FCA sanctions review: the regulator is becoming more proactive - and firms need controls that work in practice

The FCA’s sustained programme of assessments across more than 150 firms demonstrates that it is no longer simply observing market maturity, but actively defining what effective sanctions compliance looks like. Firms should expect these findings to be used as a benchmark in ongoing supervisory engagement.

Firms’ controls for financial sanctions are generally more developed than those for trade sanctions, with many struggling to identify exposure where relevant data sits outside standard screening frameworks. The FCA’s coordination with the Office of Trade Sanctions Implementation signals that trade sanctions risk is now firmly within scope.

Although some improvement has been observed, breach reporting remains slow, with many cases identified long after the underlying activity occurred and delays between identification and reporting remaining significant. Escalation processes are not always clearly embedded, increasing regulatory exposure.

Firms are required to report suspected breaches to Office of Financial Sanctions Implementation promptly, and expectations around timeliness, completeness and cooperation are increasing. This places greater emphasis on having controls that surface issues quickly enough to support effective escalation and reporting.

Common failings include weaknesses in due diligence, screening, alert handling, frozen asset controls and compliance with licence conditions. These are well-established risk areas, and firms should not assume repeat issues will be viewed sympathetically.

The FCA identified weaknesses in governance, including outdated policies and over-reliance on group structures or third parties without sufficient local oversight. Senior management engagement, clear accountability and meaningful MI are critical.

Screening systems often perform well for exact matches but are less effective when names vary. Firms should regularly test and validate their systems, rather than relying on assumed effectiveness.

Alert handling remains a weakness, with delays and errors driven by unclear procedures, insufficient training and weak oversight. Operational discipline is key to effective sanctions compliance.

Complex ownership structures and reliance on intermediaries or third parties continue to create risk. Firms must be able to evidence effective oversight and robust due diligence processes.

Some firms’ risk assessments are overly high-level or outdated. Sanctions risk should be clearly defined, current and capable of informing real operational decisions.

Failures to properly freeze assets or comply with licence conditions remain a recurring issue. Firms should ensure controls are clearly documented, well understood and regularly tested.

Sanctions compliance cannot rely solely on screening. Firms should consider broader tools, including data analysis and thematic reviews, to identify potential evasion.

While Russia remains the dominant focus, other regimes and thematic sanctions are increasing in relevance. Firms should ensure their frameworks reflect the full range of exposure.

• Do we have a current sanctions risk assessment covering financial and trade sanctions?
• Does it address evasion risk, ownership complexity and geographic exposure?
• Is sanctions risk clearly distinguished from broader financial crime risk?

• Have we independently tested our screening systems, including for non-exact and non-Latin matches?
• Are thresholds calibrated, documented and periodically reviewed?
• Is there clear ownership and oversight of screening performance?

• Are alerts reviewed and resolved within defined timeframes?
• Are procedures, training and quality assurance effective?
• Are potential matches escalated quickly enough to support timely freezes?

• Can potential breaches be identified promptly across the business?
• Are escalation and reporting triggers clearly defined?
• Can issues be investigated and reported without avoidable delay?

• Is there clear senior management accountability?
• Does management receive meaningful MI on sanctions risks and performance?
• Are weaknesses actively tracked and remediated?

• Can we identify ultimate ownership and control in complex structures?
• Are intermediary risks appropriately managed?
• Is third-party reliance supported by effective oversight?

• Are assets frozen promptly and restrictions maintained?
• Do systems prevent unauthorised movements of frozen funds?
• Are licence conditions clearly tracked and complied with?

• Have we identified where trade sanctions risk arises?
• Can we detect exposure beyond standard screening flows?
• Is responsibility for trade sanctions clearly defined?

• Do we use tools beyond screening where appropriate?
• Are evasion indicators embedded in policies and training?
• Can we demonstrate proactive investigation activity?

• Have we tested end-to-end processes from alert through to reporting?
• Do we run scenario testing or simulations?
• Can we demonstrate that controls work in practice under time pressure?