The Solicitors Regulation Authority wants to know how law firms are handling the sanctions regime

It’s time to look at how your firm handles designated persons

The Government’s financial sanctions regime is continually changing. It was created with national security objectives in mind, and law firms play a critical role in its implementation, so much so that the regime applies to all firms that provide legal services, a broader group than just those covered by the anti-money laundering (AML) regulations.

The Solicitors Regulation Authority (SRA) just released a new questionnaire compelling law firms to report on their approach to financial sanctions.

The sanctions regime is complex, with regulations applicable to each set of sanctions – from transport to financial to immigration. They are essentially restrictive measures that are utilised to fulfil a range of purposes. In the UK, these include complying with UN and other international obligations, supporting foreign policy, maintaining international peace and security and preventing terrorism. 

The UK financial sanctions regime is operated by the Office of Financial Sanctions Implementation (OFSI). Strengthening the financial sanctions regime is an important part of the government’s response to the ongoing war in Europe.

Financial sanctions include restrictions on designated persons, such as freezing their financial assets, as well as wider restrictions on investment and financial services. A designated person is an individual, entity or ship listed under UK legislation as being subject to sanctions. Don’t confuse politically exposed persons (PEPs) with designated persons. There are no lists of PEPs (which would be impossible), and the two are part of different regimes.

All SRA-regulated firms need to comply with sanctions legislation. One of the most significant elements of compliance is not receiving fees for work for a designated person, unless the firm gets a licence from OFSI. Breaching this and other requirements has real implications – a fine or even criminal prosecution. 

A firm will want to mitigate its risk of breaching the financial sanctions regime by looking at the services it provides, putting in strong policies, doing client due diligence (CDD), providing training to its staff and implementing a reporting mechanism. 

One of the most critical ways to make sure your firm does not inadvertently work with a designated person is to follow best practice in client due diligence (CDD) by applying the same level of scrutiny to each client. OFSI has consolidated lists of financial sanctions targets that let users find information across all financial sanctions regimes implemented in the UK. Automated tools are also effective at combing through sanctions lists. It could feel like overkill, but the implications of dealing with a sanctioned or designated person are real.

A big risk with financial sanctions is determining ownership and control. The ownership threshold is 50% for financial sanctions but control refers to someone who can remove management. Being fully aware of who is actually in control of your client’s company is critical information. Counterparties should be included in these checks as the financial sanctions are a strict liability regime and there is a risk of breaching due to counterparties. 

Another key point: Don’t over-rely on e-verifiers. They can be helpful to firms, but sanctions can come out of nowhere. It’s more effective to go straight to the source. Law firms should sign up for OFSI alerts, which go out when the lists are updated.

The fact that sanctions are continually changing should make sanctions checks a key part of your firm’s ongoing monitoring program. You can never be sure someone will stay unsanctioned. Alerts can be set up and sanctions can be built into a firm’s AML regime so a sanctions search is done at each stage of the onboarding and ongoing checks. A firm’s accounts need to be carefully monitored, especially if it is working with a designated person. Significantly, someone from a firm’s senior management should be signing off on working with a designated person.

And remember, while it seems that every time something happens in Russia, the sanctions list gets updated, financial sanctions are actually a global concern. Fun fact: 66 people on the sanctions register are British nationals.

A word of advice: The minute there’s a hint that your client might be sanctioned, get an application into OFSI. The process can take a while.

Of course, all this leads to the question: What if things go wrong? The answer is contained in three words – stop, contain, report.

Stop working with that client, make sure everything is contained and there are no breaches, and report the issue to OFSI and the SRA. (Early reporting is highly valued by both organisations.)

You can let a designated person know that you’re terminating the relationship, but telling them that you’re filing a report could be construed as tipping them off. Tread carefully here.

Sample questionnaire is here.
