The FCA’s latest sanctions review raises the bar for firms to prove that screening systems, data feeds, alert workflows and vendor arrangements work under live sanctions conditions.
The review draws on the FCA’s assessment of more than 150 supervised firms since February 2022. It includes examples of good and poor practice across governance, management information, risk assessment, due diligence, screening, list management, alert handling, evasion detection, asset freezing and breach reporting.Sanctions Risk Has Changed
The FCA notes that UK sanctions regimes have expanded in scale, breadth and speed since 2022. The Russian regime remains a major source of reported breaches, but the regulator also points to reports linked to Libya, Iran and North Korea. The FCA also cites suspected thematic breaches linked to global anti-corruption, human rights and counter-terrorism regimes.
Sanctions risk can arise through multiple sources including ownership chains, relatives, close associates, correspondent banks, cryptoasset or e-money wallets, trade documentation, vessel links, high-risk goods and misstated end use.
The total value of assets in the UK reported as frozen rose from £24.4 billion in 2023–24 to £37 billion in 2024–25. The FCA also found that 35% of breaches reported in 2025 related to activity from earlier years. The average time between identification and reporting was 116 days.
Those figures point to a core operational issue. Sanctions controls that can detect exposure, restrict activity, escalate cases, freeze assets and support reporting within defined timeframes are critical. Delayed identification and reporting by firms reveals weaknesses across data, workflow and accountability.
Governance Needs Operational Evidence
The FCA found mixed standards of governance and oversight. Stronger firms had sanctions policies aligned to their business model, meaningful management information for senior management, role-specific training and audit assurance. Weaker firms had outdated policies, limited coverage of sectoral or trade sanctions, and dependence on group entities or third parties with weak local oversight.This is both a governance issue and a data issue. Senior management cannot oversee sanctions exposure through static policy documents. Management information needs to highlight inherent risk, control performance, true matches, false positives, alert backlogs, branch exposure, remediation activity and emerging typologies.
The FCA found that many firms produced sanctions management information, including true-match and false-positive tracking across customer and transaction screening. It also identified material gaps, including limited visibility of overseas branches and weaker coverage of trade and sectoral sanctions.
This raises the bar for case management, reporting dashboards and control analytics. The strongest platforms will help firms evidence what was screened, which data was used, which rules fired, who reviewed the alert, what decision was made and how the case was escalated.
Gaps in Risk Assessment
The data for financial sanctions controls can often be structured around names, accounts, payments and ownership links. For trade sanctions controls, the data is more fragmented, and the risk assessment is more dependent on context. That challenges firms to understand goods and services, end use, vessels, intermediaries, documentation, insurance exposure and sectoral restrictions.
The report identifies weak or incomplete risk assessments, poor articulation of sanctions and proliferation-financing risk, unsupported conclusions, insufficient product-level analysis, over-reliance on third-party inputs and gaps in coverage across financial-crime frameworks.
Firms need more granular risk-assessment tooling that connects customer due diligence, transaction monitoring, vessel data, corporate ownership, trade documentation, jurisdiction exposure and internal breach intelligence.
Screening Automation Requires Assurance
The FCA found extensive use of automated screening. In 2024–25, 70% of firms filing REP-CRIM (financial crime report) returns reported using automated screening, while 81% carried out repeat customer screening. In its supervisory assessments of more than 150 firms, the FCA also found that 76% screened names at least daily and 73% screened transactions or payments at the point of processing.
Across sanctions screening testing, systems identified the relevant sanctioned party in 90% of exact-match alerts. Where names appeared in variant forms, such as minor spelling changes, the figure fell to 75%.
The FCA found issues in how systems ingest, transform and interpret names from the UK Sanctions List. Examples included title handling that reduced match scores, one-word names or names with digits being excluded, and long names exceeding system character limits. In some cases, firms had to rely on vendors to explain why names failed to generate alerts.
Firms need to understand screening configuration, matching thresholds, list ingestion, data transformation and exclusions. Vendor assurance needs to cover update frequency, data quality, change control, configuration logic, test results and system performance after list updates.
Alert Handling
The FCA identifies alert handling as a common cause of suspected breaches. Weaknesses included failure to respond to alerts, failure to freeze accounts before assets moved, handling errors, unclear procedures, training gaps and weak oversight.
The FCA found that 44% of firms resolved name-screening alerts within one working day on average, while 47% met the same timeframe for payment-screening alerts. More than 25% took three to five days to close name-screening alerts, and around 20% took three to five days for payment alerts.
Alert workflows need escalation policies, service-level agreements, investigation rationales, quality assurance, hand-off records and case ageing. A positive match has limited control value if it is discounted without evidence, left unresolved, or escalated after assets have moved.
The FCA’s examples of sanctions evasion reveal the limits of name and payment screening. Customers and counterparties may use complex ownership chains, third parties, correspondent banks, cryptoasset wallets, cash withdrawals, false trade documents or misstated end use.
The control challenge is evidence. Firms using analytics or AI-supported tools must show how alerts are generated, how data sources are governed, how decisions are reviewed and how outputs feed into sanctions escalation.
What Firms Should Do Next
The FCA found stronger practice where firms had clear senior oversight, sanctions policies aligned to their business model, management information that tracked exposure and control outcomes, and documented screening policies with clear escalation routes.
It also highlighted firms that used internal watchlists, thematic reviews, vessel-tracking data, ownership analysis and targeted investigations to detect evasion risk.
The gaps were concentrated in operational controls. Firms need to strengthen risk assessments, trade and sectoral sanctions coverage, overseas branch visibility, screening calibration, list-update assurance, vendor oversight, alert handling, asset-freezing procedures and breach reporting. A screening tool has limited value where the data is incomplete, thresholds lack justification, alerts are closed without evidence, or escalation happens after assets have moved.
Subscribe to our newsletter
