UK sanctions enforcement: fintech in the spotlight
HM Treasury’s Office of Financial Sanctions Implementation (OFSI) is responsible for administering the UK’s financial sanctions and has the power to impose civil monetary penalties for violations.
On 5 August 2021, the OFSI announced the imposition of a £50,000 civil monetary penalty against fintech company TransferGo for breaches of financial sanctions relating to Ukraine.
This case may reflect a growing sanctions enforcement focus beyond “traditional” financial institutions to fintech companies and payment services providers.
In March 2014, the European Union (including the UK) imposed asset freezes on various persons alleged to be responsible for undermining the territorial integrity, sovereignty and independence of Ukraine, under Council Regulation (EU) No 269/2014 (the EU Regulation).
In July 2014, the Russian National Commercial Bank (RNCB) was designated as an asset freeze target under the EU Regulation.
These sanctions prohibit making funds or other assets available to asset freeze targets. Between 20 March 2018 and 18 December 2019, the OFSI says TransferGo issued instructions to make payments of nearly £8,000 on behalf of non-sanctioned clients to accounts held at RNCB by non-sanctioned beneficiaries.
The OFSI determined that TransferGo knowingly made funds available to RNCB in contravention of the asset freeze restrictions: TransferGo mistakenly believed that the payments were not prohibited because they were being made for the benefit of RNCB’s non-sanctioned account holders.
Sanctions enforcement focus on non-traditional financial services providers
This enforcement action is interesting given the apparent recent focus of the US sanctions authorities on non-traditional financial services companies.
In 2021, the US Office of Foreign Assets Control has already imposed civil penalties on three payment services companies. The OFSI’s penalty notice emphasises that financial sanctions do not merely apply to “traditional” financial institutions.
The OFSI may be suggesting here that there is less familiarity with sanctions in the fintech sector, and service providers may not yet have the same compliance infrastructure as traditional corporate and retail banks.
The importance of sanctions compliance
This case reinforces the importance for fintech companies of having an appropriate sanctions compliance programme to identify, assess and mitigate sanctions risks. Without such a programme, fintech companies may be exposed to costly regulatory investigations and enforcement.
The TransferGo case shows how even relatively low-level payments can lead to enforcement action. The relevant transactions in TransferGo’s case totalled just under £8,000. While the penalty itself amounted to only £50,000, the costs of investigation, remediation and reputational impact compound that penalty significantly.
The case also highlights the OFSI’s position that poor understanding of sanctions regulation, or even bona fide mistakes, will not escape enforcement action.
This, too, is part of a trans-Atlantic trend of sanctions regulators expecting higher compliance standards, particularly at financial institutions.
The blockbuster US cases of the past against European banks often involved deliberate attempts to evade US sanctions: today’s sanctions enforcement actions are instead littered with honest mistakes, poor decision-making and failures of compliance procedures.
Responding to regulatory enquiries
The OFSI’s notice states that TransferGo did not voluntarily disclose the relevant transactions, and some were only disclosed in response to information requests from the OFSI.
The OFSI has broad powers to request information relating to sanctions compliance, and failure to respond is a criminal offence. Any company that receives such a request must therefore treat it seriously and act promptly. This will involve an appropriately scoped internal review to determine the relevant facts, assess whether a violation has occurred and any associated exposure for the company and serve as a basis for a response to the OFSI.
Ultimately, the company should aim to present its findings, identify the root cause of any failings and explain what remedial actions have been taken, including any improvements to the company’s compliance programme.
A company should adopt a similar approach if it independently becomes aware of a potential violation. Voluntary disclosures of potential violations can lead to discounts of up to 50% of any penalty ultimately imposed by the OFSI, and often a robust voluntary disclosure can lead to no enforcement action at all.
Separate from voluntary disclosures, it should be noted that regulated entities also have an obligation to proactively report certain information to the OFSI, including whether a person is subject to an asset freeze. The OFSI claims TransferGo also failed to comply with this obligation.
In summary, therefore, the TransferGo case provides a timely reminder that fintech companies cannot afford to neglect sanctions compliance. Instead, they should ensure they understand what their obligations are, assess their risks and design their compliance programmes accordingly, taking advice where appropriate from external counsel.