Sanctions and KYC following the Russian Invasion of Ukraine

New Link Editor Anti-Financial Crime

“Businesses need to take basic steps to investigate their own potential links to sanctioned Russian businesses and individuals, or else face the potential for what should be an avoidable worst-case scenario…You are supposed to be screening absolutely everyone you do business with — suppliers, customers and partners. This is a strict liability, and it doesn’t matter if you didn’t know.”  Doreen Edelman, Partner & Chair of Lowenstein Sandler’s Global Trade and National Security Practice.

The UK has, at the time of writing, sanctioned 1,279 Russian individuals and 151 Russian entities [1], with a significant proportion of these coming into force within the last three months. The equivalent numbers for Belarus are 108 individuals and 16 entities. The heavy burden of implementing these ever more complex sanctions falls largely on private sector firms, of which are predominantly banks. Sanctions are increasingly difficult to interpret and sanctions and financial crime teams, together with their legal teams, are being stretched to capacity.

In May 2022, the FCA encouraged firms and individuals to report any information about sanctions evasion or weaknesses in sanction controls. The effectiveness of sanctions controls will clearly be an area of focus for the FCA, as well as other regulators.

Furthermore, the legal framework for UK sanctions has just been beefed up significantly. From 15th June 2022 the Economic Crime (Transparency and Enforcement) Act 2022 introduced major changes to the enforcement of UK sanctions laws that mirror enforcement powers held by the Office of Foreign Assets Control (‘OFAC’) in the US. The two major developments introduced by the Act include the introduction of a strict liability test and the power to publish breaches. 

Up until now, the UK’s Office of Financial Sanctions Implementation (‘OFSI’) had to prove that a person had knowledge or reasonable cause to suspect that they were in breach of financial sanctions. Now the OFSI just needs to establish that a UK sanction was breached. The OFSI now also has the ability to publish details of financial sanctions breaches where a monetary penalty has not been imposed. Publication will be considered on a case-by-case basis for breaches committed after 15th June 2022. The publication of such breaches will include a summary of the case. These are significant new powers that will focus minds.

At senior management level sanctions compliance is now seen as a critical issue because if they get it wrong, from the US side in particular, the impacts can be very significant. Aside from potential financial penalties, the reputational risks of failure to comply with sanctions are much greater than ever before. An endless list of global brands including McDonalds, Nike, and Starbucks are now also ‘self-sanctioning’ against Russian individuals and entities and exiting business in Russia altogether to avoid potential regulatory action and reputational damage.

Where Next for Sanctions?

The European Commission has estimated that Russia was the 11th largest foreign investor in the EU between 2015 and 2021. The 2020 EU data indicates that Russian individuals or entities control approximately 17,000 companies in the EU and UK, have potentially controlling stakes in a further 7,000 entities, and minority stakes in 4,000 [2]. The sectors with the largest exposure to Russian control are wholesale, real estate, professional scientific and technical activities, and finance and insurance. Belarusian individuals and entities control about 1,550 EU and UK companies, have potentially controlling stakes in another 600, and minority stakes in 400. There are many more potential targets for sanctions in this group alone. Of course, some of these investments may be perfectly legitimate and involve individuals with no political exposure and who are not oligarchs or kleptocrats.

As the situation in Ukraine continues to deteriorate, and sanctions are ratcheted up, it is highly likely that more individuals, entities, and jurisdictions will come within their scope. For example, if Moscow pressurises the countries of the Collective Security Treaty Organisation (CSTO) – a Russian-led military alliance that includes Armenia, Kazakhstan, Kyrgyzstan, and Tajikistan alongside Belarus – to support its war efforts, will western governments make it clear that any direct or indirect assistance to Moscow for its war will be met with primary sanctions applied directly to those countries?

What about other countries? Dubai has emerged as a haven for wealthy Russians fleeing the impact of western sanctions over the war in Ukraine. Russian billionaires and entrepreneurs have been arriving in the United Arab Emirates in unprecedented numbers, according to the BBC [3]. Property purchases in Dubai by Russians are said to have surged by 67% in the first three months of 2022. The UAE has not placed sanctions on Russia or criticised its invasion of Ukraine. It is also providing visas to non-sanctioned Russians while many Western countries have restricted them. Could action be taken against the UAE for potentially undermining US, EU and UK sanctions?

KYC Considerations

The other theme that needs to be carefully considered alongside sanctions compliance is the question of how well banks know their individual customers and the ultimate beneficial owners of customer entities. How confident are they that they understand (and have documented) beneficial ownership and the source of wealth and funds involved in the client relationships? Firms should continue to focus on KYC for new customers but, perhaps more importantly, the information they hold about existing customers.

Senior Management Self-Assessment Checklist

New Link Consulting recommends that senior management and financial crime teams consider the following critical questions:

  1. Are we confident that we have adequate resources, both in terms of numbers and knowledge/experience, to manage the significant increase in sanctions compliance work?
  2. Systems and Controls. Are we confident that we have robust systems and controls to identify sanctioned individuals and entities, and PEPs, when we on-board them? And how do we know?
  3. Identifying Targets. Are we sure that we can identify individuals and entities (and their beneficial owners) as soon they are added to the sanctions lists? Again, how do we know?
  4. Has there been a recent audit of existing sanctions compliance procedures to identify risks, weaknesses, and potential exposures?
  5. Hidden Ownership. The situation is more complicated for firms with corporate customers. How do we deal with a situation in which a sanctioned company or individual (or an oligarch or kleptocrat) is hiding under several ownership layers in a corporate structure? Do our procedures adequately mitigate these risks?
  6. Ongoing Screening. Do we have a robust approach to ongoing monitoring, screening, and periodic reviews – for sanctions, PEPs, and adverse media?
  7. Prioritising Periodic Reviews. Should compliance teams prioritise and perform full KYC reviews of business clients, regardless of what review date had been previously set?
  8. Risk Categorisation. Have we reviewed the rationale for the risk categorisation of existing clients in the light of the current situation in Ukraine? Does our definition of ‘high’ and ‘higher risk’ customers reflect the changing geopolitical backdrop?
  9. Data Quality. Are we confident that the quality of our client data will enable us to identify sanctioned subjects without delay – and to discount ‘false positive’ matches?
  10. Potential Exposure to Future Sanctions. Do we understand our exposure to the current sanctions lists – and to those jurisdictions and individuals that might be added to sanctions lists?
  11. Source of Wealth. Do our current (and historic) KYC requirements enable us to identify clients with exposure to higher risk jurisdictions and to robustly assess the source of wealth of higher value clients?
  12. Adverse Media. Do we have clear systems and controls to identify adverse media concerning our clients?
  13. Managing Sanctions Hits. Are client and payment screening platforms able to detect relevant risks? Once detected, are they able to manage these risks? For example, blocking transactions and/or freezing funds when required.
  14. Training and Communications. Do we provide appropriate training and guidance for compliance and other staff to help them understand the latest sanctions measures, how to handle affected clients and/or transactions, along with updated communications as the situation changes?
  15. Clients’ Russian Exposure. Can we identify clients that might still have significant business dealings with Russia to determine whether to apply enhanced monitoring to transactions of those clients? Do our clients have any exposure to deals in the energy, transport and construction sectors where clients may have a deal in place with a Russian counterpart?
  16. Potential Russian Ownership and Control. Can we identify entities that may not be directly sanctioned but are owned and/or controlled by a sanctioned entity / person?

Our Anti-Financial Crime practice comprises seasoned practitioners with extensive global experience across a wide variety of jurisdictions. If you would value an exploratory conversation with us to find out how we can help you address your key priorities, please email our practice lead, Peter Brooke, at pbrooke@new-linkconsulting.com.

References:

[1] Consolidated List of Financial Sanctions Targets in the UK – Updated 16/06/2022

[2] Communication From the European Commission – Guidance to the Member States concerning foreign direct investment from Russia and Belarus in view of the military aggression against Ukraine and the restrictive measures laid down in recent Council Regulations on sanctions April 2022

[3] https://www.bbc.co.uk/news/business-61257448