Financial Crime
Firms failing to grasp domestic payments’ sanctions risk
April 15, 2025

Firms’ inadequate customer due diligence processes have translated into a failure to grasp that their domestic payments activity may be exposed to sanctions. Many UK firms, for example, assume their business is purely domestic but have no insight into their customers’ ultimate beneficial ownership by non-UK individuals and corporate entities.
Financial crime subject matter experts frequently find international activity when reviewing “domestic” payments data, and sometimes find payments linked to designated entities or individuals among so-called domestic payments.
The UK’s Office of Financial Sanctions Implementation (OFSI) and the Institute of Money Laundering Prevention Officers (The Institute) have both noted that firms must increase their understanding of customers’ ownership and control when screening for potential sanctions breaches. Professional service providers, also known as enablers, are “almost certainly” using UK payment firms for transactions related to sanctioned individuals, particularly those subject to the UK’s Russia sanctions regime, OFSI said.
Domestic payments screening
While firms should screen domestic payments for sanctions exposure, it is neither a universal practice nor a specific regulatory requirement. Many firms, however, assume their customer base and business activity are exclusively domestic and fail to recognise international activity, Simran Bharaj, managing director at GKSB Consultancy and an executive committee member at The Institute, told Compliance Corylated.
She said nowadays firms should be screening domestic payments for sanctions, adding: “It might have been understandable when the payments landscape was much simpler, but now it is much more complex, with open banking and many more small firms adding more complexity into the payment flow.”
The Institute recently published a domestic payment screening checklist to help its members better understand and detect exposure to sanctioned entities and individuals. The checklist sets out advice on risk assessments for understanding sanctions exposure in domestic payments products and services, as well as in third-party relationships and suppliers. It emphasises the need to understand payment flows and where firms may be exposed to the higher-risk transactions and anonymising technologies commonly found in crypto asset services.
“If you’re not screening domestic payments and then you end up with a breach and it’s strict liability, the obvious question is why weren’t you doing it if you have the information and data? Reliance on the larger banks’ [customer due diligence] is not going to be accepted as a valid reason,” Bharaj said.
A firm may have taken legal advice about sanctions, but other than that and trying to articulate their business strategy, they do not have a lot to show to demonstrate to OFSI that there was really nothing that could have been done to mitigate the risk and avoid a breach, she added.
New OFSI fine
The majority of OFSI fines levied for sanctions breaches have been related to payment firms and payments. In its annual review published in March, OFSI said it progressed a substantial number of investigations in 2023-24, recording 396 cases and closing 242 — more than tripling the number closed in the previous year. Some of those enforcement cases are expected to result in a public outcome in 2025, it added.
OFSI recently fined law firm Herbert Smith Freehills CIS LLP (HSF Moscow) £465,000 related to six payments it made to designated persons subject to an asset freeze. In a blog post setting out some of the lessons learned from that case, OFSI reiterated the importance of firms understanding sanctions risks, having relevant policies and processes, and fully considering customers’ ownership and control.
“OFSI views failure to properly consider and identify clear ownership more poorly than an incorrect but good faith assessment of control. Firms should therefore take sufficient time and care to properly assess the applicability of sanctions to the specific legal entities they are dealing with,” it said.
Threat assessment
OFSI’s Financial Services Threat Assessment, published in February, indicates that while “most suspected [sanctions] breaches involve UK financial services firms in some capacity”, non-compliance is an issue and “timely identification and reporting of suspected breaches varies across the sector”.
It is highly likely “some UK financial services firms, including non-bank payment service providers (NBPSPs), have not self-disclosed all suspected breaches”, OFSI said. It found so-called enablers — law firms, accountants and other service providers — used by Russian designated persons have increased their activity “significantly” since 2023. Enablers are making payments through NBPSPs to maintain sanctioned Russians’ properties and superyachts, while some are seeking to claim ownership of frozen assets.
“Enablers have almost certainly used alternative payment methods, in particular crypto assets, to breach UK financial sanctions prohibitions on Russia,” OFSI said.
All this activity can occur domestically without firms understanding the touch points that indicate sanctions circumvention and evasion typologies. However, unless the government mandates domestic payments screening, it is unlikely to happen universally because of the costs involved, Bharaj said.