How UK firms build sanctions screening controls that meet OFSI and FCA expectations, covering lists, name matching, reporting and penalties.

Sanctions screening is the process of checking customers, counterparties, beneficial owners and payments against lists of individuals, entities and ships that are subject to financial sanctions. In the UK, financial sanctions apply to all individuals and legal entities within the UK's territory, and to all UK nationals and UK-incorporated entities wherever their activities take place. Where an asset freeze applies, it is generally prohibited to deal with the frozen funds or economic resources, to make funds or economic resources available directly or indirectly to or for the benefit of a designated person, or to take actions that circumvent those prohibitions.
The stakes are high because the enforcement regime is unforgiving. The Office of Financial Sanctions Implementation (OFSI), part of HM Treasury, assesses breaches on a strict liability basis for conduct occurring after 15 June 2022, which means it does not need to prove that a firm knew or had reasonable cause to suspect it was breaching sanctions in order to impose a civil monetary penalty. Screening is the primary control that stops a firm dealing with, or making funds available to, a designated person in the first place.
This guide sets out what UK regulated firms need to know: which lists to screen against, what screening should cover, how name matching and fuzzy matching work, how to manage false positives, when you must report to OFSI, and the penalties that follow a breach. It is written for compliance, payments and operations teams that have to turn the rules into working controls.
UK financial sanctions sit on the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). Section 1 of SAMLA gives ministers the power to make sanctions regulations for specified purposes, including financial sanctions such as freezing funds and economic resources. Since the UK left the EU sanctions framework, the individual country and thematic regimes that firms screen against are made as secondary legislation under SAMLA.
Enforcement of financial sanctions is handled by OFSI. Its power to impose civil monetary penalties comes from section 146 of the Policing and Crime Act 2017, which gives HM Treasury the power to penalise breaches of financial sanctions. Following changes that took effect for breaches occurring after 15 June 2022, OFSI applies a strict liability standard. As OFSI's enforcement guidance puts it, the removal of the previous knowledge or suspicion requirement in section 146 means that this is no longer required for OFSI to impose a monetary penalty.
For firms, the practical consequence is straightforward. You cannot rely on not having known a customer was sanctioned as a defence to a civil penalty. The quality of your screening controls, the completeness of your list coverage and the speed of your rescreening are what stand between the firm and a breach. That is why regulators expect screening to be treated as a core control rather than an occasional check.
The FCA does not run the sanctions regime, but it does supervise whether the firms it regulates have adequate systems and controls to comply with it. Chapter 7 of the FCA's Financial Crime Guide (FCG 7) sets out its expectations on sanctions, asset freezes and proliferation financing. It applies to firms subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R, and extends to e-money institutions, payment institutions and cryptoasset businesses within the FCA's supervisory scope.
A key point that surprises some teams is that screening itself is not a legal requirement. The legal obligation is to not breach sanctions. Screening is, however, the control the FCA expects firms to use to meet that obligation. FCG 7 states that screening new customers, counterparties to transactions and payments against the sanctions list, and rescreening existing customers when new names are added to the list, helps ensure that firms will not breach UK sanctions. Screening should generally take place at customer take-on and be repeated whenever the list changes.
The FCA also expects clear governance. Senior management should take clear responsibility for managing sanctions risks, treating them in the same way as other risks the business faces, and should be sufficiently aware of the firm's obligations to discharge their functions effectively. Effective customer due diligence and know your customer work is described as a cornerstone of sanctions compliance, because you cannot screen parties you have not identified, including those hidden behind corporate vehicles.
| List source | Published by | What it covers | Legal weight for UK firms |
|---|---|---|---|
| UK Sanctions List | Foreign, Commonwealth and Development Office | All UK sanctions designations under SAMLA 2018: individuals, entities and specified ships subject to asset freezes and other measures | Directly binding on UK firms and persons |
| OFSI Consolidated List | OFSI (HM Treasury) | Historic list of asset freeze targets; closed to updates on 28 January 2026 and merged into the UK Sanctions List | Superseded; retained for historic reference only |
| UN Consolidated List | United Nations Security Council | Persons and entities designated under UN sanctions resolutions, which the UK implements under SAMLA | Implemented into UK law via SAMLA regulations |
| OFAC SDN List | US Office of Foreign Assets Control | US-designated persons and entities; not a UK legal requirement but relevant to firms with US touchpoints or USD flows | Not UK law; screened for cross-border risk management |
| EU Consolidated List | European Union | Persons subject to EU restrictive measures; not UK law post-Brexit but relevant to firms operating in the EU | Not UK law; screened where EU activity applies |
A significant operational change took effect at 9am UK time on 28 January 2026. The OFSI Consolidated List of asset freeze targets stopped being updated, and the UK Sanctions List, published by the Foreign, Commonwealth and Development Office, became the single authoritative source for all UK sanctions designations. The old OFSI Consolidated List remains available on its previous page for reference but receives no further updates.
OFSI's guidance is direct about what this means for screening. Firms need to ensure that any systems that use the OFSI Consolidated List for sanctions screening are instead using the data from the UK Sanctions List. Newly designated persons are assigned a Unique ID on the UK Sanctions List rather than the former OFSI Group ID, although Group IDs assigned before 28 January 2026 remain valid for existing licences and for breach reporting.
If you use a third-party screening provider, OFSI advises speaking to your supplier to understand the impact on the data you receive. The core message for compliance teams is to confirm, in writing, that your screening feeds have migrated to the UK Sanctions List and that historic identifiers are still recognised where needed. Beyond the UK list, many firms operating internationally also screen against the UN, OFAC and EU lists to manage cross-border and US dollar clearing risk, even though only the UK Sanctions List is binding under UK law.
Effective screening reaches beyond the named account holder. FCG 7 makes clear that firms should screen new customers, counterparties to transactions and payments. That means running checks at onboarding, on the parties to individual transactions, and on real-time or batch payment flows, because a payment can make funds available to a designated person even where neither the sender nor the recipient on your books is listed.
Beneficial ownership is central. An entity can be caught by sanctions even if it is not designated in its own right. Under OFSI's ownership and control tests, an entity is owned or controlled by a designated person where that person holds directly or indirectly more than 50% of the shares or voting rights, has the right to appoint or remove a majority of the board, or where it is reasonable to expect that the person could ensure the entity's affairs are conducted in accordance with their wishes. Screening therefore has to consider who ultimately owns and controls a customer, not just the surface entity.
This is where onboarding due diligence and screening meet. Customer due diligence identifies the individuals and entities that need to be screened, including those hidden behind layered corporate structures, and screening then tests them against the lists. A screening programme that checks only the named customer, and ignores directors, ultimate beneficial owners and transaction counterparties, will miss the exposures that most often lead to breaches. A well integrated governance and controls platform helps firms keep customer records, ownership data and screening results connected rather than scattered across systems.
The technical heart of screening is name matching. Sanctions lists carry identifying information such as names, aliases, dates and places of birth, nationality, passport details and addresses. Because names are transliterated, misspelled or ordered differently across systems, exact matching alone will miss real targets. FCG 7 expects screening systems to make fuzzy matches that catch similar or variant spellings, name reversal and digit rotation, so that a listed person is not missed simply because their name was entered differently.
Fuzzy matching comes at a cost: false positives. A name match is not the same as a target match. Turning fuzzy matching up too high floods analysts with alerts on people who merely share a name with a designated person; turning it down risks missing a genuine target. FCG 7 expects firms to understand how their automated tools are calibrated and to decide what mixture of manual and automated screening is appropriate to the nature, size and risk of the business.
The way to resolve alerts is with additional identifiers. FCG 7 states that firms should use a range of identifier information such as name, date of birth, address or other customer data to distinguish real matches from false positives, and should have sufficient resources to identify false positives before taking action. In practice, a defensible programme keeps clear audit trails of each alert, the identifiers compared, the decision reached and who made it, so the firm can evidence to the FCA that its calibration and disposition process is sound. Payment screening in particular has to resolve matches quickly without introducing avoidable delay to legitimate transactions.
Where screening produces a genuine match, obligations follow immediately. Funds and economic resources are to be frozen immediately by the person in possession or control of them. There is no grace period to keep processing while you decide what to do.
Reporting is a legal obligation, not a courtesy. Relevant firms must report to OFSI where they know or reasonably suspect that a person is a designated person, or that a breach of financial sanctions has occurred. The report must include the information or matter on which the knowledge or suspicion is based and the identifying details, and where the designated person is a customer, the nature and amount or quantity of any funds or economic resources held. Relevant institutions, meaning persons with FSMA 2000 permission, must additionally inform OFSI without delay in specified circumstances, such as when they credit a frozen account.
For FCA-regulated firms there is a second reporting dimension. FCG 7 indicates that firms should report breaches to OFSI and also consider whether they need to notify the FCA where a breach results from a significant failure in their systems and controls. A missed match is not only a potential sanctions breach; if it reveals that the screening system was inadequate, it can also become a systems and controls issue for the regulator.
OFSI can impose a civil monetary penalty on a strict liability basis. The permitted maximum is the greater of £1,000,000 and 50% of the estimated value of the funds or economic resources involved in the breach, where that value can be estimated. Where it cannot be estimated, the cap is £1 million. These are civil penalties and sit alongside the possibility of criminal prosecution for the most serious conduct.
The largest financial sanctions penalty imposed by OFSI to date illustrates the scale. In 2020, OFSI penalised Standard Chartered Bank £20,471,809.83 in connection with 102 loans to a Turkish bank that was almost wholly owned by Sberbank of Russia, a sanctioned entity. The penalty already reflected a 30% reduction for voluntary disclosure. Published penalties since have ranged widely, from five figure amounts for smaller breaches to sums well into six and seven figures for banks and corporates.
OFSI's enforcement guidance sets out discounts that can reduce a baseline penalty. Voluntary disclosure and co-operation can reduce a penalty by up to 30%, the Settlement Scheme offers a 20% reduction, and the Early Account Scheme introduced in the February 2026 guidance update offers up to a further 20% for firms that provide an early factual account of a case. These reductions reward firms that identify a breach, disclose it and co-operate, which underlines why strong screening plus honest self-reporting is the cheapest path through a problem. Investing in robust screening is far less costly than a penalty, and firms weighing that trade-off can review our pricing to see how the controls fit together.
Published OFSI monetary penalties for breaches of UK financial sanctions, illustrating the range of outcomes. Figures are from OFSI's published enforcement decisions.
Sanctions screening is not a box-ticking exercise bolted onto onboarding; it is the control that keeps a firm on the right side of a strict liability regime where OFSI does not have to prove you knew. The essentials are consistent: screen customers, beneficial owners, counterparties and payments against the UK Sanctions List as the binding source, add UN, OFAC and EU lists where your footprint demands it, tune fuzzy matching so you catch real targets without drowning analysts in false positives, and rescreen your book whenever the list changes.
When screening does surface a genuine match, act fast: freeze immediately, resolve using multiple identifiers, and report to OFSI without delay, considering also whether a systems failure needs to be flagged to the FCA. With penalties reaching into the millions and a strict liability standard behind them, the firms that fare best are those that treat screening as a governed, well-documented and continuously maintained control rather than a one-off check at account opening.
Screening itself is not a legal requirement. The legal obligation is to not breach financial sanctions, such as by dealing with frozen funds or making funds available to a designated person. The FCA expects firms to use screening as the control that meets that obligation, and FCG 7 sets out those expectations for regulated firms.
The binding source is the UK Sanctions List, published by the Foreign, Commonwealth and Development Office under SAMLA 2018. Since 28 January 2026 it is the single authoritative list, having absorbed the former OFSI Consolidated List. Firms operating internationally often also screen the UN, OFAC and EU lists to manage cross-border risk, though only the UK Sanctions List is binding under UK law.
For breaches occurring after 15 June 2022, OFSI can impose a civil monetary penalty without needing to prove that the firm knew or had reasonable cause to suspect it was breaching sanctions. This is the strict liability standard, and it is why the quality of your screening controls is so important.
OFSI's civil monetary penalty is capped at the greater of £1,000,000 or 50% of the estimated value of the funds or economic resources involved in the breach. Discounts of up to 30% for voluntary disclosure, 20% under the Settlement Scheme and up to 20% under the Early Account Scheme can reduce a penalty.
Fuzzy matching catches variant spellings and name reversals but also generates false positives. FCG 7 expects firms to resolve alerts using a range of identifiers such as name, date of birth and address, and to have enough resources to identify false positives before taking action. Clear audit trails of each decision are essential.
A relevant firm must report to OFSI where it knows or reasonably suspects that a person is a designated person or that a breach has occurred, including the basis for that suspicion and details of any funds held. Relevant institutions with FSMA permission must also inform OFSI without delay in specified circumstances. Frozen assets must be frozen immediately.
Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.