OFSI has recently taken divergent enforcement approaches against Vanquis Bank and Colorcon. Sanctions expert James Dodsworth examines what drove these outcomes and the lessons firms can draw for strengthening their sanctions compliance.
The Office for Sanctions Implementation (OFSI) has recently issued two Enforcement Actions for breaches of sanctions regulations. One firm received a large monetary penalty, whilst the other firm only received a disclosure notice.
In September 2025, Vanquis Bank Limited (VBL) and Colorcon Limited (Colorcon) found themselves under scrutiny by OFSI for sanctions regulatory breaches. VBL received a disclosure notice published on the OFSI website, and Colorcon was issued a penalty of £152,750.
In this article, we explore the differences between the two cases and the practical lessons for firms aiming to stay on the right side of sanctions enforcement.
On 8th September, VBL was subject to a disclosure notice issued by OFSI for breaching regulations prohibiting making funds available to a designated person. VBL failed to restrict access to an account for eight days after the designation, and the designated person was able to withdraw cash and make other transactions.
VBL previously had an issue with its automated screening system, whereby alerts were being falsely closed as duplicates. As part of their remediation efforts, VBL produced a large number of alerts for manual screening that required reallocation of resources from their first-line referral team.
The OFSI designation came at a time when those resources were reallocated to remediation activities, meaning the alert was not reviewed for eight days. This was compounded by OFSI pre-notifying VBL that a suspected customer was due to be designated the following day, although not telling the firm the name of the customer.
VBL worked the subsequent alert on the eighth day after the designation was placed and restricted access to the account in question. Thirteen days after the designation, VBL reported the breaches to OFSI.
On 10th September, Colorcon was fined £152,750 by OFSI for making funds available to designated persons, breaching the UK’s sanctions on Russia. Colorcon is the UK subsidiary of a US-headquartered pharmaceutical group and previously had a representative office in Moscow.
In 2022, 123 payments (£191k value) were made to employees and service providers holding accounts at Russian banks. 44 of the payments were permissible under an OFSI general licence. However, Colorcon continued to make payments after the expiry of the licence, breaching sanctions.
Colorcon took four months after discovering it had breached sanctions to make an initial disclosure to OFSI. Colorcon also believed that their bank would apply UK sanctions and that any payments they made to the Moscow office would be subject to sanctions screening. OFSI noted that Colorcon never explicitly tested this by questioning their bank.
OFSI also noted that Colorcon’s compliance procedures were insufficient: its policies had not been significantly updated since 2018, and the company had not fully considered its financial sanctions risks or clarified what screening was undertaken by its bank. Additionally, Colorcon had not adhered to the requirements of the general licence, including the reporting requirements of that licence.
For VBL, OFSI considered the value of the transactions that had taken place to be comparatively low, and the transactions to be isolated rather than part of a regular pattern. Despite VBL’s slow response in identifying and reporting the breaches, OFSI did not see it as deliberate circumvention by the bank. These factors, as well as the voluntary reporting, meant OFSI decided to treat the breach as moderately severe and publish a disclosure notice to educate other firms.
For Colorcon, the values, volumes, and the fact that the company had been operating in Russia for an extended period of time were all taken into consideration. The length of time to report the breaches and the non-adherence to the requirements of the general licence, including reporting, were also factors. Colorcon reported the breach after four months, compared to VBL’s thirteen days.
Whilst both firms breached sanctions, OFSI considered the severity of Colorcon’s breaches and its non-adherence to require a financial penalty.
On the back of these cases, there are a number of considerations for firms relating to their sanctions programmes:
1. Report Sanctions Breaches Promptly
In both cases, there was a time lag between discovering a breach and self-reporting to OFSI. This was compounded for Colorcon by also breaching the reporting requirements of the general licence, which is an offence in itself. OFSI is clear that breaches should be reported in a timely fashion.
How Thistle Initiatives can help: We help firms assess sanctions frameworks, including review of reporting procedures and requirements internally and externally.
2. Keep Policies and Procedures Up to Date
Colorcon had not made any significant refreshes of its sanctions policies and procedures since 2018. Keeping sanctions documentation up to date is even more important where a firm has exposure to high-risk jurisdictions. It is clear from the Colorcon fine that OFSI expects firms operating in higher-risk locations to have a more developed understanding of the risks, and for that understanding to be reflected in their documentation.
How Thistle Initiatives can help: We help firms review, revise, and uplift sanctions policies and procedures. With extensive experience across financial services, we understand both the regulatory requirements and the clarity needed for effective documentation.
3. Don’t Rely Blindly on Third-Party Screening
Risk cannot be outsourced. Colorcon’s belief that its bank would identify and flag transactions that may be in breach of sanctions had never been tested. Firms need to understand the screening that third parties are undertaking, alongside performing their own screening processes, with clear documentation of any outsourced relationships.
How Thistle Initiatives can help: We support firms to review sanctions screening programmes and systems. We provide independent testing of outsourcing frameworks and of any tools, validating that they are performing as expected and looking at fuzzy logic matching and completeness of sanctions lists.
If you would like to discuss strengthening your sanctions framework, testing screening tools, or remediating alert backlogs, please get in touch at info@thistleinitiatives.co.uk or call 020 7436 0630 to speak with our team.
James has worked in financial crime compliance across a range of sectors and firms for over 20 years. As a certified fraud investigator, James has experience in leading sanctions programmes, including assessing and remediating risks, and creating and delivering training. James also performs reviews and testing of firms' sanctions systems and tools to evaluate effectiveness.