Wise Payments Limited: A Sanctions Disclosure Case Study
Understanding the intricacies of sanctions regimes is akin to piecing together a complex puzzle. It’s crucial to decipher how these pieces fit together to gauge your organization’s exposure to sanctions risks. In today’s dynamic global landscape, regulators and legislators demand unwavering precision and responsiveness in navigating the ever-evolving terrain of global sanctions compliance.
Office of Financial Sanctions Implementation’s (OFSI) “Disclosure” Powers
Notably, the UK Office of Financial Sanctions Implementation (OFSI) made significant strides on the 31st August 2023 by utilizing its new “Disclosure” enforcement powers for the first time.
This empowers OFSI to publicly disclose details of financial sanctions breaches, including the identities of those responsible for the infractions.
Who Faced Disclosure?
Wise Payments Limited (“Wise”) found itself in the spotlight for breaching Regulation 12 of The Russia (Sanctions) EU Exit Regulations 2019.
Regulation 12 states that (1) A person (“P”) must not make funds available directly or indirectly to a ‘designated person’ (DP) if P knows, or has reasonable cause to suspect, that P is making the funds so available. (2) Paragraph (1) is subject to Part 7 (Exceptions and licences). (3) A person who contravenes the prohibition in paragraph (1) commits an offence.
Chronology of events
- On June 30, 2022, a £250 cash withdrawal occurred from a Wise business account owned by the DP using their debit card, a day after the sanction designation on June 29, 2022.
- Wise reported the suspected breach to OFSI on July 20, 2022, and cooperated fully during the investigation.
- Wise’s policy at the time involved screening customer details against OFSI’s sanctions list. Alerts led to account suspension but didn’t affect debit card usage, mainly due to a high false positive alert rate.
- The DP was listed by OFSI on June 29, 2022, at 11:05 AM, and Wise’s data provider updated their sanctions list on June 30, 2022, at 00:59 AM.
- On the same day, at 04:20 AM, Wise’s systems raised an alert due to a name match. The associated account was suspended, but debit card activity continued.
- At 07:25 AM, the DP’s company withdrew £250 in cash using the debit card.
- The information reported and otherwise obtained from Wise indicated that at the time of the cash withdrawal, Wise’s policy mandated that all customer details (including ultimate beneficial ownership/directorship of a business account) were screened against OFSI’s consolidated list of sanctioned persons and entities (using a third-party sanctions data provider and Wise’s in-house screening software). In the event that the screening system detected a potential sanctions match, an alert was created, and the customer’s profile suspended (preventing the customer from sending or receiving any funds from or to the account). If a customer had a debit card, Wise’s policy at the time however was not to suspend the use of the debit card as part of the initial profile suspension process. Instead, customers would retain access to their debit cards until sanctions profile matches were resolved.
- Wise explained to OFSI that this policy was in place because of a high false positive rate for sanctions alerts and was therefore intended to take into consideration both its regulatory requirement to pay due regard to the interests of its customers and treat them fairly, and its legal obligations to comply with financial sanctions.
- Wise escalated the matter on July 1, 2022, but the sanctions specialist team did not review it until July 4, 2022.
- On July 4, 2022, Wise blocked the debit card and fully suspended the account.
- OFSI informed Wise of its intention to disclose the breach, offering an opportunity for representations. Despite the low breach value, OFSI found Wise’s policy regarding debit card payments inappropriate. OFSI reviewed these representations and determined that they did not alter its assessment of the breach or the nature of the appropriate enforcement action.
- The inappropriate policy allowed funds to be available to a company owned or controlled by the DP. This factor made the case moderately severe overall and enabled funds to be made available to a company owned or controlled by the DP.
Wise’s Disclosure: Mitigating factors
OFSI took into account several mitigating factors in Wise’s case:
- The relatively low value of the breach (£250).
- Wise’s full and transparent disclosures to OFSI upon request for information.
- The absence of evidence suggesting deliberate sanctions evasion.
- Remedial actions taken by Wise, including terminating the DP as a customer.
- Augmented workforce and weekend operations for the specialist sanctions team.
- Revised policies, including immediate account and card blocks pending review by the specialist sanctions team in case of a potential match with a DP.
Key learnings from Wise’s Disclosure
- Prompt Reporting is Crucial: Wise reported the suspected breach promptly to OFSI, demonstrating the importance of timely reporting in compliance.
- Vigilant Monitoring: Even with established compliance policies, continuous monitoring of customer activities is vital to detect potential breaches in real-time.
- Comprehensive Cooperation: Full cooperation with regulatory authorities during investigations is essential to demonstrate commitment to compliance.
- Managing Alerts: Establishing a robust & resilient alert management system is vital, particularly when dealing with a high volume of alerts resulting from sanctions screening.
- Balancing False Positives: Balancing the need to minimise false positives with compliance obligations is a challenging aspect of sanctions screening.
- Customer Consideration: Balancing regulatory obligations with the interests of customers is a complex but necessary task for financial institutions.
- Escalation Policies: Having clear escalation policies for potential sanctions matches is essential, ensuring that alerts are promptly reviewed by specialists.
- Continuous Operations: Maintaining operational capabilities is crucial for timely response to compliance issues, especially in time-critical situations.
- Regulatory Impact: Even seemingly low-value breaches can have significant consequences if compliance systems and controls are deemed inappropriate by regulatory authorities.