As sanctions regimes evolve, the gap between how firms assess sanctions risk and how that risk actually crystallises is becoming harder to ignore.
The FCA’s recent review of sanctions systems and controls highlights a common challenge: sanctions compliance cannot be treated as a static list-screening exercise. Firms need to understand their exposure, assess it properly, and evidence that controls operate effectively in practice.
What did the FCA find?
The FCA identified weaknesses across several key areas of firms’ sanctions frameworks, including:
- sanctions risk assessments;
- customer due diligence;
- screening controls;
- management information;
- vendor oversight; and
- testing and assurance.
While many firms have invested significantly in sanctions frameworks since 2022, the regulator found that weaknesses often arise where controls are not connected or where firms cannot evidence that controls operate effectively in practice.
Why sanctions risk doesn't always look how you expect
In May 2026, the UK announced further measures targeting crypto and illicit finance networks used to circumvent sanctions, including the Kremlin-backed A7 network and cryptoasset infrastructure connected to Russian sanctions evasion. The designation of Huobi Global S.A., associated with the HTX exchange, has also prompted industry debate about how firms identify exposure where the name on the sanctions list does not neatly match the platform, counterparty or entity through which activity is taking place. This is not a separate issue from the FCA’s findings. It is a practical example of the same underlying challenge – that firms need controls capable of identifying sanctions risk as it actually appears in their business.
Similar themes have emerged internationally, with recent European case law reinforcing the need for firms to apply risk-based judgement rather than relying solely on screening outcomes.
For firms, the key question is not simply ‘do we screen?’. It is whether the wider sanctions framework is capable of identifying, assessing, escalating and evidencing sanctions risk across the customer and transaction lifecycle.
How should firms assess sanctions risk?
One of the clearest messages from the FCA’s review is that firms need to understand how sanctions risk could arise in their specific business model. A short sanctions section within a broader financial crime risk assessment is unlikely to be enough if it does not explain the firm’s exposure across customers, products, jurisdictions, counterparties and transaction flows.
This matters because sanctions risk is not a single risk type with a single control. Financial sanctions, trade sanctions, sectoral restrictions, proliferation financing and ownership and control risk can crystallise in different ways. Screening may help identify a designated person, but it will not necessarily identify whether a customer is using a product to support restricted trade, whether a payment chain involves a prohibited intermediary, or whether a counterparty is indirectly owned or controlled by a sanctioned person.
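The indirect ownership point above is the one piece of this that lends itself to a worked calculation. The following is an added example, not code from the page, the FCA or any screening vendor: it models a constructed shareholding structure as a graph, aggregates each ultimate owner's direct and indirect percentage, and flags entities where designated persons' combined holding reaches an assumed 50% threshold. The entity names, percentages and the threshold are all constructed for illustration; control through voting rights, board appointments or agreements is not modelled.

```python
"""Aggregate direct and indirect ownership for an ownership-and-control check.

Added example (not the page's or any vendor's code). The structure below is
constructed: holdings[child] = {parent: percent of child held by parent}.
"""
from collections import defaultdict

HOLDINGS = {
    "TargetCo Ltd": {"HoldCo A": 60.0, "Unrelated Investor": 40.0},
    "HoldCo A": {"Designated Person X": 45.0, "HoldCo B": 55.0},
    "HoldCo B": {"Designated Person X": 30.0, "Other Shareholder": 70.0},
}
DESIGNATED = {"Designated Person X"}   # constructed designation
CONTROL_THRESHOLD = 50.0               # assumed aggregate-ownership threshold


def effective_ownership(entity, holdings=HOLDINGS, _path=()):
    """Return {ultimate_owner: aggregate percent} for `entity`.

    Walks up the shareholding chain, multiplying percentages along each
    path and summing across paths. An entity with no recorded parents is
    treated as an ultimate owner. Cycles (cross-holdings) are cut rather
    than followed, so the function always terminates.
    """
    if entity in _path:
        return {}
    parents = holdings.get(entity)
    if not parents:
        return {entity: 100.0}
    result = defaultdict(float)
    for parent, pct in parents.items():
        upstream = effective_ownership(parent, holdings, _path + (entity,))
        for owner, share in upstream.items():
            result[owner] += pct * share / 100.0
    return dict(result)


def ownership_flags(entity, designated=DESIGNATED, threshold=CONTROL_THRESHOLD):
    """Sum the aggregate holding of all designated persons in `entity`.

    Returns (flagged, aggregate_percent). Holdings of several designated
    persons are added together, since the risk question is the combined
    interest, not any single shareholder's line in the register.
    """
    owners = effective_ownership(entity)
    aggregate = sum(share for owner, share in owners.items() if owner in designated)
    return aggregate >= threshold, round(aggregate, 2)


if __name__ == "__main__":
    for name in ("TargetCo Ltd", "HoldCo A"):
        flagged, pct = ownership_flags(name)
        print(f"{name}: designated persons hold {pct}% -> {'FLAG' if flagged else 'below threshold'}")
```

Running it shows why a list match on the direct shareholder register is not enough: Designated Person X never appears as a direct holder of TargetCo Ltd, yet holds 36.9% of it indirectly, and holds 61.5% of HoldCo A once the HoldCo B chain is aggregated. A firm that only screened the names on TargetCo's own register would see neither figure.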
Trade sanctions are a good example. Firms do not need to offer traditional trade finance products to be exposed to trade sanctions risk. Payments firms, e-money institutions, merchant acquirers, cryptoasset firms and investment firms may all face exposure where customers operate in restricted sectors, payments relate to prohibited goods or technology, or funds are routed through intermediaries to obscure the true nature, destination or end use of a transaction.
Why do due diligence and data quality matter for sanctions screening?
The FCA’s findings also underline the relationship between due diligence, data quality and screening. Screening tools can only operate effectively where the firm holds accurate, complete and relevant information about the customer, its ownership and control structure, its activities, jurisdictions, counterparties, and expected transaction profile.
This is particularly important for higher-risk customers, complex corporate structures, financial institutions, customers with international operations, customers exposed to higher-risk jurisdictions, and customers operating in sectors vulnerable to sanctions circumvention. In those cases, onboarding should not simply confirm whether the customer is designated. It should help the firm understand whether there is direct or indirect exposure to sanctioned parties, restricted sectors, ownership and control concerns, or activity outside the firm’s risk appetite.
EDD tools such as sanctions exposure questionnaires can support that assessment, but they should not be treated as self-certification. Responses need to be reviewed, challenged where appropriate, and corroborated against other information. The output should then inform customer risk assessment, screening, ongoing monitoring and escalation.
What does effective sanctions screening look like?
Screening remains a core sanctions control, but it should not operate as a series of isolated checks. Firms need to be clear on who and what is screened, when screening takes place, how alerts are investigated, and when issues should be escalated. Without that clarity, screening may identify individual customer or payment matches, but fail to operate as a connected control across the customer and transaction lifecycle.
The FCA’s returned payments case study highlights the point. Sanctions risk can change after a transaction has first been screened. Where a payment is returned, refunded, rejected or otherwise reprocessed, firms should consider whether further screening or escalation is required before funds are released, particularly where there has been a new designation, a change in available information, or a gap in the data received with the returned payment.
The same principle applies across the wider customer and transaction lifecycle. Changes in ownership, list updates, account closures, chargebacks, frozen funds and other trigger events may all alter the firm’s sanctions exposure. Firms should also consider whether relevant typologies, regulatory updates, internal investigations, and emerging risk indicators are being used to inform screening configuration, alert investigations, escalation decisions and, where appropriate, internal watchlists or additional data sources.
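The returned-payments case study and the lifecycle point above can be made concrete. The following is an added example, not code from the page, the FCA or any vendor: it implements a small screening function (name normalisation, alias handling and fuzzy matching against a versioned list) and a decision routine that re-screens a returned payment when the list has moved on since the original screen or when the returned message lacks required data. The list entries, party names, the 0.85 fuzzy threshold and the set of required return fields are constructed assumptions; a production control would take these from the firm's own configuration and testing.

```python
"""Lifecycle sanctions screening with list-version tracking.

Added example (not the page's, the FCA's or any vendor's code). List
entries, names, the fuzzy threshold and the required data fields are
constructed assumptions for illustration.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

FUZZY_THRESHOLD = 0.85  # assumed; should be calibrated and tested per firm
REQUIRED_RETURN_FIELDS = ("originator", "beneficiary", "return_reason")  # assumed


def normalize(name: str) -> str:
    """Casefold, strip diacritics and punctuation, sort tokens.

    Token sorting makes 'Primerov Ivan' equal to 'Ivan Primerov'; removing
    punctuation makes 'S.A.' equal to 'SA'. Hyphenated names collapse to one
    token, which is a deliberate trade-off for this example.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", "", ascii_only.casefold())
    return " ".join(sorted(cleaned.split()))


@dataclass
class ListEntry:
    name: str
    aliases: tuple = ()

    def candidates(self):
        return [normalize(n) for n in (self.name, *self.aliases)]


@dataclass
class SanctionsList:
    version: int
    entries: list

    def screen(self, party: str):
        """Return (best_entry, score); best_entry is None below the threshold."""
        target = normalize(party)
        best, best_score = None, 0.0
        for entry in self.entries:
            for cand in entry.candidates():
                score = 1.0 if cand == target else SequenceMatcher(None, target, cand).ratio()
                if score > best_score:
                    best, best_score = entry, score
        if best_score >= FUZZY_THRESHOLD:
            return best, round(best_score, 3)
        return None, round(best_score, 3)


@dataclass
class ScreeningRecord:
    """What the firm keeps from the original screen: who, against which list version, outcome."""
    party: str
    list_version: int
    matched: bool


def rescreen_returned_payment(record, current_list, returned_payment: dict):
    """Decide whether a returned payment can be released without further work.

    Triggers for re-screening are a list version newer than the one used
    originally, or required fields missing from the returned message. A hit
    or a data gap holds the funds for investigation; otherwise they are
    released with the re-screen recorded.
    """
    reasons = []
    if current_list.version != record.list_version:
        reasons.append(f"list updated v{record.list_version} -> v{current_list.version}")
    missing = [f for f in REQUIRED_RETURN_FIELDS if not returned_payment.get(f)]
    if missing:
        reasons.append("returned message missing: " + ", ".join(missing))
    if not reasons:
        return {"action": "release", "rescreened": False, "reasons": reasons}
    party = returned_payment.get("beneficiary") or record.party
    entry, score = current_list.screen(party)
    if entry is not None:
        reasons.append(f"hit on '{entry.name}' (score {score})")
    action = "hold" if (entry is not None or missing) else "release"
    return {"action": action, "rescreened": True, "reasons": reasons}


# Constructed lists: v2 adds an entity designated after the original screen.
LIST_V1 = SanctionsList(1, [ListEntry("Ivan Primerov", ("Primerov Ivan",))])
LIST_V2 = SanctionsList(2, LIST_V1.entries + [ListEntry("Fictive Exchange S.A.", ("Fictive Exchange",))])
RETURNED = {"originator": "Payer Ltd", "beneficiary": "Fictive Exchange SA", "return_reason": "account closed"}

if __name__ == "__main__":
    original = ScreeningRecord("Fictive Exchange SA", list_version=1, matched=False)
    print(rescreen_returned_payment(original, LIST_V1, RETURNED))   # release, no re-screen
    print(rescreen_returned_payment(original, LIST_V2, RETURNED))   # hold: new designation
    print(rescreen_returned_payment(original, LIST_V1, {"beneficiary": "Fictive Exchange SA"}))  # hold: data gap
```

The point of carrying `list_version` on the screening record is that "was this screened?" becomes answerable as "screened against what, and has anything changed since?". The same trigger logic extends to the other events the text lists (ownership changes, account closures, chargebacks, frozen funds) by adding further reasons in the same place, and the recorded `reasons` are what an alert investigator or assurance reviewer would expect to see.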
How should firms oversee outsourced sanctions controls?
Many firms rely on vendors, outsourced providers or group functions to support CDD, screening or alert handling. That can be appropriate, but it does not reduce the need for internal accountability.
Firms need to understand how the control operates, whether it is configured appropriately for their risk profile, and how issues are identified, escalated and remediated. This includes understanding list coverage, update frequency, matching logic, thresholds, fuzzy matching, aliases, transliterations, suppression rules and the testing performed over the control.
This is particularly important for UK firms operating within international groups or using globally configured screening tools. Local senior management need sufficient visibility to satisfy themselves that UK sanctions requirements are reflected in policies, procedures, training, screening configuration, escalation processes, and management information.
What should firms do following the FCA's sanctions review?
Firms should consider whether:
- their sanctions risk assessment reflects actual exposure;
- CDD and EDD capture direct and indirect sanctions risks;
- customer and transaction data is sufficient to support screening;
- screening operates across the customer and transaction lifecycle;
- vendor and group-operated controls are subject to meaningful oversight; and
- management information and assurance provide a clear view of control effectiveness.
How fscom can help
Every firm’s sanctions framework sits at a different stage of maturity, and the right next step depends on where yours stands today. Whether you need a rapid diagnostic to identify material gaps, a focused review of specific high-risk areas, or independent assurance you can take to your Board, Audit Committee, or regulator, fscom’s sanctions specialists can help you find the right starting point.
To support firms in assessing their own frameworks, fscom has developed a practical Sanctions framework best practice guide, structured around the key components of an effective sanctions control framework.
The guide includes good practice indicators, self-assessment questions, and a framework scorecard designed to help firms identify gaps, prioritise remediation, and assess compliance maturity.