UK Financial Conduct Authority Review of Firms’ Sanctions Systems and Controls

Client Alert

Overview

On May 28, 2026, the UK Financial Conduct Authority (FCA) published its findings after reviewing 150 authorized firms’ sanctions systems and controls, concluding that while firms have materially improved since 2022, significant gaps remain that continue to drive sanctions breaches.1

This alert summarizes the key findings and sets out practical steps for regulated firms’ in-house legal and compliance teams to take in order to mitigate their firms’ regulatory sanctions risk.

Key Findings

Improvements made but there’s still more to do.

Firms are increasingly able to identify and prevent breaches before they occur, reflecting investments in systems and controls. However, the FCA identified recurring deficiencies in the following areas as the principal drivers of reported breaches:

  • customer due diligence;
  • alert handling and escalation processes;
  • transaction- and name-screening systems;
  • management of frozen assets; and
  • compliance with both general and specific licenses.

Trade sanctions are an area of increasing risk.

Firms struggle more with trade sanctions compliance than with financial sanctions. The FCA found that firms’ trade sanctions controls are more varied and less mature, reflecting the operational complexity of implementing the trade sanctions framework, which has broadened beyond traditional military and dual-use goods to include prohibitions on the trade of a wider range of goods and technologies alongside restrictions on services ancillary to trade and stand-alone services.

Breach reporting is changing.

Most breach reports still relate to Russia-related sanctions, but they increasingly relate to Iran, North Korea and Libya as well.

The FCA expects to receive more reports from the insurance and digital assets sectors than it currently does. The majority of breach reports are from firms in the payments, retail banking and wholesale financial markets sectors.

Identifying and reporting suspected breaches is improving but not always timely; the FCA found that 35% of breaches reported in 2025 related to activity that occurred prior to that year.

Governance and management information (MI) around sanctions is varied.

The FCA observed variability in senior management oversight, the quality and granularity of MI, and risk assessment frameworks. The FCA’s view is that sanctions frameworks only work well if firms have strong governance and oversight, including clear ownership and accountability for compliance. Senior managers need to understand sanctions exposure, emerging risks, control effectiveness, and issues that need escalating or remediating.

FCA supervisory focus on sanctions continues.

The FCA continues proactive assessments and data-driven supervision. It has strengthened coordination with government bodies, including entering a new memorandum of understanding with the Office of Trade Sanctions Implementation (OTSI).

Practical Steps

The FCA’s message is clear: Sanctions compliance remains a supervisory priority and firms are expected to demonstrate operationally effective, risk-based control frameworks. The 10 practical steps below serve as a checklist for in-house legal and compliance teams to mitigate their firms’ regulatory sanctions risk.

  1. Regularly revisit sanctions risk assessments enterprise-wide, ensuring they reflect current geopolitical exposure beyond Russia; cover products, clients, counterparties and jurisdictions; and explicitly address trade sanctions risk. Firms would also be well advised to validate and record that conclusions are evidence-based and specific.
  2. Conduct a “controls effectiveness” review to test whether existing controls detect real-world risks, including poor screening calibration (false positives versus missed hits, gaps in ownership/control screening), outdated lists (errors, omissions, feed delays), large alert backlogs and long resolution times. Consider whether independent validation or an internal audit targeting the FCA’s identified weak points is required. Regularly reassess whether any incidents indicate systemic control weaknesses.
  3. Strengthen screening frameworks by reviewing name and transaction screening logic and thresholds, coverage of beneficial ownership and indirect exposure, and the integration of UK-specific requirements into global frameworks. Algorithms struggle with real-world name variation. Firms performed well on exact matches but poorly on spelling variants, one-word names, digits, titles and non-Latin characters. Performing scenario testing using typologies (e.g., evasion via intermediaries or digital assets) would also be well advised.
  4. Enhance governance and accountability by ensuring clear SMF ownership of sanctions risk and providing regular, useful MI to senior management. MI should include breach/root cause analysis, screening performance metrics, and exposure by jurisdiction and sector.
  5. Improve alert management and escalation by addressing backlogs and aging alerts. The FCA has little patience for failures caused by backlogs, particularly if those are due to known resourcing issues.
  6. Focus on frozen assets and licensing processes by implementing controls to ensure accurate identification and ringfencing of frozen assets and compliance with Office of Financial Sanctions Implementation (OFSI) licensing conditions.
  7. Consider whether it is necessary to build out your firm’s trade sanctions For firms with relevant exposure, trade compliance expertise should be integrated into financial crime frameworks and supply chains and goods/services risk should be mapped.
  8. Review reliance on group and third-party systems; consider challenging assumptions if relying on group-level frameworks or third-party screening providers. Vendor reliance does not equate to regulatory assurance. Firms must ensure that they understand and challenge their vendors’ logic and document the challenge.
  9. Anticipate and prepare for supervisory engagement regarding sanctions. Firms should expect deep dives into MI, governance, data, and requests for evidence of remediation and testing. As a result, firms should ensure they maintain a clear audit trail of enhancements to their sanctions systems and controls, incorporating the feedback provided by the FCA in this review.
  10. Stress-test incident response and reporting by confirming processes for identifying and reporting breaches to the FCA, OFSI, OTSI and other authorities.
