Payment sanctions screening for UK firms: legal obligations, how screening works, FCA expectations and what happens when controls fail.
Every payment a UK business sends or receives carries a legal obligation: check whether any party to the transaction is on a sanctions list before funds move. This is payment sanctions screening, and it sits at the heart of the UK financial sanctions regime overseen by the Office of Financial Sanctions Implementation (OFSI) and, for regulated firms, supervised by the Financial Conduct Authority (FCA).
The stakes are significant. For 2024 to 2025, OFSI reported 37 billion pounds of frozen assets, up from 24.4 billion pounds the prior year. OFSI had 240 active cases under investigation as of April 2025, with 151 of them identified proactively rather than through self-reports. The FCA's October 2024 fine of almost 29 million pounds against Starling Bank for financial crime and screening failures signalled that supervisors are moving beyond passive monitoring. This guide explains the mechanics, legal requirements and common failure points, drawing on OFSI and FCA primary sources.
Sanctions screening is the process of comparing the names, account details and other identifiers of payment counterparties against official designated-persons lists. In the UK, the authoritative reference from 28 January 2026 is the UK Sanctions List published by the FCDO, which replaced the previous OFSI Consolidated List.
For payments, screening covers three dimensions. Customer screening checks whether account holders are designated. Transaction screening checks every originator, beneficiary and available intermediary in a specific payment instruction. Business screening extends checks to counterparties such as suppliers and correspondent banks. OFSI guidance describes these as distinct but complementary controls.
The obligation is not only to screen: it is to freeze. If a firm identifies that funds are owned or controlled by a designated person, it must freeze those assets and report to OFSI as soon as practicable. OFSI can impose civil monetary penalties on a strict liability basis, meaning it does not need to show the firm knew or had reasonable cause to suspect a breach. The fact of making funds available to a designated person is sufficient for OFSI to open an investigation.
Based on OFSI Annual Review 2024-25. Total reported frozen assets: 37.08 billion pounds. The Russia regime accounts for 22.52 billion pounds (about 61 per cent); all other regimes, including Libya, Belarus and Syria, account for the remainder.
The primary legislation is the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), which gave the UK independent sanctions powers after leaving the European Union. Individual regimes are created by statutory instruments under SAMLA, such as the Russia (Sanctions) (EU Exit) Regulations 2019. These instruments prohibit making funds or economic resources available to designated persons and impose mandatory reporting obligations on anyone who holds frozen assets.
OFSI administers and enforces the regime. It maintains the UK Sanctions List, issues licences permitting otherwise-prohibited payments, and investigates suspected breaches. Civil monetary penalties can reach one million pounds or 50 percent of the breach value, whichever is greater. Proposed legislation would double those maxima to two million pounds or 100 percent of the breach value.
For FCA-regulated firms, including payment institutions and e-money institutions, Chapter 7 of the FCA's Financial Crime Guide (FCG 7) sets out the supervisory standard. The FCA can act against a firm for inadequate controls even where no actual breach has occurred. The Sanctions (EU Exit) (Miscellaneous Amendments) (No. 2) Regulations 2024, most of which came into force on 5 December 2024, also introduced an annual frozen-asset reporting requirement to OFSI by 30 November each year. From 14 May 2025 the same reforms broadened the reporting perimeter to include high-value dealers, art market participants, insolvency practitioners and letting agencies.
Based on OFSI Annual Review 2024-25. OFSI issued 57 enforcement actions in the year; had 240 active cases as of April 2025; and imposed two monetary penalties totalling 480,000 pounds (15,000 pounds and 465,000 pounds).
Most regulated firms rely on automated screening systems that sit within or alongside their payment processing infrastructure. When a payment instruction is initiated, the system extracts key fields: the originator name, beneficiary name and account identifiers. These are compared against the sanctions list using fuzzy-matching algorithms designed to catch name variations, transliterations from non-Latin scripts and simple spelling differences.
The FCA's Sanctions Screening Testing workstream, reported in May 2026, found that automated systems correctly identified a designated person in 90 percent of tests where the name was an exact match. That accuracy dropped to 75 percent where the name appeared in a slightly different form. Common failure points included single-word names, numerical identifiers, honorific titles and non-Latin characters.
When a potential match is flagged, the system generates an alert that a compliance analyst must review. The analyst checks the hit against the full sanctions list entry, including date of birth, nationality and aliases, to determine whether it is a true match or a false positive. A true positive requires the payment to be stopped, the funds to be frozen and a report to be made to OFSI as soon as practicable.
Alert resolution speed matters in a real-time payments environment. FCA data from 2024 to 2025 showed that approximately 44 percent of firms resolved name screening alerts within one working day, but over a quarter took three to five days. Funds that have already settled before an alert is reviewed may constitute a breach even where the system correctly flagged the transaction. Pre-submission screening on outbound payments is one control pattern firms use to reduce this risk; tools such as Nasara Pay apply screening before a payment is submitted.
The FCA's October 2024 action against Starling Bank is the most instructive recent example. The fine was 28,959,426 pounds. The core finding was that Starling's automated screening system had, from 2017 onward, been screening customers against only a fraction of the full UK financial sanctions list. The bank grew from roughly 43,000 customers in 2017 to 3.6 million by 2023, but its compliance infrastructure did not keep pace.
The Starling case exposed three recurring failure modes. First, a screening system that was never properly configured or validated against the complete list. Second, inadequate governance: senior management lacked the MI needed to understand the firm's true sanctions exposure. Third, a failure to act on regulatory findings: when the FCA raised concerns in 2021, Starling agreed to restrict high-risk account openings but then opened over 54,000 accounts for approximately 49,000 high-risk customers between September 2021 and November 2023.
The FCA's May 2026 thematic report, covering more than 150 firms, identified the same recurring weaknesses: screening calibration, alert management and frozen asset handling. On calibration, firms had tuned systems to reduce false positives but had not tested whether that tuning was also suppressing true matches. FCA REP-CRIM data shows that 70 percent of reporting firms used automated screening in 2024 to 2025, yet 98 percent had not identified a single true payment match since 2022. Regulators read this as a calibration warning, not a clean bill of health. Ongoing calibration monitoring is one way firms can identify drift before a regulator does; tools such as Nasara Control are designed to support this kind of monitoring.
FCA Sanctions Screening Testing workstream results published May 2026. Accuracy falls significantly when names appear in variant forms.
Screening is not a one-time activity at onboarding. The UK Sanctions List is updated continuously: significant batches of designations were added in November 2024, February 2025 and May 2025 alone. A customer who was clear at onboarding may be designated the following week, and continuing to provide banking services to that customer could constitute an unlawful provision of economic resources.
FCA REP-CRIM data for 2024 to 2025 showed that 76 percent of firms conducted name screening daily and 73 percent screened transactions at least daily, with nearly six in ten doing so in real time. Daily screening of the full customer base is a common standard among regulated payment firms. JMLSG Part III guidance addresses compliance with the UK financial sanctions regime, and the prohibition on making funds available to a designated person applies regardless of whether a transfer is internal or external to a firm.
Firms acting as intermediaries carry their own screening duty, not just originating institutions. The Wire Transfer Regulation, as retained in UK law, requires payment messages to carry originator information so that intermediary processors can screen the underlying parties. Correspondent banks and payment processors should have controls in place to act on that information where it is available.
The obligation covers economic resources as well as funds. A right to receive future payment held by a designated person can constitute an economic resource, so making that payment may be unlawful even where the relationship predates the designation. Firms with long-running supplier or client relationships should re-screen periodically rather than relying solely on onboarding checks.
OFSI's general guidance identifies four core activities in a sound compliance framework: customer screening, business screening, transaction screening and ongoing monitoring. Each must be backed by documented policies, tested technology and clear escalation routes. The level of control should be proportionate to the firm's size and risk profile, but proportionality does not mean minimal.
The FCA's FCG Chapter 7 sets the supervisory benchmark. Key questions include whether the firm screens all customers at onboarding and on a recurring basis, whether automated systems are calibrated and regularly tested against the full list, whether there is a documented escalation process, and whether senior management receive timely MI on the firm's sanctions exposure.
Documentation determines outcomes. When OFSI investigates a suspected breach, it examines screening records and alert resolution rationale. A firm that can show it flagged a hit and properly concluded it was a false positive is in a materially different position from one with no records. The Early Account Scheme introduced in February 2026 provides up to a 20 percent penalty reduction for firms that supply a full factual account early, which is only possible with complete records.
For payment institutions and e-money businesses supervised by the FCA, the starting point is a gap analysis against FCG Chapter 7 and OFSI's general guidance. Map every point in the payment journey where a sanctions check should occur, confirm the automated system screens against the current UK Sanctions List in full, and verify that calibration thresholds have been tested for both false positives and false negatives.
System testing should replicate the FCA's Sanctions Screening Testing workstream: exact name matches, near-matches, variants, transliterations and single-word names. If your system scores below 90 percent on exact matches or below 75 percent on variants, recalibration is needed. Document test results and retain them as evidence.
Alert management processes should set maximum resolution times and require documented rationale for every false-positive decision. The FCA has signalled that three-to-five-day alert closure times are outside its expected standard in real-time payment environments. Compliance teams should produce regular MI on alert volumes, true positive rates, licence activity and test results. Automating this MI helps ensure senior management have current visibility of the firm's sanctions exposure; tools such as Nasara Control can generate this reporting.
Payment sanctions screening is a strict legal obligation, not a box-ticking exercise. The UK framework, administered by OFSI and supervised by the FCA, requires firms to screen all payments, freeze any funds connected to a designated person and maintain documented evidence of every decision. The 29 million pound Starling Bank fine and OFSI's record 37 billion pounds in frozen assets in 2024 to 2025 confirm that regulators are applying greater scrutiny than at any point since the regime was established.
Effective screening means reliable true-positive detection, fast alert resolution and senior management visibility of the firm's sanctions exposure. Purpose-built payment and compliance tools that embed pre-submission screening and automated monitoring provide the most robust foundation for meeting that standard.
All UK persons and entities must comply with financial sanctions law. FCA-regulated firms, including payment institutions and e-money institutions, must additionally maintain adequate systems and controls. From 14 May 2025, the reporting perimeter expanded to cover high-value dealers, art market participants, insolvency practitioners and letting agencies.
From 28 January 2026, the UK Sanctions List published by the FCDO is the single authoritative source, replacing the OFSI Consolidated List. The list is updated continuously, so screening systems must receive timely updates, typically at least daily.
Making funds available to a designated person breaches financial sanctions regulations regardless of intent, as the offence is largely strict liability. OFSI will investigate and may impose a civil monetary penalty. Voluntary disclosure reduces the penalty by up to 30 percent, and the Early Account Scheme introduced in February 2026 provides a further reduction of up to 20 percent for firms that supply a full factual account early.
The FCA REP-CRIM data for 2024 to 2025 shows 81 percent of reporting firms performed repeat customer screening, and 76 percent of firms conducted name screening daily. Given that the UK Sanctions List is updated continuously, daily screening of the full customer base is a common practice among regulated payment firms.
Customer screening checks whether a person or entity in your client book is designated, at onboarding and on a recurring basis. Transaction screening checks the specific parties in a payment instruction: originator, beneficiary and any available intermediary details. Both are required because a customer who is clear at onboarding may be designated later, and a non-customer may appear as a beneficiary in a payment from an existing client.
Yes. OFSI issues general licences covering categories of activity such as legal services and humanitarian payments, and specific licences granted case by case. The firm must hold the correct licence before making the payment, confirm the transaction falls within its scope, and comply with any attached conditions and reporting requirements.
Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.