FCA Report on Sanctions Systems and Controls in Financial Firms (Published 28 May 2026)

Executive Summary

• The UK Financial Conduct Authority (FCA) has published a detailed review of financial services firms' systems and controls for complying with financial and trade sanctions.
• The report is based on proactive assessments of over 150 FCA-supervised firms since February 2022, analysis of breach reports, and ongoing supervision.

Key Context:

• UK sanctions have grown significantly in scope, complexity, and speed since 2022, particularly targeting Russia and expanding to other regimes (e.g., Iran, North Korea) and thematic areas (e.g., human rights, corruption).
• Frozen assets in the UK rose from £24.4bn (2023-24) to £37bn (2024-25).
• While firms have improved since the FCA's 2023 report, material gaps remain—especially in trade sanctions compliance, third-party oversight, screening effectiveness, and governance.
• The report highlights good practices, poor practices, and case studies across key areas. It emphasises that firms must strengthen controls to prevent breaches and evasion, aligning with the FCA's 2025-2030 strategy on fighting financial crime.

Core Message:

• Sanctions compliance is a priority.
• Firms should use this report to benchmark and remediate their frameworks.
• Financial sanctions controls are more mature than trade sanctions ones.

1. Who This Applies To

• All FCA-authorised or registered firms.
• Particularly relevant for MLROs, nominated officers, financial crime compliance professionals, and OPBAS-supervised bodies.

2. Background and What the FCA Did

• Sanctions Landscape:
• Increased use against major economies, broader sectoral/trade restrictions, and faster designations.
• FCA Actions:
• Assessed >150 firms; reviewed REP-CRIM data, self-reports, and reactive cases. Collaborates with OFSI (financial sanctions) and OTSI (trade sanctions).
• Breach Trends (2023-2025):
• Fewer reports than at peak post-2022 levels, but still high vs pre-2022.
• Mostly financial sanctions; few trade sanctions reports.
• Majority from payments, retail banking, and wholesale markets.
• Common evasion tactics:
• Complex ownership,
• Intermediaries,
• Crypto,
• Mis-declared goods,
• False documentation.
• Reporting timeliness improving (average 116 days in 2025), but 35% of 2025 reports related to prior-year activity.
• Key Root Causes of Breaches:
• Weak due diligence,
• Alert management,
• Screening (names/transactions/ownership),
• Frozen asset management, and
• Licence compliance.

3. Key Findings by Theme

• Governance and Oversight
• Good: Up-to-date policies covering all sanctions types (not just asset freezes); clear accountability; role-specific training; effective use of audits; contingency plans for system outages.
• Poor: Outdated policies; over-reliance on group/third-party providers without local oversight; focus only on asset freezes.
• Case Study Example: A bank's screening system outage led to unscreened payments queuing due to poor contingency planning.
• Management Information (MI)
• Good: Comprehensive MI with quantitative/qualitative analysis of exposure, controls, and trends (including high-risk jurisdictions and trade sanctions).
• Poor: Limited depth; weak coverage of overseas branches or trade sanctions.
• Risk Assessments
• Good: Granular, documented assessments covering financial/trade sanctions, proliferation financing, products, customers, and jurisdictions; used to remediate gaps.
• Poor: Outdated/incomplete; conflated with AML; over-reliance on vendor ratings; poor rationale for risk conclusions.
• Due Diligence and Ongoing Monitoring
• Good: Risk-based sanctions exposure questionnaires (SEQs); corroboration with public data/vessel tracking; sanctions exclusion clauses; robust oversight of third-party CDD.
• Poor: Inconsistent EDD; poor audit trails; heavy reliance on third parties without assurance; self-attestation only.
• Case Study: An insurer used vessel data and further checks to identify and report potential Russian oil sanctions exposure post-policy termination.
• Screening (Customers, Counterparties, Payments)
• Widespread use of automated screening, but deficiencies drive most breaches.
• Policies: Clear scope/frequency/escalation vs unclear or inconsistently applied.
• List Management/Data Feeds:
• Timely updates (many within 1 day) vs errors, delays, poor data quality.
• Calibration/Configuration/Testing:
• Periodic assurance and root-cause analysis vs untested vendor settings.
• Alert Management/Resourcing:
• Proper investigation vs backlogs, false negatives, or rushed discounting.
• Good: Comprehensive data coverage; internal watchlists; real-time screening.
• Poor: Gaps in ownership/control screening; exclusions without governance.
• Case Study: Returned payment not re-screened against updated lists due to poor manual processes, leading to potential breach.

Other Areas

• Evasion Detection: Strong firms use multiple data sources and proactive investigations.
• Asset Freezing/Licences: Issues with managing frozen assets and licence compliance.
• Breach Reporting: Need for robust internal assessment and timely external reporting (to FCA + OFSI/OTSI).

4. What the FCA Expects from Firms

Firms must have proportionate, effective, and tested systems and controls. Senior management should demonstrate clear oversight. Focus on:

• Holistic risk assessments and MI.
• Robust CDD/EDD and ongoing monitoring.
• Well-governed screening (including ownership/control).
• Strong third-party assurance.
• Evasion detection capabilities.
• Timely breach identification, freezing, and reporting.

Action List for Firms

Prioritise these actions based on your firm's risk profile, business model, and exposure (e.g., payments, trade finance, insurance, crypto):

• Gap Analysis — Conduct an immediate review of your sanctions framework against the FCA's good/poor practices and case studies. Document findings in a board/MLRO report. (Priority: High; Timeline: Within 3 months)
• Governance & Policies — Update policies/procedures to cover all sanctions types (financial, trade, sectoral). Ensure clear accountability, training (role-specific), and contingency plans. Strengthen third-party/group oversight with contracts, reviews, and assurance. (Priority: High)
• Risk Assessments & MI — Refresh business/product/jurisdictional risk assessments with granular sanctions analysis (including trade/proliferation). Enhance MI for senior management with exposure trends, control effectiveness, and overseas branch coverage. (Priority: High)
• Due Diligence & Monitoring — Implement/enhance risk-based SEQs and EDD. Improve ongoing monitoring, documentation, and corroboration (e.g., through vessel tracking and public data). Define review frequencies. (Priority: Medium-High)
• Screening & Alert Management — Review screening policies, list management, calibration, and testing. Ensure timely updates, full data coverage (including ownership/control), and robust alert investigation/resourcing. Test for real-world effectiveness. (Priority: High — root cause of most breaches)
• Evasion, Freezing & Licences — Strengthen detection of evasion techniques. Review the asset-freezing processes and licence-compliance procedures. (Priority: Medium)
• Breach Processes — Ensure clear internal escalation, root-cause analysis, and timely reporting to FCA/OFSI/OTSI. Track remediation. (Priority: High)
• Training & Assurance — Deliver tailored training and use audits (internal/external) for ongoing assurance. (Priority: Medium)
• Trade Sanctions Focus — If relevant to your business, build specific capabilities (e.g., goods screening, documentation checks) beyond financial sanctions. (Priority: As applicable)
• Board & Senior Management — Present this briefing and action plan to the Board/MLRO forum. Establish ongoing progress monitoring with clear ownership and deadlines. Report material weaknesses to the FCA if required.

Next Steps Recommended:

• Firms should consider this report alongside OFSI/OTSI guidance and the FCA's 2023 sanctions report. The FCA expects firms to act on these findings as part of ongoing supervision.

This briefing provides a comprehensive overview.

• For the full FCA report, refer to the official publication. Firms are encouraged to seek specialist legal/compliance advice tailored to their operations.
• https://www.fca.org.uk/publications/good-and-poor-practice/sanctions-systems-and-controls-our-firms-our-findings