On 28 May 2026, the Financial Conduct Authority (FCA) published its findings in relation to financial firms’ controls, highlighting good and poor practices and areas for improvement to support better compliance with sanctions rules.
Background
The FCA highlights that the UK’s sanctions regimes have grown in scope and complexity over the past four years. It therefore recently assessed financial services firms’ systems and controls for financial and trade sanctions. As a result, the FCA now sets out examples of good and poor practice, and areas for development, to help firms comply with sanctions legislation.
Summary
Overall, the FCA sets out that although there were fewer reports of suspected sanctions breaches from FCA-supervised firms between 2023 and 2025, the figure remains substantial compared to pre-2022 levels. Most reported breaches relate to financial sanctions, with only a comparatively small proportion of breach reports submitted by firms relating to trade sanctions. As a result, it sets out key observations in areas including:
- Key themes in breaches: The most common root causes of reported sanctions breaches were weaknesses in due diligence, alert management, transaction and name screening, as well as the management of frozen assets and compliance with specific and general licences. Firms should focus on strengthening their control frameworks in these areas as they underpin many of the issues the FCA observes.
- Governance and oversight: Sanctions frameworks only work well if firms have strong governance and oversight. Firms should have clear ownership and accountability for compliance, and their senior management should oversee and provide informed decision-making, acting quickly to address weaknesses. Firms should also have robust contingency plans to deal with sudden events or system outages.
- Management Information (MI): Meaningful MI should allow senior management to understand sanctions exposure, emerging risks, control effectiveness and issues that need escalating or remediating. Firms generally reported some sanctions-related MI to senior management. Tracking and reporting true matches and false positives arising from customer and transaction screening against the UK Sanctions List is also common practice. However, the quality and depth of sanctions MI varied. Stronger MI included data and commentary on the nature and extent of inherent sanctions exposures, the operation of the firms’ controls structures and the crystallisation of any sanctions risks.
- Risk assessments: Good sanctions risk assessments should guide how firms design and operate their systems and controls. Firms should assess their exposure to sanctions risks present among their customers, products and the jurisdictions they operate in, as well as the strength of the systems and controls they have in place to address them, which can help identify control gaps and support remediation.
- Due diligence and ongoing monitoring: Robust customer due diligence (CDD) at onboarding and ongoing reviews can help firms identify sanctions risks and take actions throughout the customer lifecycle. Some firms understood and assessed the sanctions risks posed by their customers. In others, initial screening and CDD at onboarding did not show that they’d properly considered how they would get a clear view of their sanctions exposure. Among those that had found higher sanctions risks, the use of enhanced due diligence (EDD) tools such as sanctions exposure questionnaires was inconsistent. In some cases, questions were outdated, did not consistently cover UK sanctions regimes, or were used only as a form of customer self-attestation.
- Screening: Good sanctions screening can find potential sanctions risks across customer and counterparty relationships and transactions. Firms’ screening and alert management systems and processes should be proportionate to risk exposure, appropriately calibrated, and regularly tested and reviewed.
- Screening policies: Firms with stronger screening frameworks often supported their screening activity with well‑documented policies and procedures with details of who or what to screen, how often, and how to escalate and resolve potential matches. More mature frameworks had clear escalation routes, with defined roles and responsibilities across the first and second lines of defence. However, the FCA also found screening policies that were unclear, incomplete, or not applied consistently.
- List management and data feeds: Firms varied in their approaches to sanctions list management and the underlying data feeds. Around two-thirds of those in the FCA’s proactive work said that they implemented sanctions list updates within one day of notification and had processes and controls in place so that updates were accurate and prompt. However, the FCA also found errors or omissions in sanctions lists provided by third-party vendors, because of poor quality data and the transfer of data between systems, as well as delays or failures in updating the UK Sanctions List in a timely manner.
- Calibration, configuration, and assurance testing: The sophistication of firms’ screening configuration and testing varied considerably. Effective practices included periodic calibration and quality assurance testing, engaging with vendors to retest systems following list updates or changes to matching logic, and using root cause analyses following screening mismatches to improve performance. In contrast, the FCA also observed limited testing and oversight of sanctions screening systems, meaning that some firms could not easily detect obfuscated or variant names, including those with non-Latin characters. This meant that firms couldn’t find exact matches between names on their systems and the UK Sanctions List, nor easily identify name variations.
- Alert management and resourcing: Alert handling was a common cause of reports of suspected breaches by firms. This includes failures to respond to alerts and to freeze accounts before assets were moved, and handling errors leading to alerts being incorrectly resolved, sometimes due to unclear procedures, training, or oversight controls.
- Evasion detection and investigation: Screening names and payments may not always be sufficient to identify activities breaching sanctions, particularly as connections to sanctioned activity can’t always be identified from transaction messaging. This is particularly the case for sanctions outside asset freeze measures, such as sectoral financial sanctions and trade sanctions. Firms may need to undertake transaction monitoring, data analysis, thematic reviews and intelligence-led investigations, and have a good understanding of evasion typologies and how these may manifest across a firm’s business.
- Asset freezing and licence compliance: To effectively comply with asset freezing and the requirements set out in sanctions licences, firms must have clear processes to quickly identify, implement and maintain the requirements. Policies, procedures and systems, along with staff training and appropriate governance, can help ensure assets are frozen and remain frozen, and that licence permissions are managed.
- Reporting and assessing breaches: UK sanctions legislation defines obligations for reporting suspected breaches of financial and trade sanctions. This requires firms to have clear processes for identifying, escalating and reporting potential breaches to relevant authorities in a timely manner. Discovering what caused the breaches can inform remediation, control enhancements, and risk assessments. Firms are identifying and reporting breaches more quickly and the reporting data shows the average time between identification and reporting has shrunk slightly from 2024.
Next steps
Firms should consider the findings and examples in this report and continue to review their systems and controls to ensure they comply with both financial and trade sanctions.
The FCA is working with the firms in which it found weaknesses during its review, to make sure they’re taking the right remedial action, and will continue to monitor firms to help drive improvements and reduce financial and trade sanctions risk across the industry.
The FCA will also continue to liaise and work with relevant partners across HM Government such as the Office of Financial Sanctions Implementation and the Office of Trade Sanctions Implementation to share insights to enhance the FCA’s work.

