OFSI Issues First-Ever ‘Disclosure’ Against Wise Payments for Sanctions Violation: A Case Study

On August 31, 2023, the UK’s Office of Financial Sanctions Implementation (OFSI) issued a “Disclosure” against Wise Payments Limited (Wise), a UK-based company regulated by the Financial Conduct Authority. This action was taken because Wise had violated Regulation 12 of The Russia (Sanctions) (EU Exit) Regulations 2019, specifically by making funds available to a company owned or controlled by a designated person (DP). Notably, this is the first instance of OFSI utilizing its authority to issue such a Disclosure since the Economic Crime (Transparency and Enforcement) Act came into effect on August 1, 2022. It also marks the first publicly known violation of these Regulations.

The breach occurred when a company employee made a £250 cash withdrawal on June 30, 2022, from a Wise business account using a company debit card in the DP’s name. The DP had been added to the UK Sanctions List on June 29, 2022.

At the time, Wise’s sanctions policy checked against the Consolidated List of sanctioned individuals and entities. If a potential match was detected, the customer’s profile would be suspended, preventing funds from being sent or received from the account. However, the use of debit cards associated with the account was not initially suspended due to a high rate of false positives, allowing access to funds. Wise eventually suspended the account linked to the DP on June 30, 2022, and escalated the potential sanctions match to its sanctions team on July 1, 2022. Unfortunately, the escalation wasn’t reviewed until after the weekend because Wise did not monitor weekends, resulting in a five-day delay before blocking the debit card.

OFSI categorized Wise’s breach as “moderately severe” and chose not to impose a civil monetary penalty. Instead, a Disclosure was considered an appropriate and proportionate enforcement response. OFSI has also updated its Monetary Penalty and Enforcement Guidance, providing further details on how it categorizes breaches into different severity levels: from “lesser severity” to “moderate severity” and “serious enough to justify a civil monetary penalty.”

In reaching its decision, OFSI considered several factors:

1. Wise’s systems and controls related to sanction risk management, specifically their policy of not restricting debit cards in cases of possible name matches with designated persons, were deemed inappropriate.
2. OFSI stressed the importance of having sufficient and suitable staff resources to manage sanctions risk exposure.
3. Wise voluntarily self-reported the breach on July 20, 2022, and cooperated fully with the investigation.
4. Wise took corrective actions to enhance its sanctions compliance process to prevent future breaches.

This incident underscores OFSI’s commitment to promoting corporate responsibility in preventing sanctions violations, regardless of their scale. The Disclosure report highlights the reputational consequences for the offending corporation, and the updated guidance illustrates OFSI’s use of disclosure powers for breaches of lesser severity when there are valuable compliance lessons to be learned. It also emphasizes the need for companies to promptly respond to sanctions changes and new designations, highlighting the importance of continuous monitoring systems.