UK sanctions have become more complex in recent years. This report reviews financial firms’ controls, highlighting good and poor practices and areas for improvement to support better compliance with sanctions rules.
Over the past four years, the UK’s sanctions regimes have grown in scope and complexity. We recently assessed financial services firms’ systems and controls for financial and trade sanctions, and this report contains our findings. We include examples of good and poor practice, and areas for development, to help firms comply with sanctions legislation.
1. Who this applies to
This is relevant to all firms authorised or registered by us and is particularly targeted at money laundering reporting officers (MLROs), nominated officers and professionals working in financial crime compliance, as well as bodies subject to Office for Professional Body Anti-Money Laundering Supervision (OPBAS)[1] supervision.
2. Introduction
Sanctions form an important component of the UK’s foreign and national security framework. While the UK has maintained multiple sanctions regimes for many years, their use has increased markedly since 2022 in scale, breadth and speed, including against a major economy and across an expanded set of risks and designated actors.
Fighting financial crime is part of our 2025-2030 strategy[2]. We supervise firms to ensure their systems and controls reduce the risk of sanctions breaches, or evasion. In doing so, we work with partners such as the Office of Financial Sanctions Implementation (OFSI)[3], the Office of Trade Sanctions Implementation (OTSI)[4], as well as other stakeholders.
3. What we did
Since February 2022, we have proactively assessed the sanctions systems and controls of over 150 FCA-supervised firms across a range of financial services sectors. This has included systems and controls relating to financial sanctions, but also how firms comply with trade sanctions.
We have acted on firm-specific intelligence, including self-reporting by firms and reports on sanctions matters from firms subject to our financial crime reporting returns (REP-CRIM). Firms we supervise should report suspected breaches of financial and trade sanctions to us if they indicate weakness in their controls, alongside reporting suspected breaches to the relevant UK government bodies.
This report sets out our principal findings based on the work we have undertaken since our September 2023 report on firms’ responses to increased sanctions, including proactive and reactive casework and our analysis of data reported to us.
4. Sanctions risks for firms
Regulated firms remain exposed to sanctions risks via their business relationships and activities. We want those we regulate to have adequate systems, controls and oversight mechanisms to prevent, detect and respond to potential non-compliance with the UK financial and trade sanctions regimes.
Since February 2022, the number of UK designated persons subject to targeted financial sanctions has grown, and sectoral financial sanctions have increased as broader prohibitions on financial services, infrastructure access and activity-based financial support have been introduced.
The UK’s trade sanctions framework has also expanded. Prohibited activity has broadened beyond traditional military and dual-use goods to include prohibitions on the trade of a wider range of goods and technologies, alongside restrictions on services ancillary to this trade and standalone services. Particularly relevant for those we regulate are prohibitions on financial services and technical assistance related to restricted goods and technologies, as well as bans on certain ancillary services.
The total value of assets in the UK reported as frozen reflects the increase in sanctions exposure. In 2023-2024, this was £24.4bn and it rose to £37bn in 2024-2025.
5. Breach reporting
Although there were fewer reports of suspected sanctions breaches from FCA-supervised firms between 2023 and 2025, the figure remains substantial compared to pre-2022 levels. Most reported breaches relate to financial sanctions, with only a comparatively small proportion of breach reports submitted by firms relating to trade sanctions.
Based on our work, firms’ systems and controls for compliance with financial sanctions are more mature than those in place for trade sanctions compliance.
Our analysis of the suspected breach reports we have received since 2024 found that they are:
From Russia and beyond
Reports from firms continue to relate primarily to the Russian sanctions regime, but we also see reports relating to other geographical regimes including Libya and, increasingly, Iran and North Korea. We also note suspected thematic regime breaches focused on global anti-corruption, global human rights and counter-terrorism. These are useful reminders that sanctions risk is not always focused on particular geographical exposure.
From particular sectors
The majority of sanctions reporting is from firms in the payments, retail banking and wholesale financial markets sectors. There is more limited reporting from other sectors such as insurance and digital assets. Given continued attempts to evade sanctions from Russia’s shadow fleet and the reported use of cryptocurrencies in circumventing sanctions, we would expect more reporting from these sectors.
Across varied timeframes
Identifying and reporting suspected breaches is improving but is not always timely: 35% of breaches reported in 2025 related to activity that occurred prior to that year, an improvement from 48% in 2024. Additionally, from the available data, in 2025 the average time taken between a potential breach being identified and reported was 116 days, a slight improvement from 120 days in 2024.
Reports of suspected sanctions breaches also demonstrate that customers and counterparties of firms have engaged in a range of activities that risk causing sanctions breaches, including:
- Transferring funds out of accounts shortly after an individual or entity is sanctioned.
- Accessing financial services or economic resources through complex ownership chains, relatives, or close associates.
- Using third parties, intermediaries, or correspondent banks to obscure connections to a sanctioned person.
- Routing funds through cryptoasset or e-money wallets to conceal links to designated persons.
- Conducting cash withdrawals for onward movement to high-risk jurisdictions.
- Mis-declaring the nature or end use of goods in trade transactions.
- Providing falsified or incomplete trade documentation.
Firms should consider these, alongside guidance on common sanctions evasion techniques published by other authorities, when designing their systems and controls.
6. What we found
6.1. Key themes in breaches
The most common root causes of reported sanctions breaches were weaknesses in due diligence, alert management, transaction and name screening, as well as the management of frozen assets and compliance with specific and general licences.
Firms should focus on strengthening their control frameworks in these areas as they underpin many of the issues we observe.
We also noted the challenges FCA-supervised firms face in detecting and preventing specific breaches of trade sanctions, particularly for customers using open book financing or where maritime insurance policies cover vessels that transport a wide variety of goods across the globe.
The range of controls used for trade sanctions compliance was greater than that used for financial sanctions. Firms that had detected specific exposure to trade sanctions appear to have identified suspected breaches through proactive investigations and, in many cases, comprehensive internal watchlists.
6.2. Governance and oversight
Sanctions frameworks only work well if firms have strong governance and oversight. Firms should have clear ownership and accountability for compliance, and their senior management should oversee and provide informed decision-making, acting quickly to address weaknesses. Firms should also have robust contingency plans to deal with sudden events or system outages.
There was a mixed standard of governance, oversight and control frameworks among firms we observed. Some had outdated, inaccurate or inconsistent policies and procedures that didn’t reflect restrictions such as sectoral sanctions, or that focused overly on asset freezes alone.
Some firms relied heavily on group arrangements, screening vendors or third parties for sanctions compliance, with some failing to demonstrate adequate local oversight, governance and assurance over sanctions systems and controls.
Other firms demonstrated clear governance over sanctions risks by articulating their approach to accepting, managing and mitigating exposure, including in relation to specific sanctioned or higher risk jurisdictions. This was reflected across business risk assessments, jurisdictional risk assessments and sanctions policies, supporting coherent decision-making and oversight.
We also saw some firms adopt mandatory all-staff training packages for UK sanctions regimes. Some went further to tailor off-the-shelf training or develop bespoke programmes to reflect firm-specific sanctions risks, including trade and other sectoral sanctions, and gave role-specific training to teams working in higher-risk control areas.
These firms also maintained up-to-date governance documentation, provided timely updates on sanctions regulatory developments, included meaningful sanctions management information (MI) and key risk indicators in MLRO reporting, and made effective use of audit and assurance.
Examples of good practice
- Sanctions policies are kept up-to-date and provide staff with clear guidance on business relationships and activities that a firm will not undertake because of sanctions.
- MLRO reports that clearly assess sanctions regulatory developments relevant to the firm’s business model and exposure, with details of the firm’s responses and any outcomes.
- Role-specific sanctions training that aligns with internal processes, with teams in higher risk control areas receiving enhanced training.
- Firms using internal and external audits to gain assurance on sanctions policies and procedures, and that their control frameworks are effective.
Examples of poor practice
- Sanctions policies that don’t consider measures outside asset freezes, such as bans on investment, or don’t refer to other key sanctions restrictions (e.g. sectoral or trade measures).
- Firms relying on group entities to provide sanctions risk compliance services, with limited oversight of these services in policies and procedures.
Case study: A retail bank experienced a significant resilience issue when its external sanctions screening system became unavailable. Because it didn’t have effective contingency arrangements, the firm was unable to prevent or block transactions at the point of processing, resulting in thousands of payments queuing without being screened.
6.3. Management Information (MI)
Meaningful MI should allow senior management to understand sanctions exposure, emerging risks, control effectiveness and issues that need escalating or remediating.
Firms generally reported some sanctions-related MI to senior management. Tracking and reporting true matches and false positives arising from customer and transaction screening against the UK Sanctions List is also common practice. However, the quality and depth of sanctions MI varied.
We also saw firms with overseas branches failing to adequately reflect, in MI and reporting, the sanctions risks from business conducted through those branches.
Stronger MI included data and commentary on the nature and extent of inherent sanctions exposures, the operation of firms’ control structures and the crystallisation of any sanctions risks.
We noted a strong emphasis on financial sanctions within MI, with few firms routinely collecting, analysing or escalating data relating to exposure to trade or other sectoral sanctions.
Examples of good practice
- Firms collecting and monitoring data on customer exposure to high-risk jurisdictions and/or industries through regular MI.
- MI containing both quantitative and qualitative analysis to allow for understanding of inherent risks, controls and outcomes, and commentary on relevant trends.
Examples of poor practice
- Insufficient MI on overseas branches and offices to check their compliance with UK sanctions.
6.4. Risk assessments
Good sanctions risk assessments should guide how firms design and operate their systems and controls. Firms should assess their exposure to sanctions risks present among their customers, products and the jurisdictions they operate in, as well as the strength of the systems and controls they have in place to address them. This can help identify control gaps and support remediation.
However, from what we saw, firms’ sanctions risk identification and assessment varied in quality. Weaknesses included:
Incomplete or weak risk assessments
Although most firms had a business risk assessment or similar, some had no documented business risk assessment or equivalent customer, product or jurisdictional assessments in place. Others were out-of-date, methodologically unclear, or only superficially analysed sanctions risk.
Poor articulation of sanctions and proliferation financing risk
Sanctions risk was sometimes indistinct from broader Anti-Money Laundering, Counter-Terrorist Financing or financial crime risks, and proliferation financing risk sometimes received little or no consideration.
Unsupported risk conclusions
There were some instances where sanctions exposures or controls assessments were documented without explanation that would help assess risk.
Insufficiently granular analysis
Some product and service risk assessments weren’t detailed enough to assess sanctions risk across firms’ full product offerings, including potential misuse to circumvent trade sanctions.
Over-reliance on third party inputs
Jurisdictional risk assessments often relied heavily on third-party vendor-provided risk ratings, with limited internal challenge, and in some cases appeared inconsistent with FATF assessments or evolving sanctions evasion risks.
Gaps in coverage and integration
Firms did not always provide adequate assessment of their own sanctions systems and controls.
When assessing how firms were incorporating trade sanctions into risk assessments, we saw some explicitly assessing risks across their business models, customer bases and product offerings, rather than limiting it to trade finance activities alone.
Strong risk assessments drew on a wide range of qualitative and quantitative information relating to trade sanctions, including internal breach data, transaction and customer insights, product and jurisdictional assessments, and external guidance and typology reports. This helped firms assess inherent risk, residual risk, and control effectiveness.
Some good practice we saw involved firms developing detailed product and jurisdictional risk assessments, which considered how sanctions, including trade and sector-based measures, could be circumvented. Customer risk against multiple sanctions-related factors, including exposure to high-risk jurisdictions and proliferation financing, was also assessed. These provided a clearer, more comprehensive view of sanctions risk, supporting better oversight, particularly in complex areas such as trade sanctions.
Examples of good practice
- Business risk assessments clearly considering financial sanctions, trade sanctions and proliferation financing risks, assessing the components of the firm’s risk and the effectiveness of its systems and controls.
- Firms using business risk assessments effectively to find, prioritise and remediate sanctions control gaps, with clear ownership, documented actions and clear evidence that weaknesses identified through the business risk assessment are resolved.
Examples of poor practice
- Sanctions exposure or risk quantified without documented and supporting rationale.
6.5. Due diligence and ongoing monitoring
Robust customer due diligence (CDD) at onboarding and ongoing reviews can help firms identify sanctions risks and take actions throughout the customer lifecycle.
Some firms understood and assessed the sanctions risks posed by their customers. In others, initial screening and CDD at onboarding did not show that they’d properly considered how they would get a clear view of their sanctions exposure. Among those that had found higher sanctions risks, the use of enhanced due diligence (EDD) tools such as sanctions exposure questionnaires (SEQs) was inconsistent. In some cases, questions were outdated, did not consistently cover UK sanctions regimes, or were used only as a form of customer self-attestation.
Some firms found it hard to identify and manage the risk of dealing with entities owned or controlled by sanctioned people. The risk increased when ownership structures were multilayered or opaque, or when transactions went through intermediaries. In some suspected breaches, firms struggled to determine upstream ownership, interpret complex control relationships, or connect counterparties to designated persons. Links were indirect, embedded in corporate groups, or only identifiable through emerging external intelligence. Some firms didn’t have a complete understanding of beneficial ownership, end-investor identity in complex distribution chains, and indirect sanctions exposure.
Some effective practices we observed involved firms using detailed, risk-based SEQs in their EDD processes to understand direct and indirect sanctions exposure (including exposure through counterparties), high-risk third countries, industries vulnerable to circumvention, and specific sectoral measures.
In some cases, firms supplemented these tools with discussions between compliance teams, particularly when onboarding financial institutions or customers with significant international operations. Information gathered at onboarding then supported ongoing monitoring, for example by comparing actual activity against the customer’s stated business model and anticipated activity.
Firms had varying approaches to reviewing and refreshing CDD information. Ongoing monitoring could be limited or focused on PEPs, rather than taking a broader view of sanctions risk. In higher risk cases, EDD was not always adequately documented. File reviews indicated poor audit trails, missing customer data and limited corroboration of information provided by customers.
Finally, we found weaknesses among firms that relied on third parties to conduct CDD or sanctions screening, including business partners and group entities. Several firms could not demonstrate they had effective oversight, validation or assurance of the controls they relied on. Some did not have evidence that they understood, challenged or reflected third party findings in governance outputs such as MLRO reports. They weren’t regularly reviewing these third parties’ policies and procedures, and it was unclear who had responsibility for sanctions risk management across the customer lifecycle.
For trade sanctions, firms said it was hard to comply with complex and evolving regimes, with often only partial transactional information available to inform their decision about potential exposure. We saw some firms use sanctions exclusion clauses alongside CDD, as a means to temporarily suspend services when sanctions-related concerns are highlighted, and to mitigate potential exposure. We also saw examples of stronger practice where firms used publicly available data to corroborate trade documentation as part of CDD, ongoing monitoring and sanctions risk assessment.
Examples of good practice
- Firms regularly updating CDD policies and any sanctions-specific information requests, and including relevant questions on trade, as well as financial, sanctions.
- Firms taking sanctions risk into account when deciding how often to risk-assess particular customers.
Examples of poor practice
- Firms using third parties to carry out aspects of CDD but not adequately demonstrating the oversight, governance, assurance and testing arrangements in place over the controls used by these third parties.
- Firms not recording EDD for high-risk and/or PEP customers, nor defining monitoring or periodic review frequencies. This could lead to breaching requirements of the MLRs.
Case study: During due diligence on a claim submitted after policy termination, an insurer found a potential sanctions risk linked to the transport of Russian origin oil products. Although it had obtained contractual attestations at the point of cover, the firm did further checks after finding inconsistencies, including independent analysis of vessel movement data. The firm could not resolve its concerns through additional information requests, so escalated and reported the matter.
6.6. Screening customers, counterparties and payments
Good sanctions screening can find potential sanctions risks across customer and counterparty relationships and transactions. Firms’ screening and alert management systems and processes should be proportionate to risk exposure, appropriately calibrated, and regularly tested and reviewed.
As part of our overall assessment work on screening and alert management, we tested the calibration and configuration of firms’ sanctions screening systems in our sanctions screening testing (SST) workstream using financial crime data from firms’ REP-CRIM returns.
Our findings are below and fall under these four areas:
- Screening policies
- List management and data feeds
- Calibration, configuration, and assurance testing
- Alert management and resourcing
From the reports of suspected sanctions breaches provided to us, the most common causes of breaches by firms are deficiencies in sanctions screening and alert management.
Breaches most commonly arose from weak screening frameworks, including outdated or poorly maintained lists, suboptimal configuration, calibration and testing of screening rules, or gaps in ownership and control screening.
Some screening arrangements didn’t cover all relevant customer or transaction data. Delays in updates to post-designation lists led to alert backlogs, and underlying reference data quality made matching more difficult. We also saw poor alert management processes leading to falsely discounted positive matches or to accidental movement of frozen assets.
Firms should have robust list management processes, comprehensive data coverage, and well-governed screening configuration processes that can identify sanctions risks promptly and support compliant sanctions decisions.
Case study: While a retail bank screened initial payments it remitted, one transaction was returned shortly after the underlying remitter became subject to UK financial sanctions. Because the return notification didn’t contain enough information and manual alert handling was deficient during processing, the transaction was not re-screened against updated sanctions lists. So it was returned to the remitter, rather than frozen, and the firm only identified the issue after a monitoring alert.
6.7. Screening policies
We note that the use of automated, ongoing screening by firms is common. In 2024-25, 70% of firms making REP-CRIM returns said they used automated screening and 81% were performing repeat customer screening. Of these, 95% had not identified any true sanctions matches for their clients since 2022, and 98% had not identified any true sanctions matches for screened payments since 2022.
Most firms showed they understood the importance of timely sanctions screening. In our proactive work, we noted 76% of firms conducted name screening daily, and 73% screened transactions or payments at least daily (including real-time screening). For those firms screening payments, nearly 6 in 10 reported doing so in real time.
Firms with stronger screening frameworks often supported their screening activity with well‑documented policies and procedures with details of who or what to screen, how often, and how to escalate and resolve potential matches.
More mature frameworks had clear escalation routes, with defined roles and responsibilities across the first and second lines of defence. However, we also found screening policies that were unclear, incomplete, or not applied consistently.
As well as including screening frequency, firms’ policies should also consider what data to screen against what information on the sanctions lists. Through our SST, we saw firms and/or their vendors making decisions to exclude certain categories of sanctions list data. Some could not demonstrate recent review or senior management oversight and decisions to support such exclusions.
In our trade sanctions work, we observed that some firms were doing targeted assessments of their exposure to restricted or dual use goods, including items on the Common High Priority list, to check if screening for specific goods would add value. Others were screening free-text payment fields to identify exposure to high-risk goods and jurisdictions. We also saw them using multiple complementary systems and data sources, such as vessel tracking, corporate structure analysis, and documentation reviews, to mitigate data gaps.
Examples of good practice
- Firms maintaining clear, up‑to‑date sanctions screening policies that define screening scope, frequency, escalation thresholds and governance arrangements.
- Formal governance processes for approving and reviewing screening exclusions.
- Using mitigating controls where certain data is excluded from automated screening.
Examples of poor practice
- Firms not embedding screening policies into day-to-day operational practice.
- Excluding categories of sanctioned names without appropriate rationale/evidence.
- Relying on historic vendor settings without reassessment and appropriate oversight.
6.8. List management and data feeds
Firms varied in their approaches to sanctions list management and the underlying data feeds. Around two-thirds of those in our proactive work said that they implemented sanctions list updates within one day of notification, and had processes and controls in place so that updates were accurate and prompt.
However, our SST work found errors or omissions in sanctions lists provided by third-party vendors, because of poor quality data and the transfer of data between systems, as well as delays or failures in updating the UK Sanctions List in a timely manner.
We also observed how firms, or their vendors, supplemented government sanctions lists with internal lists of entities or people they suspected of being higher sanctions risks, or where customers or transaction counterparties were suspected of being owned or controlled by sanctioned people.
We also found gaps in firms’ internal customer records, such as dates of birth that were missing, incomplete, or entered as placeholder values rather than an individual’s actual date of birth.
Examples of good practice
- Primary screening lists supplemented with additional internal and external data sources to mitigate data gaps, including for identifying entities owned or controlled by sanctioned people.
- Using intelligence to enhance internal watchlists for customers linked to trade sanctions evasion.
- Clear contractual and operational arrangements with vendors, setting out update frequencies, data quality standards, and escalation processes.
Examples of poor practice
- Firms with limited understanding of how lists were ingested into screening systems.
- Insufficient controls to ensure updates to the screening systems lists were complete and effective.
Case study: A legacy system integration issue at a wholesale bank meant a set of transactions was not screened over an extended period. The problem arose from a data feed failure between internal systems and the firm didn’t spot it through routine monitoring – it only came to light during a later internal review. As a result, the firm had to conduct an extensive review to assess whether breaches had occurred.
6.9. Calibration, configuration, and assurance testing
The sophistication of firms’ screening configuration and testing varied considerably. Effective practices included periodic calibration and quality assurance testing, engaging with vendors to retest systems following list updates or changes to matching logic, and using root cause analyses following screening mismatches to improve performance.
In contrast, we also observed limited testing and oversight of sanctions screening systems, meaning that some firms could not easily detect obfuscated or variant names, including those with non-Latin characters. This meant that firms couldn’t find exact matches between names on their systems and the UK Sanctions List, nor easily identify name variations.
Across the sanctions screening testing undertaken, firms were generally effective at identifying sanctioned individuals and organisations where names matched exactly. Overall, 90% of alerts raised during testing correctly identified the relevant sanctioned party. Performance improved over the period in which the testing was conducted.
Testing also considered firms’ ability to identify sanctioned individuals and organisations where names appeared in slightly different forms, such as minor spelling variations. In these cases, 75% of alerts raised during testing correctly identified the relevant sanctioned party. As with exact name matches, performance improved over the course of the testing programme.
Through our SST, we tested how screening systems ingest, transform and interpret names from the UK Sanctions List and observed examples where:
- Firms were removing titles inconsistently or incorrectly integrating them into name fields during ingestion.
- Including honorifics, such as titles, appellations and suffixes, reduced match scores below alert thresholds.
- One-word names, or names containing digits, were excluded by default.
- Long names exceeded system character limits and failed without generating an alert or required manual intervention.
In several cases, firms had to rely on their vendor to explain why these categories of names did not generate a successful alert.
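The ingestion and matching failures listed above can be reproduced and regression-tested with a small calibration harness. The following is an added example, not code from this report or from any screening vendor: every name is constructed, the honorific set, the 0.85 threshold and the 40-character limit are assumptions, and Python's `difflib` stands in for proprietary matching logic.

```python
"""Screening calibration check over constructed names (no real list data)."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Assumed honorific set for illustration; a real one needs review and sign-off.
HONORIFICS = {"mr", "mrs", "ms", "dr", "prof", "sir", "general", "colonel", "jr", "sr"}


@dataclass(frozen=True)
class Config:
    strip_honorifics: bool   # drop titles and suffixes before matching
    skip_one_word: bool      # exclude one-word list names at ingestion
    skip_digits: bool        # exclude list names containing digits
    max_len: Optional[int]   # list names longer than this are dropped
    threshold: float         # minimum similarity that raises an alert


WEAK = Config(False, True, True, 40, 0.85)         # mirrors the observed gaps
HARDENED = Config(True, False, False, None, 0.85)  # same threshold, gaps closed


def tokens(name, cfg):
    """Fold case, diacritics and punctuation; optionally drop honorifics."""
    decomposed = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    toks = re.sub(r"[^\w\s]", " ", folded).casefold().split()
    if cfg.strip_honorifics:
        # Never strip a name down to nothing.
        toks = [t for t in toks if t not in HONORIFICS] or toks
    return toks


def ingest(entries, cfg):
    """Build the screening index and return every rejected entry with a reason,
    so that an exclusion is visible instead of failing silently."""
    index, rejected = {}, []
    for entry in entries:
        toks = tokens(entry, cfg)
        if cfg.skip_one_word and len(toks) == 1:
            rejected.append((entry, "one-word name"))
        elif cfg.skip_digits and any(c.isdigit() for c in entry):
            rejected.append((entry, "contains digits"))
        elif cfg.max_len is not None and len(entry) > cfg.max_len:
            rejected.append((entry, "exceeds length limit"))
        else:
            index[entry] = toks
    return index, rejected


def screen(name, index, cfg):
    """Return (list entry, score) pairs at or above the alert threshold."""
    probe = " ".join(sorted(tokens(name, cfg)))  # token order does not matter
    hits = []
    for entry, toks in index.items():
        ratio = SequenceMatcher(None, probe, " ".join(sorted(toks))).ratio()
        if ratio >= cfg.threshold:
            hits.append((entry, round(ratio, 3)))
    return hits


# Constructed list entries and test variants; none is a real designation.
LONG_NAME = ("Joint Stock Company Fictional Northern Shipping "
             "and Maritime Logistics Holding")
LIST_ENTRIES = ["Ivan Petrovich Examplov", "Zorgon", "Brigade 77", LONG_NAME]
TEST_CASES = {  # name as presented to the system -> list entry it must hit
    "Ivan Petrovic Examplov": "Ivan Petrovich Examplov",    # spelling variant
    "Ívan Pétrovich Examplov": "Ivan Petrovich Examplov",   # diacritics
    "General Dr. Ivan Petrovich Examplov Jr.": "Ivan Petrovich Examplov",
    "ZORGON": "Zorgon",                                     # one-word name
    "Brigade-77": "Brigade 77",                             # digits
    LONG_NAME: LONG_NAME,                                   # long name
}


def calibration_report(cfg):
    """Ingest the list, replay every test case and report what was missed."""
    index, rejected = ingest(LIST_ENTRIES, cfg)
    missed = [variant for variant, expected in TEST_CASES.items()
              if expected not in [e for e, _ in screen(variant, index, cfg)]]
    return {"ingested": len(index), "rejected": rejected, "missed": missed}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, calibration_report(cfg))
```

The weak configuration still catches the spelling and diacritic variants, which is why a test set limited to exact and near-exact names can pass while titled, one-word, numeric and long names go unalerted.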
Additionally, we tested firms’ vendor oversight and assurance of the screening solutions. We found some examples where firms provided limited challenge or validation of vendor configuration, logic or updates, and others where firms overly relied on vendor assurances or conducted insufficient internal testing.
Examples of good practice
- Fuzzy matching logic that remains effective even where titles or additional name elements are present.
- Validation or periodic testing of screening solutions, including after material list or system changes.
Examples of poor practice
- Insufficiently calibrated and/or poorly designed screening systems, which limited their ability to detect obfuscated or variant names, or those that aren’t in the Latin alphabet.
- Limited understanding of how vendor screening logic or configurations operate.
Case study: Payments were processed by a retail bank after the designation of a sanctions target, due to failures in name screening logic. The firm’s name screening system did not generate alerts for the designated person because its phonetic matching and spelling variation rules were inadequate, which prevented its system from recognising legitimate name variants.
Case study: A wholesale bank processed payments referencing shipping vessel names linked to a designated individual before updating its screening filters with vessel identifiers. Screening controls were too narrow and required prefixes or specific formats to generate alerts, which meant that it couldn’t detect vessel names presented in simpler forms.
6.10. Alert management and resourcing
Alert handling was a common cause of reports of suspected breaches by firms. This includes failures to respond to alerts and to freeze accounts before assets were moved, and handling errors leading to alerts being incorrectly resolved, sometimes due to unclear procedures, training, or oversight controls.
The timeliness of alert handling was a recurring theme. Around 44% of firms reported resolving name screening alerts within one working day on average, with a similar proportion (47%) resolving payment screening alerts in this timeframe.
However, a sizeable minority of firms reported longer resolution times, with over a quarter taking three to five days to close name screening alerts, and around a fifth taking the same time for payment alerts.
We also observed instances where firms were unable to provide MI on alert resolution timeliness. By contrast, stronger practices included structured alert management frameworks, supported by internal service level agreements, documented investigation rationales, quality assurance over alert outcomes, and clearly defined escalation arrangements between the first and second lines of defence.
Examples of good practice
- Internal documentation that clearly defines escalation policies and standard team practice that embeds them.
- Periodic testing and quality assurance of alert investigations.
Examples of poor practice
- Failure to meet internal SLAs for alert management and/or not operating effective quality control procedures.
- Firms relying on external or intermediary screening solutions without sufficient internal oversight or assurance, leading to delays or failures in escalating potential sanctions matches for review.
Case study: Following the designation of a sanctioned individual, a retail bank’s controls generated alerts indicating potential sanctions exposure. However, the firm processed or released transactions during the delay between identifying the risk and applying restrictions. Contributing factors included weaknesses in alert prioritisation, escalation, and hand off between teams, as well as relying on manual processes that were not resilient during periods of reduced operational coverage.
Case study: A wholesale bank processed salary payments linked to a firm’s customer’s employment on vessels associated with designated persons, after missing key sanctions indicators during alert review. Analysts, under pressure to meet internal targets, bypassed mandatory sanctions escalation procedures, resulting in incomplete checks, weak documentation, and missed connections to the designated vessel owner. This resulted in potential sanctions breaches.
6.11. Evasion detection and investigation
Screening names and payments may not always be sufficient to identify activities breaching sanctions, particularly as connections to sanctioned activity can’t always be identified from transaction messaging.
This is particularly the case for sanctions outside asset freeze measures, such as sectoral financial sanctions and trade sanctions. Firms may need to undertake transaction monitoring, data analysis, thematic reviews and intelligence-led investigations, and have a good understanding of evasion typologies and how these may manifest across a firm’s business.
In several cases, we saw that staff training lacked detail on applicable sanctions regimes, employee responsibilities and how to identify behaviours or indicators of sanctions evasion. Evasion typologies were not consistently reflected in firms’ risk assessments, policies or controls.
But we also saw firms adopt more proactive and risk-based approaches to detecting sanctions circumvention. Some conducted targeted investigations on high-risk customers, including reviewing transactional activity before and after major sanctions events to identify potential rerouting of trade or changes in behaviour.
Others used insights from open-source reporting, internal investigations or typology analysis to identify high-risk customers. This led to implementing enhanced systems and controls, and external reporting or offboarding, demonstrating a greater focus on anticipating and identifying risks rather than just relying on reactive controls.
We also saw some firms develop and refine tailored transaction monitoring scenarios to detect evasion. These scenarios mapped high-risk jurisdictions against specific industry risks, informed by firms’ own investigative insights and wider intelligence and typology reporting.
Some firms improved detection outcomes by aligning second-line teams responsible for trade-based money laundering and sanctions, which meant they could share information more effectively, and better understand evasion typologies across financial crime risks.
Other firms, particularly those with large trade finance operations, were exploring the use of automation and AI to reduce manual processing of trade documentation to identify anomalies.
Examples of good practice
- Staff training which clearly outlines sanctions red flags and evasion typologies, as well as how to spot and escalate suspicious behaviour.
- Firms proactively stress-testing sanctions systems and controls against new sanctions regimes and/or emerging evasion typologies.
- Firms conducting proactive and/or thematic sanctions lookbacks to test control effectiveness, as opposed to only responding to known, or suspected, breaches.
- Firms maintaining an internal repository of trade documentation samples to help detect falsified documentation and technology to identify discrepancies in trade documentation.
Examples of poor practice
- Key sanctions evasion typologies and risks not being adequately reflected in firms’ risk assessments, policies and procedures, or controls design.
Case study: A retail bank reported that a newly-onboarded client was receiving transfers from intermediaries linked to suspected Russian-origin fuel movements. Although payment messages showed no explicit high-risk indicators, the firm’s monitoring flagged inconsistencies between declared business activity and the counterparties’ involvement in regional oil transport networks. Escalation and open-source checks confirmed potential exposure to sanctions evading supply chains. The firm promptly interdicted the transactions, added the entities to its exclusion lists, and instructed the client to cease all related activity, preventing further potential evasion.
Case study: A payments firm found a pattern of customers receiving card credit top-ups that originated from Russian designated banks but were routed through multiple intermediary payment processors to obfuscate the true source of funds. Although the incoming transactions appeared to be legitimate third-party credits, internal investigative work uncovered that the processors were being used deliberately to obscure links to a number of designated institutions in Russia. The firm blocked the intermediary processors, froze the affected balances, and reported the matter.
Case study: A wholesale bank identified a sanctions breach after its transaction monitoring system generated an alert on a repeat payment involving the same counterparties. It confirmed the export of controlled goods ultimately destined for Russia. The alert triggered a targeted review of historic transactions that spotted an earlier, similar transaction which had initially passed screening because it used a third country logistics intermediary that obscured the Russian end destination. The firm rejected and reported the transaction, analysed the evasion typology, and added the intermediary to its internal sanctions list to prevent recurrence.
6.12. Asset freezing and licence compliance
To effectively comply with asset freezing and the requirements set out in sanctions licences, firms must have clear processes to quickly identify, implement and maintain the requirements. Policies, procedures and systems, along with staff training and appropriate governance, can help ensure assets are frozen and remain frozen, and that licence permissions are managed.
We found that major causes of suspected sanctions breaches are failures to properly freeze assets and keep them frozen, and firms and their clients failing to meet the requirements of sanctions licences.
Some firms’ arrangements for freezing assets were weak. Some had procedures that were insufficiently documented and accounts were not subject to appropriate restrictions while investigations into potential matches were ongoing. We also found a lack of clearly defined service level agreements governing the timeliness of account freezing and transaction blocking.
Reported suspected breaches also showed instances of firms not maintaining frozen assets properly, such as by failing to prevent internal transactions from moving funds or making charges to accounts.
Some firms sought to manage the risk of licence non-compliance through client education and engagement, requirements for pre-notification and disclosure of payments made under licence, and restrictions on amounts held in accounts which could be accessed under licence.
Examples of good practice
- Firms have clear, documented policies that define when to restrict accounts due to sanctions concerns, the types of restrictions to apply, and the escalation and approval routes required.
- Firms have clear policies and controls to ensure compliance with sanctions licences, including when a licence is required or relied upon, and understanding and adhering to licence permissions.
Examples of poor practice
- Unclear or insufficiently documented procedures for freezing assets and blocking transactions.
- Not taking account freezing obligations into account when a client is offboarded due to potential sanctions concerns.
Case study: A retail bank was monitoring whether a designated person was complying with a licence that provided them with an allowance to pay for ‘basic needs.’ However, the firm did not have a policy on what expenses could constitute ‘basic needs’, risking expenses being paid that contravened that licence.
Case study: A debit card payment and an internal transfer were still processed by a retail bank after a customer was identified as being subject to asset freezing. This occurred because staff were unaware of how to restrict customer accounts, and only applied account markers without cancelling associated banking products.
6.13. Reporting and assessing breaches
UK sanctions legislation defines obligations for reporting suspected breaches of financial and trade sanctions. This requires firms to have clear processes for identifying, escalating and reporting potential breaches to relevant authorities, including OFSI, OTSI, HMRC and the FCA, in a timely manner. Discovering what caused the breaches can inform remediation, control enhancements, and risk assessments.
Firms are identifying and reporting breaches more quickly and the reporting data shows the average time between identification and reporting has shrunk slightly from 2024.
In our reviews, we found that although most firms were aware of reporting obligations to OFSI, many lacked reporting procedures to other competent authorities such as OTSI and HMRC. In many cases, firms’ policies and procedures did not clearly outline how staff might escalate potential sanctions issues to senior management, and reporting to the competent authority was at times excluded from process documentation.
Examples of good practice
- Well-documented procedures for reporting breaches.
- Firms considering any necessary remedial action when assessing suspected breaches.
7. What we expect from firms
Firms should understand the risks posed to, and by, their business and have sanctions systems and controls in place that cover customer and transaction journeys. They should review them to make sure they are comprehensive and robust, to reduce the risk of being exploited and of exposing participants to the risk of non-compliance with sanctions. Any suspicious activity relating to sanctions should be identified, investigated, mitigated and reported to the appropriate authorities in a timely manner.
Firms should consider the findings and examples in this report and continue to review their systems and controls to ensure they comply with both financial and trade sanctions.
8. Next steps
We’re working with the firms where we found weaknesses during our review, to make sure they’re taking the right remedial action. We’ll continue to monitor them to help drive improvements and reduce financial and trade sanctions risk across the industry.
We will continue to liaise and work with relevant partners across HM Government such as OFSI and OTSI to share insights to enhance the FCA’s work.
9. Useful material to read in conjunction with this review
- Sanctions systems and controls: firms’ response to increased sanctions due to Russia’s invasion of Ukraine[5]
- FCA Handbook[6]
- Office of Financial Sanctions Implementation[3]
- Office of Trade Sanctions Implementation[4]
- UK Sanctions[7]
- Countering Russian sanctions evasion - guidance for businesses[8]
- Threat assessments to support sanctions compliance[9]