When policies fail: The Colorcon sanctions case and what it means for compliance

In September 2025, the UK’s Office of Financial Sanctions Implementation (OFSI) imposed a £152,750 penalty on Colorcon Limited, a UK-based pharmaceutical coatings company, for breaching the Russia (Sanctions) (EU Exit) Regulations 2019. On the surface, the case might appear as a routine enforcement action involving payments through sanctioned Russian banks. But beneath the figures lies a more significant lesson for every compliance professional: that a sanctions policy is only as effective as the risk assessment it’s built upon.

The anatomy of the breach

Colorcon operated a representative office in Moscow and between March and December 2022, the office made 123 payments totalling £191,290 to employees and service providers whose accounts were held at Russian banks designated under UK sanctions, including Sberbank, VTB, and Alfa Bank.

OFSI determined that 44 of those payments—worth £63,012—were permitted under a temporary General Licence allowing companies to wind down Russian operations. However, the remaining £128,278 were unlawful, made after the licence expired.

What makes this case stand out isn’t the amount but the nature of the failure. The payments weren’t made to sanctioned individuals, but to ordinary staff and vendors. Yet because their bank accounts were held with sanctioned institutions, the transactions indirectly made funds available to designated entities.

A case of overconfidence and omission

Colorcon’s compliance procedures were not fit for purpose. OFSI found that while Colorcon had made efforts to review its sanctions compliance in the wake of the Ukraine invasion, its focus remained narrow. It concentrated on customers, shareholders, and remitting banks rather than on internal payments to employees and suppliers.

Colorcon assumed its bank would conduct sanctions screening for all payments made through its systems. OFSI viewed this as a critical misjudgement. Relying on third parties, such as banks or payment processors, without confirming the scope and accuracy of their screening constitutes a significant compliance blind spot. OFSI emphasised that liability for sanctions breaches sits squarely with the company making the payment, not the institution processing it.

Moreover, the firm’s sanctions documentation, last updated in 2018, had not been materially revised despite the drastic changes in geopolitical risk following Russia’s invasion of Ukraine. OFSI’s post-case commentary was unequivocal: policies and procedures that are not continuously updated to reflect evolving risks will not be considered mitigating.

The price of delay

Perhaps the most avoidable error was Colorcon’s four-month delay in notifying OFSI after becoming aware of the potential breaches. OFSI expects suspected breaches to be disclosed “as soon as reasonably practicable.” In this instance, the regulator concluded that the circumstances were not complex enough to justify the delay. The late disclosure cost Colorcon a significant reduction in penalty mitigation—OFSI reduced its voluntary disclosure discount from the maximum 50% to 35%, leaving the company with a final penalty of £152,750 instead of £117,500.

The delay reflected a broader issue of responsiveness in sanctions governance. Compliance professionals should note that even where breaches are unintentional and voluntarily reported, timing is critical. A delay in disclosure can transform a mitigating act into an aggravating factor.

OFSI’s warning: Risk assessment comes first

At the heart of this enforcement is a single message from OFSI: compliance programmes that fail to align with real-world risk exposure are no defence. OFSI explicitly stated that it “will not necessarily consider the existence of sanctions policies and processes mitigating if they are not fit for purpose.”

In Colorcon’s case, the company’s risk assessment didn’t extend far enough. Despite having external legal counsel and internal teams monitoring sanctions developments, its framework failed to capture internal payment flows. The firm also neglected to confirm whether its bank’s systems screened Russian transactions for sanctions risks. These oversights, repeated across months of transactions, amounted to a systemic weakness—one that could have been avoided through a more dynamic, risk-based compliance strategy.

Lessons for compliance professionals

This case should prompt every compliance officer to revisit their own sanctions architecture. Effective sanctions compliance isn’t static; it demands constant recalibration to reflect geopolitical shifts, new designations, and the realities of global operations.

OFSI’s guidance following the decision sets out several clear principles:

Know your risk landscape: A sanctions policy must start with an honest assessment of where the organisation’s exposure lies—by geography, counterparties, and operational flow.

Don’t outsource accountability: Third-party screening tools and banking controls are helpful, but responsibility for due diligence and oversight always remains with the entity making the payment.

Keep policies alive: Sanctions frameworks should evolve in step with global events. A policy written in 2018, however well-intentioned, cannot anticipate the risks of 2022, 2025 or beyond.

Report quickly and transparently: Even partial or preliminary disclosure to OFSI within weeks of discovering a breach demonstrates good faith and can significantly reduce penalties.