Mistaken breach of UK Financial Sanctions: possible exposure and what to do

Breach of UK financial sanctions

Breaching a financial sanction can be a criminal offence.  There are different types of offences depending on the type of breach.

• Primary offences:  this is engaging in conduct which is prohibited under the relevant sanction.  Examples include:

• making funds available to, or dealing with the funds or assets of a ‘designated person’ without a licence, knowing or suspecting, or having reasonable grounds to suspect that the relevant transaction is prohibited.

• intentionally participating in activities, knowing that the object or effect is (directly or indirectly) to circumvent any sanction.  This could include any arrangement designed to bypass sanctions, such as structuring a transaction as an equity deal in an effort to disguise the fact that it is actually a loan.

• Secondary offences:

• failing to comply with any condition of a licence or knowingly or recklessly providing false information or documentation to obtain a licence.

• a failure by certain types of business to inform the UK Government  that the business knows or has reasonable cause to suspect that a person is a designated person or has breached a financial sanction. Types of business in scope of these reporting offences include UK-regulated financial institutions, as well as currency exchanges or funds transmission businesses, auditors, accountants and legal professionals.

• information offences relating to failure to provide information to the UK sanctions enforcer, the Office of Financial Sanctions Implementation (OFSI), when requested, or providing false information, or destroying evidence.

These offences can be committed by both companies and individuals.

Is it an offence if a sanction is breached by mistake?

Yes, in some circumstances. These criminal offences can be committed by a person (including a company) who knew or had reasonable cause to suspect that they were committing a breach of the sanction¹.  This means that a person can commit an offence even if they did not have actual knowledge, but should have suspected or known based on information that was available to them (ie ‘reasonable grounds to suspect’).

Prior to the passing of the Economic Crime (Transparency and Enforcement) Act 2022 (Act) on 15 March,  the same was true of OFSI’s power to impose a civil penalty for a breach. A civil penalty could be imposed where OFSI could show that the person or entity knew or had reasonable cause to suspect.

The Act makes it easier for OFSI to impose a monetary penalty by replacing the knowledge/reasonable cause to suspect test with a “strict liability” test. Under the Act, it will no longer be necessary for OFSI to show that a person knew of, or had reasonable grounds to suspect, a sanctions breach, to be liable for a civil fine. It will be enough to show, on the balance of probabilities (ie more likely than not) that there was simply a breach.

This change may not alter greatly the risk analysis for regulated individuals and entities in financial services or other regulated sectors, who are already expected to have a high degree of sanctions compliance awareness.

Possible enforcement for breach of UK financial sanctions

OFSI is responsible for enforcing financial sanctions in the UK. This may include one or more of the following:

• Warnings & referral to regulators: It can issue correspondence requesting details of how firms propose to improve their compliance practices or refer them to their professional regulators. It may also pass details to relevant authorities overseas, including overseas sanctions enforcers.

• Publicity: Under changes made in the Act, OFSI can publish a report on a sanctions breach, even where no monetary penalty has been imposed.

• Monetary penalty:  OFSI can impose a civil monetary penalty (see above). The penalty may range from 50% of the value of the breach to GBP1 million, whichever is higher. Separate penalties can be imposed on a legal entity and the officers who run it. A monetary penalty is normally accompanied by a public notice with details of the breach and the penalty.

• Criminal prosecution: OFSI can refer cases to law enforcement agencies for criminal investigation and potential prosecution, with possible prison sentences and fines.  Deferred prosecution agreements are available for financial sanctions offences.

In deciding what action to take and the level of any penalty, OFSI considers the nature and severity of the breach and the conduct of the individuals involved.  The more serious the breach, and the worse the conduct of individuals, the more likely it is that OFSI will impose a penalty, and the higher any penalty is likely to be.

Here are examples of ‘aggravating’ factors (ie these will make the penalty more likely and/or higher):

• High value of transactions/resources affected.

• Repeated breaches.

• Circumvention (treated ‘very seriously’² ).

• Risk of harm to sanction regime’s objectives.

• Deliberate, negligent breach.

• Regulated sector (held to a higher bar).

• Funds/economic resources made available to a designated person.

• Failure to provide requested information.

OFSI also takes into account mitigating factors such as whether the conduct was self-disclosed, the extent to which a person cooperated with any enquiries, and actions taken to improve future compliance.

There has historically been a low level of sanctions enforcement in the UK, compared to, for example, by the US Office of Financial Assets Control (OFAC). We have not yet seen any criminal convictions for sanctions breaches since OFSI was formed in 2016.  Its primary method of enforcement has been publicly reported monetary penalties. It has levied just six fines against businesses, including banks, a telecoms provider and Fintech firms - some of whom attracted enforcement action despite the value of the transactions being no more than GBP200.³   In February 2020, OFSI imposed its most significant penalty to date by fining a large bank GBP20.47 million for breaching sanctions imposed over Russia’s annexation of Crimea in 2014.

OFSI recently signalled its ambition to take a more aggressive enforcement approach by modifying its guidance on monetary penalties, and the UK Government has announced the formation of a new “Kleptocracy” team within the National Crime Agency to assist in the investigation of sanctions breaches.

OFSI is not the only ‘enforcer’ in the financial sanctions space. The FCA expects regulated firms to have comprehensive systems and controls in place to counter the risk of a sanctions breach occurring. Firms are expected to have effective policies and procedures for sanctions compliance and dealing with politically exposed persons (PEPs).  Where the FCA identifies failings in financial crime systems and controls, it can impose restrictions or take enforcement action. In recent years it has imposed large fines on a number of banks for poor AML and sanctions controls.

How does OFSI find out about sanctions breaches?

OFSI can become aware of a sanctions breach through a number of channels, including:

• Firms reporting suspected breaches.

• Referrals by the FCA, which may detect breaches during the course of its supervision of firms.

• Reports made by third parties, for example those involved in the same transaction – one of the parties may have a positive duty to report, even if others do not.

• Intelligence sharing between authorities.  A recent joint statement by the UK FCA and UK Prudential Regulation Authority states that they are working closely with partners in government and law enforcement both in the UK and abroad, to share intelligence and act to prevent sanctions evasion, including through the use of cryptoassets.

Between  2020- 2021, OFSI considered 132 reports of potential sanctions breaches.

What to do if there has been a breach of UK financial sanctions – early steps

Check there has been a breach

Check carefully whether there has in fact been a breach. Consider:

• Timing, scope and application of the applicable sanctions, including any exemptions. Some sanctions issues involve complicated structures or relationships which will need careful analysis, eg to determine ownership issues or whether there is (or is not) a UK nexus. To fall within the OFSI enforcement regime, the breach needs to have some connection to the UK. Examples of what constitutes a UK-nexus include:

• a UK company or UK national working overseas.
• action by a local subsidiary of a UK company (depending on governance).
• action taking place overseas but directed from within the UK.

• Who knew what and when?  This will help assess exposure particularly as regards some of the reporting offences.   It will also help to assess the duration of a known/suspected violation – was it very short whilst screening systems aligned with a change in the rules, or a longer period?

• Whether there is an applicable licence that authorises the conduct in question.

Some breaches will be clear cut and easy to identify.  Others may require a more technical analysis and require specialist advice.

Early steps on discovering a breach

• Stop the breach: Take immediate steps to ensure that no further breaches occur either under the Sanctions Regulations, any licences or under any non-UK sanctions. Document those steps.

• Investigate: Assess the nature and extent of the breach. Also consider whether there is a systemic failing which means that there may be other breaches.

• Consider reporting options or obligations: These will vary according to which sector your business is operating in. Firms operating in the regulated sector have more onerous reporting obligations concerning reporting to OFSI. The FCA would also expect to be informed from a supervisory perspective. All types of business will want to consider making a self-disclosure to OFSI, as it is a significant mitigating factor when deciding the nature of any enforcement.  OFSI recognises that a person will need some time to assess the nature and extent of a breach, and to seek legal advice, but expects timely reporting.  If OFSI is already aware of the breach (for example by having already been informed by a third party) it still expects a person to self-report. There may be a reduction of up to 50% of a fine for voluntary disclosure.

• Consider money laundering implications: Any proceeds from conduct which constitutes a sanctions offence (eg interest payments made on a loan to a designated person) may constitute criminal property for the purposes of the UK anti-money laundering laws and regulations.  There are separate exposure and reporting considerations which will need to be carefully considered for individuals and companies.

Finally

Breaching financial sanctions can have severe legal, monetary and reputational consequences for businesses and individuals. Businesses should have appropriate systems in place, including clear policies and training, to adhere to their obligations under the expanding global web of sanctions.

Navigating laws driven by national security and geopolitics was one of the ten key challenges for in-house counsel this year identified in the 2022 Allen & Overy Cross-border White Collar Crime and Investigations Review.

If you require sanctions enforcement advice please contact your normal Allen & Overy contact or one of our sanctions investigations specialists.

Footnotes:

_{1 See, for example, Russia (Sanctions) (EU Exit) Regulations 2019, Regulations 11 to 19.
2 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1051875/Monetary_Penalties_Guidance__Jan_2022_.pdf 
3 For example, in January 2019 the OFSI fined Raphaels Bank GBP10,000 for a transaction in breach of Sanctions Regulations worth GBP200.00. Similarly, in May 2019, it fined Travelex (UK) Ltd GBP10,000 for a non-compliant transaction worth GBP204.00.}