The recent sanctions breach involving Wise Payments Ltd has highlighted the importance of robust compliance measures in the financial industry. The breach, which involved a £250 cash withdrawal by a designated person, has prompted the Office of Financial Sanctions Implementation (OFSI) to issue a disclosure notice, marking the first use of this enforcement power.
The OFSI’s disclosure framework allows them to publish the names and details of
a sanctions breach and this indicates that OFSI considers the breach serious enough to be formally made known. In this article, we will delve into the details of the breach, examine the weaknesses in Wise’s processes, and provide insights on how firms can avoid similar penalties.
Background of the Sanctions Breach
On the 29th June 2022, an individual was designated by OFSI and subjected to an asset freeze under regulation 12 of the OFSI Russia Regulations. On the 30th of June 2022, this designated person withdrew £250 cash from their business account at Wise using a debit card.
Wise had been using a third-party sanctions screening solution, which added the designated individual to their system on 30th June 2022. The Wise screening system raised an alert on the designated individual’s business account. Wise’s policy was to suspend account transfers, but to allow debit card withdrawals. Because of this policy, the designated person was able to withdraw funds.
This cash withdrawal was a sanctions breach, which Wise reported to OFSI on the 20th July 2022.
Lessons Learned from the Breach
This breach and disclosure highlighted key weaknesses – firstly, Wise’s reliance on timely updates from a third-party screenings provider; secondly, Wise’s policy to continue to allow debit card withdrawals on suspended accounts; and thirdly, Wise did not have sufficient analyst staffing to review sanctions alerts over the weekend, which further delayed the investigation into the breach.
This serves as a valuable lesson for firms in the financial industry. To avoid similar penalties, it is crucial to establish robust compliance measures and adhere to industry best practices. Here are some key takeaways:
1. Ensure Compliance with Legal and Regulatory Requirements
Firms must regularly review and update their sanctions policies and procedures to align with current legal and regulatory requirements. Conducting self-assessments against relevant guidance, such as HMT’s UK Financial Sanctions guidance, can help identify any gaps or areas for improvement. Seeking an independent opinion on compliance measures can provide valuable insights and ensure adherence to best practices.
2. Conduct Comprehensive Sanctions Risk Assessments
A thorough understanding of potential risks is essential for effective sanctions compliance. Firms should conduct insightful sanctions risk assessments that identify potential vulnerabilities and assess the consequences of breaches. This assessment should encompass both internal processes and external factors, enabling firms to implement robust controls and mitigation strategies.
3. Provide Adequate Staff Training
Proper training is crucial to ensure that staff members understand the intricacies of sanctions screening controls and the implications of non-compliance. Firms should invest in comprehensive training programs that educate employees on the importance of sanctions compliance and equip them with the necessary skills to identify and respond to potential breaches.
4. Test and Review Systems Regularly
Frequent testing of systems is vital to identify any weaknesses or gaps in sanctions screening processes. Firms should establish robust testing procedures to evaluate the effectiveness of their systems and controls. This testing should be conducted at regular intervals to ensure ongoing compliance and to promptly address any issues that may arise.
5. Verify Data Sources for Accuracy and Currency
Effective sanctions screening relies on accurate and up-to-date data sources. Firms should have a clear understanding of the key data sources used in payment and customer screening, and understand the publishing timeframes. Regular verification of these sources is essential to ensure their accuracy and currency. Establishing mechanisms to monitor and update data sources will help maintain the integrity of sanctions screening processes.
6. Schedule Sufficient Qualified Staffing
Prompt response to sanctions regime updates requires sufficient staffing across business hours to keep sanctions screening up to date. Firms should carefully plan out resourcing and maintain a workforce that is equipped to manage risk exposure.
Steps to Avoid Sanctions Penalties
To mitigate the risk of sanctions penalties, firms should take proactive steps to strengthen their compliance measures. Here are some recommended actions:
Review and Enhance Suspended Account Controls: Firms should revisit their controls on suspended accounts to ensure that comprehensive automated suspensions are in place when a potential sanctions hit occurs. This will prevent unauthorized transactions and mitigate the risk of breaches.
Establish Weekend and Evening Coverage for Sanctions Alerts: Having analyst coverage for sanctions alerts over weekends and holidays is crucial to ensure timely investigations and response to potential breaches. This will help prevent any delays in addressing sanctions-related issues.
Recruit Additional Staff and Enhance Training: Firms should consider recruiting additional personnel to ensure their staffing is appropriate for their business needs. Furthermore, ongoing training programs should be implemented to keep employees updated on the latest regulations, industry best practices, and the evolving sanctions landscape.
Revisit Policies and Procedures: Regularly reviewing and updating sanctions policies and procedures is essential. Firms should seek expert guidance to align their policies with industry best practices and their risk appetite.
Engage Independent Assurance Reviews: Undertaking independent assurance reviews can provide valuable insights into the design and effectiveness of screening tools. These reviews can help identify any gaps or weaknesses in compliance measures and provide recommendations for improvement.
By implementing these steps and maintaining a strong focus on compliance, firms can minimize the risk of sanctions breaches and avoid penalties and disclosure notices.
Conclusion
The Wise sanctions breach serves as a wake-up call for firms in the financial industry, particularly larger firms with more complex operational processes and teams. It highlights the importance of understanding regime updates, timeframe constraints, and staffing capability. Firms must maintain robust compliance measures, thorough risk assessments, and effective training programs. By learning from the lessons of this breach and taking proactive steps to strengthen compliance, firms can protect themselves from sanctions penalties and maintain the integrity of their operations.
EFI offers managed screening services, independent reviews and expertise in screening management and policy implementation.