Sanctions regime - firm-wide risk assessments
Published: 23 January 2024
This guidance is to help you understand your legal and regulatory obligations, and how to comply with them. We will have regard to it when exercising our regulatory functions.
Who is this guidance for?
All firms, including:
- those who do not wish to provide advice on the UK's sanctions regime or to those subject to it
- those who wish to act in this area in a controlled and compliant way.
Purpose of this guidance
This guidance aims to help firms assess their exposure to risks associated with the UK's sanctions regime.
This guidance is a living document and we will update it from time to time.
This guidance addresses the UK's overall sanctions regime. It is, however, important to note that different requirements apply to different countries' regimes. You should familiarise yourself with the requirements of any regime to which your firm may be exposed.
The sanctions regime has expanded rapidly since the invasion of Ukraine in February 2022, both in scope and scale. The obligation to abide by the sanctions regime - as set out in the Sanctions and Money Laundering Act 2018 - applies to all firms in all sectors.
Until recently, sanctions risk tended to apply only to a small number of specialist firms doing business with clients in affected jurisdictions. This is no longer the case and firms cannot afford to assume that sanctions do not pose a risk to them.
Sanctions apply to all sectors of legal work and operate under a strict liability regime. Breaches of the sanctions regime, even if unintentional, can have severe financial, reputational, and potentially regulatory consequences.
Having a sanctions risk assessment is not compulsory, but we consider it best practice, particularly for those firms which are at higher risk.
Who is at risk of becoming involved in a sanctions breach?
Financial sanctions restrictions apply to individuals, vessels and businesses (referred to as designated persons). Trade sanctions restrict certain activities and transactions. Every UK citizen, wherever in the world they may be, must comply with the sanctions regime at all times. A breach of the sanctions regime is a strict liability offence. The result is that all firms are at risk to some degree.
Designated persons are likely to want to circumvent sanctions to access and transfer their wealth. They might do this in a number of ways, for example by:
- concealing their ownership and control of corporate entities
- converting funds into assets, or vice versa, to disguise them
- holding assets in a variety of jurisdictions to make them difficult to trace
- investing in high-value, transportable assets.
Accordingly, those firms at heightened risk are likely to be involved in:
- multi-jurisdictional transactions, particularly those involving offshore jurisdictions
- arranging complex corporate structures which could have persons as ultimate beneficial owners
- dealing with high net-worth individuals, or those who hold or have held political office
- providing trusts and company services
- charities, particularly those based in, or providing services to, a jurisdiction subject to a sanctions regime
- high-value transactions including not only real property but assets such as artwork, vessels and aircraft
- shipping and aviation.
It is important to bear in mind that those seeking to circumvent sanctions may target solicitors who are inexperienced in dealing with sanctions. Layers of corporate ownership and intermediaries may also be used to obscure links to a designated person. You should be alert to the risk whatever the size and nature of your firm and your firm's work.
Why is it important to have a firm-wide risk assessment?
The purpose of a firm-wide risk assessment is to assist in identifying potential vulnerabilities to breaches of the regime, and to explore ways to mitigate these risks. While the sanctions regime is strict liability rather than risk-based, having this framework in place will help you to identify emerging risks and take preventative action.
The Office for Financial Sanctions Implementation (OFSI) has also indicated that, while the regime is strict liability, it will take a risk-based approach to enforcement. Where a breach has occurred, preventative measures are likely to provide considerable mitigation. It has published guidance explaining its enforcement approach (PDF).
Having a firm-wide risk assessment in place will also help you to develop appropriate policies, controls and procedures. This is not a legislative or regulatory requirement, but we strongly recommend that you do so to protect yourself and your firm. Fee earners may also need to refer to your firm-wide risk assessment when assessing risk at client and matter level.
Your firm-wide risk assessment is an important document, which should be regularly reviewed, kept up to date, and approved by senior management.
If you are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), you may wish to consider sanctions risks under your existing firm-wide risk assessment as part of a single document, rather than creating a separate risk assessment.
What should a sanctions risk assessment look like?
Generally, we consider it best practice to mirror the requirements of the MLR 2017, which set out various risk factors to consider. These are:
- your firm's customers
- the countries or geographic areas in which you operate
- the products or services which your firm provides
- your firm's transactions
- how your firm's products and services are delivered.
The risk assessment should also be appropriate to the size and nature of your business, taking into account any characteristics which might affect risk, such as:
- areas of work
- geographic location of offices
- supervisory structure – this might, for example, include whether your firm works remotely, whether you have overseas offices, and what level of oversight senior staff have of fee earners.
Next steps and further information
Breaches of the sanctions regime represent a financial, reputational and regulatory risk to your firm. We expect firms to be compliant and have provided this guidance to help you draft an effective firm risk assessment.
Tips for completing your risk assessment
1. Should I use a template risk assessment?
This is entirely up to you. Some firms find template risk assessments useful in helping assess sanctions risk. We have published a template (WORD 7 pages, 48KB) which you may find useful.
If you use a template, however, you must make sure that it is tailored to your practice. When considering sanctions risk assessments, we often find that they do not match a firm's profile and do not reflect the risks from its services and client demographic. To protect your firm, you should carry out a risk assessment relevant to the size and nature of your business. In this sense, you are the expert.
Remember, you cannot pass the regulatory risk of non-compliance on to a third party. If a consultancy gives you the wrong advice, the liability remains with you.
2. What is the difference between matter and firm-wide risk assessments?
Firms often confuse a matter or client risk assessment with a firm-wide risk assessment. These are different documents which do different jobs.
A firm-wide risk assessment should evaluate the sanctions risk that your whole business is exposed to and set out how you have arrived at that conclusion. It should then set out the steps which will be taken to help mitigate any risks.
A matter or client risk assessment is linked to a specific client file and should assess the sanctions risk associated with that particular client or matter. It should also then inform the level of customer due diligence and ongoing monitoring required.
The two documents should relate to each other, and client or matter risk assessments should be informed by the themes identified in the firm assessment.
If you are in scope of the MLR 2017, you may wish to integrate a sanctions risk assessment into your existing AML regime at both firm and client/matter level.
You should also factor in any ancillary services provided by your firm or linked entities, and consider whether these might be attractive to designated persons. Examples might include reputation management, asset or wealth management, concierge services or family office services.
3. Which clients pose a risk?
Although it is common to speak of jurisdictions being sanctioned, for example "sanctions against Iran", in general it is not these countries themselves which are sanctioned. Financial sanctions are directed against people and vessels, which are then grouped into a geographic regime. You can find an up-to-date list of jurisdictions with a geographic sanctions regime in place here.
The vast majority of people within these jurisdictions are not subject to sanctions.
This is different to trade sanctions, which prevent those in the UK taking specific actions against those from certain countries (for example all Russian citizens or persons connected with Russia under the Russia (Sanctions) (EU Exit) Regulations 2019). You should, however, regard a client that approaches you with a connection to a country under a sanctions regime as a higher-risk situation. They are more likely to be subject to sanctions than someone who does not have such a connection.
Clients who are more likely to be designated persons may:
- be high net-worth individuals or corporate entities owned or controlled by them
- hold, or have held, political office in another country – though this could be interpreted more widely than the definition of a politically exposed person in the MLR 2017
- be connected to jurisdictions subject to a sanctions regime
- use multiple layers of corporate structures to obscure their involvement
- instruct you through third parties, such as family offices or concierge services.
It is, however, important to note that while the above factors increase risk, they are not in themselves determinative and you should not have a stereotypical view of what a designated person looks like. The OFSI consolidated list contains a significant number of people who are British citizens and have a last known address in the UK. Likewise, there are sanctions regimes in place against terrorist groups such as ISIL and al-Qaida. Designated persons under these regimes may not fit the stereotype of a designated person as a kleptocrat or oligarch.
4. What is licensing?
A licence from the appropriate government department will allow you to deal with sanctioned clients or assets in a way which would otherwise be prohibited. These are sub-divided into general and specific licences. Generally, licensing will involve OFSI or the Department for Business and Trade (DBT).
It is important to note that general and specific licences both present risks of their own. Both types of licence come with conditions – generally in the form of restrictions of activity (eg limits as to what is billable) and reporting conditions, either at the end of the licence period or once the licensed activity has concluded. Both kinds of licence are also usually time-limited, though they may be renewed at expiry. If you intend to apply for a licence, you should have procedures in place to monitor these restrictions and to make sure that you do not exceed any time limits or financial restrictions.
5. Counterparty risk
The strict liability of the sanctions regime does not distinguish between clients, counterparties or third parties. It is also possible to breach the sanctions regime in relation to a party who is not a client. If a counterparty or a third party is a designated person, the same considerations apply with regard to transfers as if they were your client.
You would, for example, breach the sanctions regime by transferring a payment of damages from your client to a designated person without a licence in place.
Relying on the other side in a transaction, or third parties, to have effective systems in place to screen for designated persons is unlikely to provide you with a complete defence if you breach the sanctions regime.
While the regime itself is strict liability, OFSI has produced guidance which sets out its attitude to enforcement. This includes measures which will mitigate the position of firms who find themselves in breach.
OFSI will consider it good mitigation where a decision was made in good faith and, on the basis of proper due diligence, was a reasonable conclusion to draw. OFSI will take into account the measures and checks undertaken, including due diligence and ongoing monitoring, taking into account:
- the facts of the case
- the degree of sanctions risk of the relevant entities involved.
As a basic measure, we recommend that your firm carries out basic checks on the counterparties in your matters, perhaps alongside your existing conflict checks. These are likely to be more limited than the checks you would carry out on your own clients, due to the more limited information available. To be effective they should include checking the counterparty against the consolidated list, including any ultimate beneficial owners. The level of checks should, however, increase with increased risk.
Questions to ask
Clients and counterparties:
Products & services: