FCA Identifies Key Compliance Issues in Its Sanctions Systems and Controls Report (May 2026)
The Financial Conduct Authority’s (FCA) May 2026 report reviews sanctions systems and controls across over 150 supervised firms, assessing how effectively firms identified and managed sanctions risks since the FCA’s September 2023 report on firms’ responses to increased sanctions. Sanctions have become a central component of the United Kingdom’s foreign policy and financial crime framework, and regulated firms remain exposed to sanctions risks via their business relationships and activities.
The report identifies both strong practices and persistent weaknesses across the industry. While firms have generally developed relatively mature frameworks for financial sanctions, trade sanctions compliance remains less developed and presents a growing area of risk. The FCA emphasises in its report that firms must maintain robust, end-to-end systems and controls to prevent, detect and respond to sanctions breaches.
Key Findings
Breach Reporting
Although reports by FCA-supervised firms of suspected sanction breaches have decreased in recent years, reporting levels remain significantly higher than pre-2022 levels. Most reports concern financial sanctions, while only a small proportion are related to trade sanctions.
The FCA analysed the suspected breach reports it has received since 2024, and it found the following:
- The Majority of Reports Relate to the Russian Sanctions Regime. However, they also saw reports relating to Libya and, increasingly, Iran and North Korea.
- The Majority of Sanctions Reporting Is From Firms in the Payments, Retail Banking and Wholesale Financial Markets Sectors. However, whilst there is limited reporting from other sectors, such as insurance and digital assets, the FCA expects this to change given sanction evasion attempts by Russia’s shadow fleet and the reported use of cryptocurrencies in circumventing sanctions.
- Identifying and Reporting Suspected Breaches Is Improving but Is Not Always Timely. Of the breaches reported in 2025, 35% related to activity that occurred prior to 2025 (an improvement from 48% in 2024). The average time taken between a potential breach being identified and reported was 116 days in 2025, a small improvement from 120 days in 2024.
Common Breach Causes
The FCA found that most sanctions breaches stem from weaknesses in core control areas. The most frequent root causes include the following:
- Weak Sanctions Screening Systems (Including Name and Transaction Screening). The FCA highlighted that traditional screening is not sufficient, particularly for trade and sectoral sanctions. While most firms had some form of business risk assessment, many were incomplete, outdated or lacked methodological clarity. Common weaknesses included poor articulation of sanctions risk, unsupported conclusions and over-reliance on third-party inputs.
- Poor Alert Management Processes. Alert management issues were also prominent, including slow response times, inadequate escalation and poor documentation. In some cases, delays in acting on alerts allowed transactions to proceed despite sanctions risks.
- Inadequate Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). Many firms struggled to identify beneficial ownership or indirect exposure to sanctioned persons, particularly in complex or multilayered structures. The use of EDD tools, such as sanctions questionnaires, was inconsistent, and oversight of third-party CDD providers was often weak.
- Failures To Properly Implement or Maintain Asset Freezes and Errors in Complying With Licence Conditions. Failures in freezing assets and complying with licence conditions were a major source of breaches. Some firms did not act quickly enough to freeze assets or failed to maintain restrictions once applied, allowing internal transactions to move funds or apply charges to accounts. Others lacked clarity on licence conditions, increasing the risk of noncompliance.
FCA Expectations and Next Steps
The FCA expects firms to adopt a holistic, life-cycle approach to sanctions compliance, covering onboarding, screening, monitoring, escalation and reporting. Systems and controls should be regularly reviewed and updated to reflect evolving risks.
In particular, firms must do the following:
Strengthen Core Control Areas (CDD, Screening, Alert Handling)
The FCA stated that firms should adopt proactive approaches, including transaction monitoring, thematic reviews and intelligence-led investigations.
Improve Governance and Oversight
This includes providing high-quality management information combining both quantitative and qualitative analysis. Firms’ reliance on third-party vendors created additional risk. The FCA identified issues with data quality, such as missing or inaccurate customer information, and delays or errors in updating sanctions lists. Firms with strong controls supplemented external data with internal watchlists and intelligence.
Enhance Capability in Trade Sanctions Compliance
For firms with relevant exposure, trade compliance expertise should be integrated into financial crime frameworks and supply chains and goods/services risk should be mapped.
Incorporate Evasion Typologies Into Risk Assessments and Controls
The FCA identified common methods used to evade sanctions, including (1) use of intermediaries, family members or associates to obscure ownership; (2) complex or opaque corporate structures; (3) movement of funds via crypto assets or e-money platforms; (4) rapid transfer of funds following designation; and (5) misrepresentation of trade transactions (e.g. falsified documentation or mis-declared end use). The FCA stressed that firms must go beyond basic screening and actively detect such patterns.
The FCA is engaging with firms where weaknesses were identified and will continue to monitor industry progress.
Firms should consider the guidance set out in the FCA’s report, and please do not hesitate to contact our team should you wish to discuss these matters further.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.