ECSH33370 - Checking customer due diligence: targets of UK sanctions regimes

All businesses carrying on business in the UK must comply with UK sanctions that are in force.

What are sanctions?

Sanctions are restrictive measures that can be put in place to fulfil a range of purposes. In the UK, these include complying with United Nations (UN) and other international obligations, supporting foreign policy and national security objectives, as well as maintaining international peace and security, and preventing terrorism.

You should be aware that there are different types of sanctions such as:

  • financial sanctions
  • trade sanctions
  • arms embargoes
  • travel bans

Some sanctions measures (such as asset freezes and travel bans) apply only to individuals, entities or ships which have been designated or specified by the UK Government, whereas other sanctions measures could apply to individual countries, jurisdictions or organisations such as government bodies, banks, and gas/oil producers.

Financial sanctions

The UK financial sanctions general guidance sets out the lists of those subject to financial sanctions maintained by the Office of Financial Sanctions Implementation (OFSI), which you will need to check when testing customer due diligence (CDD) measures. It also details what a business must do if it knows, or has reasonable grounds to suspect, that it is in possession or control of, or is otherwise dealing with, the funds or economic resources of a designated person which should form part of your background reading.

Financial sanctions which relate to a specific country or terrorist group are known as ‘regimes’. You can find financial sanctions imposed in the UK on a specific regime on GOV.UK.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

You should be aware that if a business routes its financing through countries outside of the UK, or carries out transactions in other currencies, it may need to also comply with sanctions imposed by other countries, and you may see references to this in the business’s policies, controls, and procedures (PCPs). For example, a money service business (MSB) money transmitter routing its transaction through the USA will be required to comply with sanctions applicable to the USA, as governed by the Office of Foreign Assets Control (OFAC). Whilst this may be necessary, it is important to establish whether the business complies with the relevant sanctions implemented by the UK.

Trade sanctions

Businesses must comply with trade sanctions, arms embargoes, and other trade restrictions.

If you are conducting a check to a business dealing in goods (such as high value dealers (HVDs) or art market participants (AMPs)), or who have customers who deal in goods, you must check whether any goods are subject to restrictions, and whether the business has taken this into account when carrying out its risk assessment. A business may have considered a customer operating in certain commodities as an “at risk industry”. If so, you will need to establish what additional measures the business has taken to mitigate this risk, such as enhanced due diligence.

Similarly, you should consider if the destination country for goods and services breach sanctions, by reviewing the list of countries shown on GOV.UK in the link above.

You should establish whether the business has risk assessed the possibility of its customers dealing in items listed under trade prohibitions, such as luxury goods and dual use goods. See GOV.UK for more guidance on this. You should conduct open-source checks to have an awareness of any emerging risks in media coverage.

You should also determine whether the business has considered the risks of trading with customers based in countries neighbouring sanctioned jurisdictions being used to circumvent trade restrictions. For example, you are assessing the compliance of a trust or company service provider who states it has a client who supplies electronic components and deals with China. You should establish whether the business has assessed the risks of proliferation financing and whether the components could end up in neighbouring North Korea in its risk assessment, as required by regulation 18A. For more guidance on this, see the ”relevant requirements” for Regulation 18A  

You should note that this could also be relevant for MSB money transmitters who carry out third party payments as part of the money transmission process.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)



Testing compliance

When conducting a check to a supervised business, you must confirm that the business has considered risk factors including potential customers and transactions involving individuals, entities, goods, and countries subject to sanctions, embargoes or similar measures. You should ask the business what information it uses when assessing these risks, for example has it subscribed to receive e-alerts from OFSI whenever a new notice is published. If it is not documented in the business’s risk assessment or the business has failed to consider this risk, you must discuss the requirements with the business and direct it to relevant guidance (see links above) so that it can identify and assess risks within the factors at regulation 18(2)(b).

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

False positives

Whilst conducting records testing, you may see that the business has found that the name of an individual or entity it is dealing with matches one or more entries on the sanctions list. This is known as a name match. However, it does not necessarily mean that the individual or entity it is dealing with is the same one as is on the list.

If the individual or entity it is dealing with matches all the information on the sanctions lists, this is likely to be a target match. If the business has satisfied itself that the person or entity is not the same as the one on the list, it does not need to take further action. This should be recorded, and you should see evidence of how it has satisfied itself, including any further controls in place, for example obtaining senior manager approval. These should be set out in the business’s PCPs, and you should check that these controls are working. If not, you need to discuss this with the business to establish what has gone wrong and why/how procedures have been bypassed.

Ongoing monitoring

You should establish whether the checks are done as a one-off when establishing a business relationship with the customer or carrying out an occasional transaction, or whether it forms part of the business’s ongoing monitoring.

Sanctions breach

If during your checks you find a business has breached a sanction, you will need to inform the business to contact OFSI immediately.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)