The Solicitors Regulation Authority (SRA) recently held a live webinar on sanctions compliance. You can find the official recording on YouTube – it is worth a watch for anyone interested in sanctions compliance.
And of course, that should be everyone, since the regulator has made it clear through its recent guidance notes, keynote speeches and mandatory questionnaire that the profession’s compliance with sanctions is near the top of the regulatory agenda.
The message is that all firms are exposed to sanctions legislation and therefore steps need to be taken to demonstrate appropriate systems and controls are in place.
The problem with strict liability and legal services
One of the key differences between AML and sanctions is the lack of grey area.
The Money Laundering Regulations require lawyers to take a ‘risk based approach’ to compliance. That means assessing risk and applying proportionate controls. Risk is not an easy concept to get to grips with, but at least it is familiar.
Sanctions are different. A client is either a ‘designated person’ or they are not. You either need a licence from OFSI to act or you do not. You either are in breach of a financial sanction or you are not.
Risk has nothing to do with it.
And the legislation applies regardless of the practice area. We are not just talking about ‘transactional’ legal services. Litigation, general advice and all other legal services are within scope.
This poses a conundrum for lawyers: what if the other side is a designated person? How do we know and how far do we have to go to find out?
An unsatisfactory position
To be fair to the regulator, this is not an easy area to provide guidance on and it has to work within the constraints of the legal framework.
However, what we have ended up with appears to be the following requirements:
- All firms need to incorporate sanctions risk into their firm-wide risk assessment (FWRA).
- Those who are not within scope of the Money Laundering Regulations (and therefore are not obligated to do a formal FWRA) should do a standalone sanctions risk assessment in any event.
- That risk assessment should inform the extent to which you need sanctions policies, procedures and controls. This would include formal policies as well as onboarding systems, supervision and training.
- All clients should be subject to sanctions checks. It is really important that solicitors understand the beneficial ownership and control of a client, in case there is a designated person sitting somewhere in the corporate structure, or one who ‘controls’ an entity without appearing on official records.
- Clients also need to be subject to some form of ongoing monitoring, given that new government sanctions are added without notice and can change from day to day.
- Firms should use e-verification tools, but not rely on the results at face value. The regulator advocates manually checking clients against the OFSI consolidated list. Arguably, only e-verification is able to conduct ongoing monitoring at scale – law firms cannot possibly manually check all their clients on a daily basis.
- Third parties may need to be checked. This is the blind spot. On the one hand, the position seems to be that you should take a ‘proportionate but risk averse’ approach to third parties. On the other hand, if you miss something there is a potential legal and regulatory issue.
Wait, what? Do we have to sanctions-check third parties?
Yes, according to the SRA. From the official guidance:
“In order to make sure you are complying with the sanctions regime, you should understand who your clients are, who they are owned/controlled by, and potentially the counter-parties and any third parties providing funding. Counter-parties and third parties present a risk because if they are designated persons, or are owned or controlled by designated persons, the funds they introduce into a transaction may need to be frozen.
You cannot rely on other parties to assure you they are not designated persons. At the most basic level you should check the identities of clients (and for non-natural persons anyone with control over the entity or at least a 50 per cent stake) and counter-parties against the UK consolidated sanctions list.”
That is pretty definitive, although the use of ‘potentially’ shields the guidance from being accused of being prescriptive.
When the point was pushed in the webinar, the message was diluted to the ‘proportionate but risk averse’ position.
Translation: you might only have to sanctions check a third party if the risk profile of the matter at hand suggests you should. For example, a commercial contract involving a counterparty with owners established in BVI is likely to be a higher sanctions risk than UK-based personal injury proceedings.
This is clearly a bit of a fudge. The sanctions regime is either strict liability or risk based. It cannot be both. And it cannot be right to say you only need to investigate a third party if it turns out with hindsight that it was necessary.
What we can take away from this is that sanctions compliance has two elements:
- Legal liability is strict. Get it wrong and you could be on the hook, even if the designated person was not your client. Even if the sanctions risk looked low on paper and you took proportionate steps to check the parties’ sanctions status. That is reason enough to take this seriously. However, the likelihood of a breach could be very low depending on your practice area and client base.
- Regulatory liability is not so clear cut. It is likely that the SRA will come down hard on a firm that breaches sanctions legislation as a result of its failure to put any compliance systems in place. If, on the other hand, the firm takes ‘proportionate but risk averse’ steps and still ends up committing a sanctions breach, the firm could find itself able to put forward mitigation in a regulatory investigation (if not to the offence itself).