Lessons from a sanctions compliance failure: What we can learn from OFSI’s penalty against HSF Moscow

This past March, the UK’s Office of Financial Sanctions Implementation (OFSI) imposed a £465K penalty on Herbert Smith Freehills CIS LLP (HSF Moscow) for breaches of UK financial sanctions related to Russia’s invasion of Ukraine. The penalty stemmed from six payments totaling nearly £4 million to sanctioned entities, made during a rapid wind-down of HSF’s Russian operations.

While the legal sector is at the center of this particular case, the implications ripple across all industries. The breach and the substantial fine that followed highlight recurring themes in sanctions enforcement: inadequate screening, poor due diligence and flawed decision-making under pressure.

This case is clearly a wake-up call for businesses and firms. As they navigate a complex sanctions environment, they need to make sure their sanctions compliance strategy can withstand the increasingly complicated situations they will encounter.

The breach or human error under pressure

HSF Moscow made the six sanctioned payments over the course of seven days, during the final week of closing its Russian operations. The payments did not involve client funds or any other HSF offices, but were attributed to “human error” under operational pressure.

Despite the firm’s global scale of 2,400 lawyers across 24 offices and its extensive legal expertise, the Moscow office’s failure to properly execute sanctions controls exposed serious compliance weaknesses.

OFSI cited these payments as evidence of a pattern of failings, including:

  • inadequate sanctions screening
  • weak due diligence
  • hasty decision-making during office closure

The lessons

What can businesses learn from this case? OFSI highlights three key lessons.

1. Sanctions risk is everyone’s business

Whether your company operates globally or solely within domestic markets, sanctions risk can touch your business more easily than you think. HSF Moscow’s payments, though made under time pressure, still involved designated persons under asset freeze sanctions. The breach could have been avoided with more robust risk identification and better internal controls.

What companies should do:

  • Map your sanctions exposure by geography, clients, third parties and subsidiaries.
  • Monitor OFSI guidance and updates from international regulators (such as OFAC and the EU).
  • If operating in or near high-risk jurisdictions, seek specialist legal and compliance advice.
  • Ensure oversight of overseas subsidiaries includes regular risk assessments and sanctions training.

2. Policies are only as good as their execution

HSF had policies in place. But the issue wasn’t policy absence. It was a failure to follow those policies in practice. OFSI explicitly warns that having sanctions procedures is no shield if they’re not implemented effectively.

In HSF’s case, the rushed closure of the Moscow office led to decision-making that bypassed due diligence and screening protocols, even among senior personnel. The consequences were costly.

What companies should do:

  • Train all staff, including senior leaders, on how to actually apply sanctions controls and not just what the policies say.
  • Run real-world scenario testing to evaluate whether processes hold up under pressure.
  • Build in checks and balances, especially around payments, counterparties and legal exits from high-risk regions.

3. Don’t overlook ownership and control

One of the trickier but crucial aspects of sanctions compliance is understanding ownership and control. OFSI penalizes failures to assess control more harshly than honest mistakes made in good faith.

This means businesses must go beyond surface-level checks. Is the counterparty owned or controlled (directly or indirectly) by a sanctioned individual? Have you documented your assessment?

What companies should do:

  • Review OFSI’s Enforcement and Monetary Penalties Guidance, specifically on ownership and control.
  • Use enhanced due diligence tools to trace ownership structures.
  • If uncertain, document the rationale behind any conclusions drawn and seek legal or regulatory advice.

Voluntary disclosure helped. But not enough

HSF London self-reported the breach to OFSI, which resulted in a 50% reduction in the fine. But even with this discount, the final penalty stood at nearly half a million pounds, and that’s before considering reputational costs.

As HSF stated: “We were disappointed by the fine… Nonetheless, we are pleased that this matter has now been resolved.” The bottom line is that the voluntary disclosure was appreciated by regulators, but it did not erase the consequences.

Prevention is cheaper than a penalty

HSF London paid nearly half a million pounds in fines. The reputational and operational damage from this kind of breach far outweighs the cost of proactive compliance. For businesses, the message is clear: robust, dynamic, and enforced sanctions compliance programs are not optional. They are critical risk management tools. From onboarding clients to exiting high-risk jurisdictions, every step must be sanctions-aware. In a world of shifting geopolitical landscapes and growing regulatory scrutiny, failing to prepare could mean you will have to pay.

Vinciworks’ sanctions compliance courses give your staff the tools they need to understand and comply with sanctions requirements in these volatile times.