The Office of Financial Sanctions Implementation (“OFSI”) published an updated version of its “Monetary penalties for breaches of financial sanctions – guidance” (the “Guidance”) on 10 March 2021. The updated Guidance comes into force on 1 April 2021. Any breaches reported to OFSI after this date will be dealt with under the new guidance.
OFSI has made limited use of its powers to impose monetary penalties since they were introduced on 1 April 2017 by the Policing and Crime Act 2017 (the “PCA”), with its fourth monetary penalty imposed on 31 March 2020 (see our previous briefing here). However, in his introduction on 4 February 2021, new OFSI director Giles Thomson mentioned that OFSI will “continue to robustly but fairly and proportionately use the compliance tools available to [them], including monetary penalties”.
In this briefing, we have set out some of the key changes to the Guidance, in particular as regards: (i) the stated scope of OFSI’s jurisdiction; (ii) voluntary disclosure, and the impact of legal professional privilege on disclosures to OFSI; (iii) OFSI’s discretion in assessing the seriousness of cases; and overall, (iv) a potentially more aggressive approach to penalties. It remains to be seen how the updated Guidance will be used by OFSI and, in particular, whether this gives rise to a more extensive use of OFSI’s monetary penalty powers.
When the Guidance was first introduced in 2017, concerns were raised over the way that the draft guidance expressed OFSI’s jurisdiction and what may constitute a “UK nexus” (see HMT’s response to the 2017 consultation on a draft version of the Guidance (the “2017 Consultation”), and our previous briefing for more detail). For example, concerns were raised over statements indicating that OFSI would have the power to impose penalties on the non-UK subsidiaries of UK parent companies.
Those concerns were mitigated to some extent by statements in previous versions of the Guidance that:
- neither the Guidance nor the PCA extends or alters the reach of UK financial sanctions; and
- OFSI will “not artificially bring something within UK authority that does not naturally come under it”.
The above caveats have been deleted in the latest version of the Guidance.
Although there has been no corresponding change to the underlying law, this could be interpreted as an attempt by OFSI to position its jurisdiction as broadly as possible. In reality, it remains the case that (civil or criminal) penalties for breach of UK sanctions can only be imposed where the relevant jurisdictional tests are met; in summary, UK sanctions apply to the actions of UK nationals/UK incorporated companies (anywhere in the world) and acts by anyone within the territory of the UK.
From a compliance perspective, companies will wish to be aware of OFSI’s broad interpretation of its jurisdictional reach, and will likely act in accordance with that interpretation. From an enforcement perspective, if the amendments to the Guidance represent an attempt by OFSI to “redraw” the jurisdictional limits of the law and seek to impose penalties in a wider range of circumstances, this may be an area for challenge by the recipients of those penalties.
To date, the four penalties imposed by OFSI have been squarely within its jurisdiction, as they have all involved UK entities.
2. Legal Professional Privilege and Voluntary Disclosures
In its section on voluntary disclosure, the Guidance refers to the offence of failure to provide information to OFSI (there is a proactive reporting obligation imposed on certain types of businesses, and failure to comply with certain requests for information from OFSI can also be an offence). The Guidance notes that the offence of failing to comply with information requirements is only committed where a person fails to produce a document “without reasonable excuse”.
The previous version of the Guidance expressly confirmed that legal profession privilege could amount to a “reasonable excuse” not to disclose a document. However, the updated Guidance has deleted this wording. Instead, the new Guidance notes that protections for legally privileged materials “may apply even where not explicitly referenced” (emphasis added). It is important to note that there has been no change to the legal position in this regard. There is no indication that sanctions regulations were intended to override common legal professional privilege. Equally, OFSI has separately indicated that it expects legal professionals to approach their disclosure obligations with rigour and to ascertain carefully whether legal privilege applies, as well as which information it applies to.
Companies faced with questions regarding whether particular information is or is not disclosable (and in particular potentially privileged material) should therefore consider their legal obligations with care and should seek advice as appropriate; but would be unwise to rely on OFSI’s Guidance as a comprehensive articulation of their reporting obligations.
Some of the amendments to the Guidance may also indicate an increase in the standard required to benefit from the “voluntary disclosure” provisions discussed in more detail in section 3 below. From 1 April 2021, OFSI will require disclosures to “include all evidence relating to the facts of the breach” in order to qualify for the voluntary disclosure discount. This is as against the former requirement for disclosures to be “materially complete” which we believe (albeit the drafting is quite unclear) places a lesser burden on the reporting company. It remains to be seen whether this indicates a departure by OFSI from its previous stance (expressed in the context of the 2017 Consultation) that “we know it takes time to establish facts, and sometimes not all the facts will be available immediately. We are looking for good-faith disclosure and willingness to work with us, and will support approaches to these issues made in that spirit”.
Finally, in addition to the fact that an incomplete disclosure may not qualify for self-reporting credit, the updated version of the Guidance re-emphasises that a reduction in penalty will not be available if: (i) disclosure is only made because the party is already aware of the breach, or (ii) if a party refuses to provide information on request.
3. Case Assessment
The Guidance explains that OFSI will classify breaches as either “serious” or “most serious” when seeking to impose a monetary penalty. In addition to the fact that “most serious” cases will generally be subject to a higher penalty, this classification also impacts the reduction available where the breach has been the subject of voluntary disclosure: a reduction of up to 50% is available in “serious” cases, while the reduction in “most serious” cases is limited to 30%. This fundamental penalty structure remains unchanged from the prior Guidance.
What has changed is that the updated Guidance appears to suggest that OFSI is seeking to give itself greater discretion when assessing the seriousness of breaches of financial sanctions.
In relation to “most serious” cases, the updated Guidance now states that this category will include “particularly poor, negligent or intentional conduct”. The previous Guidance referred instead to “a blatant flouting of the law”. We do not suggest that the previous language was well drafted: the concept of a “blatant flouting” is amorphous and not an identifiable legal standard. However, the new drafting is both vague and suggests a broader scope to OFSI’s penalty powers than actually exists.
Specifically, the PCA provides that a penalty may be imposed where OFSI is satisfied (on the balance of probabilities) that the person concerned has: (a) breached a prohibition, or failed to comply with an obligation, imposed under financial sanctions legislation; and (b) knew or had reasonable cause to suspect that this was the case. If “poor” implies a lesser standard of knowledge than negligence (which might be the case given the use of the term before “negligent”), then it is not clear that the imposition of penalties for this type of conduct would be within OFSI’s powers.
It is also not clear why “particularly poor” or “negligent” breaches are considered “most serious”. This seems to leave only accidental, non-negligent breaches in the “serious” bracket. One would think that such breaches should in fact be dealt with other than by a civil penalty (if indeed a penalty is capable of being issued at all).
This may therefore be an area where companies seek to challenge OFSI’s imposition of penalties, depending on how it purports to define “particularly poor” and “negligent” conduct.
In addition, some changes have been made to the aggravating and mitigating factors that OFSI will take into account when assessing how seriously to view a case. The updated Guidance has removed the “direct provision of funds or economic resources to a designated person” as an aggravating factor. This means that OFSI is no longer obliged to treat breaches “directly and openly” involving designated persons as being more serious. (This is a positive change, as the rationale for the factor was difficult to understand and apply).
The amendments to the Guidance also suggest that OFSI may be seeking to limit the connection between the value of a breach and the available penalty amount, and to bolster its ability to impose penalties for low value breaches:
- In calculating a penalty, OFSI will have regard to what is reasonable and proportionate. The previous version of the Guidance states that “’proportionate’ means there is a clear relationship between the value of the proposed penalty and both the value of the breach (if known) and how seriously the breach undermined the sanctions regime” (emphasis added). The reference to the value of the breach has now been deleted and replaced by a statement that proportionality does not mean that a penalty should necessarily be either a specific percentage or a multiple of the breach amount.
- The previous version did observe that “there are circumstances where enforcement action for lower-value breaches is also justified – for example, if the action was a calculated and deliberate flouting of sanctions.” However, the new wording simply states that enforcement action may be taken on lower-value breaches where “it will be considered appropriate” by OFSI – presumably to allow more flexibility.
However, these amendments should be read with the PCA itself, which provides that OFSI has discretion to determine the amount of a penalty up to a maximum of the higher of £1 million or 50% of the estimated value of the funds or resources that were subject to the breach. On this basis, although the amendments to the Guidance may give OFSI additional flexibility within its discretionary bounds, they do not override the 50% limitation included within the PCA in cases where this applies.
4. A More Aggressive Approach?
In addition to the above, the tone used in the updated Guidance is broadly suggestive of a more aggressive approach in dealing with breaches of financial sanctions. Some examples include the following:
- With regard to the list of steps which OFSI may take in response to potential breaches, the updated Guidance states that OFSI may issue a “written warning”, rather than writing to require details of how UK companies propose to improve their compliance practices. The fact that issuance of a written warning is now the first (and therefore least aggressive) step in response to a breach, signals a stricter approach.
- Previously, OFSI stated that they “cannot impose a monetary penalty” where a person did not know and did not have reasonable cause to suspect that they were in breach, and gave the example of a request for more information as a potential response in such circumstances. As noted above, this reflects the position under the PCA. The updated Guidance moves away from this definitive use of language to state that OFSI “will not” impose a monetary penalty in such circumstances and that “more proportionate remedial action” may instead be applied (without any examples of what this may entail). Since the PCA provides that penalties can only be imposed on persons who know or have reasonable cause to suspect that they are involved in a breach, this amendment does not change the legal position – but appears to indicate a change of emphasis by OFSI, perhaps with a view to suggesting an expansive scope for their penalty powers.
- The updated Guidance also deletes wording which suggests that OFSI encourages “strong compliance cultures” and will consider whether it is proportionate to impose a penalty in circumstances where the person in question has “simply [fallen] below a high standard”, particularly where they have acted swiftly to remedy the cause of the breach.
It remains to be seen how the updated Guidance will be used by OFSI and, in particular, whether this will result in a more extensive use of OFSI’s monetary penalty powers. However, changes such as those highlighted above, whilst seemingly minor and textual in nature, seem to mark an attempt by OFSI to position its jurisdiction and powers as broadly as possible, and to give it maximum flexibility to impose penalties.
In one sense, the publication of more monetary penalties may assist companies in their compliance efforts, by giving guidance on OFSI’s expectations and approach to enforcement (particularly if they contain more substantive analysis of the breaches than has been the case to date). However, this will be of limited comfort to the targets of those penalties.
Companies which identify a potential breach of UK financial sanctions should carefully consider whether and how to report such issues to OFSI, particularly given the impact of self-reporting on penalties, and engage with their legal advisers at an early stage in relation to any voluntary disclosure and/or dialogue with OFSI. In that context, companies should also ensure that they carefully review the underlying provisions of the PCA regarding OFSI’s monetary penalty powers, and the legislation imposing the relevant sanctions restrictions (the Sanctions and Money Laundering Act 2018 and related secondary legislation) to ensure that they have a clear understanding of the relevant legal framework, in addition to OFSI’s interpretation of the same in the Guidance.