OFSI Encourages Self-Reporting of Sanctions Breaches

Blog WilmerHale W.I.R.E. UK

Companies faced with the decision of whether to voluntarily self-report sanctions breaches to law enforcement or sanctions enforcement agencies in the UK and the US can take some measure of comfort from recent comments made by the heads of OFSI (UK Office of Foreign Sanctions Implementation) and OFAC (US Department of the Treasury’s Office of Foreign Assets Control). According to those remarks, companies acting in good faith that self-report minor and unintentional sanctions breaches are unlikely to face enforcement action.

Speaking on 9 October, the heads of OFSI and OFAC effectively incentivised companies to make use of the UK and US self-reporting regimes. Giles Thomson, head of OFSI, said that OFSI is “not going to come after people with a sledgehammer who are seeking to do the right thing”, while OFAC Director Brad Smith said that OFAC “probably” would not enforce large penalties against companies that were acting in good faith, unless the circumstances involved “wilful, grossly negligent behaviour”. 

Since June 2022, OFSI has been able to enforce against companies breaching sanctions rules on a strict liability basis. Thomson’s statements suggest that in most self-reported cases, OFSI is unlikely to use its enforcement powers, noting that 95% of OFSI cases do not result in enforcement action. He indicated that even if OFSI finds that a breach of the rules has occurred, provided the breach is low-level and there are mitigating factors, OFSI will generally not pursue further action. 

What does this mean for companies?

Thomson’s comments cannot be relied on as official OFSI policy or guidance and have no legal status. However, they will be seized on by companies looking to better understand OFSI’s thinking when weighing the risk of enforcement action following a decision to self-report. It is helpful for companies and their advisors to hear directly from OFSI that it generally does not intend to enforce against companies that self-report minor breaches of sanctions rules where they have acted in good faith and the breaches were unintentional. It is also helpful to understand that OFSI will reserve its enforcement powers for cases involving deliberate and/or serious breaches of sanctions rules. Companies can take some comfort in knowing that if they self-report accidental and minor sanctions breaches to OFSI in these circumstances, they are unlikely to face enforcement action.

OFSI’s encouragement to self-report is consistent with recent UK Financial Conduct Authority (FCA) guidance, which sets out its expectation that regulated firms will make timely and accurate reports regarding potential sanctions breaches.1  The FCA views negatively firms that take “weeks or even months” to notify the FCA of sanctions breaches, as they undermine the FCA’s ability to understand firms’ systems and controls issues and to establish whether the issues were properly remediated.

Outside the sanctions context, it is interesting to note that while the UK Serious Fraud Office wants companies to voluntarily self-report matters involving fraud and corruption, it does not offer any equivalent comfort or reassurance to companies that they will not be prosecuted for low-level impropriety.

OFSI’s enforcement record

OFSI has pursued a total of nine enforcement actions since 2019, and most of the penalties imposed have been relatively low. Voluntary self-reports were made by the relevant companies in five of the nine cases. Considering the breadth of the UK’s sanctions regime, the number of companies affected, OFSI’s small team and its limited enforcement record, Thomson’s suggestion that OFSI is not prioritising minor and unintentional breaches of sanctions rules is perhaps unsurprising.

The single largest financial penalty imposed by OFSI to date was £20 million against a financial institution in 2020, for making funds available to a designated person. In that case, the financial institution self-reported and was deemed to have acted in good faith and to have breached sanctions rules unintentionally. However, because of the seriousness of the breach, OFSI pursued enforcement action and imposed a fine, emphasising that OFSI’s encouragement to self-report to avoid enforcement action is limited to companies reporting minor breaches. Serious albeit unintentional breaches are likely to result in enforcement action, notwithstanding their being brought to OFSI’s attention voluntarily. 

July 2023 US “Tri-Seal” Compliance Note on Voluntary Self-Disclosures (VSD)

These recent statements by OFSI and OFAC follow the issuance in July 2023 of a compliance Note by the US Departments of Commerce, Treasury, and Justice setting forth each department’s policy on VSD of potential sanctions and/or export control violations.2  The Note describes the Department of Justice’s (DOJ) updated VSD policy covering potential criminal violations of US export control and sanctions laws as a means “for a company to reduce—and, in some cases, avoid altogether—the potential for criminal liability.” Such VSD must be made “within a reasonably prompt time”, and disclosures made to other regulatory agencies do not qualify for the DOJ’s new policy. The Note also reaffirms the Commerce and Treasury departments’ long-standing policies of considering VSD as a mitigating factor when determining enforcement action, potentially resulting in a significant reduction in penalty if an enforcement action is pursued.

In recent years, the UK and the US have attempted to harmonise their respective sanctions regimes, including applicable prohibitions and compliance guidance. A key distinction, however, has been that the US has had a more robust and active enforcement record, including with respect to policies involving VSD. The OFSI statement narrows the gap between US and UK sanctions regimes with respect to enforcement and reflects greater harmonisation between the regimes.


Deciding whether to voluntarily self-report a potential sanctions breach remains a complex, multifaceted and fact-sensitive judgement call. These recent coordinated comments by senior law enforcement officials in the UK and the US are nevertheless helpful and should be taken into account by companies with such exposure. 



