SRA guidance on the UK sanctions regime
By Jessica Clay
Jessica Clay and Lucinda Soon examine the SRA's expectations on complying with the UK sanctions regime
The Solicitors Regulation Authority (SRA) has published guidance explaining its expectations on individuals and firms in respect of the UK’s sanctions regime. It applies to all firms given they are subject to the sanctions regime, regardless of the types of services they offer. That said, the guidance is primarily focused on the UK financial sanctions regime, which aims to prevent the flow of money to and from designated persons and is rooted in several pieces of legislation made under the Sanctions and Anti-Money Laundering Act 2018.
It seems that the risk for firms in relation to the UK sanctions regime is as follows: unwittingly providing services or funds to a designated person; breaching the legislation in any other way; and ensuring they fulfil their associated reporting obligations. What follows are some of the key takeaways from the SRA-issued guidance, which is itself detailed and comprehensive. We would still encourage firms to consider the guidance in full, particularly in light of the fact that, if a firm does not follow it, the SRA may consider it an aggravating factor in any enforcement action it takes if the firm breaches the sanctions regime.
Office of Financial Sanctions Implementation
HM Treasury implements and enforces financial sanctions in the UK through the Office of Financial Sanctions Implementation (OFSI). In addition to monitoring compliance and assessing suspected breaches of the financial sanctions regime, it produces guidance to help firms comply with their obligations. In specific circumstances, OFSI can also issue licences to allow for an activity that would otherwise be prohibited by financial sanctions regulations.
OFSI's legal fees general licence
Law firms and their employees must not undertake paid work for a designated person unless OFSI has granted them a licence to do so, or they are doing this under the terms of a general licence. On 28 October 2022, OFSI introduced the Legal Fees General Licence, which allows fees to be paid for legal advice to designated persons within certain limits and under certain conditions. The licence is limited in scope to providing legal advice and will expire on 28 April 2023 at which point it may, or may not, be renewed.
The devil is in the detail
Under the Legal Fees General Licence, if a law firm was already acting for a client when they became a designated person, the firm can receive payment owed in accordance with an obligation which was entered into by the designated person prior to their designation. If a firm intends to act for a client who is already designated, the general licence sets out specific maximum hourly rates for fee earners and counsel. In both scenarios, the global figure of fees, expenses (ie disbursements), counsel’s fees and VAT must not exceed a cap of £500,000, though in certain circumstances, the caps may be combined.
Expenses (ie disbursements) must also not exceed five per cent of the total cost of fees and counsel’s fees or £25,000, whichever is the lower amount. Any fees must be paid into a UK-based bank account and the firm must report to OFSI within seven days of the conclusion of the work, or by 5 May 2023. This report must contain certain information about the basis on which the legal services were provided. Firms must also retain accurate, complete and readable records about the activities under the Legal Fees General Licence for six years from the conclusion of the legal services provided.
What controls are firms expected to have in place?
Firms should understand who its clients are, who they are owned/controlled by, and be able to identify who the counterparties are and any third parties providing funding. If counterparties and third parties are designated persons, or are owned or controlled by designated persons, the funds they introduce into a transaction may need to be frozen.
Sanctions compliance and complying with anti-money laundering (AML) regulations are often mentioned in the same breath and the same individuals in a firm may have responsibility for ensuring compliance with both regimes. However, there are key differences between the sanctions and AML regimes. The SRA guidance includes a helpful comparison table of the two regimes. Some key differences include:
- a firm fulfils the mandatory legislative requirements under the AML regulations and follows the SRA guidance, and its approach to AML is appropriately risk-based, a firm may be able to avoid legal liability even if money laundering has occurred. In contrast, there is strict liability on behalf of a firm for complying with the UK sanctions regime.
- In defined instances, a firm may outsource customer due diligence (CDD) measures for AML purposes to a third party, as long as certain conditions are met and the firm remains liable for any failures to apply such measures. In contrast, firms are strictly prohibited from outsourcing their liability for complying with the sanctions requirement to a third party and cannot rely on a report by, for example, an e-verification provider.
- Whereas AML beneficial ownership is triggered where an individual owns (directly or indirectly) 25 per cent or more of the shares of a body corporate under the money laundering regulations, the shareholding trigger in the UK sanctions regime is set at 50 per cent share ownership, though an individual may have or exert control independent of their shareholding and firms are required to establish control as part of their due diligence.
Critical controls
CDD measures are emphasised in the guidance as being a critical control which firms are expected to have in place. It is not enough to rely on a client’s word as regards their identity, without further checks being carried out. Firms are expected to do these checks themselves and are not allowed to rely on reports of assurance generated by third parties. At the very minimum, firms should check the identities of clients (and for non-natural persons, establish who has control over the entity or at least a 50 per cent stake) and counterparties against the UK consolidated sanctions list. This can be done either:
- Using a digital screening tool to check against the list. The SRA will expect firms to show they have considered testing any new systems before implementation and on a relatively regular basis, for example, by running known or newly added designated persons through the tool. If such a tool is used, the SRA will expect the firm to have considered (and recorded their consideration of) the following:
- The frequency with which the tool pulls databases, for example, the consolidated list – a low frequency (anything less than daily) creates a risk the information used to screen is out of date;
- Whether the tool covers all jurisdictions to which you have exposure and how frequently it updates from these lists;
- The way in which the tool deals with names that have multiple spellings or may have been translated from a non-Roman script (for example Chinese or Russian scripts); and
- Where the tool facilitates a partial or ‘fuzzy’ match capability, firms should seek to understand the confidence level the tool uses when seeking a match and, if adjustable, you should consider what the right level is for your clients based on your identified sanctions risk.
- Using the screening platform which OFSI offers for free – this is an official screening platform, which is able to apply 'fuzzy logic’, ie it can find a partial as well as an exact match. This can be important where individuals may have multiple components to their name, alternative spellings or alternative names/aliases.
As well as checking names against the sanctions list, firms will be expected to consider the more challenging questions of ‘how’ and ‘why’ in relation to the matter, which may reveal a designated person is exercising control over the individual or entity that is the client or the transaction counterparty. Firms must not accept money from a client until due diligence has been thoroughly completed.
An effective sanctions system
Some examples of features of an effective sanctions system within a firm include:
- An assessment of the sanctions risks to which the firm may be exposed, for example, which work areas or client groups are most likely to result in a sanctions breach and how can the firm mitigate these risks and what is the firm’s exposure to other jurisdictions.
- A written and implemented set of policies, controls and procedures to identify all clients and counterparties, and to verify their identities using independent materials (for example, passports or other equivalent documentation). Where the client is not a natural person, this applies to ultimate beneficial owners of the client or individuals exerting ultimate control of the entity.
- A record of the firm’s assessment of sanctions risk for each client and/or matter which identifies any indicators of higher sanctions risk. This should determine how much work will need to be done to assess and verify the background of the client including appropriate checks as to where they have derived their wealth and relevant jurisdictions.
- A documented and implemented policy and procedure to monitor clients on an ongoing basis to ensure their sanctions status has not changed after they were originally screened, for example, after changes to the sanctions list, or after a significant period of time has passed, such as a year.
- Training on the sanctions regime and related internal compliance procedures for relevant staff including subscribing to the alerts OFSI issues on changes to the regime.
- Regular reports to senior management on the sanctions risks and performance of the controls in the firm including making sure senior management take decisions about work involving designated persons.
- A form of regular (for example annual) independent (whether internal or external) audit of the firm’s compliance regime. This should include reviews of the firm’s risk assessment, policies, controls, procedures and training with the results and recommendations reported to senior management and then acted upon.
- Specific controls and protocols on what to do if you identify a designated person or likely designated person to make sure correct reporting to OFSI, freezing of any client assets held and placing a halt on taking any payment from them occurs.
Other helpful controls include:
- Having a process whereby there is direct sign-off by senior management to onboard higher risk clients or matters. This should be accompanied by increased monitoring of these clients and matters throughout the life of the work.
- Adding appropriate high-risk flags to the firm’s case management system, so the higher risk is visible to all that work at the firm.
What should the firm do if an existing client is sanctioned?
If a client becomes a designated person before it is possible to terminate the retainer, and the ongoing work is not covered by a general licence, the firm is expected to:
- Make a report to OFSI that it has a client who is a designated person. The firm should also consider making the SRA aware regardless of whether this relates to any reportable conduct, so the SRA has a record of what has happened and why, in case of any future queries or concerns.
- Put a freeze on paid work done for the designated person and communicate clearly to them the reason why. Non-paid work may be able to continue, as long as it does not circumvent the sanctions regime, for example, facilitating transactions would likely involve circumvention, but advice about a matter of family law that does not involve a transfer of funds or settlement monies would be less likely to.
- Take steps to ensure the firm will not make any transfers of their client funds, for example, confirm this with the firm’s compliance officer for finance and administration (COFA) and communicate to all staff and ensure unauthorised staff cannot unblock access to frozen accounts/assets.
- If the client already has the firm’s client account details, communicate clearly to them that they should not send any funds until further notice.
- Engage with the firm’s bank and insurers to see whether they will continue to provide services in this instance.
- Consider the risk of continuing the firm’s relationship with the client, for example, reputational and regulatory risk as well as the risk your firm may ultimately not be paid for work done (without a licence from OFSI and willing participation by your bank).
After following these steps, a firm can consider whether it wishes to (or is able to) request either guidance from OFSI as to how to proceed or a specific licence to act for the designated person from OFSI.
There is no ‘tipping off’, unlike in relation to AML under the Proceeds of Crime Act 2002, so the firm can explain to the client why it is taking these steps, or while it seeks a specific licence to continue to act.
Where a firm does not have a licence to continue to act for the designated person, it must not act for them in any way that might circumvent the sanctions regime or accept payment for work done.
If the firm is owed payment by a designated person and does not have or does not expect to receive a licence, the firm should avoid writing off the money owed as this may amount to providing a financial advantage to the designated person. To write off nonpayment as a bad or uncollectable debt would likely require a licence from OFSI.
Is there a duty to report to the SRA as well as OFSI?
In addition to the usual reporting and notification obligations on individuals and firms under the SRA Standards and Regulations, the SRA expects firms to self-report to the SRA if they are self-reporting a breach to OFSI or if the firm is under investigation by OFSI.
Concluding remarks
The UK sanctions regime is complex and carries strict liability for non-compliance. Firms will need to take active steps to ensure their suite of policies align with the SRA guidance on the UK sanctions regimes and any further developments that arise in this space. At an entity level, immediate steps should be made to review the firm’s processes and controls and identify and implement any changes if necessary. Such a review should include processes the firm has in place for CDD, considerations in respect of digital screening tools, and steps that should be taken if a client becomes a designated person under the sanctions regime
Jessica Clay is a partner and Lucinda Soon is a professional support lawyer in the legal services regulatory team at Kingsley Napley LLP: kingsleynapley.co.uk