Guidance

Guidance

Sanctions regime - firm-wide risk assessments

Sanctions regime - firm-wide risk assessments

Status

This guidance is to help you understand your legal and regulatory obligations, and how to comply with them. We will have regard to it when exercising our regulatory functions.

Who is this guidance for?

All firms, including:

  • those who do not wish to provide advice on the UK's sanctions regime or to those subject to it
  • those who wish to act in this area in a controlled and compliant way.

Purpose of this guidance

This guidance is aimed to help firms assess your exposure to risks associated with the UK's sanctions regime.

This guidance is a living document and we will update it from time to time.

This guidance addresses the UK's overall sanctions regime. It is, however, important to note that different requirements apply to different country's regimes. You should familiarise yourself with the requirements of any regime to which your firm may be exposed.

Introduction

The sanctions regime has expanded rapidly since the invasion of Ukraine in February 2022, both in scope and scale. The obligation to abide by the sanctions regime - as set out in the Sanctions and Money Laundering Act 2018 - applies to all firms in all sectors.

Until recently, sanctions risk tended to apply only to a small number of specialist firms doing business with clients in affected jurisdictions. This is no longer the case and firms cannot afford to assume that sanctions do not pose a risk to them.

Sanctions apply to all sectors of legal work and operate under a strict liability regime. Breaches of the sanctions regime, even if unintentional, can have severe financial, reputational, and potentially regulatory consequences.

Having a sanctions risk assessment is not compulsory, but we consider it best practice, particularly for those firms which are at higher risk.

Who is at risk of becoming involved in a sanctions breach?

Financial sanctions restrictions apply to individuals, vessels and businesses (referred to as designated persons). Trade sanctions restrict certain activities and transactions. Every UK citizen, wherever in the world they may be, must comply with the sanctions regime at all times. A breach of the sanctions regime is a strict liability offence. The result is that all firms are at risk to some degree.

Designated persons are likely to want to circumvent sanctions to access and transfer their wealth. They might do this in a number of ways, for example by:

  • concealing their ownership and control of corporate entities
  • converting funds into assets, or vice versa, to disguise them
  • holding assets in a variety of jurisdictions to make them difficult to trace
  • investing in high-value, transportable assets.

Accordingly, those firms at heightened risk are likely to be involved in:

  • multi-jurisdictional transactions, particularly those involving offshore jurisdictions
  • arranging complex corporate structures which could have persons as ultimate beneficial owners
  • dealing with high net-worth individuals, or those who hold or have held political office
  • providing trusts and company services
  • charities, particularly those based in, or providing services to, a jurisdiction subject to a sanctions regime
  • high-value transactions including not only real property but assets such as artwork, vessels and aircraft
  • shipping and aviation.

It is important to bear in mind that those seeking to circumvent sanctions may target solicitors who are inexperienced in dealing with sanctions. Layers of corporate ownership and intermediaries may also be used to obscure links to a designated person. You should be alert to the risk whatever the size and nature of your firm and your firm's work.

Why is it important to have a firm wide risk assessment?

The purpose of a firm-wide risk assessment is to assist in identifying potential or vulnerabilities to breaches of the regime, and to explore ways to mitigate these risks. While the sanctions regime is strict liability rather than risk-based, having this framework in place will help you to identify emerging risks and take preventative action.

The Office for Financial Sanctions Implementation (OFSI) has also indicated that, while the regime is strict liability, it will take a risk-based approach to enforcement. Where a breach has occurred, preventative measures are likely to provide considerable mitigation. It has published guidance explaining its enforcement approach (PDF).

Having a firm-wide risk assessment in place will also help you to develop appropriate policies, controls and procedures. This is not a legislative or regulatory requirement, but we strongly recommend that you do so to protect yourself and your firm. Fee earners may also need to refer to your firm-wide risk assessment when assessing risk at client and matter level.

Your firm-wide risk assessment is an important document, which should be regularly reviewed, kept up to date, and approved by senior management.

If you are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), you may wish to consider sanctions risks under your existing firm-wide risk assessment as part of a single document, rather than creating a separate risk assessment.

What should a sanctions risk assessment look like?

Generally, we consider it best practice to mirror the requirements of the MLR2017. This sets out various risk factors to consider. These are:

  • your firm's customers
  • the countries or geographic areas in which you operate
  • the products or services which your firm provides
  • your firm's transactions
  • how your firm's products and services are delivered.

The risk assessment should also be appropriate to the size and nature of your business, taking into account any characteristics which might affect risk, such as:

  • headcount
  • areas of work
  • geographic location of offices
  • supervisory structure – this might, for example, include whether your firm works remotely, whether you have overseas offices, and what level of oversight senior staff have of fee earners.

Next steps and further information

Breaches of the sanctions regime represent a financial, reputational and regulatory risk to your firm. We expect firms to be compliant and have provided this guidance to help you draft an effective firm risk assessment.

Tips for completing your risk assessment

1. Should I use a template risk assessment?

This is entirely up to you. Some firms find template risk assessments useful in helping assess sanctions risk. We have published a template (WORD 7 pages, 48KB) which you may find useful.

If you use a template, however, you must make sure that it is tailored to your practice. When considering sanctions risk assessments, we often find that they do not match a firm's profile and do not reflect the risks from its services and client demographic. To protect your firm, you should carry out a risk assessment relevant to the size and nature of your business. In this sense, you are the expert.

Remember, you cannot pass the regulatory risk of non-compliance on to a third party. If a consultancy gives you the wrong advice, the liability remains with you.

2. What is the difference between matter and firm-wide risk assessments?

Firms often confuse a matter or client risk assessment with a firm-wide risk assessment. These are different documents which do different jobs.

A firm-wide risk assessment should evaluate the sanctions risk that your whole business is exposed to and set out how you have arrived at that conclusion. It should then set out the steps which will be taken to help mitigate any risks.

A matter or client risk assessment is linked to a specific client file and should assess the sanctions risk associated with that particular client or matter. It should also then inform the level of customer due diligence and ongoing monitoring required.

The two documents should relate to each other, and client or matter risk assessments should be informed by the themes identified in the firm assessment.

If you are in scope of the MLR 2017, you may wish to integrate a sanctions risk assessment into your existing AML regime at both firm and client/matter level.

You should also factor in any ancillary services provided by your firm or linked entities, and consider whether these might be attractive to designated persons. Examples might include reputation management, asset or wealth management, concierge services or family office services.

3. Which clients pose a risk?

Although it is common to speak of jurisdictions being sanctioned, for example "sanctions against Iran", in general it is not these countries themselves which are sanctioned. Financial sanctions are directed against people and vessels, which are then grouped into a geographic regime. You can find an up to date list of jurisdictions with a geographic sanctions regime in place here.

The vast majority of people within these jurisdictions are not subject to sanctions.

This is different to trade sanctions, which prevent those in the UK taking specific actions against those from certain countries (for example all Russian citizens or persons connected with Russia under the Russia (Sanctions) (EU Exit) Regulations 2019.) You should, however, regard a client that approaches you with a connection to a country under a sanctions regime as a higher-risk situation. They are more likely to be subject to sanctions than someone who does not have such a connection.

Clients who are more likely to be designated persons may:

  • be high net-worth individuals or corporate entities owned or controlled by them
  • hold, or have held, political office in another country – though this could be interpreted more widely than the definition of a politically exposed person in the MLR 2017
  • be connected to jurisdictions subject to a sanctions regime
  • use multiple layers of corporate structures to obscure their involvement
  • instruct you through third parties, such as family offices or concierge services.

It is, however, important to note that while the above factors increase risk, they are not in themselves determinative and you should not have a stereotypical view of what a designated person looks like. The OFSI consolidated list contains a significant number of people who are British citizens and have a last known address in the UK. Likewise, there are sanctions regimes in place against terrorist groups such as ISIL and al-Qaida. Designated persons under these regimes may not fit the stereotype of a designated person as a kleptocrat or oligarch.

4. What is licensing?

A licence from the appropriate government department will allow you to deal with sanctioned clients or assets in a way which would otherwise be prohibited. These are sub-divided into general and specific licences. Generally, licensing will involve OFSI or the Department for Business and Trade (DBT).

It is important to note that general and specific licences both present risks of their own. Both types of licence come with conditions – generally in the form of restrictions of activity (eg limits as to what is billable) and reporting conditions, either at the end of the licence period or once the licensed activity has concluded. Both kinds of licence are also usually time-limited, though they may be renewed at expiry. If you intend to apply for a licence, you should have procedures in place to monitor these restrictions and to make sure that you do not exceed any time limits or financial restrictions.

Read more information about licensing.

5. Counterparty risk

The strict liability of the sanctions regime does not distinguish between clients, counterparties or third parties. It is also possible to breach the sanctions regime in relation to a party who is not a client. If a counterparty or a third party is a designated person, the same considerations apply with regard to transfers as if they were your client.

You would, for example, breach the sanctions regime by transferring a payment of damages from your client to a designated person without a licence in place.

Relying on the other side in a transaction, or third parties, to have effective systems in place to screen for designated persons is unlikely to provide you with a complete defence if you breach the sanctions regime.

While the regime itself is strict liability, OFSI has produced guidance which sets out its attitude to enforcement. This includes measures which will mitigate the position of firms who find themselves in breach.

OFSI will consider it good mitigation where a decision was made in good faith and, on the basis of proper due diligence, was a reasonable conclusion to draw. OFSI will take into account the measures and checks undertaken, including due diligence and ongoing monitoring, taking into account:

  • the facts of the case
  • the degree of sanctions risk of the relevant entities involved.

As a basic measure, we recommend that your firm carries out basic checks on the counterparties in your matters, perhaps alongside your existing conflict checks. These are likely to be more limited than the checks you would carry out on your own clients, due to the more limited information available. To be effective they should include checking the counterparty against the consolidated list, including any ultimate beneficial owners. The level of checks should, however, increase with increased risk.

Sanctions risk Questions to ask Good practice Bad practice

Clients and counterparties:

  • Risk profile
  • Know your client
  • What brought them here?
  • Effective counterparty checks
  • What kind of clients instruct my firm?
  • What is their usual pattern of business?
  • Do my fee earners know what is usual for our clients and counterparties?
  • Is there anything about my firm's client profile which makes them higher risk, for example, high-net worth individuals?
  • Do corporate clients and counterparties have multiple levels of ownership and control? If so, do we know why and who is involved?
  • How good are fee earners at collecting information about a client's background, include the source of their wealth?
  • How good are fee earners at carrying out checks on counterparties?
  • Are fee earners equipped to recognise risks and report them?
  • In what countries do my firm's clients and their counterparties have connections?
  • Do any my firm's clients or their counterparties come from jurisdictions with sanctions regimes in place?
  • Does my firm have repeat clients, walk-in clients, referral agreements or similar?
  • Effective use of the OFSI Consolidated List or an e-verification system which draws on it to check clients and counterparties.
  • A good knowledge of your client base's variance in wealth and typical funding sources.
  • Referring to due diligence you have stored on your clients and, where applicable, counterparties.
  • Considering the steps you take to authenticate a client's claim of identity.
  • Consider the ownership and control structures you typically encounter, describing any exceptions.
  • Robust measures in place to establish ownership and control.
  • Consider how clients are referred to your firm.
  • Making sure that fee earners are aware of how to spot changes in a client's usual activity.
  • Effective use of a client risk assessment which alerts fee earners to unusual transactions.
  • An assumption that designated persons would never instruct your firm.
  • Not involving fee earners in spotting unusual clients or counterparties or transactions.
  • Assuming that UK clients and counterparties would not be subject to sanctions.

Geographical area:

  • Jurisdictions
  • Connections
  • Local knowledge
  • Where does my firm operate?
  • Does my firm operate in jurisdictions which may be subject to a sanctions regime?
  • Does my firm operate in jurisdictions which could be used to obscure ownership and control by designated persons, for example, offshore jurisdictions?
  • Is my firm referred work from persons/entities based in jurisdictions outside of the UK?
  • Does my firm provide services to clients outside of the UK?
  • How does my firm check for geographic risk?
  • Do clients ever ask my firm to send a sum of money to another entity?
  • Considering where you have offices and where you offer services.
  • Including consideration of where your clients, client entities, counterparties or the transactions you are working on are based and where they are linked to.
  • Using reputable sources of information, such as the OFSI Consolidated List, to determine country risk.
  • Using your own knowledge of countries to inform your assessment.
  • Having a system for identifying high-risk countries which does not need constant updating.
  • Being vague, for example, dividing countries into 'UK' and 'worldwide', which misses any sense of the different risk posed by different countries.
  • Making unrealistic statements, for example, stating that 'the firm would never act for an overseas client'.
  • Being complacent, such as assuming clients in 'the local area' will not be designated themselves or have connections to those who may be.
  • Misinterpreting the regulations to exclude anyone from a jurisdiction subject to the sanctions regime from being a client.

Products & services:

  • Legal sectors
  • Activities
  • Client account
  • What sort of work does my firm carry out?
  • How risky are my firm's activities?
  • Do fee earners ever go outside our main practice areas, for example, as a favour to a client or a one-off?
  • Would any of the services my firm offers be of interest to designated persons?
  • Does my firm offer non-legal ancillary services such as reputation management, wealth management or accountancy services?
  • Describing your specific service offering within each area of law.
  • Assessing the risks that those represent in collaboration with the relevant subject matter experts (such as departmental heads).
  • Listing specific department risks and steps of mitigation (as appropriate).
  • Describing any exceptional cases relevant to your practice.
  • Ensuring any non-chargeable or pro bono work is properly risk assessed?
  • Not describing the services you offer or activities you undertake.

Delivery channels:

  • Remote clients
  • Combining Services
  • Third Party Payments
  • By what means does my firm deliver its services to our clients?
  • What safeguards does my firm employ internally to catch repeat clients?
  • Is my firm ever instructed by intermediaries such as concierge services, attorneys or family offices? If so, how what checks do we undertake on the underlying client?
  • In what circumstances does my firm accept payments from third parties?
  • In what circumstances does my firm send payments to third parties?
  • Who instructs my firm remotely and why?
  • Describing the means by which you deal with your clients (face-to-face meetings, telephone calls, emails, video calls, etc) and assessing the risks, in practice, that these represent.
  • Describing an effective process that ensures repeat clients instructing new departments are newly risk assessed in proportion to the risks relevant to the new service area.
  • Addressing the circumstances in which you deal with third-party payments and how you mitigate the associated risks.
  • Assessing the risks of remote instructions and describing the circumstances and basis on which this is usually permitted.
  • Having a process in place to identify and scrutinise the underlying client if you are instructed by a third party.
  • Omitting any consideration of the other day-to-day means by which you deliver services to your clients (excepting face-to-face).
  • Mentioning but not assessing remote delivery of services. Mentioning transacting with third parties, but not the basis on which this happens.
  • Failure to consider the risk of 'passporting' – where a client instructs a firm on a low-risk matter to avoid scrutiny on later, high-risk instructions.

Transactions:

  • Buying and selling
  • Transferring funds
  • Non-monetary transactions eg shares.
  • Are there adequate safeguards around my firm's client account?
  • Does my firm ever receive unsolicited payments?
  • Does my firm deal with transactions that are unusually large?
  • Does my firm deal with complex transactions?
  • Does my firm deal with alternative payment methods?
  • Does my firm deal with transactions that facilitate anonymity?
  • How does my firm ensure that any escrow work does not breach the prohibition on providing banking facilities?
  • Describing the size and frequency of transactions with which your firm deals.
  • Evaluating the circumstances in which you will deal with transactions that are unusually large, remarking on any notable cases.
  • Describing the service areas which might remove identifying detail from a payor or payee, and why this risk is tolerated.
  • Considering whether any payments other than GBP are typically used in the matters you deal with (including crypto assets, high value products, alternative fiat currencies), and evaluate the risks these present.
  • Considering the risks of cross-border transactions involving other jurisdictions.
  • training for accounts employees.
  • Providing no description of the monetary transactions you are engaged in.
  • Stating a generic list of transactional risk factors.
  • Failure to consider how the firm will monitor transactions, for example unexplained payments into the client.

Licensing

  • Does my firm need to apply for a general or a specific licence?
  • If a specific licence, will the work fulfil one of OFSI or the DBT's licensing grounds?
  • Does my firm factor the time taken to obtain a licence into our timescales for a matter?
  • If my firm looks like exceeding the limits of a general licence, should we cease all work or apply for a specific licence to continue?
  • Who works on, or could work on, matters under licence?
  • Describing the size and frequency of transactions with which your firm deals.
  • Evaluating the circumstances in which you will deal with transactions that are unusually large, remarking on any notable cases.
  • Describing the service areas which might remove identifying detail from a payor or payee, and why this risk is tolerated.
  • Considering whether any payments other than GBP are typically used in the matters you deal with (including crypto assets, high value products, alternative fiat currencies), and evaluate the risks these present.
  • Considering the risks of cross-border transactions involving other jurisdictions.
  • training for accounts employees.
  • Providing no description of the monetary transactions you are engaged in.
  • Stating a generic list of transactional risk factors.
  • Failure to consider how the firm will monitor transactions, for example unexplained payments into the client.