On 6 September 2023, the UK Financial Conduct Authority (the FCA) published the findings of its review of the sanctions systems and controls in place at over 90 financial services firms operating in a range of sectors (the Review).

This briefing summarises the FCA’s findings on good practices currently being followed by firms, as well as several areas for improvement identified in the Review.

Good practices identified

The Review identified a number of good practices, including:

  1. Proactive approach to identifying sanctions exposure to Russia – as part of their risk management procedures, some firms had conducted risk exposure assessments and scenario planning in advance. The FCA found that those firms were better placed to implement UK sanctions at speed.
  2. Sanctions screening systems – the FCA found that several firms were able to clearly articulate and demonstrate that their sanctions screening tools had been calibrated to ensure they were appropriate for the sanctions risks that the firm was exposed to. They were also able to demonstrate the controls they had in place to measure the effectiveness of their sanctions systems' thresholds and parameters, which included, for example, sample testing and tuning. Having a mechanism in place to measure the effectiveness of sanctions screening capabilities ensures that risks within the business are appropriately managed.
  3. Tool calibration – most firms had sanctions screening systems which were able to help identify name variations for sanctioned entities and individuals. Firms should be continually seeking ways to enhance these systems to ensure that they are developing new ways to identify sanctions evasion.

The FCA is encouraging firms to consider these examples in the context of their own business, to assess whether enhancements can be made to systems and processes.

Areas that need improvement

The Review also identified a number of areas that would benefit from enhancement, including:

  1. Senior management oversight of sanctions risk – the FCA noted instances where senior managers were not provided sufficient management information (MI). The FCA also saw a lack of quantitative and qualitative MI to enable effective oversight, identification of risk, and trend analysis. A failure to provide adequate MI impacts senior managers’ understanding of the sanctions risks that the firm is exposed to as well as their ability to fulfil their responsibilities.
  2. Global sanctions policies – the FCA identified misalignment in some firms’ UK and global policies and instances of poor communication between global and regional sanctions teams. Firms need to be globally coordinated, so that all businesses and individuals fully understand the sanctions regimes with which they need to comply.
  3. Over-reliance on third-party sanction screening tools – the FCA found several instances where firms lacked understanding of how their sanctions screening tools were calibrated and how frequently lists were updated. This led to a failure to understand if screening was being done against the correct lists and therefore if the firm was effectively complying with its obligations.
  4. Skills and resources – the Review identified that resource constraints led many firms to have significant backlogs in the assessment, escalation, and reporting of alerts from the screening of names and payments. These issues were compounded by a lack of governance and appropriate internal service level agreements. A lack of adequate resourcing has also led to a lack of clarity on prioritisation of alerts, due diligence reviews and greater reliance on external legal and consulting resources. It is important for firms to ensure that they are adequately resourced to allow for timely action on true positive alerts.
  5. Screening Capabilities – whilst some firms were identified as having effective sanction screening tools, there were instances where calibration had not been adequately tailored and this resulted in the systems either being too sensitive (causing a high number of false positive names) or not sensitive enough (resulting in sanctioned individuals not being adequately detected). The FCA’s testing of firms’ sanctions screening systems also found that some firms’ systems failed to generate alerts against certain names on the Office of Financial Sanctions Implementation’s (OFSI) consolidated list of persons subject to sanctions. This could lead to firms breaching sanctions requirements.
  6. Customer Due Diligence (CDD) and Know Your Customer (KYC) – the FCA were concerned that the low quality of CDD and KYC assessments increased the risk of firms not being able to identify sanctioned individuals. It is important that firms gather sufficient information and undertake sufficient KYC and CDD to ensure they are screening all relevant parties and do not breach relevant sanctions requirements.
  7. Breach reporting to OFSI and the FCA – the FCA identified ineffective reporting practices – both long delays between identifying an issue and reporting that issue, and failures to report in some cases. Firms need to ensure that they are appropriately reporting sanctions breaches to the FCA and OFSI.

Next steps

There are a number of key takeaways from the Review, with the issues identified by the FCA regarding adequate governance and alignment of global policies being particularly important in a sanctions context. To address this, firms should continue to evaluate their approach to identifying and assessing the global sanctions risks they are exposed to. They should actively strengthen the processes and systems that are in place to prevent sanctions breaches and evasion, adapting to the evolving sanctions landscape and changing risk exposures. This is crucial in ensuring control frameworks remain effective and aligned with the current requirements.

If you would like to discuss this Review or require assistance navigating some of these complex issues, please contact us.

With thanks to Saaraa Alimahomed for her assistance with this post.