The Solicitors Regulation Authority (SRA) has issued guidance on conducting firm-wide sanctions risk assessments, which sits alongside its general guidance on complying with the UK sanctions regime. The regulator sees the risk assessment process as an important part of navigating the complex landscape of sanctions compliance.
While sanctions are not new, they have come to the fore since the Russian invasion of Ukraine in 2022. Sanctions compliance is especially important for law firms because, unlike AML, there is no “out of scope” legal work. All firms are caught.
Therefore, solicitors have to be aware of their duties in relation to sanctions.
Despite this, almost half of firms failed to check whether existing clients are sanctioned, according to the SRA’s annual AML report. Only a fifth of those firms audited by the regulator ran sanctions checks on counterparties, and the vast majority did not know what to do if they came across a sanctioned individual. This has to be improved, says the SRA.
In our recent sanctions webinar, we considered these issues in depth.
Understanding Sanctions Risk
The guidance underscores the importance of identifying and assessing the risk posed by clients, counterparties, and third parties. A key aspect is the recognition that certain factors, such as conducting business with high-net-worth individuals, politically exposed persons (PEPs), or those residing in high-risk jurisdictions, could elevate a firm’s sanctions risk profile. However, the SRA cautions against making assumptions based solely on these factors, advocating for a nuanced approach to risk assessment.
Licensing and Compliance
Firms dealing with sanctioned entities or individuals may require specific licences from the relevant government department, which are typically categorised as general or specific licences, each with its conditions and limitations. Understanding and adhering to these licensing requirements is crucial for legal practitioners to ensure compliance and avoid penalties.
Firm-Wide Risk Assessments
The guidance highlights the necessity of a firm-wide risk assessment that evaluates the entire business’ exposure to money laundering and sanctions risks. This assessment should inform the level of customer due diligence and ongoing monitoring required for each client or matter. It’s also advised to incorporate considerations of proliferation financing risks into this assessment, especially for firms operating in sectors like trade finance, shipping, and military/defence.
A sanctions risk assessment is not a legal obligation, but it is clearly a regulatory expectation. Sanctions risk can sit within your overarching financial crime/AML risk assessment document.
Dealing with Politically Exposed Persons (PEPs)
The guidance offers insights into dealing with PEPs, urging firms to be realistic about their policies and avoid overly restrictive practices that could lead to unnecessary rejection of clients. Understanding the broad definition of PEPs and implementing appropriate due diligence measures is emphasised for effective compliance.
Implementing Effective Sanctions Compliance
Recent updates to the SRA’s guidance encourage firms to undertake thorough sanctions risk assessments using the provided template and to establish a sanctions policy for staff. A crucial aspect of compliance involves conducting basic checks against the OFSI Consolidated List for all counterparties, underscoring the importance of independent verification to ensure parties are not designated persons.
Although there is no such thing as a ‘risk based approach’ in sanctions compliance, we take the view that firms must take a common sense and proportionate approach to sanctions checks. The firm-wide sanctions risk assessment should help to identify higher risk areas, where greater care is warranted.
Key Questions and Controls
Firms are advised to critically assess the identity and background of clients (and their counterparties, where relevant), looking beyond mere names to understand the true nature of their business and financial dealings. This involves asking critical questions about the parties’ identities, their control over entities, and the legitimacy of their transactions.
Sectoral Risks and AML Overlap
There is a notable overlap between sanctions compliance and anti-money laundering (AML) considerations, particularly concerning jurisdictions, PEPs, and complex corporate structures. Firms are encouraged to incorporate sanctions considerations into their AML risk assessments, especially if they operate in sectors like international trade, shipping, and aviation, which are more susceptible to sanctions risks.
Sanctions Webinar
In our recent free live webinar (recording available to newsletter subscribers), we went into sanctions compliance in depth. We concluded that there are a number of practical considerations for solicitors:
- Firms must have a firm-wide sanctions risk assessment: The SRA expects you to have one, and it would not be surprising to see the usual escalation of: guidance, thematic review, Warning Notice, enforcement action.
- The risk assessment needs to shape your wider sanctions systems and controls: This will cover ground that will be similar to your AML policy, but specifically related to sanctions compliance.
- Decide who is responsible for sanctions compliance: There is no statutory officer, so should responsibility best sit with the COLP, MLRO or someone else entirely?
- Keep up to date: Sanctions is a fast-moving area of compliance and firms must be able to keep up the latest developments. Bear in mind that a client or third party may become subject to a sanction during the course of the retainer, so the due diligence must be kept up to date.
- Record keeping is a must: For self-protection, the file needs to show evidence of sanctions checks (“if it isn’t written down, it didn’t happen”).
- Sanctions training must be provided: This can be a complex area of compliance, but staff need to be aware of the sanctions regime, the red flag associated with sanctions evasion, and the safeguards in your internal policies.
- Consider updating terms of retainers: Some firms include terms that make it easier to exit the retainer if the client becomes subject to a sanction, or if the sanctions checks cannot be completed to the firm’s satisfaction.
- Produce internal guidance on who should be sanctions-checked: In what circumstances do we check other solicitors’ clients, UBOs, beneficiaries and so on?
- Be aware of other jurisdictions’ sanctions regimes: For firms that have, or plan to have, exposure to other jurisdictions (particularly the US), careful consideration will need to be given to other sanctions regimes. Sanctions can have extraterritorial effect.
Q&A – Answers to questions received during the live webinar
How long do records need to be kept?
As long as you would usually keep file records. Bear in mind that (a) you should not keep personal data longer than necessary and (b) if relying on a sanctions licence, it will usually have its own terms about record keeping.
If one becomes aware the other party or a beneficial owner of that other party may be sanctioned – is there a requirement to report although we are not asking for a licence?
Yes.
What would the obligation be for ownership investigation when sanctions screening – particularly for entities with ownership in other jurisdictions, where it may not be possible to identify individual shareholders?
That’s where CDD comes in. You should be seeking to establish a full understanding of the ownership and control structure. You will recall that the trigger point for beneficial ownership under sanctions legislation is generally 50% (unless the person has some other measure of significant control).
Checks on counterparties. Where the other side is represented by an SRA regulated firm, my view is that you still should be carrying out sanctions checks on that third party and cannot rely on any checks that may have been carried out by the third party solicitor. Agree?
You certainly can’t rely on anyone else to do sanctions checks, there is no equivalent to the ‘reliance’ procedure in the Money Laundering Regulations. I would still suggest taking a common sense, proportionate, approach to this. From that point of view, the SRA is probably onto something with the firm-wide risk assessment – it forces you to think about where the real sanctions risks sit. I don’t think anyone is suggesting that (for example) every buyer and seller of property is separately sanctions-checked by their respective solicitors. How far up and down the chain would you go?
How does the sanctions regime interact with source of wealth? E.g. employees of sanctioned entities; owners of formerly sanctioned entities; persons connected with entities sanctioned by the EU/US but not the UK.
Insofar as they are both a form of client due diligence, I suppose they are closely linked. They may both require a certain amount of detective work. Great care should be taken with employees of sanctioned entities. If you are dealing with EU/US sanctions, a UK firm without exposure to those jurisdictions would not technically be required to comply in all likelihood. However, US sanctions can apply beyond US borders, which could be an issue e.g. if you intend to do business in the US or if you have US nationals who are partners.
How can I view that OFSI spreadsheet?
Search the consolidated list.
Can the Sanctions RA be part of your firm wide risk assessment for AML purposes?
Yes.
So can they fine you?
The SRA can fine you (or worse) if you breach the Standards and Regulations. For example, the principals of upholding the rule of law, and maintaining the public’s trust in the profession. You also have the requirement for individual solicitors to keep up to date with the law applicable to their practice. And firms are required to have compliance and risk management systems in place.
So yes, even if you do not breach a sanction the SRA could potentially take an interest.
How often would you recommend to redo the checks on the same client?
Depends on the risk. I would say at the start of every new matter you do for that client as a minimum.
What about counterparty checks – if they become designated?
Yes, this is a risk that you will need to consider when deciding how often to re-run sanctions checks during the course of the retainer.
And against Other Parties in the onboarding process?
That appears to be the accepted practice now (but on a common sense, proportionate basis).
Should we be doing spousal checks?
Routinely? No. In higher risk cases? Yes.
We use Thirdfort which checks Sanctions and it will provide any changes for 12 months after that check. I assume these are sufficient.
Thirdfort is an excellent tool and comes highly recommended, partly for this reason.
Can you do a deep session on PEP’s – Domestic PEP’s?
Watch this space!
How often should my firm issue a sanctions policy and FWRA?
Annually might be overkill for some firms (but probably not for the larger, high risk firms). Schedule a review for every two years? Think about updating it sooner if something fundamentally changes at the firm e.g. you take on a new practice area or client base, or are involved in a merger.