OFSI has published its strategy for 2026–29. Thistle Initiatives Manager Elliott Day sets out what has substantively changed, why it matters and what UK‑regulated firms should be thinking about now.
The Office of Financial Sanctions Implementation (OFSI) published its strategy for 2026–29 in April. Rather than introducing new legal obligations, the strategy clarifies how OFSI intends to supervise, support and enforce UK financial sanctions over the next three years.
For compliance leaders, the value of the document lies less in its structure than in the signals it provides about supervisory direction. OFSI is clearer than before about where it will focus, how it will measure itself and, implicitly, how it will assess firms when sanctions issues arise.
This is less about new policy and more about how OFSI intends to exercise its supervisory and enforcement judgment over the next three years and what firms may need to evidence, adjust or re‑test now to ensure their sanctions frameworks remain robust as scrutiny increases.
The strategy confirms that OFSI intends to originate an increasing proportion of enforcement cases through its own intelligence and analytics, not solely through firm self‑disclosures. This is reinforced by the inclusion of published key performance indicators (KPIs) measuring intelligence‑originated enforcement outcomes over the strategy period.
OFSI has set measurable targets for licensing and enforcement timeliness, including committing to 50% of licensing cases being completed within six months and 90% of enforcement investigations reaching a decision within 18 months. These commitments will be reported on in future annual reviews.
Settlement is now described as a routine enforcement tool alongside monetary penalties and other outcomes, rather than an exceptional resolution mechanism.
The ’Change’ pillar frames sanctions failures as issues of culture, decision‑making and sustained compliance, not just control design or resourcing.
Licensing applications, compliance queries and suspected breach reports are explicitly described as feedback sources shaping guidance, supervisory focus and enforcement priorities.
The strategy does not expand OFSI’s powers, but it narrows the gap between stated expectations and supervisory response.
Most notably, the shift towards intelligence‑led enforcement reduces the extent to which regulatory exposure is driven only by what firms choose to disclose. Where OFSI can identify patterns across caseloads (such as recurring control weaknesses, repeated licensing issues or common circumvention typologies), those patterns may increasingly form the basis of enforcement action.
The introduction of public KPIs also matters. By committing to defined timelines, OFSI is signalling lower tolerance for prolonged uncertainty, incomplete engagement or slow internal responses once an issue is raised. Firms that struggle to progress sanctions escalations, investigations or licence submissions in a timely way may find issues escalating more quickly.
The focus on culture and behavioural change aligns OFSI more closely with the Financial Conduct Authority’s (FCA) supervisory lens. Over time, this increases the likelihood that sanctions failures are interpreted as indicators of broader systems and controls weaknesses, particularly where senior oversight is unclear or inconsistently applied.
For heads of compliance and money laundering reporting officers (MLROs), the practical implication is that sanctions compliance increasingly sits alongside anti-money laundering (AML) and conduct risk as a core regulatory concern, rather than a specialist or siloed topic.
The impact of the strategy will vary by business model, but several themes are likely to be relevant where sanctions exposure exists.
For firms relying on licences to support legitimate activity, OFSI’s emphasis on early engagement and information quality may affect turnaround times and supervisory confidence. Poor‑quality or late applications are less likely to be treated as neutral administrative issues.
Where breaches or near‑misses occur, the ability to evidence structured investigation, escalation and decision‑making is likely to carry more weight than the fact of self‑reporting alone.
Fragmented or highly granular management information (MI) that cannot explain trends or recurrence may be insufficient where OFSI is actively looking for patterns across firms and sectors.
Equally, firms with limited direct sanctions exposure should not assume they are outside the scope. The strategy highlights the use of data, intelligence and cross‑government engagement to identify risk beyond traditional firm‑to‑regulator touchpoints.
Against this backdrop, firms may wish to reflect on a small number of core questions:
Is your sanctions risk assessment genuinely exposure‑led?
Risk assessments that rely on generic descriptions rather than business‑specific exposure may be harder to defend if scrutiny increases.
Are governance and escalation routes clear and consistently used?
Firms should be able to explain who owns sanctions risk, how decisions are escalated and how senior oversight is exercised in practice.
Can your MI tell a coherent story?
MI should support an explanation of what is happening, why controls are appropriate and how issues are tracked and resolved over time.
Is your engagement with OFSI disciplined?
Queries, licence submissions and notifications should be well‑governed, well‑evidenced and aligned to internal decision‑making, rather than being ad-hoc requests for comfort.
These are not new expectations, but OFSI has been clearer about how they feed into its supervisory judgements.
The OFSI strategy for 2026–29 does not change the sanctions rules. What it does change is the transparency with which OFSI sets out how those rules will be implemented, supervised and enforced.
Firms that can clearly articulate their exposure, demonstrate proportionate controls and evidence sound governance are likely to find engagement with OFSI more predictable. Those relying on assumptions, informal practices or reactive remediation may face a sharper challenge as enforcement becomes faster and more intelligence‑driven.
For compliance leaders, this is less about preparing for new requirements and more about ensuring that existing frameworks stand up to closer, more structured scrutiny.
Our financial crime team supports firms in interpreting regulatory expectations and translating them into practical, defensible financial crime frameworks.
We help firms assess exposure, review sanctions risk assessments, test governance and escalation arrangements and strengthen incident response and MI. Our aim is simple: to help firms achieve clarity of judgement and proportionate solutions that stand up to scrutiny from regulatory, audit and banking partners.
Get in touch at info@thistleinitiatives.co.uk or call 0207 436 0630 to speak with our team.
Elliott is a manager within Thistle’s Financial Crime team, supporting fintech and financial services clients to strengthen controls, uplift governance, and deliver regulatory remediation. His experience spans AML, sanctions, KYC/KYB, onboarding and risk assessment, with a focus on proportionate, risk-based frameworks and practical assurance.
Before joining Thistle, Elliott held financial crime and compliance roles across payments and fintech, enhancing policies, procedures and monitoring arrangements. Elliott has also contributed to industry publications, including editorials for The Company Lawyer.