
Thought for the Week: FCA review of sanctions systems and controls - the good, the bad and how to make sure it doesn't turn ugly


    The FCA expects financial services firms to have appropriate systems and controls to prevent a breach of UK sanctions. During 2022 and 2023, the FCA assessed the systems and controls of over 90 firms across a range of sectors using its own "Sanctions Screening Tool" (SST), alongside specific intelligence and reporting. The FCA published its key findings on 6 September 2023.

    The good

    • Firms which had carried out risk assessments / scenario planning in advance of the invasion were better placed to cope with the increase in demand. Likewise, firms which have conducted lessons-learned exercises since the invasion will be better placed to address future escalations.
    • The FCA praised firms which could show that their sanctions screening tools had been calibrated to the specific risks the firm was exposed to, and which had control mechanisms to measure the efficiency of their system thresholds and parameters, including sample testing and tuning. We think firms should also consider how to calibrate their tools to their particular risk tolerance.
    • Although most of the screening systems used fuzzy logic to identify name variations (which, in our view, is the bare minimum for any screening tool), firms should be continually looking to enhance their screening to identify sanctions evasion, an issue which has seen increasing focus over the past few months.

    The bad

    • Senior management were often given insufficient information about sanctions issues to enable them to discharge their responsibilities. Senior management need enough information to ensure that they understand the sanctions risks applicable to their firm.
    • The FCA highlighted the dangers of global policies which are not aligned to UK sanctions, and/or sanctions screening based outside the UK which was too focused on, for example, US sanctions. This increases the risk of non-compliance where UK legislation differs from that in other jurisdictions.
    • Over-reliance on third party screening tools resulted in a lack of understanding of how those tools worked. Even when screening tools are outsourced, firms need to ensure that they have appropriate control and oversight to ensure effective calibration. In our experience, this requires specialist skills, and firms should look to build their in-house expertise so that they are in full control of their screening model, are able to test it continuously, and can explain to regulators how and why their solutions are configured the way they are.
    • Many firms experienced significant backlogs in the assessment, escalation and reporting of alerts from name and payment screening. These backlogs often persisted for a significant time due to a lack of internal resource and governance issues. In our experience, inefficient processes and poor technology can be as much to blame.
    • The FCA found that screening tools were often not properly calibrated, meaning systems were either too sensitive (so generated high numbers of false positives) or not sensitive enough (so did not pick up designated persons – a particular challenge where names may be transposed from one alphabet to another, in a variety of forms). The FCA acknowledged that this is "a delicate balancing act", but emphasised the importance for a firm of understanding how its system works. In our experience, continuous testing for false positives and false negatives [1], together with effectiveness and efficiency tests, enables firms to calibrate this balance and target specific gaps.
    • The FCA called out backlogs in, and the poor quality of, customer due diligence (CDD) and know your customer (KYC) checks. Such checks should consider the full ownership structures of entities to ensure no breaches of sanctions requirements.
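    To make the calibration point concrete, the following is an added illustration, not code from the FCA's SST or from Ashurst: a minimal fuzzy name-screening routine (normalisation plus edit-distance similarity) run against a constructed, fictitious watchlist and a labelled set of screened names. It counts false positives and false negatives at each candidate threshold, picks a threshold under an assumed weighting that treats a missed designated person as costlier than a false alert, and lists the near-miss names just below the chosen line for "below the line" sample testing. The watchlist, test names, threshold grid and weighting are all constructed assumptions.

```python
"""Illustrative threshold calibration for a fuzzy name-screening tool.
Added example: not the FCA's Sanctions Screening Tool and not Ashurst code.
Every name below is fictitious and constructed for the illustration."""
import re
import unicodedata

# Constructed watchlist of fictitious names (stand-in for a designated persons list).
WATCHLIST = ["Ivan Petrov", "Mohammed Al-Rashid", "Li Wei", "Jean-Pierre Dubois"]

# Constructed labelled test set: (screened name, genuinely matches the watchlist).
# True cases model transliteration variants, reordering and punctuation;
# False cases model similar-looking names that must not be blocked.
TEST_CASES = [
    ("Ivan Petrov", True),
    ("Petrov, Ivan", True),          # surname-first ordering
    ("Iwan Petrow", True),           # alternative transliteration (v/w)
    ("Muhammad al Rashid", True),    # alternative transliteration
    ("Mohamed Al Rashid", True),     # single-m spelling
    ("Li Wei", True),
    ("Wei Li", True),                # transposed given name / family name
    ("Jean Pierre Dubois", True),    # hyphen dropped
    ("Ivan Petrenko", False),
    ("Ian Peters", False),
    ("Mohammed Ali", False),
    ("Li Wen", False),               # one letter away from a listed name
    ("Pierre Duval", False),
]

THRESHOLD_GRID = (0.70, 0.75, 0.80, 0.85, 0.90, 0.95, 1.00)  # assumed candidate settings


def normalise(name: str) -> str:
    """Strip diacritics and punctuation, lower-case, and sort tokens so that
    'Petrov, Ivan' and 'Ivan Petrov' compare as the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", plain.lower()).split()
    return " ".join(sorted(tokens))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), single-row dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical normalised names, falling towards 0.0 with each edit."""
    na, nb = normalise(a), normalise(b)
    longest = max(len(na), len(nb))
    return 1.0 if longest == 0 else 1.0 - levenshtein(na, nb) / longest


def best_match(name: str, watchlist=WATCHLIST):
    """Highest-scoring watchlist entry for a screened name, as (score, entry)."""
    return max((similarity(name, entry), entry) for entry in watchlist)


def evaluate(threshold: float, cases=TEST_CASES, watchlist=WATCHLIST) -> dict:
    """Alert on every name scoring at or above the threshold; count true positives,
    false positives (too sensitive) and false negatives (not sensitive enough)."""
    counts = {"alerts": 0, "tp": 0, "fp": 0, "fn": 0}
    for name, is_match in cases:
        alerted = best_match(name, watchlist)[0] >= threshold
        counts["alerts"] += int(alerted)
        if alerted:
            counts["tp" if is_match else "fp"] += 1
        elif is_match:
            counts["fn"] += 1
    return counts


def calibrate(cases=TEST_CASES, watchlist=WATCHLIST, grid=THRESHOLD_GRID,
              fn_weight: float = 3.0) -> float:
    """Grid threshold with the lowest weighted cost. fn_weight is an assumed
    risk-tolerance parameter (a missed designated person costs more than a false
    alert); on a tie the higher threshold wins because it creates fewer alerts."""
    best_threshold, best_cost = None, None
    for threshold in grid:
        result = evaluate(threshold, cases, watchlist)
        cost = fn_weight * result["fn"] + result["fp"]
        if best_cost is None or cost <= best_cost:
            best_threshold, best_cost = threshold, cost
    return best_threshold


def below_the_line(threshold: float, band: float, cases=TEST_CASES, watchlist=WATCHLIST):
    """Names that did NOT alert but scored within `band` of the threshold: the
    population a below-the-line sample test reviews by hand for false negatives."""
    sample = []
    for name, _ in cases:
        score, entry = best_match(name, watchlist)
        if threshold - band <= score < threshold:
            sample.append((name, round(score, 3), entry))
    return sample


if __name__ == "__main__":
    print("threshold  alerts  tp  fp  fn")
    for t in THRESHOLD_GRID:
        r = evaluate(t)
        print(f"{t:9.2f}  {r['alerts']:6d}  {r['tp']:2d}  {r['fp']:2d}  {r['fn']:2d}")
    print(f"\nchosen threshold (false negatives weighted x3): {calibrate():.2f}")
    print("below-the-line sample at 0.85:", below_the_line(0.85, 0.05))
```

    Running the table shows the balancing act the FCA describes: no single threshold on this data clears both error types, because a non-match one letter away from a short listed name ("Li Wen") scores higher than a genuine transliteration variant of a longer one ("Iwan Petrow"). The below-the-line sample surfaces exactly those near misses for analyst review, which is the evidence a firm needs when explaining to a regulator why its thresholds sit where they do.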

    Many of the issues identified by the FCA (poor calibration, lack of skills and resources, and backlogs) were what led to the recently publicised sanctions breach by Wise Payments (read more here).

    Interestingly, the FCA did not refer to sanctions circumvention, despite other (European) authorities warning organisations to be vigilant for this. Regardless, financial institutions need to consider the role of their compliance testing/monitoring (beyond the sanctions screening) in managing their circumvention risk.

    And how to make sure it doesn't turn ugly: what should firms do?

    Firms should:

    1. Ensure they notify the FCA where appropriate, whether (i) in parallel with a notification to OFSI (in accordance with the relevant sanctions regulations), or (ii) where a sanctions breach has resulted from a significant systems and controls failure (in line with Principle 11, SUP 15.3.8G(2) and Chapter 7 of the Financial Crime Guide).
    2. Continue to engage with the FCA's testing of firms' sanctions screening systems and controls. Sanctions remains an area of supervisory focus for the FCA.
    3. Consider the FCA's findings against their own systems and controls, and take action where appropriate. This should involve evaluating existing processes and identifying any areas where those measures need strengthening. In particular, firms should continually review their systems, controls and in-house competencies to ensure that they remain aligned with the evolving sanctions landscape.

    By combining market-leading legal, risk advisory and technology capabilities, Ashurst is uniquely positioned to support clients in navigating these unprecedented sanctions compliance challenges. Our team can supplement robust legal advice with proportionate operational insights. Please contact any of the individuals below to find out how Ashurst's unique legal-led Risk Advisory team can help you navigate any of the issues outlined above.

    Authors: Tom Cummins, Partner; Sophie Law, Senior Associate; Matthew Russell, Partner; Joao Marques, Director; and Tristan Bramble, Executive.

    Footnotes

    1. Known as above and below the line testing.

    This is a joint publication from Ashurst LLP and Ashurst Risk Advisory LLP, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group. Ashurst Risk Advisory LLP services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services. For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.hschangyihong.com.
