On 6 September 2023, the FCA published a new webpage – Sanctions systems and controls: firms’ response to increased sanctions due to Russia’s invasion of Ukraine. The new webpage sets out key findings from the FCA’s assessments of sanctions systems and controls in financial services firms. It includes examples of good practice and areas for improvement, in order to help firms deliver even greater compliance with sanctions.
The FCA sets out examples of both good practice and areas for improvement under 5 key themes, including:
- Governance and oversight – The FCA found firms that had planned in advance for possible sanctions before February 2022 were in a better position to implement UK sanctions at speed. The ability to monitor and review the effectiveness of sanctions implementation through management information is important, as is ensuring that sanctions reporting is calibrated to the UK regime. Some firms are still not able to show that they are providing senior management with sufficient information about their exposure to sanctions or are reliant on global sanctions policies which are not aligned with the UK sanctions regimes. In these cases, the FCA expects improvements to be made.
- Skills and resources – Sanctions teams need to be properly resourced to avoid backlogs in dealing with sanctions alerts and enable a quick reaction to sanctions risks. The FCA notes that some firms still lack adequate resources to ensure effective sanctions screening, and firms that have significant backlogs are at greater risk of non-compliance with sanctions obligations.
- Screening capabilities – Sanctions screening tools need to be adequately calibrated and include the necessary requirements under the UK regime. The FCA found that certain firms demonstrated their sanctions’ screening tools were properly calibrated. However, it also saw poorly calibrated or tailored screening tools, with some firms also too reliant on third party providers with ineffective oversight over them. Screening tools, whether developed by firms or from third party providers, will be more effective if they are appropriate for the UK sanctions regime and calibrated to the risks faced by a firm.
- Customer due diligence (CDD) and know your customer (KYC) procedures – Effective CDD and KYC are a cornerstone of effective compliance with sanctions requirements. The FCA flags that it has continued to find instances of low quality CDD and KYC assessments and backlogs, which can increase the risk of firms not identifying sanctioned individuals. For example, by a failure to identify connected parties or corporate structures that are sanctioned.
- Reporting breaches to the FCA – The FCA expects firms to make timely and accurate reporting to the FCA on potential sanctions breaches. It found that the timeliness of reporting potential breaches or relevant sanctions information was inconsistent across firms.
Firms are now expected to:
- Consider the FCA’s findings, evaluate their approach to identifying and assessing sanctions risks, and take action where appropriate.
- Read the FCA’s Financial Crime Guide (chapter 7 in particular), SYSC 6.3 of its Handbook, its sanctions webpages and the guidance produced by the Joint Money Laundering Steering Group.
- Engage with the FCA in its testing of firms’ sanctions systems and controls, and report any significant deficiencies identified in such processes.