UK Financial Conduct Authority publishes report indicating that financial institutions must do more to prevent sanctions breaches: key takeaways

On 28 May 2026, the UK Financial Conduct Authority (“FCA”) published a detailed report outlining steps that financial institutions take to comply with sanctions requirements, including examples of good and poor practice. The report addresses both financial and trade sanctions measures, with financial institutions managing risks arising from their own activities and those of their customers.

The report follows the FCA’s engagement with over 150 FCA-supervised firms since February 2022, and builds upon the FCA’s previous report in September 2023 on firms’ responses to increased sanctions (available here). The report is a further important example of the focus of UK authorities on sanctions compliance in the financial sector. Whilst the report provides helpful guidance, with limited exceptions it does not differentiate between application to different financial actors, who will have to interpret and apply the guidance according to their business model and risk profile.

Alongside the publication of the report, the FCA has also entered into a Memorandum of Understanding with the UK Office of Trade Sanctions Implementation (“OTSI”), facilitating exchange of information between the authorities in relation to trade sanctions matters (in line with the trade sanctions focus areas in the report).

We have summarised key takeaways from the FCA’s report below.

1. Focus on trade sanctions as an evolving risk area for financial institutions

• The FCA’s report emphasises the complex compliance challenges for financial institutions that arise from trade sanctions measures, and outlines various ways in which financial institutions are managing the risks. As noted by the FCA, prohibited activities have “broadened beyond traditional military and dual-use goods to include prohibitions on the trade of a wider range of goods and technologies, alongside restrictions on services ancillary to this trade and standalone services”, including in particular “prohibitions on financial services and technical assistance related to restricted goods and technologies, as well as bans on certain ancillary services”.
• Financial institutions can face challenges due to limited available information on whether particular transactions relate to trade in sanctioned items. The FCA notes that “firms said it was hard to comply with complex and evolving regimes, with often only partial transactional information available to inform their decision about potential exposure”.
• Firms should undertake risk assessments to identify and manage trade sanctions risks. Examples of strong risk assessments “drew on a wide range of qualitative and quantitative information relating to trade sanctions, including internal breach data, transaction and customer insights, product and jurisdictional assessments, and external guidance and typology reports. This helped firms assess inherent risk, residual risk, and control effectiveness”.
• Some firms use “multiple complementary systems and data sources” to assess trade sanctions risks, “such as vessel tracking, corporate structure analysis, and documentation reviews, to mitigate data gaps”. In order to assess trade sanctions risks (and other non-asset freeze measures), financial institutions “may need to undertake transaction monitoring, data analysis, thematic reviews and intelligence-led investigations, and have a good understanding of evasion typologies and how these may manifest across a firm’s business”.
• Good practice will include “[u]sing intelligence to enhance internal watchlists for customers linked to trade sanctions evasion” and “maintaining an internal repository of trade documentation samples to help detect falsified documentation and technology to identify discrepancies in trade documentation”.

2. Ongoing risks relating to financial sanctions measures and screening configuration

• From a financial sanctions perspective, the FCA notes that “there are now more UK designated persons subject to targeted financial sanctions, and sectoral financial sanctions have increased since broader prohibitions on financial services, infrastructure access and activity-based financial support have been introduced”.
• Weak screening frameworks are a significant cause of breaches, “including outdated or poorly maintained lists, suboptimal configuration, calibration and testing of screening rules, or gaps in ownership and control screening”.
• The report notes that some firms “found it hard to identify and manage the risk of dealing with entities owned or controlled by sanctioned people. The risk increased when ownership structures were multilayered or opaque, or when transactions went through intermediaries. In some suspected breaches, firms struggled to determine upstream ownership, interpret complex control relationships, or connect counterparties to designated persons. Links were indirect, embedded in corporate groups, or only identifiable through emerging external intelligence. Some firms didn’t have a complete understanding of beneficial ownership, end-investor identity in complex distribution chains, and indirect sanctions exposure”.
• Some firms (or their vendors) “supplemented government sanctions lists with internal lists of entities or people they suspected of being higher sanctions risks, or where customers or transaction counterparties were suspected of being owned or controlled by sanctioned people”.
• Good screening practices included “periodic calibration and quality assurance testing, engaging with vendors to retest systems following list updates or changes to matching logic, and using root cause analyses following screening mismatches to improve performance.”
• An example of poor practice is “[n]ot taking account freezing obligations into account when a client is offboarded due to potential sanctions concerns.”

3. Causes of breaches, and issues around alert handling

• According to the FCA, the most common root causes of sanctions breaches were “weaknesses in due diligence, alert management, transaction and name screening, as well as the management of frozen assets and compliance with specific and general licences”.
• The report highlights issues relating to handling of sanctions alerts, with this being “a common cause of reports of suspected breaches by firms”. Issues include “failures to respond to alerts and to freeze accounts before assets were moved, and handling errors leading to alerts being incorrectly resolved, sometimes due to unclear procedures, training, or oversight controls”.
• The FCA notes that the timeliness of alert handling was a recurring issue. Whilst around 44% of firms “reported resolving name screening alerts within one working day on average, with a similar proportion (47%) resolving payment screening alerts in this timeframe”, “a sizeable minority of firms reported longer resolution times, with over a quarter taking three to five days to close name screening alerts, and around a fifth taking the same time for payment alerts”.
• Poor practice includes “[f]ailure to meet internal SLAs for alert management and/or not operating effective quality control procedures”.
• Some firms have weak arrangements for restricting accounts during ongoing assessments, with “procedures that were insufficiently documented and accounts were not subject to appropriate restrictions while investigations into potential matches were ongoing”.

4. Expectations around reporting

• The report outlines the FCA’s expectations that FCA-supervised firms “should report suspected breaches of financial and trade sanctions to us if they indicate weakness in their controls, alongside reporting suspected breaches to the relevant UK government bodies”.
• The FCA notes that “most reported breaches relate to financial sanctions, with only a comparatively small proportion of breach reports submitted by firms relating to trade sanctions”.
• Reporting from insurance and digital assets sectors is lower than in some other sectors. The FCA would expect more reporting from these sectors, given “continued attempts to evade sanctions from Russia’s shadow fleet and the reported use of cryptocurrencies in circumventing sanctions”.

5. Focus on customer due diligence and “evasion techniques”

• The report highlights a number of common “evasion techniques” that firms should be aware of, including:
  • Transferring funds out of accounts shortly after an individual or entity is sanctioned.
  • Accessing financial services or economic resources through complex ownership chains, relatives, or close associates.
  • Using third parties, intermediaries, or correspondent banks to obscure connections to a sanctioned person.
  • Routing funds through cryptoasset or e-money wallets to conceal links to designated persons.
  • Conducting cash withdrawals for onward movement to high-risk jurisdictions.
  • Mis-declaring the nature or end use of goods in trade transactions.
  • Providing falsified or incomplete trade documentation.
• Firms should reflect sanctions evasion risks in their customer due diligence. Proactive and risk-based approaches to detecting sanctions circumvention included “targeted investigations on high-risk customers, including reviewing transactional activity before and after major sanctions events to identify potential rerouting of trade or changes in behaviour”. Some firms “used insights from open-source reporting, internal investigations or typology analysis to identify high-risk customers”, which showed “a greater focus on anticipating and identifying risks rather than just relying on reactive controls”.
• Effective practice includes firms using detailed, risk-based “Sanctions Exposure Questionnaires” in their enhanced due diligence processes “to understand direct and indirect sanctions exposure (including exposure through counterparties), high-risk third countries, industries vulnerable to circumvention, and specific sectoral measures”.  
• Tailored transaction monitoring scenarios can help to detect sanctions evasion, by mapping “high-risk jurisdictions against specific industry risks, informed by firms’ own investigative insights and wider intelligence and typology reporting”.
• Good practice includes “conducting proactive and/or thematic sanctions lookbacks to test control effectiveness, as opposed to only responding to known, or suspected, breaches”.

6. Sanctions compliance programme enhancements

• In addition to the above points, the FCA’s report includes other detailed guidance on steps that financial institutions can take to manage sanctions risks. This includes guidance in the following areas:
  • Governance, oversight and control frameworks
    • The FCA notes that firms “should have clear ownership and accountability for compliance, and their senior management should oversee and provide informed decision-making, acting quickly to address weaknesses”.
    • Some firms “had outdated, inaccurate or inconsistent policies and procedures, that didn’t reflect restrictions such as sectoral sanctions or focused overly on asset freezes alone”.
    • The FCA is critical of over-reliance on third parties (including other group entities or arrangements) to conduct sanctions screening or other compliance measures. The FCA found “weaknesses among firms that relied on third parties to conduct [customer due diligence] or sanctions screening, including business partners and group entities”. Several firms could not demonstrate “adequate local oversight, governance and assurance over sanctions systems and controls”.
    • The FCA’s report emphasises the importance of risk assessments from a governance perspective, as they enable firms to articulate “their approach to accepting, managing and mitigating exposure, including in relation to specific sanctioned or higher risk jurisdictions”. The FCA notes that “business risk assessments, jurisdictional risk assessments and sanctions policies” will support “coherent decision-making and oversight.”
    • Examples of strong sanctions-related Management Information include “data and commentary on the nature and extent of inherent sanctions exposures, the operation of the firms’ controls structures and the crystallisation of any sanctions risks”.
  • Training
    • The FCA identified several cases where “staff training lacked detail on applicable sanctions regimes, employee responsibilities and how to identify behaviours or indicators of sanctions evasion”.
    • Good practice can involve “[r]ole-specific sanctions training that aligns with internal processes, with teams in higher risk control areas receiving enhanced training”.

Memorandum of Understanding between the FCA and the UK Office of Trade Sanctions Implementation Alongside this guidance, the FCA has also entered into an information sharing Memorandum of Understanding (“MOU”) with OTSI. This will facilitate sharing of information between the FCA and OTSI in relation to issues of potential trade sanctions breaches. The FCA already has an MOU in place with the UK Office of Financial Sanctions Implementation.