The UK Office of Financial Sanctions Implementation (OFSI) announced on 31 March 2020 that it had levied a £20.47m penalty on Standard Chartered Bank for violations of UK financial sanctions. The penalty is by far the largest of its kind since the OFSI was given the power to impose civil monetary penalties in 2017 (the runner-up being the £146,341 action against mobile operator Telia Carrier in 2019). Since that time, many have wondered whether OFSI would pursue high-value cases like its better-known American cousin, the Office of Foreign Assets Control (OFAC). While the Standard Chartered case is only one point of reference, and its scope and value still pale in comparison to many OFAC cases, it signals OFSI's arrival as a serious enforcement agency and the only one of its kind outside the US.

We know from the OFSI's annual reports that it has maintained a heavy caseload since it began its civil enforcement duties: further penalty announcements are surely in the pipeline. Financial institutions and corporates will therefore turn increased attention to UK sanctions enforcement. As many have not yet had direct interaction with OFSI, we share below some guidance drawn from official guidance and our own experience.

Our company is not based in the UK: does OFSI matter to us?

UK sanctions apply to any actions taken in the UK, regardless of where your company is based. If you conduct business in the UK, that business must comply with UK sanctions. UK nationals and UK companies must comply with UK sanctions, even when acting outside the UK and on behalf of a non-UK employer.

In fact, UK sanctions jurisdiction is very similar to US sanctions jurisdiction and is likewise broad. In its official guidance, OFSI has written that "a breach does not have to occur within UK borders for OFSI's authority to be engaged". Rather, there need only be a "connection to the UK", or "UK nexus".

Examples OFSI gives of a UK nexus include the actions of a UK company overseas, financial products or insurance purchased on UK markets, and transactions using clearing services in the UK (raising the possibility that sterling-denominated transactions involving non-UK parties will typically fall within UK jurisdiction).

OFSI also notes that the actions of non-UK subsidiaries of UK companies may create a UK nexus "based on governance". Unlike US sanctions, UK sanctions do not automatically apply to local subsidiaries. In practice, however, it may be difficult to demonstrate that a non-UK entity acts entirely independently of its UK parent.

OFSI also notes that the actions of non-UK subsidiaries of UK companies may create a UK nexus "based on governance".  Unlike US sanctions, UK sanctions do not automatically apply to local subsidiaries.  In practice, however, it may be difficult to demonstrate that a non-UK entity acts entirely independently of its UK parent.

We have been contacted by OFSI: do we need to answer?

This depends on who you are and where you are located. UK sanctions typically include provisions empowering OFSI to request information from "persons in or resident in" the UK. Failure to respond, or to respond in the time and manner instructed by the OFSI, is a criminal offence.

We are aware of instances in which OFSI has requested information from non-UK actors under these 'Paragraph 2' powers. Those requests have included questions about the actors' UK subsidiaries, presumably in an attempt to determine whether UK jurisdiction exists. Strictly speaking, non-UK actors may not be required to reply to OFSI's requests. If a non-UK company, however, is under investigation for violating UK sanctions, it may be well-advised to respond to OFSI's requests to present a rebuttal or case in mitigation.

We are also aware of OFSI making informal requests of companies to notify it when they become aware of UK sanctions violations generally. Such an obligation already exists for regulated entities, such as financial institutions, accountants and lawyers. Additionally, some EU sanctions regulations contain a general mandate to report information to competent authorities (in the UK, OFSI) that would "facilitate compliance" with sanctions, although failure to do so is not an offence in the UK (OFSI guidance states that failure to report may be an "aggravating factor" in penalty determinations). OFSI's Paragraph 2 powers do not include authority to create indefinite, proactive obligations on other entities, however. While a Paragraph 2 request can be broad and include a "continuing obligation", the regulations do not appear to empower OFSI to mandate reporting unrelated to the subject of an OFSI inquiry.

We will respond to OFSI: how should we do that?

The first thing to note is the return date. We have seen requests giving deadlines of between two and five weeks. Filing is by email. In our experience, OFSI has been forthcoming with extensions where requested (there should be a good reason for making such a request), but we recommend doing so as soon as possible and at least a week prior to the return date to ensure that OFSI has time to review and reply. Be sure that you understand the questions and information requests and ask for clarification if not.

Considering the questions in context rather than as an isolated request will enable you to respond in a way that is more useful to OFSI and more efficient and strategically effective for you. The best way to achieve that is to scope an adequate internal investigation. What is 'adequate' can vary greatly, but it normally should be somewhat broader than the set of facts you are currently aware of. If you find additional data of concern in that initial scope, you may need to broaden your inquiry somewhat. A phased approach is best: there is no need to 'boil the ocean' as a first step.

Remember that even though OFSI's enforcement powers are civil, sanctions violations can also result in criminal enforcement. Consider the importance of legal privilege and specialist advice. Carefully craft your legal arguments as to whether a violation has occurred and, if so, whose responsibility it is. This analysis may have legal implications for the individuals involved.

In our experience, OFSI is chiefly concerned with ensuring that any violations are not ongoing and that measures have been taken to prevent violations in the future. Explain to OFSI the scope of your investigation, present your findings, identify the root cause of any failings and explain what remedial actions have been taken and what improvements have since been made to your compliance programme.

Do not assume that OFSI understands your business: take time to provide explanations of complex corporate structures, sophisticated financial instruments, funds flows, shipping arrangements, new technology, non-UK legal and regulatory requirements, or any other aspect that is required to set the scene. This step is vital to preventing misunderstandings and to reducing the number of follow-up questions required.

Consider also what other parties may be involved in the matter. Are they likely to have been contacted already? Could they have voluntarily self-disclosed to OFSI, or are they regulated entities and required to report? What might OFSI already know?

What can we expect to happen next?

After you reply to OFSI's information requests, it may reply in a variety of ways.

The OFSI often sends multiple, successive information requests during an investigation. Typical follow-ups include questions that clarify matters of fact and test the thoroughness of the investigation, as well as questions about compliance measures, root causes, remedial actions and application of foreign laws.

If OFSI closes the investigation, it may do so by concluding that you did not violate UK sanctions. If it finds that a violation has occurred, OFSI may still close the investigation without a penalty, likely with an admonition to ensure compliance in the future. Or OFSI may close the matter without saying whether it believes a violation has occurred or not. OFSI may refer matters to sanctions regulators in other jurisdictions or to other UK regulators, such as the Financial Conduct Authority (FCA) or to HM Revenue & Customs (HMRC) for trade sanctions matters. Serious breaches may be referred to the National Crime Agency (NCA) for criminal investigation.

None of these responses takes place according to any statutory timetable. If, however, OFSI recommends a penalty, it will do so via letter, providing you with 28 days to make representations as to why a penalty should not be imposed, or why the recommended penalty should be reduced. OFSI then has a further 28 days to respond and you thereafter have a further 28 days to request that a government minister review OFSI's determination. This first level of appeal has been used in two of the four cases reported thus far, namely in Telia Carrier and Standard Chartered.

OFSI has not contacted us, but we are aware of a violation: should we voluntarily disclose? And how?

While there is generally no positive obligation to voluntarily disclose suspected violations to the OFSI, there are benefits to doing so, particularly for regulated entities which would benefit from a cooperative relationship with OFSI and the FCA or their sectoral regulator.

Voluntary self-disclosures also bring with them reduced monetary penalties: up to 50 percent or, for cases deemed 'most serious', up to 30 percent. Of the four civil cases announced by OFSI thus far, two involved voluntary disclosures, namely Standard Chartered and Raphaels Bank. In the latter case, the other penalised entity – Travelex – did not voluntarily disclose and received a fine twice that of Raphaels Bank.

OFSI expects voluntarily disclosures to be made early. Taking time to assess the nature and extent of the issue and to seek legal advice is reasonable, but if your investigation will take some time, OFSI recommends you make an initial partial disclosure, followed by a supplemental disclosure.

The disclosure itself should be approached in the same way as responding to an OFSI information request: based on an adequate investigation supported by specialist legal advisers, identification of root causes, and implementation of robust remedial measures. Disclosures should be made in good faith and be materially complete.

Originally published by Financer Worldwide on June 2020

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.