What the first three OFSI Settlements tell us about UK sanctions enforcement

TLT picks out the key points you shouldn't miss...

What's this about?

OFSI introduced its settlement regime on 9 February 2026. By 26 May 2026, three cases had already been resolved under it, the most recent being a penalty of just over £1 million imposed on Sabre Global Technologies Limited (SGTL) for breaches of the Russia (Sanctions) (EU Exit) Regulations 2019, including circumvention.

Three cases in under four months is not a slow start – it's a statement of intent.

Taken together, these early settlements give us the first real read on how OFSI is using its reformed enforcement toolkit in practice: how quickly it is moving, what conduct it is pursuing, what it expects of firms when things go wrong, and what the financial consequences look like even where firms cooperate and disclose voluntarily. The picture that emerges has clear implications for UK corporates and financial services firms.

Alongside this, recent OFSI/OFAC guidance reinforces that sanctions compliance is a strict liability regime with no safe harbour for getting it wrong, further increasing the importance of proactive controls.

For banks, payment firms and other UK corporates with international exposure, this is the clearest indication yet of how sanctions risk will be assessed in practice.

Our Partner and Head of Risk and Financial Crime, Ben Cooper, says...

"Three settlements in under four months tells you this is no longer a theoretical regime - it’s operational enforcement. What matters now is not just whether a breach occurs, but how quickly and credibly a firm reacts. Firms need to know today how they would identify, investigate and report a sanctions issue tomorrow, because OFSI will expect them to get that right."

What the first three settlements tell us...

1. Settlement is now mainstream and OFSI is using it quickly and in serious cases

The pace of the early settlements should put to rest any assumption that the new regime would be used cautiously or reserved for straightforward cases. OFSI has moved quickly, and it has moved on cases that are genuinely complex, including cases involving circumvention and penalty values exceeding £1 million.

The mechanics of the settlement scheme are worth understanding. Firms that agree to settle receive a 20% discount on the penalty and the opportunity to input into the published case summary. In return, they waive rights to ministerial review and appeal. OFSI has been clear that it considers early settlement to be in the public interest. But settlement is a tool for efficient enforcement of serious cases, not a mechanism for reducing the stakes. This consistency across the first three settlements suggests this will be OFSI’s default route for resolving enforcement cases going forward.

2. OFSI will pursue circumvention and an unsuccessful attempt is still a breach

One of the most significant signals from the SGTL case is OFSI's approach to circumvention. The firm did not successfully receive the funds it was seeking through an alternative channel, but OFSI found a circumvention breach nonetheless. The attempt was enough.

This is important beyond the specific facts of SGTL. It tells us that OFSI will look at the intent and structure of a firm's conduct, not just its outcome. Exploring workarounds after a bank has blocked a payment, however commercially motivated and however unsuccessful, is treated as among the most serious aggravating factors OFSI can identify.

This aligns with signals from the other early settlements that OFSI is focusing on conduct that seeks to work around restrictions, not just technical breaches.

3. Governance and control failures are consistently aggravating

Across the early settlements, OFSI has consistently looked beyond the breach itself to the systems and culture that allowed it to occur and to persist. Unclear internal ownership, gaps in senior oversight, policies calibrated to a different jurisdiction's sanctions regime, and screening tools that fail to route alerts to the right people have all featured as aggravating factors.

The consistent message is that OFSI expects firms to have controls that are genuinely fit for purpose in a UK context: not inherited from a US parent, not generic, and not theoretical. Where controls fail in practice, that failure will count against the firm. These themes are not isolated to SGTL – they recur across the early settlements and are being treated consistently as aggravating.

4. Cooperation and voluntary disclosure help, but do not prevent a material penalty in serious cases

Each of the early settlements has involved voluntary disclosure and cooperation as mitigating factors. The SGTL case resulted in a 20% discount being applied. That discount is real – but so is the penalty that remained after it was applied.

OFSI’s enforcement and monetary penalties guidance (as updated following its recent reforms) caps voluntary disclosure and cooperation reductions at 30%. The early settlements confirm the practical consequence: cooperation is valued and it reduces exposure, but it does not neutralise a serious penalty where conduct has been classified at the highest level. Voluntary disclosure is not a substitute for having adequate controls in place; it is what firms should do when those controls have failed.

The quality of disclosure also matters. An early but incomplete report, one that does not set out the full circumstances, fact pattern, or cause of the breach, will not attract full credit, and firms that fail to follow up proactively once they have indicated they will do so risk losing the benefit of the disclosure altogether.

5. What the firm does once the issue arises is at least as important as the breach itself

This is the thread that runs through all three early cases and, in our view, the most important signal to emerge from the new regime.

OFSI is assessing firms not just on whether a breach occurred, but on:

  • when the firm first had reason to identify a potential issue;
  • what steps it took, or failed to take, once those warning signs appeared;
  • whether it stopped, escalated internally, and investigated promptly;
  • whether it considered applying for a licence where one was available; and
  • whether and when it reported to OFSI, and the completeness of that report.

The firms that score well on these questions will be in a materially better position than those that cannot demonstrate a structured, timely, and credible response. OFSI's reformed case assessment matrix, introduced alongside the settlement regime, captures each of these factors in detail and prices them accordingly.

This increasingly forensic approach to assessing firm conduct is also being reinforced by closer international coordination. OFSI’s enhanced partnership with OFAC is designed to support greater information sharing and alignment between the UK and US regimes. For firms operating across borders, this is likely to translate into more joined-up enforcement, greater visibility of issues across jurisdictions, and increased scrutiny of how firms respond to potential breaches.

What this means for UK corporates, particularly in financial services

The first three settlements are not just case studies. They are a preview of how reformed UK sanctions enforcement will operate at scale. There are four clear takeaways:

  • Sanctions risk is now being tested in enforcement, not just theory. The pace and seriousness of the early cases should remove any remaining assumption that OFSI enforcement is slow, rare, or reserved for extreme conduct. Firms operating in sectors with international supply chains, counterparty networks, or payment flows need to treat sanctions exposure as a live enforcement risk. This is further amplified by increasing coordination between OFSI and OFAC, raising the likelihood of cross-border visibility and enforcement action.
  • The legal framework reinforces the need for proactive compliance. Both the UK and US regimes now operate on a strict liability basis, meaning firms can face penalties even where they did not know they were in breach. There is no safe harbour for inadvertent breaches. In the UK, the absence of any limitation period further increases exposure, meaning historic issues can still be investigated and enforced.

Taken together with the early settlements, this creates a clear expectation: firms must be able to evidence that their controls are designed, implemented and operating effectively — and that they are actively monitoring for potential breaches, not simply reacting once an issue becomes visible.

  • Firms will be judged on how their controls perform when it matters. OFSI's case assessment matrix evaluates the adequacy of systems and controls as a discrete conduct factor. A policy that looks robust on paper but fails operationally (because it does not route alerts correctly, does not assign clear ownership, or is not calibrated to the UK regime) is an aggravating factor, not a neutral one.
  • What the firm does once the issue arises is critical. The early cases consistently show that OFSI scrutinises the firm's response to warning signs as closely as it scrutinises the breach itself. Stopping promptly, escalating internally, investigating thoroughly, considering licensing, and reporting to OFSI in a timely and complete way are each assessed, and each can move a case meaningfully in either direction.
  • Investigation and self-reporting capability is now a compliance essential. Firms need three things in place before an issue arises, not after: a clear mechanism to identify potential breaches early; a structured internal investigation capability, with legal privilege considered from the outset; and a credible, well-managed self-reporting strategy that allows them to engage with OFSI proactively and completely. The firms that have invested in this infrastructure will be fundamentally better placed. Those that have not will find the costs of an OFSI investigation, both financial and reputational, significantly higher than they need to be. This is particularly important in a strict liability environment, where the absence of knowledge is not a defence and the firm’s response to an issue becomes a primary driver of outcome. In practice, that means firms need defined escalation triggers, clear internal ownership, and a repeatable investigation process - before an issue arises, not after.

Firms that have not yet tested these capabilities against real-world scenarios should assume that now is the time to do so.

At a glance...

Publication link: OFSI Public Penalty Notice
Published date: 26 May 2026
Who has published it? Office of Financial Sanctions Implementation (OFSI), HM Treasury
Publication type: Enforcement notice / monetary penalty / settlement
Key dates: Settlement regime introduced: 9 February 2026. SGTL settlement agreed: 26 May 2026.
What's it relevant to: Sanctions, sanctions compliance, OFSI enforcement, financial crime, economic crime, Russia sanctions, circumvention, financial services regulatory, governance, voluntary disclosure, settlement regime, internal investigations, self-reporting
Sectors reviewed: Retail insurance; wholesale insurance; life insurance

Authors: Ben Cooper, Chantal Stroker and Ailbhe Redding

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2026. For more information see our terms & conditions.

Date published: 30 Jun 2026
