Colorcon Limited Receives Civil Monetary Penalty for Russia Sanctions Breaches

The UK Office of Financial Sanctions Implementation (“OFSI”) has published details of its thirteenth civil monetary penalty against Colorcon Limited, a UK registered company and provider of products for the pharmaceutical and nutrition industries (“Colorcon”).  The £152,750 penalty represents the fourth largest civil monetary penalty imposed by OFSI to date and was imposed in connection with payments made in 2022 by Colorcon’s Moscow representative office to accounts held by non-designated persons at several designated Russian banks.  Several useful pointers as to OFSI’s current enforcement approach and compliance expectations for businesses required to comply with UK sanctions can be discerned from the Colorcon case, which affected businesses should factor into their UK sanctions compliance efforts. 

The Breaches

At the time of the breaches, Colorcon operated a representative office in Moscow (the “Office”).  Between March and December 2022, 123 payments in Russian Rubles with a total value of £191,290.57 were made to pay the salaries and benefits (e.g., car and medical insurance) of the Office’s employees, as well as payments to service providers under various service contracts (e.g., the provision of bookkeeping, payroll, and other services).  While the employees and service providers that were beneficiaries of those payments were not UK designated persons, the payments were made to bank accounts held with various UK designated Russian banks. 

The payments were initiated by Colorcon’s Russian bookkeeper, with a copy of the payment instructions sent to Colorcon for authorization.  Colorcon’s authorized signatories were located in the UK.  The authorization provided by the Colorcon signatories did not involve a review of the sanctions status of the bank at which the accounts of the beneficiaries were held.

44 of the payments were permitted under General Licence INT/2022/2055384 (“Companies winding down operations in Russia”) (“GL”) at the time they were made, although Colorcon did not comply with the reporting requirements imposed by the GL in respect of those payments.  The remaining 79 payments with a collective value of £128,277.72, therefore, were made in breach of the prohibition on making funds available directly or indirectly to a UK designated person.  

OFSI opened an investigation into the payments on June 30, 2023, following Colorcon submitting an initial breach report to OFSI in April 2023 and a subsequent, fuller report in June 2023.

OFSI’s Assessment of the Case

When assessing the Colorcon case and determining the appropriate enforcement response, OFSI had regard to the case factors set out in the November 14, 2024, version of its Enforcement and Monetary Penalties Guidance.  OFSI assessed Colorcon’s breaches as “serious,” noting that it did not sufficiently manage its sanctions risks in respect of payments made to its own employees and service providers.

OFSI identified a number of aggravating features to the case, as follows:

• Value of the breach – the value of the breach was a collective value of £128,277.72, a significant amount;
• Risk of harm to objectives of sanctions regime – the risk of harm to the UK’s Russia sanctions regime was elevated because the payments were made directly to bank accounts held with designated Russian financial institutions;
• Intent – Colorcon was a global company with clear exposure to UK sanctions risk that had operated its Moscow office for more than 15 years at the time of the breach, and failed to take reasonable care.  Additionally, with respect to payments that occurred prior to the introduction of strict civil liability for sanctions breaches in June 2022, OFSI concluded that Colorcon had knowledge or reasonable cause to suspect that its actions would make funds available to UK designated persons;
• Knowledge of sanctions and compliance systems – Colorcon should have had a more developed awareness and understanding of financial sanctions and their relevance to its Russian operations having obtained legal advice from external counsel on sanctions compliance that predated Russia’s invasion of Ukraine and tasked internal teams with monitoring sanctions post-invasion.  Colorcon’s sanctions procedures were also assessed as insufficient because they did not consider or mitigate its sanctions risk exposure, including by addressing screening of the financial institutions with which its counterparties operated accounts;
• Licensing – Colorcon did not recognize (at the time of the payments) that the GL could be relied upon with respect to 44 payments or the importance of complying with the reporting conditions imposed by the GL (having failed to comply with them);
• Repetition or persistence of breaches – Colorcon’s failure to identify multiple payments to accounts held at designated banks over a nine month period involved repeated and persistent errors; and
• Reporting breaches – There was a four month delay between Colorcon becoming aware of the breaches and making an initial notification to OFSI, which OFSI classified as a lack of prompt disclosure because the circumstances of the breach were not complex and did not require extensive analysis, which resulted in a reduction of 15% to the voluntary disclosure discount OFSI granted Colorcon.

These factors were weighed against three mitigating factors.  First, the payments were made in relation to medical and humanitarian purposes.  Second, Colorcon voluntarily disclosed the breaches to OFSI, responded to OFSI’s requests for information in a timely manner, and fully cooperated with OFSI’s investigation.  Third, OFSI acknowledged that Colorcon’s decision to exit the Russian market in August 2022 demonstrated an awareness of the changing UK and EU sanctions landscape and a willingness to exit an area posing a heightened sanctions risk.

Key Takeaways

The Colorcon case offers a timely reminder that even routine payments can create sanctions exposure and underscores a number of important compliance lessons for businesses that are required to comply with UK sanctions:

1. Reliance on others’ sanctions controls is not sufficient.  Companies cannot rely solely on others such as banks to carry out sanctions checks on their behalf.  The legal responsibility for sanctions compliance remains with the company and the risk management activities of third parties should be understood, including by making proportionate inquiries.
2. Sanctions policies and processes must evolve and remain “fit for purpose”.  Companies should regularly review their sanctions controls and ensure that their reviews consider all aspects of the sanctions risks to which they are exposed (e.g., financial and trade sanctions).  As needed, sanctions policies and processes should also be enhanced to reflect the findings of these reviews.
3. General licences have strict limits. Companies must comply fully with the terms of general licences, including any reporting requirements, as non-compliance itself is an offence.  Issuance of a general licence does not mean that conduct undertaken following the expiry of the licence will not be treated as a serious sanctions breach by OFSI.
4. Timely disclosure of breaches is critical.  Voluntary disclosure is valued but must be prompt to qualify for maximum penalty discounts.  
5. UK sanctions apply extraterritorially.  UK incorporated companies and their representative/branch offices remain bound by UK sanctions obligations in respect of conduct anywhere in the world.

As OFSI continues to focus on enforcement and refine its expectations when assessing and determining how to resolve breaches of UK financial sanctions, affected companies should review the adequacy and ability of their risk assessments and sanctions compliance systems and controls to effectively identify and address the sanctions risks associated with their business activities.  For more information on these developments and their implications for companies, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Economic Sanctions team in London.