OFSI imposes monetary penalty on fintech company for breach of financial sanctions

On 5 August 2021, the Office of Financial Sanctions Implementation ("OFSI") announced the imposition of a monetary penalty of £50,000 on TransferGo Limited ("TransferGo") in respect of a breach of the financial sanctions imposed in respect of the situation in Ukraine. This is the fifth time OFSI has used its power to impose civil penalties for breach of financial sanctions (granted under the Policing and Crime Act 2017 (the "PCA")). Although OFSI updated its guidance on the imposition of monetary penalties earlier this year, we understand this penalty to have been calculated on the basis of the previous version of the guidance (the "Monetary Penalties Guidance"), which continues to apply to the treatment of breaches reported to OFSI prior to 1 April 2021.

In this update, we set out the circumstances of the TransferGo penalty, and identify the potential lessons learned for other companies in respect of sanctions compliance.

OFSI imposed its penalty on TransferGo in respect of a breach of the Ukraine (European Union Financial Sanctions) (No. 2) Regulations 2014 (the "UK Regulations") – the pre-Brexit legislation through which the EU's sanctions in respect of the situation in Ukraine were criminalised. (The equivalent sanctions under the UK's post-Brexit sanctions regime are set out in the Russia (Sanctions) (EU Exit) Regulations 2019).

TransferGo is a UK company which carries out payment transfers. In 2018 and 2019, TransferGo issued instructions in respect of 16 transactions to make payments to accounts held at the Russian National Commercial Bank ("RNCB"). RNCB had been designated by the EU in 2014 in response to the situation in Crimea and was therefore subject to an asset freeze. OFSI determined that the payment instructions issued by TransferGo amounted to making funds available to a designated person, in breach of the UK Regulations. OFSI rejected TransferGo's assertion that the fact that the payments were destined for non-designated account holders at RNCB meant that the payments were not prohibited, stating that "funds held in bank accounts ultimately belong to those banks".

What can regulated firms, and other companies, take away from the latest OFSI penalty?

• OFSI will take action against companies even where the sums involved are relatively insubstantial; the transactions that were the subject of the TransferGo penalty resulted in a total of £7,764.77 being made available to RNCB. The PCA provides that the maximum penalty which may be imposed is the greater of £1 million or 50% of the estimated value of the funds or resources involved in the breach and the Monetary Penalties Guidance states that OFSI will determine what level of penalty is reasonable and proportionate within this maximum (with proportionate meaning that there is a clear relationship between the value of the proposed penalty and both the value of the breach and how seriously the breach undermined the sanctions regime). The Monetary Penalties Guidance also states that a high value breach is generally more likely to result in enforcement action but that enforcement action may also be justified in respect of lower-value breaches, for example if the action was a "calculated and deliberate flouting of sanctions". It is not clear from the penalty notice how this applies to TransferGo. One might assume that £7,000, although not insignificant, would be regarded as a lower value breach, but it does not appear that OFSI regarded the payments by TransferGo to be calculated or deliberate; rather the implication is that they arose from a failure to correctly interpret the company's obligations under the UK Regulations.
• Regulated firms may be expected to have a more sophisticated knowledge of financial sanctions. This is relevant because an offence is committed under the UK Regulations where a person knows or has reasonable cause to suspect that it is involved in a transaction with a designated person. OFSI's penalty notice refers to the fact that TransferGo is an FCA authorised payment institution and is also supervised by HMRC and describes the company as having demonstrated a "poor" understanding of financial sanctions throughout its engagement with OFSI.
• In its penalty notice, OFSI emphasised the importance it places on voluntary disclosure of breaches. No such disclosure was made in this case and OFSI became aware of some of the payments to RNCB via a report from a third party. OFSI's penalty notice states that TransferGo fell within the definition of "relevant institution" within the UK Regulations such that it was required to inform OFSI of any breaches of financial sanctions, although it did not do so.
• This case emphasises the importance of due diligence on all parties in a transaction, including banks, in particular checking all parties against the relevant sanctions list(s). TransferGo was processing payments between the accounts of non-designated persons but via a bank which was subject to an asset freeze.
• TransferGo sought a ministerial review of the penalty (as provided for in the PCA). This is the first such review where the amount of the penalty has remained unchanged. Two previous recipients of penalties have made use of this process, and in both cases the Minister concluded that the penalty should be reduced. TransferGo requested anonymity in the event that the penalty was upheld. The Minister considered that such anonymity would be contrary to the objectives of OFSI's sanctions enforcement regime and not in the public interest. None of the five monetary penalties issued to date has been anonymised so there is still limited guidance on when anonymity may be granted.