By Becki LaPorte, Principal – AML Strategy & Innovation, FinScan.
The FCA’s latest report on sanctions systems and controls delivers a verdict that compliance professionals will find both encouraging and concerning. Although financial sanctions programs have matured, trade sanctions compliance has not. The gap between the two is significant and the report highlights this clearly.
Financial sanctions controls are maturing, but gaps remain
The FCA’s findings draw on assessments of more than 150 supervised firms. The report states that automated screening is now widely deployed. The stats provided indicate that 70% of firms use automated tools and 76% run daily name checks. Accuracy for exact matches stands at 90%, which is an impressive statistic considering the complexity of the UK Sanctions List and the volume of designations added since February 2022. Frozen assets reported in the UK rose from £24.4bn for 2023-24 to £37bn for 2024-25.
Governance has also improved at better-resourced firms, with sanctions integrated meaningfully into AML reporting and policies updated to reflect the full range of sanctions measures. Accuracy drops to 75% for name variations, and over a quarter of firms take three to five days to resolve name screening alerts. For trade sanctions, the picture is considerably bleaker. Trade sanctions add an additional layer of complexity that firms seem to be missing.The FCA’s most significant finding around this is that many firms are treating financial and trade sanctions as similar compliance problems. They are not. Few firms routinely collect, analyze, or escalate management information on trade sanctions exposure. Risk assessments frequently omit trade-specific considerations or confine them to dedicated trade finance operations, rather than applying them across broader business models and product portfolios.
Trade sanctions require a different compliance approach
Trade sanctions breaches often cannot be detected through name screening alone. Mis-declared goods, falsified trade documentation, and routing through third-country intermediaries require a fundamentally different control architecture. The FCA also notes that breach reporting from the insurance and digital assets sectors is lower than the regulator would expect, given documented evasion through Russia’s shadow fleet and the use of cryptocurrency to circumvent restrictions. More likely than not, this may be due to under-reporting as opposed to a low-risk situation.
Enforcement is increasing focused on control effectiveness
The FCA’s enforcement posture has escalated from guidance to consequence. The Starling Bank action, a £29m fine imposed in September 2024 for screening customers against only a fraction of the full sanctions list since 2017, set a new standard. Metro Bank followed with a £16.7m penalty for transaction monitoring failures. In 2025, Monzo received a £21m fine for sustained AML control failings, and Barclays was fined £42m for weaknesses in high-risk client management.
The FCA is penalizing control failures, not only confirmed breaches. Inadequate systems are attracting enforcement actions. This reinforces the global trend of developing effective programs as opposed that just fill the defined compliance guidelines. OFSI civil penalties remain low at approximately £500k in 2024-25 compared to OFAC’s $235m over the same period. Because the FCA is starting to build a strong posture on effective programs, this gap may close in the coming years.Diverging paths: UK supervisory pressure vs. EU regulatory centralization
The UK, which is enforced through OFSI, OTSI, and FCA supervision, has demonstrated genuine agility in designation speed since 2022. However, the EU is pursuing a different trajectory. The Anti-Money Laundering Authority, established in Frankfurt, will provide centralized direct supervision of high-risk financial institutions across member states when its full powers take effect by January 2028. One of its first goals is to have a consolidated rulebook for all member states to minimize disparity from one jurisdiction to another. Until then, EU enforcement remains fragmented. For example, Lithuania fined Revolut €3.5m, Ireland fined Coinbase €21m, and standards diverge sharply across jurisdictions. The UK is deepening supervisory intensity within an existing framework, while the EU is building the framework itself.
Building a trade sanctions program fit for today’s risk environment
Trade sanctions are beginning to require a standalone program. A dedicated gap analysis covering trade-specific customer due diligence (CDD), dual-use goods exposure, and transaction monitoring scenarios mapped to evasion typologies is the minimum starting point. Lumping them in with financial sanctions controls is proving to be an ineffective decision, and the FCA has now explicitly flagged that approach as inadequate.
Screening calibration requires continuous attention. Testing should cover fuzzy matching, non-Latin scripts, name variants, and vessel identifiers, with results escalated to senior management. The FCA’s own testing found one-word names, names containing digits, and long names exceeding character limits failing to generate alerts at some firms.
Third-party oversight must move beyond contractual reliance. Firms should independently test vendor outputs, set contractual standards for data quality and update frequencies, and document clearly who owns sanctions risk at each stage of the customer lifecycle.
Finally, evasion detection must extend beyond name screening. Transaction monitoring scenarios targeting layering through intermediaries, third-country rerouting, and cryptocurrency opacity should be built from real typology intelligence. Proactive lookback reviews, rather than reactive responses to known breaches, are what the FCA’s strongest performers are doing. The gap between them and the rest of the market is widening.
Subscribe to our newsletter
