OFSI Financial Services Threat Assessment: Key Insights and Implications

Written By Stefania Cirignano

The Office of Financial Sanctions Implementation ("OFSI") recently published its Financial Services Threat Assessment, providing a detailed analysis of the current threats and vulnerabilities facing the UK financial sector. This report is part of OFSI's commitment to enhance sanctions compliance.

The report focuses on threats handled by UK financial or credit institutions, including banks (retail and wholesale) and non-bank payment service providers ("NBPSPs"). OFSI identified that since February 2022, UK financial services firms are responsible for reporting over 65% of suspected breaches received by OFSI and of those, over 80% are reported by NBPSPs. Throughout the report, various case studies are used, providing examples as to how firms are failing to meet its reporting obligations.

The Sanctions Landscape

OFSI have produced this threat assessment focused on Russia-based sanctions as over 75% of sanctions designations made by the UK government since February 2022 have been Russia related. However, it is important to recognise that sanctions and sanctions related risks are not new, and they extend beyond any single country. UK financial services firms must remain vigilant and apply the lessons learned from this report to ensure robust compliance with all UK sanctions regimes. This includes staying informed about global sanctions developments and continuously updating risk management strategies to address emerging threats.

Key Judgements: Six key sanction threats relevant to UK financial services firms from February 2022:

  1. It is likely that some UK financial services firms have not self-disclosed all suspected breaches to OFSI.

  2. It is highly likely that most non-compliance by UK financial services firms has occurred due to issues such as the improper maintenance of frozen assets and licence conditions breaches.

  3. It is almost certain that Russian designated persons ("DPs") have found new enablers in their attempts to breach UK financial sanctions prohibitions. OFSI outlined that it has observed significantly increased enabler activity since 2023.

  4. It is highly likely that enablers have made payments through NBPSPs relating to the maintenance of Russian DPs’ lifestyles and assets.

  5. It is likely a small number of enablers have attempted to front for Russian DPs and claim ownership of frozen assets.

  6. Enablers have almost certainly used alternative payment methods, particularly cryptoassets, to breach UK financial sanctions prohibitions on Russia.

Real Risks and Business-Wide Risk Assessments (BWRAs)

The key judgements outlined by the OFSI report are sources that should be used to help identify real sanctions risks for your organisation. Incorporating these findings into your risk assessment is crucial to ensuring your risk assessment is useful and that it: informs policies and procedures, drives change, enhances decision making, influences senior management around resource and investment and identifies emerging risks. 

A lot of work we have recently been undertaking with clients has been regarding the structure of risk assessments and the corresponding outcomes that they are seeking to deliver. Risk assessments should be purpose led. By this, we mean that they should enable your organisation to fully understand the type of financial crime risks and extent of the exposure that it actually faces. So how should firms be leveraging these insights within their sanctions risk assessment?  

  1. In terms of the real risks, how can third party enablers use your products and services to circumvent sanctions requirements to maintain the lifestyles of Russian DPs? 

  2. Similarly, how can your onboarding or ongoing monitoring processes be abused to allow related parties to operate on behalf of these Russian DPs?   

  3. Make sure that control descriptions are specific and clear in what risks they are designed to manage. For example, how effective are your arrangements to maintain assets that have been frozen, assuming relevant DPs have been identified through your screening capability.  

As a result, residual risks in risk assessments are more meaningful and insightful. They are not about showing how little risk you have, but are based on your organisations ability to effectively identify and manage your risk exposure that is inherently required to meet your broader strategic goals as a business.  

Questions to ask yourself regarding sanctions risks (but also broader FC risks)

  • How do you ensure that your organisation self-discloses suspected OFSI breaches in a timely manner?

  • What steps are in place to ensure the correct handling of frozen assets or license condition breaches? Have you implemented additional due diligence measures surrounding payments / assets to capture publicly available links to DPs?

  • How comfortable are you that relevant staff understand the OFSI reporting process? How clear are your policies and procedures relating to freezing or segregation of funds where necessary?

  • How have you taken steps to identify, assess and report varied attempts by DPs to breach UK sanctions?

  • How have you considered (and documented) sanctions risk in relation to the use of any new products / services your organisation launches?

  • How have you gained comfort that you have adequate coverage of sanctions risk in your BWRA or standalone sanctions risk assessment? What changes have you made since February 2022?

  • How do you demonstrate that changes in the sanctions landscape trigger a review or amendments to your risk assessment? 

  • How have you gained comfort that the risks in your risk assessment are true risks and that they underpin the financial crime framework in your organisation?

  • When devising your risk assessment, how do you tailor the risks to your business profile?

  • How do you gain comfort that your likelihood and impact ratings are logic driven and not just given arbitrary ratings?

  • To what extent have you clearly documented the rationale for your risk ratings?

  • To what extent have your control ratings considered several types of controls and different effectiveness weightings for the different types of controls?

 

Want more information on managing sanctions risks and risk assessment? Check out some of our other blogs:

Managing sanctions risk, e-money and payments firms

Sanctions in the UK: enforcement and proactive supervision

Preparing for a Thematic Review: Financial Crime Business Wide Risk Assessments

Stefania Cirignano
Previous

UK AML Supervision 2023/2024: Are firms keeping pace with regulators?
Next

Updated FATF standards and financial inclusion – IYKYK