February 24th marked the first anniversary of Russia’s invasion of Ukraine. A humanitarian crisis impacting the lives and livelihood of millions, the conflict has also sent shockwaves across businesses and financial service firms. After a challenging few years, coming out the other end of the Covid-19 pandemic and now the cost-of-living crisis, it is fair to say that SMEs are feeling financially fragile.
The invasion and subsequent sanctions have brought new challenges to SMEs, particularly around compliance. The volume and velocity of sanction requirements are unprecedented for financial services firms, vendors in the space, and regulators overseeing the programmes.
How can SMEs successfully navigate the challenges, and as more sanctions technology comes to market; how to decide which best meets their needs?
In February 2023, the UK announced a sanctions ban on every item Russia uses on the battlefield. This included further measures on six companies supplying Russia’s military, in addition to eight individuals and one entity. The EU sent out a similar message with the Commission announcing a tenth package of sanctions against Russia worth €11bn.
For every new sanction imposed, SMEs must assess existing and any potential relationships that could impact compliance: they should also review all transactions and implement high-quality screening. SMEs will need to think hard about sanctions risk when considering new ventures – conduct a thorough assessment and determine whether and which controls are possible.
The cost of failure is potentially high: a hefty fine; criminal proceedings; and long-term consequences, like restrictions on trade; as well as damage to reputation.
We are seeing a huge rise in the enforcement of sanctions. For example, according to the Office for Financial Sanctions Implementation (OFSI), from 2021 to 2022, there were 147 potential financial sanction breaches being considered, an increase from 132 in the previous year. Following criticism by MPs about the lack of fines, in June 2022, the OFSI was empowered to impose a monetary penalty on a company or individual on a strict liability basis for a sanctions breach.
Does it matter if you are big or small?
There is no distinction between SMEs and larger organisations when it comes to sanctions compliance; both are the same legal obligation. However, not everyone is exposed to the same risks: SMEs not dealing with and selling products or services to Russia directly, for example, will be able to carry on business as usual, only being mindful when taking on new clients or work that sanctions could cover.
Regulators are more closely monitoring firms’ sanctions screening capabilities. Measures now apply that prohibit specified industries and services based in the US, EU and UK, for example, management consultancy and accounting, from engaging in Russia. As a result, a wider range of company types now have to perform sanctions screening, increasing their compliance risk.
SMEs may be expected to provide more information, including on beneficial ownership and control when seeking financial services. Furthermore, SMEs will need to certify any involvement in goods that may be used in Russia, Belarus or occupied Ukraine. It is possible for SMEs to continue trading with sanctioned persons or entities with a special licence. However, SMEs are expected to understand the scope and purpose of such licences and to have the technical knowledge to register exemption requests. Ultimately the onus remains on the business, no matter what size, to check OFSI guidance on this matter and on how and when to report a suspected sanctions breach.
Navigating regulatory change and how to choose the right reg tech
To help SMEs, the FCA has increased investment into its own resources, publishing thematic guidance on how small and mid-sized institutions manage sanction risk, as well as creating a wider team of experts on standby for questions and technical assistance. As such, there is a lot of free and useful information and tools to help SMEs stay on the right side of regulation.
There are also channels in place which are useful in activating efficient controls going forward. The Office of Financial Sanctions Implementation offers channels for firms uncertain about how and when to report sanctions risks. Additionally, other bodies, such as the UK Law Society, publish specific industry guidance on AML obligations for small firms.
The industry has also responded to these issues by providing a greater range of technology and products that are accessible at every price point.
However, more choice also makes it harder for SMEs to know which technology is right for them, particularly if they are new to the world of sanctions screening which many of them will be. Unlike bigger organisations, SMEs will not have the same access to market research and, as a result, will be shopping around what they see online.
Institutions with financial crime compliance obligations have a lot of technology choices, ranging from under £20,000 for an entry-level suite of tools to several millions for the most performant and sophisticated systems. However, it is important to remember that tools should be selected according to suitability to manage risk rather than on price alone.
When choosing a compliance provider, SMEs should first have a good understanding of their risk profile and the capability they need. While price is still a critical component, a compliance approach should not be driven by price over risk. A good starting point should be looking at the tools that the FCA has to offer, which will be hugely relevant and helpful to businesses when it comes to understanding their risk profile. From there, they can find a suitable provider that meets their compliance needs.
On the plus side, there is so much now available as a software service that the infrastructure requirements are minimal compared to what they used to be. Firms no longer need extra IT resources or particular hardware but rather just a good connection. IT experts should, however, look for a simple interface that can be used with minimal instruction.
Chrisol Correia is head of financial crime risk management at Facctum