
Reviewing FCA’s Key Findings: Sanctions systems and controls, September 2023

Following its review of firms’ sanctions arrangements since the Russia invasion, the Financial Conduct Authority (FCA) has identified key findings regarding governance, oversight, and the challenges firms face in managing sanctions risks. Let’s delve into their points:

Senior Management Oversight of Sanctions Risks 

The FCA found instances where senior management lacked sufficient information, particularly when relying on systems and processes from other jurisdictions. One multinational firm used a sanctions solution across its global operations, but this had limited function within the UK sanctions regime. Some firms lacked basic sanctions information, alerts and metrics. As a result, senior management were not able to understand risks or screening performance, and therefore could not make effective decisions. Senior management need sufficient information and suitable systems to understand applicable sanctions risks.

Global Sanctions Policies 

The FCA found that some global firms were not aligned with the UK sanctions regime. This was evident where multinational firms focused more on US sanctions and paid insufficient attention to the UK regime, especially in global centres of excellence or service centres. Global teams also communicated poorly with regional sanctions teams and were unaware of UK regulations.

Over-reliance on Third-Party Sanctions Screening Tools 

The FCA found that firms lacked understanding of how their sanctions screening tools were calibrated and when lists were updated. As a result, they could not determine whether they were screening against the correct lists, missing names that should be identified, or producing too many false positives. This hindered their ability to demonstrate effective risk management and shows the need for proper control and oversight of sanctions screening. Regular testing and agreed internal service-level agreements (SLAs) for list updates are essential.

Contingency Planning 

The FCA found that firms which conducted risk assessments and developed contingency plans in response to Russia exposure were better prepared to implement risk-reducing measures and respond to increased sanctions. Lessons learned from this response will further enhance their readiness for future events.

Skills and Resources 

The FCA found that many firms had significant backlogs in assessing, escalating, and reporting alerts from name and payment screenings, hindering their ability to promptly identify and report exposures. These backlogs persisted due to a lack of appropriate resources. Additionally, resource strain in operational teams led to a lack of clarity in prioritizing alerts, increasing the risk of errors. The backlogs were often compounded by a lack of governance and internal SLAs. Furthermore, there were backlogs in ongoing due diligence reviews due to resource and staffing constraints. 

Screening Capabilities 

The FCA found that while some firms had effective control mechanisms to measure the efficiency of their sanctions screening tools, in some cases the calibration was poorly tailored, leading to either excessive false positives or missed detections. It is crucial for firms to understand how their systems work and how they are calibrated. The FCA also found that some firms were not adhering to SLAs when updating screening lists, and that some systems were unable to generate alerts for certain names on OFSI’s consolidated list of sanctioned individuals.

Customer Due Diligence and Know Your Customer 

The FCA found backlogs in customer due diligence (CDD) and low-quality assessments, which raised the risk of firms failing to identify sanctioned individuals. Some firms had not gathered the complete ownership structures of entities. It is crucial for firms to gather sufficient information and conduct thorough Know Your Customer (KYC) and CDD checks to comply with sanctions requirements and screen all relevant parties.

Breach Reporting 

Firms must promptly report any breach of financial sanctions to OFSI and notify the FCA if they are dealing with a designated person or hold frozen assets. The FCA has identified firms that had delayed or failed to report breaches.


Firms should regularly evaluate and strengthen their measures to prevent sanctions breaches and adapt to changing risk exposures. Firms should review these latest findings and take steps where appropriate, review the UK sanctions regime and report breaches, and evaluate sanctions screening systems and controls.


EFI works with financial institutions to review their screening processes. Working with a recent client that was reviewing its sanctions processes, EFI identified client due diligence gaps, made recommendations for the client’s sanctions screening process, and updated client data.


