Fintech firm's fine for Russian payments highlights breadth of UK sanctions regime

The Office for Financial Sanction Implementation (OFSI) has published its first financial penalty for breach of financial sanctions regulations in over 16 months. OFSI fined TransferGo Limited £50,000 for effecting 16 payments (totalling just £7,764.77, over an 18 month period) to account holders at the Russian National Commercial Bank (RNCB).

The decision demonstrates the, sometimes unexpected, breadth of what the sanctions regime covers and is an important reminder of the need for all firms, but especially fintechs and other non-banks and non-traditional financial institutions, to be pro-active in screening for potential sanctions risks and to respond effectively to any breaches.

Sanctions regime

The UK sanctions regime is very broad and set out in numerous country specific regulations under the umbrella of the Sanctions and Anti-Money Laundering Act 2018 (the Sanctions Act).

In summary, UK citizens or firms are prohibited from providing funds or economic resources to a 'designated person' if they know (or have reasonable grounds to suspect) that they are doing so. This prohibition includes the provision of "financial services" which is defined very broadly (and non-exhaustively) in the Sanctions Act. For example, in 2019, Telia Carrier UK Limited was fined £147,000 just for facilitating telephone calls so a designated person could authorise wire transfers.

A "designated person" is any individual or entity who is listed on the UK autonomous financial sanctions list and/or the United Nations' sanctions list. Together these are referred to as the Consolidated List, which is published and updated by OFSI.

There are further obligations on certain types of firm, including those regulated by the Financial Conduct Authority (FCA): if such a firm knows (or has reasonable cause to suspect) that it is dealing with a designated person's assets, they must freeze those resources, and/or not deal with them or make them available to, or for the benefit of, a designated person. Again, these prohibitions are very broad in scope. The firm must also inform OFSI as soon as practicable if it knows or suspects there has been a breach.

Breaches of the restrictions carry criminal penalties, including imprisonment or a fine. Under s.146 Police and Crime Act 2017, OFSI has the power to impose a financial penalty of up £1,000,000 or 50% of the value of the "economic assets", whichever is the higher, instead of a criminal penalty.

Financial penalty

TransferGo Limited is an authorised payment institution with the FCA providing international money transfer services.

OFSI identified that, between March 2018 and December 2019, TransferGo issued instructions to make 16 payments to account holders with RNCB – a designated person since 2014 – with a total value of just £7,764.77.

Despite being a regulated firm, TransferGo did not voluntarily disclose these transactions to OFSI. Indeed, it appears from OFSI's report that TransferGo did not appreciate that what it was doing amounted to a breach of the relevant regulations. As OFSI noted in the report, "TransferGo demonstrated a poor understanding of financial sanctions throughout its engagement with OFSI".
TransferGo's position was that the payments were being made to the account holders with RNCB rather than to RNCB per se and that, as those account holders were not themselves subject to financial sanctions restrictions, the payments were not breaches. This was not OFSI's view: a payment into a bank is making economic resources available to that bank (even if the bank is contractually obliged to account to its customers for those funds). OFSI took the view that TransferGo was aware that it was making economic resources available to RNCB (rather than just the account holders) as each payment instruction used a code that identified the RNCB as the receiving financial institution.

OC Comment

Although OFSI's report is brief, it provides a number of significant warning signs.

• Focus on fintech firms: OFSI emphasised the fact that TransferGo was a regulated FinTech company and observed that "all persons […] not just traditional financial institutions, must make sure they comply with the restrictions in place." Given the significant growth of FinTech firms in the payments space, this may well be a warning sign that further scrutiny and enforcement action against such firms is forthcoming.We have not yet seen any enforcement action by OFSI in relation to cryptoassets but there can be no doubt that a transfer of bitcoin or ethereum would fall within the meaning of making economic resources available. Given the potential anonymity of Blockchain-based transactions, digital currency service providers are going to need to be very careful if they have reason to suspect they may be dealing with a designated person.
• Need to properly assess risk of breach: OFSI emphasised that TransferGo's poor understanding of the sanctions regime was an aggravating factor. That is consistent with its revised guidance on its approach to financial penalties earlier this year and is no doubt intended as a further warning to firms that they need to take these matters seriously: ignorance will be no defence. TransferGo believed its actions were compliant because it was not transferring funds 'directly' to RNCB. As OFSI made clear in its report, firms must "carry out due diligence on the banks and financial institutions involved in transactions, as well as all other parties in the transaction" to avoid breaches. This emphasises the need for firms to take proper advice and put in place appropriate risk-assessment safeguards, and regularly re-assess those measures, where there is any risk of potential breaches.
• Potential escalation in financial penalties: OFSI's approach demonstrates it will continue to take all breaches, regardless of their value, very seriously. Unlike the anti-money laundering regime, there is no 'de minimis' threshold for the breach of a sanction, and the fines imposed by OFSI often represent significant multiples of the sums involved, as part of its deterrence policy objective. However, even considering that approach, the £50,000 fine imposed on TransferGo is significantly higher than the previous "baseline" fines (of £5,000 and £10,000) issued in 2019, which suggests that OFSI is taking a more punitive approach to financial penalties.
• Business disruption from enforcement: However, it is likely that the financial impact on TransferGo was only a small part of the cost to the business. The transactions first came to the attention of OFSI as early as April 2018, which means that its investigation and decision-making process (including the appeal to the economic secretary to the treasury) took over three years and, apparently, revealed further breaches by TransferGo. That investigation and enforcement process was clearly protracted, and no doubt caused significant disruption to TransferGo's business and imposed a drain on management time. This disruption, and the impact of the financial penalty, could no doubt have been avoided or lessened, had TransferGo taken a more pro-active approach to assessing its sanctions risk.

In conclusion, this decision is an important reminder that the scope of financial sanctions is very broad and activities that a firm may believe are "safe" are, in fact, breaches. It is important to ensure that all firms – but particularly FinTechs and other disruptive regulated firms ensure that sanctions policies and procedures are regularly reviewed to ensure full compliance.