The Office for Financial Sanctions Implementation (OFSI) has recently enforced settlement penalties on two firms for breaches of Russian sanctions, both relating to the same designated party. In this article, we look at the breaches in the two cases and lessons learned for firms relating to sanctions compliance.
Earlier in 2026, OFSI imposed settlement penalties on two firms for breaches of UK Russia sanctions:
On 19th March, OFSI imposed a penalty of £390,000 on Apple Distribution International Limited (ADI), an entity incorporated in the Republic of Ireland, and a subsidiary of the US technology company Apple Inc., for breaches of the Russia Sanctions by making funds available to a person owned or controlled by a designated person.
On 30th April, OFSI imposed a penalty of £165,000 on Deutsche Bank AG London Branch (DBLB), a branch of Deutsche Bank AG. The penalty was imposed for breaches of Russia Sanctions by making funds available to a person owned or controlled by a designated person. DBLB processed two payments (one in June 2022 and another in July 2022) totalling £635,618.75 on behalf of ADI to a beneficiary, Okko, a company wholly owned by the designated person JSC New Opportunities.
ADI relied on their corporate affiliates to functionally implement relevant payment processes and the sanctions screening and due diligence, however, OFSI determined that ADI is the legal entity responsible for the breaches in this case, as it is the legal entity that instructed made the payments that were in breach of the Russia Regulations. OFSI views that the responsibility of ensuring compliance with sanctions legislation rests with the entity directly responsible for the breach.
At the time of the Payments, DBLB’s third party screening vendor had incorporated the updates to the OFSI Consolidated List (now the UK Sanctions List), which included the designation of JSC New Opportunities. While DBLB conducted sanctions screening in respect of the beneficiary (Okko) for both Payments, no alert for Okko was generated in screening because, at the time of the Payments, the screening lists provided by DBLB’s third-party screening vendor did not include data in relation to Okko’s ownership.
OFSI felt ADIs’ sanctions framework at the time of the breaches was not sufficiently calibrated to the increased financial sanctions risk associated with Russia following its full-scale invasion of Ukraine in February 2022 and the ensuing rapid escalation in UK financial sanctions against Russia.
At the time of the payments, the processes used by ADI to assess sanctioned party ownership-related risks in the onboarding of Russian app developers focused primarily on (1) a self-certification model, and (2) ownership due diligence provided by third-party due diligence vendors.
ADI relied in part on third-party providers for ownership and control data. OFSI acknowledges the value that such services can afford firms like ADI and recognises that including such providers in its due diligence program is good compliance practice. However, ADI remains ultimately responsible for ensuring that it complies with financial sanctions legislation.
In this case, third-party tools did not identify the change in Okko’s ownership in a timely manner. Also, there were multiple open‑source media articles were available which clearly indicated the transfer of Sberbank’s (which was designated) digital assets to JSC New Opportunities. OFSI noted that these articles were not identified or flagged by the third-party providers engaged by ADI.
DBLB engaged in various meetings with ADI between March and May 2022 to discuss risks arising in relation to Russian payment flows and sanctions compliance matters relating to Russia and Belarus. Whilst these meetings demonstrate that DBLB was actively engaged with its customer during this challenging period, DBLB did not address or uncover how ADI assessed sanctioned party ownership-related risk, in particular the customer’s reliance on a self-certification model, nor did it update its onboarding questionnaire to explicitly reference Russia sanctions.
OFSI concluded that DBLB had been unaware that ADI did not augment its diligence process by affirmatively requesting ownership information from its downstream customers. OFSI considered that DBLB had the opportunity to seek further information about ADI’s systems and controls, which could have potentially resulted in greater oversight and understanding of payments being made to a higher risk jurisdiction.
These cases highlight important compliance lessons for firms.
UK financial sanctions apply to any conduct in the UK and to all UK persons (including legal entities established under UK law) anywhere in the world. That includes non-UK firms using UK financial institutions to conduct payments, even if the non-UK firm directly manages the account from outside the UK. Firms must ensure they comply with those UK financial sanctions that are in force.
Firms should ensure that their client and customer due diligence frameworks are sufficiently robust to identify and understand ownership and control at the outset of a relationship and on an ongoing basis. Firms should be utilising sanctions screening tools, tracing Ultimate Beneficial Owners (UBOs), ownership percentages including indirect ownership or aggregated minor shareholders, conducting periodic and trigger-event reviews and transaction monitoring.
Firms should take a risk-based approach, applying enhanced due diligence where ownership structures are complex, opaque, or involve higher risk jurisdictions or sectors.
Ongoing monitoring should be calibrated to identify changes in ownership and control that may give rise to heightened sanctions risk.
Firms retain ultimate responsibility for screening payments and ensuring compliance with financial sanctions. Use of third-party sanctions screening and ownership due diligence providers is often invaluable in supporting firms, particularly those with large and complex customer bases. As these cases demonstrate, this does come with ensuring that tools remain fit for purpose, including performing ongoing testing for effectiveness.
Our financial crime team supports firms in interpreting regulatory expectations and translating them into practical, defensible financial crime frameworks.
We help firms assess exposure, review sanctions risk assessments, test governance and escalation arrangements and strengthen incident response and MI. Our aim is simple: to help firms achieve clarity of judgement and proportionate solutions that stand up to scrutiny from regulatory, audit and banking partners.
Get in touch at info@thistleinitiatives.co.uk or call 0207 436 0630 to speak with our team.
James has worked in financial crime compliance across a range of sectors and firms for over 20 years.
As a certified fraud investigator, James has experience in all three lines of defence: conducting investigations, designing and delivering fraud controls and risk assessments, as well as creating and reviewing policies and procedures.