The most common causes of sanctions breaches at UK financial institutions are weaknesses in screening and alerts, the Financial Conduct Authority (FCA) has revealed, following a probe into more than 150 supervised firms.
The regulator said it has carried out an examination of the financial sector’s approach to sanctions since September 2023, assessing reports related primarily to Russia, but also Libya, Iran and North Korea.
The review uncovered a “mixed standard of governance, oversight and control frameworks” across both financial and trade-related sanctions, the regulator said.
It cited several examples of good practice, but also warned of weaknesses in firms’ due diligence, alert management, transaction monitoring and name screening processes, as well as in managing assets that have been frozen.
It said firms should “focus on strengthening their control frameworks in these areas”, adding that it is working on remedial action with firms where weaknesses were found.
The examination follows a sector-wide assessment launched by the FCA in February 2022 and an initial review published in September the following year.
The FCA revealed that since then, the most common underlying causes of sanctions breaches were deficiencies in firms’ screening and alert management.
It gave the example of an unnamed wholesale bank that suffered a system integration issue, which meant transactions were not screened for an extended period of time.
“The problem arose from a data feed failure between internal systems and the firm didn’t spot it through routine monitoring – it only came to light during a later internal review,” the regulator said. “As a result, the firm had to conduct an extensive review to assess whether breaches had occurred.”
In another case, a bank processed payments referencing vessels that were linked to an individual sanctioned by UK authorities.
The FCA said the bank’s screening controls were “too narrow”, meaning they failed to detect the vessel names because they were not presented in the format expected.
At one lender, key risk indicators were missed and vessel-related salary payments were processed despite the ship’s ties to sanctioned entities, the regulator said. “Analysts, under pressure to meet internal targets, bypassed mandatory sanctions escalation procedures, resulting in incomplete checks, weak documentation, and missed connections to the designated vessel owner,” it said. “This resulted in potential sanctions breaches.”
The regulator said such breaches were most often due to issues such as outdated lists of sanctioned entities, poorly applied screening rules and gaps in ownership or control information.
It also warned firms about overreliance on third-party screening firms, highlighting a bank that suffered a “significant” issue when its external sanctions screening system was unavailable.
“Because it didn’t have effective contingency arrangements, the firm was unable to… block transactions at the point of processing, resulting in thousands of payments queuing without being screened,” it said.
However, the FCA added that the majority of firms understood the importance of timely sanctions screening, with most monitoring payments in real time, and 76% conducting name screening on a daily basis.
It cited a bank whose client received transfers from companies potentially acting as intermediaries in illicit Russian fuel trades.
Although the payment messages did not show any indicators of high risk, the bank discovered inconsistencies between the client’s declared business activity and its counterparties’ oil operations.
“The firm promptly interdicted the transactions, added the entities to its exclusion lists, and instructed the client to cease all related activity, preventing further potential evasion,” the regulator said.
The FCA concluded that financial institutions must have “robust”, comprehensive, day-to-day screening frameworks in place.
It also called for adequate due diligence and risk assessment when onboarding new customers, noting that some institutions struggled to identify entities’ true beneficial ownership – particularly where control structures were multilayered or opaque.






