The FCA’s latest findings and recent OFSI enforcement action highlight the common weaknesses that leave firms exposed despite having policies, screening tools and governance frameworks in place. Thistle consultant Oxana Pisier-Caillet explores why sanctions controls continue to fail in practice, and the steps firms should take to strengthen their sanctions compliance framework.
Recent enforcement action by the Office of Financial Sanctions Implementation (OFSI), including significant monetary penalties for sanctions breaches and control failings, serves as a reminder that sanctions compliance remains firmly under regulatory scrutiny. Combined with the FCA’s latest findings on sanctions systems and controls, these developments highlight a recurring issue across the financial services sector: many firms continue to struggle with the practical implementation of sanctions compliance frameworks.
The majority of firms have sanctions policies, screening tools and governance structures in place. However, the regulator’s observations suggest that weaknesses often emerge when firms attempt to operationalise those controls effectively and consistently across the business. A common theme throughout the FCA’s findings is that firms frequently appear more focused on demonstrating the existence of controls than on evidencing whether those controls genuinely operate effectively in practice. This is particularly relevant given the increasing complexity of sanctions regimes, heightened geopolitical risk and increasing regulatory focus on operational effectiveness.
The FCA’s observations provide valuable insight into the areas where firms continue to fall short and, equally importantly, what good practice looks like in comparison. In this article, we examine some of the key themes emerging from the FCA’s findings, highlight examples of both good and poor practice, and consider what firms should be doing to strengthen their sanctions control frameworks and reduce the risk of regulatory scrutiny.
A recurring theme throughout the findings is overreliance on standard screening processes without sufficient consideration of how sanctions risk may arise within a firm’s specific products, services, customer base and geographic footprint. The FCA also identified examples of fragmented accountability, particularly where sanctions responsibilities were shared across group functions, outsourced providers or multiple jurisdictions.
The regulator further highlighted firms’ difficulties in identifying indirect sanctions exposure. In many cases, exposure was concealed through complex ownership structures, intermediaries or transactional relationships that would not have been identified through direct screening alone. As sanctions evasion techniques continue to evolve, firms are increasingly expected to look beyond straightforward customer relationships and understand the broader context in which sanctions risk may arise.
By contrast, the firms that performed better tended to have clearer ownership of sanctions risk, stronger governance and a more proactive approach to reassessing controls as sanctions risks evolved.
The FCA also identified recurring weaknesses in sanctions screening frameworks and surrounding controls. These included outdated sanctions lists, ineffective matching logic, poorly calibrated screening settings, incomplete customer data and limited testing of screening effectiveness. In several cases, firms could not adequately explain how screening configurations operated or how material changes were governed and validated internally. A common issue across the sector is that firms often assume that implementing a recognised vendor solution is sufficient evidence of a strong sanctions framework. The FCA’s findings suggest that screening technology remains heavily dependent on the quality of governance, oversight and operational understanding surrounding it.
The FCA's observations are consistent with issues we regularly encounter when reviewing sanctions control frameworks. In our experience, weaknesses rarely arise because firms have selected the wrong screening provider. More often, problems emerge through poor configuration, inadequate governance or a lack of understanding of how screening rules operate in practice. We have seen instances where matching logic, screening thresholds or data quality issues reduced the effectiveness of otherwise well-established screening solutions, resulting in potential matches not being identified or alerts not being generated as expected.
Firms demonstrating stronger practices generally carried out regular tuning exercises, assurance testing and independent validation over screening outcomes and alert management processes. More mature firms also appeared to have a stronger understanding of the limitations of screening technology and the extent to which manual investigation and operational judgement remained necessary.
The FCA’s findings also suggest that many firms continue to experience weaknesses in their operational response to sanctions risks once potential exposure has been identified. In several cases, alerts were not escalated appropriately, investigations lacked sufficient documentation or restrictions were not applied sufficiently following identification of sanctions exposure. The FCA also identified examples where operational pressures affected decision-making or where firms relied heavily on manual controls that became ineffective during periods of increased alert volumes or reduced staffing capacity.
These findings reflect a broader issue across financial crime compliance functions, where firms may invest significantly in detection capabilities while underestimating the operational infrastructure required to investigate, escalate and resolve sanctions risks effectively. We frequently observe similar challenges during independent reviews and remediation programmes. Firms often devote significant attention to screening and detection controls but comparatively less to the processes that sit behind them and to the resources needed to investigate alerts. As a result, escalation procedures, investigation procedures and decision-making frameworks are not always sufficiently robust to support effective sanctions risk management.
Firms demonstrating stronger practices generally showed more detailed escalation procedures, more robust quality assurance processes and greater operational resilience within alert handling and investigation teams.
The FCA’s findings also indirectly highlight the importance of specialist sanctions expertise. Some firms appeared to rely heavily on generalist compliance, audit or operations teams without sufficient technical understanding of sanctions-specific risks, particularly in areas such as ownership and control analysis, trade finance exposure, screening calibration and sanctions evasion typologies. This can become more pronounced where compliance functions are centralised outside the UK and lack familiarity with FCA expectations or supervisory priorities.
Firms with stronger frameworks generally appeared to combine governance oversight with access to more specialist operational expertise capable of providing effective challenge across both technical and operational sanctions risks.
The FCA’s findings highlight that sanctions compliance is no longer simply about having policies, screening tools and governance frameworks in place. Firms are increasingly expected to demonstrate that sanctions controls operate effectively in practice and remain proportionate to their evolving risk profile.
As firms assess their own frameworks, particular attention should be given to:
Governance and accountability arrangements for sanctions risk.
The identification of indirect sanctions exposure through ownership, control and transactional relationships.
The effectiveness, calibration and ongoing testing of sanctions screening systems.
Escalation, investigation and decision-making processes following the identification of potential sanctions exposure.
The availability of appropriate sanctions expertise across compliance, operations and assurance functions.
Independent oversight and assurance over sanctions controls and remediation activities.
For many firms, the difficulty is not recognising the importance of sanctions compliance. More often, the challenge lies in ensuring that governance, technology and operational processes work together effectively as sanctions risks continue to evolve.
Where weaknesses are identified, firms should view them as an opportunity to strengthen their sanctions control environment before they become regulatory concerns. A proactive review of sanctions governance, screening frameworks and operational controls can help organisations assess whether their arrangements remain effective, proportionate and aligned to regulatory expectations.
Whether undertaking an independent review of sanctions controls, assessing screening effectiveness or supporting remediation programmes, we help firms identify weaknesses before they become regulatory concerns. Drawing on experience gained through regulatory reviews, Skilled Person engagements and advisory assignments, we support firms in strengthening sanctions governance, screening controls, operational processes and assurance frameworks to ensure controls are operating effectively in practice and delivering the outcomes regulators expect.
Our financial crime team supports firms in interpreting regulatory expectations and translating them into practical, defensible financial crime frameworks.
We help firms assess exposure, review sanctions risk assessments, test governance and escalation arrangements and strengthen incident response and MI. Our aim is simple: to help firms achieve clarity of judgement and proportionate solutions that stand up to scrutiny from regulatory, audit and banking partners.
Oxana is a Financial Crime Consultant at Thistle Initiatives. She previously worked as a Corporate Risk & Due Diligence Specialist at Interfax in London, following an early career in Geneva. Oxana holds a Master’s degree in Countering Organised Crime and Terrorism and brings expertise in due diligence, corporate risk assessment and financial crime prevention.