FCA publishes systems and controls advice on sanctions

Following the expansion of the UK’s sanctions regimes in response to Russia’s invasion of Ukraine in 2022 and the recent broadening of trade sanctions, the Financial Conduct Authority (FCA) has been actively reviewing the sanctions systems and controls of supervised firms. 

In a report published on 28 May 2026, the FCA sets out its findings from an assessment of over 150 firms, drawing on work undertaken since its previous September 2023 report.

The FCA’s high level observations include that:

  • Systems and controls for financial sanctions compliance are generally more developed than those for trade sanctions. 
  • Since 2024 the majority of reported sanctions breaches related to:
  1. the payments sector;
  2. the retail banking sector; and
  3. the wholesale financial markets sector.
  • Whilst there appears to have been a strengthening of internal systems to identify and report potential breaches, notifications are not always made in a timely manner. The average time taken to report a breach from identification was 120 days in 2024 and 116 days in 2025.
  • Detecting and preventing breaches of trade sanctions is a more challenging area for firms and those who successfully identified suspected breaches had often done so through proactive investigations.

Good and poor practices

The report gives examples of “good” and “poor” practice by firms, and highlights specific areas for improvement based on evidence of reported breaches.

Whilst the FCA identified 11 themes, the most common root causes of reported sanctions breaches were weaknesses in due diligence, alert management, transaction and name screening, management of frozen assets and compliance with specific and general licenses. 

THEME: Due diligence and ongoing monitoring
Examples of good practice:
  • Regular updates to client due diligence (CDD) policies.
  • Sanctions-specific information requests, ensuring relevant questions on trade and financial sanctions are included.
  • Consider sanctions risks in deciding the frequency of assessing specific customers.
Examples of poor practice:
  • Use of third parties to carry out aspects of CDD without adequate oversight, governance, assurance and testing arrangements in place over the third-party controls.

THEME: Alert management
Examples of good practice:
  • Clear internal documentation and standard team practices.
  • Periodic testing and quality assurance of alert investigations to ensure policies are effective and embedded.
Examples of poor practice:
  • Reliance on external or intermediary screening solutions without sufficient internal oversight.

THEME: Transaction and name screening
Examples of good practice:
  • Periodic calibrations to enable obfuscated and variant names to be detected.
  • Validation or periodic testing of screening solutions, including after material list or system changes.
Examples of poor practice:
  • A limited understanding of how vendor screening logic or configurations operate in practice – i.e. simply relying on the automated system without effective human oversight.

THEME: Management of frozen assets and license compliance
Examples of good practice:
  • Maintaining clear, documented processes to quickly identify, implement and maintain requirements set out in sanctions licenses and comply with asset freezing.
Examples of poor practice:
  • Inadequate procedural documentation.
  • A lack of appropriate account restrictions during investigation into potential matches.
  • An absence of clearly defined service-level agreements for account freezing and transaction blocking.

THEME: Governance and management oversight
Examples of good practice:
  • Keeping management policies up to date.
  • Collecting and monitoring data on customer exposure to high-risk jurisdictions.
Examples of poor practice:
  • Reliance on group entities to provide sanctions risk compliance services, with limited oversight and insufficient management information on overseas branches and offices to check their compliance with UK sanctions.

THEME: Risk assessment
Examples of good practice:
  • Using risk assessments that consider both financial and trade sanctions as well as proliferation financing risks.
Examples of poor practice:
  • Quantifying sanctions exposure or risk without documented and supporting rationale.

THEME: Screening infrastructure: policies and list management
Examples of good practice:
  • Maintenance of clear and up-to-date sanctions screening policies that define screening scope, frequency, escalation thresholds and governance arrangements.
  • In relation to list management, firms should ensure they have clear contractual and operational arrangements with vendors.
Examples of poor practice:
  • Reliance on historic vendor settings without appropriate oversight.
  • Insufficient controls to ensure updates to screening systems lists are complete and effective.

THEME: Proactive detection and investigation
Examples of good practice:
  • Providing staff training which clearly outlines sanctions red flags and how to spot and escalate suspicious behaviour.
Examples of poor practice:
  • Excluding key sanctions evasion typologies in the firms’ risk assessments, policies and procedures, or controls design.

What’s next? 

Firms should consider the report and review their systems to ensure they are effectively complying with the FCA’s expectations for managing sanctions risk. In view of the areas where the FCA found the majority of breaches, firms should in particular focus on:

  1. strengthening screening systems and testing, together with regular engagement with screening vendors following updates to the UK Sanctions List; and
  2. reviewing and clarifying alert management, asset freezing and CDD procedures to ensure they are robust, clearly documented and enhanced where appropriate. 

Firms should also review the example case studies in the FCA report, and incorporate them into their training programmes where appropriate.

Enforcement actions against Starling Bank and Monzo Bank for failings in their financial crime systems and controls, including in respect of sanctions, demonstrate the risks for firms who have serious and systemic weaknesses in this area.

The overall message from the FCA is clear: “Firms have improved but must do more to prevent sanctions breaches.”

This article was co-authored by Trainee Solicitor, Polly Jeffery.
