Sanctions update: strict liability test comes into force with revised guidance from OFSI

As  previously reported, the Economic Crime (Transparency and Enforcement) Act 2022 introduced a new strict civil liability test for imposing monetary penalties for breaches of the UK financial sanctions regime. Previously, businesses only faced liability when they had knowledge (or reasonable cause to suspect) that a transaction to which they were a party was in breach of sanctions.

Under the new rules, the knowledge/suspicion requirement is removed. Although this brings the test for financial sanctions more into line with that used for the import and export of arms, the new test will be of concern to firms in the financial sector – particularly, payments services providers – given the level of automation and interdependency between different firms in the sector.

In light of these concerns, the office of Financial Sanctions Implementation (OFSI) has updated its guidance on its approach to imposing monetary penalties to explain how it will use these powers. This new guidance applies to all cases where the breach took place on or after 00:00 on 15 June 2022 (the date when the changes mentioned above come into force). 

OFSI guidance

The guidance makes clear that, under the new strict liability rules, it is possible for a mere mistake to result in a breach of sanctions regulations and to render firms liable, in principle, for a financial penalty.  Under the rules, the maximum size of the penalty remains £1 million or 50% of the size of the funds involved in the transaction, whichever is the higher.

However, OFSI will take into account all relevant factors and the public interest when determining what action should be taken.

These relevant factors include: 

• Value of the breach: OFSI will look at the financial value of the transactions or resources involved in the breach (and may make a reasonable estimate of this value) when assessing a case. While a high value breach will generally be more likely to lead to enforcement action, that does not mean that action would never be taken in relation to a lower-value breach. There is, unhelpfully, no definition of what constitutes a high or low value breach.
• Harm/risk of harm to objectives of the sanctions regime: where there is this risk, it will be treated more seriously by OFSI. However, it is difficult to see how that will be interpreted and implemented in relation to financial sanctions where, presumably, the making of any financial benefits available to designated persons represents risk of harm to the objective. 
• Knowledge of sanctions and compliance systems: OFSI will take into account the level of actual and expected knowledge of sanctions held by an individual or company, considering the kind of work they do and their exposure to sanctions risk. Regulated professionals should meet regulatory and professional standards. OFSI may consider their failure to do so an aggravating factor.
• Degree of failure: other factors will include whether a breach was deliberate, whether there was a failure in systems, whether there was an incorrect legal interpretation, whether there was a simple mistake.
• Aggravating factors will include: knowing that a breach was taking place; repeated, persistent or extended breaches by the same person (who is unresponsive to previous warnings); and failure to provide requested information to OFSI.
• Mitigating factors will include: voluntary disclosure of a breach of sanctions, but not where OFSI or another regulator or public authority has already started to investigate.

Naming companies

The new rules also allow OFSI to publicly name organisations that have breached financial sanctions even if no fine is to be imposed, raising further concerns about the reputational risks for firms of non-compliance.

Summaries of breach cases will be made available if OFSI considers there are valuable compliance lessons for industry. This will include details of who performed the breach. Companies at risk of this may ask OFSI not to publish this information, but it appears likely that this will be difficult to achieve in practice.

Information sharing

The guidance also re-confirms and emphasises that if OFSI comes across breaches of financial sanctions in another jurisdiction, it may use its information-sharing powers to pass details to relevant authorities if this is appropriate and possible under UK law. 

Osborne Clarke comment

In publishing the revised guidance, OFSI has suggested that this does not represent a change to its overall enforcement approach. However, it is clear, from the number of revisions to its enforcement policy (five time in the past two years) and the increasing reach of the powers available to it, that OFSI is taking an increasingly robust approach to enforcement.

Firms may be comforted by OFSI's statement that it will continue to impose penalties only if it is appropriate, proportionate and in the public interest to do so. Given the recent high-profile extension of Russian sanctions, OFSI will no doubt be under political pressure to ensure that sanctions breaches are enforced, and that any misconduct is subject to appropriate fines and publicity to deter others from a lax approach to sanctions compliance.

In those circumstances, firms should be conscious of the emphasis on the importance of self-disclosure: it is always better to address potential breaches of sanctions law (even if they were entirely inadvertent) as soon as they become aware of them.