U.K. regulators, as well as regulators worldwide,  are taking a tough line on corporate crime.To guide fintechs on the current landscape, Jonathan Benson joins the latest episode of “Fintech Focus” to discuss trends and developments that we’re seeing for fintechs regarding sanctions compliance. 

Tune in to this conversation led by host Joseph Kamyar as they discuss recent cases and offer takeaways for fintechs that find themselves navigating several regulatory bodies, multiple jurisdictions and evolving regulatory priorities.

💡 Meet Your Host 💡

Name: Joseph Kamyar

Title: European Counsel, Corporate, Skadden

Specialty: “Fintech Focus” host and European counsel Joseph Kamyar advises on a wide variety of corporate transactions, including cross-border private mergers and acquisitions, fundraisings, joint ventures, corporate reorganizations and general corporate matters, with a particular focus on the financial services, technology and media sectors.

Connect: LinkedIn | Email

💡 Featured Guest 💡

Name: Jonathan Benson   

What he does: Based in London, Jonathan Benson is a counsel in Skadden’s White Collar Defense and Investigations Group. He has extensive experience advising on complex sanctions, national security, business compliance and trade-related matters.

Organization: Skadden

Words of wisdom: “Fintechs should also be alive to the new U.K. failure to prevent fraud defense, which we’re expecting to come into force early next year.”

Connect: LinkedIn | Email

Connect with Skadden

☑️ Follow us on X and LinkedIn.

☑️ Subscribe to Fintech Focus on Apple Podcasts, Spotify, or your favorite podcast app.

Fintech Focus is a podcast by Skadden, Arps, Slate, Meagher & Flom LLP, and Affiliates. This podcast is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This podcast is considered advertising under applicable state laws.

Welcome to Fintech Focus, Skadden's podcast for fintech industry professionals. The global regulatory and legal updates you need, start now.

Welcome to Fintech Focus with me, Joe Kamyar. On this episode we have one of our sanctions and business compliance experts joining us, Jonathan Benson. So, Jonathan, welcome to the podcast.

Thank you very much, Joe. It's great to be on.

Over the past few months we've seen some interesting developments in this space. Notably the financial conduct authority in the UK announcing a 29 million pound fine against one of our prominent London-based neobanks. That was in fact the first penalty levied by the FCA against the neobank in relation to AML and sanctions controls. Maybe before we jump into the detail in that particular case, it might be helpful, Jonathan, if, could you maybe start by giving us a flavor and a overview of the current sanctions landscape for fintechs?

Sure, Joe. So very obviously, for most consumer-facing UK fintechs, the UK's asset freezing sanctions will be the most critical. The UK currently targets thousands of companies and individuals across its 40 or so sanctions regimes. Since those sanctions flow down to entities owned or controlled by asset freeze targets and asset freeze targets seek to circumvent the sanctions, there can also be additional layers of risk to be contended with.

New asset freezing targets are also added pretty much daily at the moment by the UK government. Fintechs are also increasingly branching out into other areas of business such as trade finance. Now, trade finance can create additional complexity for UK fintechs as UK sanctions restrict the provision of financial services and funds in relation to numerous items destined for sanctioned jurisdictions. Of course there's a broader canvas here as well. Fintechs will also need to consider the sanctions of other jurisdictions too.

So for fintechs whose business touches the EU, they'll need to consider EU sanctions as they apply to any business conducted in whole or in part within the union. The UK and the EU sanctions do overlap to some considerable degree, but they're not identical and they do need to be considered separately. Of course, all fintechs will need to consider US sanctions compliance issues due to the very broad reach of US sanctions. Even where a fintechs business has no US nexus, it will still need to consider the potential impact of so-called US secondary sanctions.

Plus in recent years, post February '22 in particular, sanctions regimes have proliferated globally with jurisdictions including Switzerland, Canada, Australia, and others becoming actively sanctioning jurisdictions. In relation to all of the regimes that I've touched upon, even if a particular transaction doesn't fall within their jurisdictional scope per se, care does still need to be taken as nationals of the relevant countries may need to be recused from involvement to avoid personal liability. So all in all, sanctions compliance is now a pretty complex and dynamic picture.

Yeah. So I mean, as you say, it sounds like there's a pretty significant patchwork of sanctions regulations for fintechs to work through on a global level. So I guess turning back to the FCA enforcement action that I mentioned at the start, can you just walk us through what specifically went wrong for the neobank in question?

Sure. I'll just touch on some of the key points. According to the FCA, there were a number of lapses in the bank's sanctioned related controls, including that the bank was only screening customers against entries on relevant sanctions lists, which corresponded to individuals who were known to reside in or have links to the UK contrary to its own sanctions policy.

The bank's automated customer streaming system had been misconfigured, which resulted in customers or prospective customers only being screened against a portion of the entries on the UK's consolidated list. At least one account was open for a designated person as a result.

The bank hadn't undertaken a sufficient risk assessment. There was a need to update and enhance relevant policies and procedures. There was no formal methodology or mechanism for testing and calibration of the bank's financial sanction screening system. Screening only took place every 14 days, which is a pretty high number in this context. There was no operational management information relating to financial sanctions and payments that were subject to screening was screened using a tool design for customer rather than payment screening.

So in totality, the FCA's view was that these failures amounted to a breach, a principle of three. The firm had failed to take reasonable care to organize and control its systems and controls for managing the risk of financial crime in connection of course, in particular with financial sanctions responsibly and effectively.

So I think interestingly in the FCA's press release on this case, one of the first things they refer to is the neobank's rapid growth and accumulation of millions of clients over a relatively short period of time. One of the themes we've been discussing over the past few months on this podcast has been around that theme of the risks associated with rapid growth, which lots of successful fintechs experience. Particularly where significant scaling of front office teams along with customers and transaction volumes isn't necessarily matched with proportionate levels of growth and perhaps investment in back office functions such as legal, risk, compliance and so on. So to what extent do you think this is on the minds of regulators and influencing how they approach the sector?

I think it's firmly in the mind of regulators, but ultimately the FCA's enforcement action is a stark reminder that compliance-related systems and controls have to keep in line with the business and its growth. This is obviously particularly a focus for the sector as it has been on notice since the FCA's 2022 review that financial crime compliance is an area of focus.

So are there any other key takeaways from the latest regulatory enforcement action that we've seen?

Yeah, there are. So the FCA's notice highlights that despite having policies that require customer screening against UK, EU, UN, and US sanctions lists, the bank in practice was only screening its customers against sanctions, records for individuals who were known to reside in or have ties to the UK. That meant that the bank was not screening records of individuals in other jurisdictions including the United States, even though the bank processed US dollar denominated payments.

Now, whether this gap in its controls led to a violation of US or other sanctions isn't apparent from the FCA notice, but the relevant US regulator, the US Treasury Department's Office of Foreign Asset Control has described the failure to maintain an effective customer screening framework as an aggravating factor in numerous enforcement actions in recent years. It's also noticeable that the FCA's ultimate investigation into the bank, which led to the fine, followed over three years of intensive interactions between the bank and the FCA, which could have led to a different outcome. This obviously is a reminder of the importance of swift and effective remediation once issues are identified.

A final point that I think it's worth making is that the bank had entered into a number of voluntarily accepted requirements with the FCA, which it breached. This was clearly an aggravating factor.

So in terms of the regulators that we've got in the UK for sanctions compliance, obviously in the financial services sector, as we've mentioned, we've got the UK Financial Conduct Authority, but then we also have the Office of Financial Sanctions and Implementation or OFSI as people refer to it. OFSI sits essentially as a department within the Treasury. So how are those two organizations working together and to what extent their roles differ or overlap? I guess are you seeing one regulator taking a more proactive stance with fintechs versus the other?

A great question, Joe. So as our listeners will no doubt know in this context, the FCA is responsible principally under FSMA for making rules in relations to the financial sector and supervising the conduct of regulated entities such as firms authorized or supervised by the FCA. It's therefore primarily focused on senior management arrangements and systems and controls.

By way of contrast, OFSI is responsible for the enforcement of financial sanctions and trade sanctions related to maritime transportation of certain oil and oil products. Importantly, OFSI can now enforce on a strict liability basis in terms of its civil enforcement powers. Its role therefore has a harder edge as it is concerned with the enforcement of actual violations of law.

In terms of the cooperation between the FCA and OFSI, they published a joint MOU in November of last year, which sets out the basis for their cooperation. It makes it clear that the two bodies will share information and cooperate where appropriate. Interestingly though OFSI has not separately enforced against the bank to date, remains to be seen whether an enforcement action will come forward. That doesn't seem likely at this stage.

Does this represent a difference in approach as between the FCA and OFSI in relation to fintechs though? I wouldn't say so. Last year, OFSI enforced against a different fintech using its relatively new name and shame powers. That enforcement action was widely recognized as being draconian as it related to a breach with a value of only 250 pounds.

Whilst OFSI didn't impose a fine, the reputation impact of the enforcement action was of course considerable and reportedly it may have also had significant operational and financial consequences for the fintech in question. So I think both regulators are taking a quite tough line here.

So stepping back slightly. When you've been advising fintechs on sanctions compliance, what are the biggest challenges you've seen facing fintechs? Are there any specific areas that you'd consider to be particularly high risk from a sanctions perspective?

Yeah, of course the issues do vary from client to client, but I would say that fintechs tend to struggle with the often overlapping but differing requirements imposed by the multiplicity of sanctions for regimes that they need to consider. That's obviously particularly in light of the fact that their compliance functions are often quite lean. Which means that they can struggle with the fast pace at which regulatory change is happening in this area, ensuring that the compliance framework, which is obviously absolutely key, keeps pace and senior management and the border of price of risks can be challenging.

KYC and identifying where enhanced due diligence is needed on customers and transactions and when reports to regulators have to be made can also be a tricky point. Now there are obviously some fintechs who also are involved in the cryptocurrency business and where their business involved crypto assets they face particular difficulties, as such assets can be used anonymously. It's widely reported that jurisdictions such as Russia and North Korea are seeking to use cryptocurrency as an alternative to fiat in order to evade sanctions. So the risk profile associated with those businesses can obviously be higher.

Got it. So I guess looking forward, what should people expect? I'm guessing you are going to say something along the lines of more regulatory expectations and more legislation to clamp down on economic crime.

Absolutely, yes. So sanctions compliance clearly remains very high on the agenda of the UK and other western governments and their associated regulators. Just by way of a couple of examples. In addition to the FCA's enforcement action against the bank that we've been discussing, in the last couple of weeks OFSI has announced that it's issued its first monetary penalty for a breach of UK financial sanctions imposed against Russia in February '22. The fine was relatively modest, but importantly, the underlying violations were not self-reported to OFSI showing how OFSI is taking a more proactive, intelligence-led enforcement stance.

Last week the UK also set up a new sanctions regulator, the Office of Trade Sanctions Implementation or OTSI. From the 10th of October, the UK's trade sanctions can be enforced on a strict liability basis. This development is obviously further evidence of the UK government's intention to crack down on sanctions violations. Fintechs should take note that they may also be subject to new reporting obligations under the regulations, setting out OTSI's powers.

Looking at the bigger picture, fintechs should also be alive to the new UK failure to promote fraud offense, which we're expecting to come into force early next year. Reforms late last year also reformed the UK's identification doctrine so that a broader range of employees can trigger corporate criminal liability.

Looking slightly further down the track, there's clear desire in the SFO to successfully prosecute or bring enforcement actions. There's talk about the SFO, for example, wanting to be able to pay whistleblowers as can happen in the states. So all of these developments signal that the UK is taking a tougher line on corporate crime.

Very good. Well, it looks like we've got some topics there to do deeper dives on in future episodes, but for now, Jonathan, thanks for joining the podcast.

Thank you, Joe. It's been a pleasure. If any of our listeners do have any questions, they should feel free to reach out.

Absolutely. Thanks to everyone for listening. See you next time.

Thank you for joining us on Fintech Focus. If you enjoyed this conversation, be sure to subscribe in your favorite podcast app so you don't miss any future conversations. Additional information about Skadden can be found at Skadden.com.