On August 31, 2023, OFSI made its first use of the disclosure enforcement power granted to it pursuant to the Economic Crime (Transparency and Enforcement) Act 2022 ("ECA") in relation to a case involving Wise Payments Limited ("Wise") making funds available to a company owned or controlled by a UK designated person contrary to the Russia (Sanctions) (EU Exit) Regulations 2019 ("Russia Regulations"). The exercise of OFSI's disclosure power was accompanied by a blog post from OFSI Director, Giles Thomson, as well as the publication of an update to the OFSI Enforcement and Monetary Penalties for Breaches of Financial Sanctions Guidance ("Monetary Penalties Guidance") outlining how OFSI intends to make use of the disclosure power and the process associated with its exercise of the power. Among other things, the updated Monetary Penalties Guidance sets out an evolution of OFSI's categorization of breach cases that includes additional categories to reflect this new enforcement tool and make good on OFSI's commitment to proportionate enforcement action for breaches of financial sanctions following the introduction of strict civil liability in June 2022.

The Disclosure Enforcement Power

Section 56 of the ECA introduced an amendment to Section 149 of the Policing and Crime Act 2017, which grants OFSI the power to "publish reports at such intervals as it considers appropriate in cases where – (a) a monetary penalty has not been imposed * * *, but (b) [OFSI] is satisfied, on the balance of probabilities, that a person has breached a prohibition, or failed to comply with an obligation, that is imposed by or under financial sanctions legislation."

The Wise Disclosure Report

Wise, a UK registered foreign exchange fintech company regulated by the Financial Conduct Authority, is the subject of OFSI's first exercise of its disclosure enforcement power. The report published by OFSI states that the disclosure was issued against Wise for breaching Regulation 12 of the Russia Regulations by making funds available to a company owned or controlled by a person designated under the Russia Regulations in relation to a cash withdrawal of £250 made from a business account held with Wise. The withdrawal was made using a debit card held in the designated person's name and took place on June 30, 2022, the day after the person was designated.

At the time of the transaction, Wise's sanctions compliance policy required all customer details (including ultimate beneficial ownership/directorship of a business account) to be screened against the OFSI Consolidated List using a third-party sanctions data provider and Wise's in-house screening software. The policy further mandated that, in the event the screening system detected a potential sanctions match, an alert was created and the customer's profile suspended to prevent the customer from sending or receiving any funds using the account. However, Wise's policy at the time of the breach was not to suspend the use of any debit card associated with the account as part of the initial profile suspension process. Instead, customers would retain access to their debit cards until potential sanctions profile matches were confirmed. Wise's screening system correctly raised an alert due to a possible name match with the designated person on June 30, 2022 and Wise followed the policy outlined above. Consequently, activity on the debit card associated with the account was not restricted while Wise investigated the potential match.

A Wise agent reviewed the alert on July 1, 2022 at 05:24 – a Friday – and determined that it was a likely true name match and, in accordance with Wise's escalation policy, further escalated the matter to Wise's sanctions specialist team. However, in the interim, an employee of the designated person's company successfully withdrew £250 in cash using the debit card at 07:25 on June 30, 2022.

The escalation was not reviewed on a same day basis and, at the time of the breach, Wise's sanctions specialist team did not operate weekend working. Consequently, it was not until 11:02 on July 4, 2022 that a Wise agent blocked the Wise-issued debit card, preventing it being used to purchase items or withdraw funds. OFSI viewed this as a "material delay [to] proper restrictions being placed on the Designated Person's account and debit card." Wise also exited the customer on the same day.

The report notes that, in the present case, OFSI did not consider the breach serious enough to warrant a civil monetary penalty; however, the nature and circumstances of the breach were considered "moderately severe" and warranted exercise of OFSI's disclosure enforcement powers.

In reaching that conclusion, OFSI considered Wise's systems and controls and, specifically, its policy surrounding debit card payments to be inappropriate. OFSI also took into account as mitigating factors that: (1) the breach was of low value; (2) Wise self-reported the breach; (3) Wise fully cooperated with OFSI's investigation; (4) there was no evidence of deliberate sanctions evasion; and (5) Wise had made efforts to remediate and strengthen those aspects of its sanctions compliance process that led to the breach occurring, including exiting the designated person as a customer, recruiting additional staff and introducing weekend working for the specialist sanctions team, and changing its policy with respect to debit cards so that both a customer's account and any associated cards are immediately blocked in response to a possible name match with a designated person.

The OFSI report underlines its expectation that companies should:

  1. carefully consider what steps are appropriate to manage their sanctions risk exposure and, when a sanctions risk is identified, take steps to fully address the identified risk by promptly restricting "all forms of access to funds or economic resources";
  2. maintain proportionate sanctions screening and alert review functions including, for example, at weekends when they conduct business at such times; and
  3. carefully consider what resourcing is appropriate to manage sanctions risk exposure.

OFSI's apparent belief that potential matches arising from sanctions list screening should be treated as true matches unless/until they are deemed to be false positives has potentially significant ramifications for financial institutions and others whose regular sanctions screening may generate significant volumes of false positives.

Guidance on OFSI's Use of the Disclosure Enforcement Power

A blog post by OFSI Director, Giles Thomson, accompanying OFSI's first use of the disclosure enforcement power emphasized that OFSI views this enforcement tool as "a form of censure and deterrent while also enabling compliance lessons to be available to other companies and individuals."

OFSI also has updated its Monetary Penalties Guidance. In response to the introduction of strict civil liability for financial sanctions breaches, the updated Monetary Penalties Guidance has dispensed with the previous binary classification of cases as either "serious" or "most serious," instead adopting a three category model under which cases can be categorized as being of "lesser severity," "moderate severity," or "serious enough to justify a civil monetary penalty." The updated Monetary Penalties Guidance also outlines the enforcement options available to OFSI in order of severity, as follows:

[Figure: enforcement options available to OFSI, in order of severity]

A new Chapter 10 dealing with use of the disclosure enforcement power in cases where no civil monetary penalty is imposed has also been added to the Monetary Penalties Guidance. The new guidance in Chapter 10 has retrospective effect and applies to all cases where a financial sanctions breach has taken place since the adoption of strict civil liability for breaches of UK financial sanctions on June 15, 2022.

According to the updated Monetary Penalties Guidance, OFSI likely will make use of the disclosure enforcement power in cases it deems to be of "moderate severity" when OFSI considers that a warning letter would be too lenient, but a monetary penalty would be disproportionately punitive. When the disclosure enforcement power is used, the resulting reports will usually: (1) publicly name the company or individual that has committed the financial sanctions breach; (2) provide a summary of the facts of the case (including identifying the designated person, unless there are data protection or other strong reasons not to do so); (3) provide details of the aggregate value of the breach; (4) outline any pertinent compliance lessons; and (5) provide any other information necessary to give a true understanding of the case and OFSI's assessment of it.

Outside of this framework, OFSI may also make use of the disclosure enforcement power when it considers doing so to be a fair and proportionate outcome, for example, where there are valuable lessons to be learnt by industry. Such disclosures may focus on an individual case or deal with several similar cases in a single disclosure. OFSI's Director has indicated in a blog post that in such cases OFSI will usually anonymize the disclosure by not identifying the person that committed the breach. In exceptional circumstances, the power may also be used when it is not in the public interest to issue a monetary penalty (e.g., humanitarian cases where a breach is serious enough to justify a penalty but, on the particular facts, a monetary penalty would not be in the public interest).

When OFSI intends to make a disclosure, it will inform the person that it has assessed as committing a breach of its intention prior to publication if OFSI intends to name that person in the disclosure. OFSI will provide the person with 28 working days from the date of notification to make any representations in relation to the finding of a breach and intended publication of the disclosure. It will be possible to request that OFSI extends the period for making representations. Any such request should outline the reasons for the request and provide supporting evidence. When OFSI intends to make a disclosure without naming the person that committed the breach, it will inform the person of its intention to make a disclosure but will not give an opportunity for the person to make representations.

Following consideration of any representations that are made, OFSI can decide to: (1) publish details of the case; (2) publish amended details of the case; or (3) not publish details of the case. When OFSI upholds its decision to publish details of the case, it will share the written case summary in advance of publication with the person that it has assessed as committing a breach for the purpose of ensuring factual accuracy.
