HM Treasury’s Office of Financial Sanctions Implementation (OFSI) has found that UK payment firm Wise allowed a designated person to make a £250 cash withdrawal in breach of Russian sanctions.
According to OFSI, on June 30, 2022, Wise allowed one of its customers to withdraw £250 cash from a Wise business account belonging to a company owned by a designated person.
The transaction was made using a debit card that was also held in the designated person’s name.
The person was designated on June 29, 2022, the day before the transaction. Wise voluntarily reported the issue to OFSI, the notice published on the government website shows.
OFSI said the breach was not serious enough to justify a penalty but it decided to publish a notice of the breach because it provides “important compliance lessons”.
Wise sanctions screening policy
The notice said that Wise screened all customer details, including the ultimate beneficial ownership of a business account, against OFSI’s list of sanctioned persons using a third-party sanctions data provider and its own in-house screening software.
In the event of a match, the system generated an alert and suspended the customer’s profile, preventing the customer from sending or receiving any funds from or to the account.
The freeze, however, did not apply to debit cards which remained active as long as the matches were resolved.
Wise told OFSI that it implemented this policy because of a high false positive rate for sanctions alerts and was intended to strike the right balance between its legal obligations to comply with financial sanctions and its regulatory requirement “to pay due regard to the interests of its customers and treat them fairly”.
Time matters
Wise’s third-party sanctions data provider updated the sanctions list at 00:59am on June 30, 14 hours after OFSI published its consolidated list.
Four hours later, at 4:20am, Wise’s systems raised an alert due to a possible name match and froze the account. This prevented any transfers but did not restrict the use of the debit card associated with that account.
The cash withdrawal took place three hours after that, at 7:25am.
But it was only the following day, on Friday July 1, that a Wise agent reviewed the match and escalated it to the sanctions specialist team, which confirmed it and blocked the card on Monday July 4.
Compliance lessons learnt
OFSI said that despite the low breach value, the case was “moderately severe overall” because Wise’s systems and controls regarding debit card payments were “inappropriate”.
A lack of resources at weekends to review sanctions alerts also led to a “material delay” in the proper restrictions being placed on a designated person’s debit card.
“This case demonstrates that firms should carefully consider what resourcing is appropriate to manage sanctions risk exposure,” the agency stressed.
“When a firm identifies a sanctions risk, it should take steps to fully address that risk by promptly restricting all forms of access to funds or economic resources,” the notice adds.
Firms should also maintain proportionate sanctions screening and alert review functions, including, for example, at weekends where they conduct business at such times.
At the same time, OFSI took into account the low value of the breach and said it acknowledges that Wise voluntarily reached out to the agency, made full disclosures and took steps to address these issues.
For instance, Wise ended the relationship with the designated person, hired additional staff and introduced weekend working hours for the specialist sanctions team. It also changed its policy so that debit cards are blocked immediately along with the account, pending review.
Wise's spokesperson told VIXIO the company "takes this matter very seriously".
"We remain committed to ensuring that our day-to-day operations are in compliance with all relevant regulatory requirements, and to working openly and collaboratively with our regulators," the spokesperson added.
This is the first time the office used its recently acquired disclosure power under the Economic Crime (Transparency and Enforcement) Act 2022.
OFSI could have decided to anonymise the publication but said revealing the name of the firm “was proportionate to the breach”.
“Through publishing details of breaches, this new enforcement tool will act as a form of censure and deterrent while also enabling compliance lessons to be available to other companies and individuals,” OFSI said in a statement.