The UK sanctions regime has expanded substantially in recent years, with the large volume of designations on Russia since 2022 and the more recent initiation of snapback of sanctions on Iran driving this expansion. The sanctions being imposed are increasingly sectoral and targeted, which can make compliance more challenging.
The increasing divergence in the approach to sanctions between the UK, EU and US since the beginning of President Trump’s second term, exacerbated further by the conflict in the Middle East, presents an additional challenge for compliance programmes.
If your firm receives an enquiry from the regulator – whether as part of a thematic or targeted review, either anticipated or otherwise – here are some key considerations to support your response.
It is important to have a strong understanding of all the components of your sanctions compliance programme and how they operate collectively. Keeping on top of your sanctions compliance programme on an ongoing basis will ensure you are well prepared to respond to any unexpected enquiries. That said, when a request comes in it is still worth reviewing (or commissioning an independent review of) the key elements of your compliance programme to ensure that everything is up to date.
Consider the core components of your programme – senior management commitment, risk assessment, internal controls and screening, testing and training. For example, can you evidence senior oversight of the programme, with regular updates being provided to senior management? Is there anything anomalous in your regular management information that needs to be explained? Is your risk assessment up to date and have any areas of residual risk exposure been addressed? Have you recently performed testing of your screening systems, to ensure that they remain calibrated correctly and are operating as you expect? Are internal and external escalation processes documented and adhered to? Have you made any recent disclosures?
Even if you are in a strong position, preparing your response to the regulator needs careful consideration and should not be rushed. Carve out dedicated resources who will take responsibility for leading the response and allow them sufficient time to carry it out effectively, without underestimating the time and effort required. Ensure that all relevant stakeholders are involved from the outset and have the chance to contribute. Dedicate time to checking the accuracy of your assertions, as well as collating the supporting evidence. Consider an independent review to check the overall readability of your response. Above all, plan your timeline to ensure any deadlines are comfortably met.
The FCA has published guidance for firms, clearly setting out its expectations on sanctions compliance, which are invaluable points of reference for informing and shaping your response. This includes a thematic review on sanctions compliance published in 2023.
The review found that programmes that were not appropriately resourced were more likely to have backlogs, and result in breaches. Screening tools were not always well calibrated and there could be an overreliance on third party providers. While outsourcing screening may be a practical approach adopted by many firms, the responsibility for compliance cannot be outsourced and it is crucial that you fully understand and test the service that you are employing.
The review also noted challenges where poor customer due diligence (CDD) data formed the basis for screening - when the underlying data is incomplete or out of date, screening cannot be effective. If your firm has a complex data model, with information kept on different systems, ensure that they are effectively mapped into the screening tool to ensure the data set is complete.
A recent Penalty Notice issued by the FCA also reinforced expectations regarding sanctions compliance, finding Principle 3 breaches where a firm had (amongst other things) failed to adequately assess sanctions risk, failed to test the configuration of name or payment screening and had no operational MI through which to assess effectiveness.
Reviewing FCA guidance and proactively benchmarking your programme against those expectations will position you strongly in the event of a review.
Read the question carefully and respond accordingly, with relevant information that is clearly articulated. It is important that you are helpful and transparent and answer all aspects of the question. If there are differences across your business model, it is helpful to draw that out in the response.
If you are struggling for the right response, you should acknowledge that. Adding information to fill the page which doesn’t address the question will suggest that you don’t recognise the importance of that element of the compliance framework, rather than acknowledging there is a gap and demonstrate that you are being proactive to remediate that.
It is always possible that a response could provoke further questions. You should ensure that you preserve information and documentation that fully supports your submission (whether or not the regulator has asked for that to be shared). Ensure that it is well organised and accessible, so if queries are received some time later, you are not left searching or relying on key individuals that may have already left your organisation.
Sanctions are a key political tool and sanctions compliance is central to the regulator’s strategy. Staying informed and proactive helps to ensure you meet regulatory obligations. Should you find yourself the subject of a review, taking a structured and methodical approach will help ensure the best possible outcome.
If you would like to talk to someone about your sanctions compliance programme or are preparing for an FCA review, please get in touch with Sarah Wrigley or Tom Townson.
Explore anti-circumvention sanctions and downstream compliance risks, and what businesses must do to stay ahead of evolving global regulations.
How can businesses navigate their responsibilities in the increasingly complex world of sanctions compliance?