Financial Conduct Authority sets out its expectations for sanctions systems and controls

The FCA's 28 May report summarises the findings from its assessment of the sanctions systems and controls of 150 UK financial services firms. The report clarifies the FCA's expectations, provides examples of good practice and highlights challenges around trade sanctions in particular.

This article highlights key points in the context of a sanctions and enforcement landscape which, in recent years, has been in a permanent state of flux.

A complex risk landscape

The FCA notes how significantly the UK sanctions regime has expanded since 2022.

For financial sanctions, the total value of frozen assets reported rose to £37bn in 2024-25, or 150% of the £24.4bn reported for 2023-24. Trade sanctions were also expanded to include a much wider range of prohibited services and restricted goods which, coupled with the introduction of a new monetary penalty regime and mandatory reporting to OTSI in October 2024, have moved the dial on both sides of the risk matrix, increasing the likelihood and impact of a breach for regulated firms.

Although the FCA acknowledged that many firms have made progress since its previous review in September 2023, it concludes that substantial gaps remain. The most common root causes of reported sanctions breaches were found to include:

  • weaknesses in customer due diligence;
  • ineffective transaction and name screening;
  • poor alert management;
  • compliance with general and specific licences; and
  • failures in handling frozen assets.

Implementing robust and effective systems and controls in an ever-changing sanctions and enforcement landscape clearly presents an ongoing challenge for financial services firms. However, the FCA considers that underreporting of breaches in the insurance and digital assets sectors may indicate less developed controls in firms that are inherently exposed to higher circumvention and sanctions evasion risk through shipping and other activities related to Russia's shadow fleet.

Key challenges for firms

The FCA distinguishes between the development of systems and controls for compliance with financial sanctions and for compliance with trade sanctions. It recognises that trade sanctions are more challenging for firms and require a greater range of controls to manage risk that is often not apparent from readily available information.

A key theme emerging from the report is around the practical limitations of screening systems. While list-based name screening and transaction monitoring are central to compliance with both financial and trade sanctions, the FCA considers that firms can over-rely on them without fully tailoring them to their risk profile or appreciating their inherent limitations. Complex ownership structures, intermediaries and indirect interests can obscure connections to designated persons, meaning that automated tools alone will not identify all exposure. For trade sanctions, screening and transaction monitoring cannot always detect where payments are made in connection with sanctioned activities by third parties (e.g. customers) where the relevant prohibition (e.g. provision of financial services) applies directly to the firm.

The FCA places significant emphasis on escalation processes and human judgment when using screening systems. Firms are expected to have robust procedures for investigating alerts, assessing complex scenarios and making risk-based decisions, informed by more holistic data analysis, thematic reviews and intelligence. This in turn requires strong governance frameworks, clear accountability, and staff who are appropriately trained on applicable sanctions regimes and their responsibilities.

The FCA appears to recognise the challenges around assessing the extent of ownership and control by designated persons in particular. While OFSI has recently closed its consultation to understand those challenges, it does not promise comprehensive legislative change.

Most firms will buy in some form of support or use third-party providers for diligence and risk ratings. Others may be a part of larger groups with tools and applications configured by a head office. The FCA has reminded UK firms that they remain responsible for their own compliance and must understand and be able to oversee effectively the operation of any outsourced systems or group-wide controls.

Prevent, detect and respond

Firms are being encouraged to assess and test the effectiveness of their systems, policies, and controls to ensure they are adequate to prevent, detect and respond to potential non-compliance with UK sanctions. The FCA's findings provide guidance as to how firms should consider what will be adequate.

The FCA also makes clear its expectation that firms will report suspected breaches in a timely manner, both to the FCA in line with the FCA's Principle 11 and to other authorities. The FCA's report suggests it considers that firms should not wait to discover what caused breaches before reporting, as that work can be done later to inform remediation. OFSI's February 2026 enforcement policy, however, allows for a 20% discount on a monetary penalty in exchange for a comprehensive, factual early account of the circumstances of the breach. While the FCA now has formal arrangements in place for sharing information with OFSI for financial sanctions and OTSI for trade sanctions, the expectations of what will be reported by firms, and when, do not neatly align. Firms will also need to consider mandatory reporting obligations, with potential criminal liability for failing to report breaches when under an obligation to do so.

In summary

The FCA's latest findings shed light on its expectations and give practical guidance on moving from well-designed systems and controls to effective frameworks to prevent, detect and respond to the risk of sanctions breaches.

Firms, regardless of their size, should consider:

  • undertaking 'as-is' assessments of their current sanctions risk exposure and frameworks;
  • investing in stronger and clearer governance structures / procedures to ensure risk-based decisions can be made at the right level with the necessary information; and
  • ensuring procedures are in place to recognise and respond to suspected breaches.

How can we help:

Our experts regularly:

  • Advise on sanctions exposure.
  • Conduct sanctions risk assessments.
  • Provide training on applicable sanctions regimes.
  • Advise on sanctions policies, procedures, systems and controls.
  • Provide advice on new business, products and suppliers.
  • Conduct investigations where breaches may have occurred to help firms understand root causes and implement remedial actions.
  • Advise clients on reporting obligations and associated money laundering considerations where breaches are suspected.
