. Following the assessment of over 90 firms’ sanctions systems and controls, the FCA has now published key findings and expects firms to demonstrate how these findings have been considered in enhancing their own sanctions systems and controls.
  • Launching a sanctions reporting tool: The FCA has launched a new platform for firms to report instances of sanctions breaches or evasion. The FCA also expects firms to report weaknesses they identify in other firms’ sanctions systems and controls. The FCA analyses the information/intelligence it receives to inform its supervisory approach.3
  • Strengthening collaboration with the Office of Financial Sanctions Implementation (OFSI): The FCA has increased its collaboration and information sharing with OFSI, including sharing intelligence on suspected sanctions breaches and weaknesses in firms’ controls.
  • Rolling out its proactive and reactive supervisory approach to sanctions: Under its proactive approach, the FCA assesses firms’ sanctions systems and controls under its Modular Assessment Proactive Programme (MAPP) using its own Sanctions Screening Tool (SST). The FCA rolled out MAPP to enable deep dive assessments of firms’ controls whilst also making it easier to compare and benchmark firms in a shorter period of time.4 The FCA also acts on firm-specific intelligence indicating weaknesses in sanctions systems and controls.5
  • Increasing the use of intervention and enforcement powers: The FCA uses its regulatory tools to address weaknesses identified in firms’ sanctions systems and controls. This could include, for example, the appointment of a Skilled Person, Voluntary Applications for Imposition of Requirement (VREQ), or the initiation of enforcement investigations, in addition to any OFSI enforcement actions, when serious and persistent weaknesses are identified.6


What are the areas the FCA is focusing on as part of its sanctions assessments?

1. Risk assessments – The FCA expects firms to clearly demonstrate how they identify and manage sanctions risks inherent in their business activities. Firms must be able to elaborate how they consider and weigh sanctions risk factors as part of their Business Wide Risk Assessments (BWRA) and Customer Risk Assessments (CRA).

We suggest considering the following to ensure adequacy of your BWRA and CRA methodologies and application:

  • is your approach to identifying and managing sanctions risks proactive? How do you identify the areas of your business activities with higher sanctions risk exposure and/or emerging sanctions risks? What proactive measures or contingency planning do you develop as a result?
  • for firms that operate in multiple jurisdictions and adopt a group-wide sanctions framework, are sanctions risks inherent in your UK business activities reflected in your BWRA?
  • are controls implemented to manage the sanctions risks inherent in your UK business activities aligned with the UK sanctions regime and regulatory requirements?
  • in case you have identified gaps or weaknesses in sanctions controls, for example during assurance or audit testing, are these gaps adequately reflected in controls’ effectiveness and residual risk as part of the BWRA?
  • are customers’ direct or indirect sanctions exposures considered as part of the CRA and reflected in the customers' risk ratings? Does this include conducting business in countries in close proximity to sanctioned countries?

2. Governance and oversight – The FCA requires accountability at senior management level, with clear ownership of sanctions controls. The FCA expects firms to proactively identify current and emerging sanctions risks, and to remediate in a timely manner any gaps or weaknesses exposing them to sanctions evasion or breaches.

We suggest considering the following as part of enhancing the governance and oversight of your firm’s sanctions systems and controls:

  • do senior management receive adequate Management Information (MI) on sanctions risks and controls’ effectiveness enabling them to understand the risks and decide on corrective actions?
  • is there challenge of the sanctions related MI presented to senior management to ensure continuous improvement?
  • do you adequately identify and escalate emerging sanctions risks to senior management to enable a proactive approach to sanctions risk management and contingency planning?
  • how robust and frequent is the independent audit testing of your sanctions controls?
  • do you communicate ‘lessons learnt’ across the firm when you self-identify controls’ gaps or weaknesses?
  • do you consider the key messages and ‘lessons learnt’ arising from the FCA’s Guidance, Enforcement Notices, OFSI’s Monetary Penalties or Disclosure Notices?
  • can you demonstrate how any recent ‘lessons learnt’ have been considered and whether any enhancements have been made to your systems and controls as a result?

3. Policies and procedures – Firms tend to align their global policies to OFAC requirements on the assumption that this will also meet the legal and regulatory requirements of other regimes. The FCA expects firms operating in the UK to have policies and procedures aligned to the UK sanctions regime.

We suggest considering whether your policies and procedures meet the following regulatory expectations:

  • for firms operating in the UK, have you aligned your sanctions policies and procedures to UK requirements, including incorporation of changes to the control and ownership approach adopted by OFSI and expectations in establishing ‘formal ownership and/or control’ and ‘indirect or de facto control’7?
  • have you updated your sanctions policies and procedures to incorporate the reporting requirements and expectations introduced by the FCA in relation to sanctions breaches, evasion and weaknesses identified in other firms’ controls8?
  • have you reviewed your sanctions screening procedures to ensure they clearly document the firm’s processes and escalation protocols?
  • are there documented internal SLAs for alert escalation and dispositioning?
  • what quality controls are in place to ensure review of sanctions screening alerts before dispositioning?
  • do you maintain adequate records of sanctions screening alerts’ reviews, escalation, and decisions?

4. Due Diligence measures – The FCA expects firms to be able to provide clear evidence of the due diligence measures they have taken to identify and mitigate any sanctions risks posed by their customers. This includes the steps firms have taken to identify and verify the ultimate beneficial owners and/or controllers of their customers.

We suggest considering the following due diligence measures to identify and mitigate any sanctions risks associated with your customers:

  • how do you ensure that the degree of due diligence measures is commensurate with the level of sanctions risk posed by customers and nature of transactions?
  • is the level and quality of due diligence applied in line with OFSI’s expectations as set out in its revised Enforcement Guidance9?
  • can you demonstrate that ‘event driven reviews’ have been conducted when there was a change in customers’ beneficial ownership or control, or other triggering catalyst in the customer’s profile?
  • can you demonstrate that changes in customers’ beneficial ownership or controls have been considered as part of customers’ periodic reviews?
  • in case you experience backlogs in sanctions screening alerts and ongoing due diligence reviews, have you identified the root causes for these backlogs (e.g., lack of resourcing or sanctions expertise), and can you demonstrate that remedial plans to address the root causes are in place?

5. Sanctions screening – The FCA has created a synthetic data set of sanctioned entities to test firms’ sanctions screening solutions. As part of its assessments, the FCA sends a list of 100,000 entities and tests whether firms’ sanctions screening solutions effectively identify sanctioned entities.

We suggest considering the following to ensure effectiveness of your sanctions screening systems:

  • are your sanctions screening systems appropriately calibrated and tailored to the sanctions risks inherent in your UK business activities?
  • are your sanctions screening systems effectively screening against the UK Sanctions List? Are there SLAs in place to ensure timely updates of sanctions lists?
  • are there any strategic remedial plans and interim controls in place to address any identified weaknesses or limitations?
  • how do you ensure that customer and third-party data used for sanctions screening is accurate and up to date?
  • how do you maintain control and oversight over third party sanctions screening tools?
  • are your sanctions teams adequately resourced to avoid backlogs in dealing with sanctions screening alerts?


Conclusion

In its recently published report on key findings from its sanctions assessments, the FCA communicated that sanctions systems and controls will continue to be a priority for the FCA. The FCA expects all regulated firms to take a proactive approach in identifying sanctions risks and ensure that their sanctions control framework can adapt to the evolving sanctions landscape. The FCA stressed that all regulated firms should be prepared to engage with the regulator as part of its sanctions assessments10. Is your firm prepared to demonstrate a proactive approach in identifying and managing sanctions risks?

________________________________________________________
References

1 Sanctions systems and controls: firms’ response to increased sanctions due to Russia’s invasion of Ukraine | FCA

2 FCA’s response to Treasury’s Committee’s Inquiry on Russia: Effective Economic Sanctions – 4 July 2022

3 Reporting sanctions evasions (fca.org.uk)

4 HM Treasury – Anti money laundering and countering the financing of terrorism supervision report 2022 -2022 (December 2022)

5 Ibid 1

6 Ibid 1

7 March_2023_Monetary_Penalty_and_Enforcement_Guidance.pdf (publishing.service.gov.uk)

8 Ibid 3

9 Ibid 6

10 Ibid 1