Apple sanctions penalty shows how UK exposure can arise where firms least expect it

On 19 March 2026, the Office of Financial Sanctions Implementation, or OFSI, imposed a monetary penalty of £390,000 on Apple Distribution International Limited (ADI), an Irish subsidiary of Apple. The penalty related to two payments in 2022, worth £635,618.75 in total, made to Okko LLC, a Russian streaming service that at the time was wholly owned by JSC New Opportunities, a UK-designated person. OFSI concluded that Apple’s subsidiary had breached Regulation 12 of the Russia (Sanctions) (EU Exit) Regulations 2019 by making funds available to an entity owned or controlled by a designated person.

But this penalty is not just a story about a famous brand making a mistake. It also serves as a useful case study in how sanctions exposure can be created by the structure of a payment flow, the limits of ownership screening, and a compliance framework that is not calibrated to the jurisdiction that actually matters.

Why OFSI had jurisdiction over an Irish Apple subsidiary

What makes this case particularly notable is that ADI was not a UK company. It was incorporated in Ireland. Yet OFSI found jurisdiction because the payments were made using ADI funds held in a UK-based bank account and instructed through a UK bank. In OFSI’s view, the failure to cancel those payment instructions amounted to conduct in the UK.

That is the key lesson here: UK sanctions risk does not depend only on where a company is incorporated. It can arise from where funds are held, how payments are routed, and which financial institutions are involved. OFSI’s notice makes clear that bank-routing decisions can create UK exposure even where the business itself sits elsewhere. 

When treasury decisions create sanctions exposure

That jurisdictional point matters far beyond the technology sector. Many multinational businesses assume sanctions obligations are primarily determined by headquarters location, governing law clauses, or the jurisdiction of the counterparty. OFSI’s notice is a reminder that treasury and payment infrastructure can create sanctions exposure of their own.

A business may think of a bank account as an operational detail. Regulators may treat it as the very reason UK sanctions law applies. That makes treasury structure, payment routing and banking relationships part of the sanctions control environment, not merely back-office administration.

The case was really about ownership, not just screening

The ownership chain is equally important. Okko itself was not on a sanctions list. The problem was who owned it. OFSI’s case turned on the fact that JSC New Opportunities had become Okko’s owner and was then designated by the UK on 29 June 2022. One of the payments was released the following day. The second was instructed after the designation and released a month later.

This means the breach was not a simple name-screening failure. It was an ownership and control failure. That distinction matters because many sanctions programmes are still strongest at direct list screening and weaker at tracking ownership changes over time. 

OFSI’s message on due diligence is clear

In the penalty notice, OFSI said firms should have due diligence frameworks robust enough to identify and understand ownership and control both at the start of a relationship and on an ongoing basis. It also said firms remain ultimately responsible even where they rely on third-party screening and ownership diligence providers.

In other words, buying screening is not the same as discharging responsibility.

The penalty notice is particularly clear on this point. OFSI found that ADI relied on a self-certification model and third-party due diligence vendors for ownership-related risks in onboarding Russian app developers. It also noted that multiple open-source media articles were available at the time indicating the transfer of Sberbank’s digital assets to JSC New Opportunities, but those were not identified or flagged by ADI’s providers. 

Strict liability has changed the compliance landscape

OFSI accepted there was no evidence ADI intended to breach sanctions, but under the UK’s strict liability civil enforcement regime, lack of knowledge is not enough to avoid a penalty.

That strict liability point is one of the biggest compliance takeaways. Since changes introduced under the Policing and Crime Bill, OFSI no longer has to prove knowledge or reasonable cause to suspect in order to impose a civil monetary penalty in these cases. Intent still matters to the level of seriousness and the eventual penalty, but it is no longer the threshold issue.

For compliance teams, that means controls must be designed around prevention and detection, not around whether a firm can later explain that it did not know. 

Timing mattered, but only up to a point

There is also an important timing lesson here. OFSI treated the timing of the first payment as a mitigating factor because the window to cancel it was very limited. But it still included that payment in the penalty case because of the second payment a month later.

That shows that OFSI does recognise that newly imposed sanctions can create genuine operational difficulties where payments are already in motion. But that sympathy is limited: firms are still expected to move quickly, and where there is a later payment after the designation, the regulator is unlikely to be persuaded by arguments about narrow operational windows alone.

Scheduled payments are a hidden sanctions risk

This makes the case especially relevant for businesses that use scheduled or value-dated payments. In practice, a payment may be screened when scheduled, enter a processing queue, and only be released days or weeks later. If a designation or ownership change occurs in the meantime, the payment can become prohibited after it has already been set in motion.

A firm may require pending payments to be cancelled where sanctions risk is identified. But if it has no practical way to stop a payment once it is already queued with an external bank, that is a real control gap. It may help explain the breach, but it does not excuse it.

OFSI’s enforcement framework is becoming more structured

Another reason this case stands out is that it is the first enforcement action resolved under OFSI’s new settlement mechanism, introduced in February 2026. OFSI’s guidance was updated on 9 February 2026, and the Apple case was settled under transitional arrangements.

The official notice says OFSI considered the case serious, set a baseline penalty of £600,000, then applied a 35% discount for voluntary disclosure and settlement to reach the final £390,000 figure. This shows that OFSI’s enforcement framework is becoming more structured, more transparent, and potentially more active. 

What firms should do now

1. Add payment architecture to sanctions risk assessments

It is not enough to assess customer type, geography, products and jurisdictions in the abstract. Firms should ask where funds are actually held, which banks are used, which sanctions lists those institutions effectively bring into play, and whether treasury decisions are being reviewed by compliance before they go live.

The Apple case shows that a UK bank account can create UK sanctions exposure even for a non-UK company. 

2. Treat ownership monitoring as an ongoing control

Where ownership structures are opaque, changeable or linked to higher-risk jurisdictions, point-in-time checks are unlikely to be enough. Firms should think about periodic recertification, adverse media escalation, event-driven reviews, and whether beneficial ownership data is actually being fed into sanctions screening systems rather than simply stored somewhere in a KYC file. 

3. Put vendor reliance under proper scrutiny

OFSI did not criticise the use of third-party tools as such. It acknowledged their value. But it was equally clear that ultimate responsibility stays with the firm. That means asking whether vendors cover the right lists, whether they identify ownership-based exposure rather than only direct name matches, how quickly they update data, and how they handle registry opacity and missing information in higher-risk jurisdictions. 

4. Revisit escalation procedures for pending payments

If a designation lands today, who can stop a payment already queued for release tomorrow? Is there a clear link between screening alerts, operations staff, treasury teams and the bank itself? If the answer is vague, the process is probably too slow for a serious sanctions event.

The Apple case suggests that these operational questions are no longer peripheral. They are part of the control framework regulators will scrutinise after the fact. 

A warning for every multinational business

The broader message from OFSI is simple. Sanctions compliance is no longer just about screening counterparties against a list. It is about understanding who owns them, which jurisdiction actually governs the payment flow, whether your vendors can detect ownership and control risks in real time, and whether your organisation can act before a payment is released.

Apple’s penalty is a warning that even sophisticated companies can miss those links. For everyone else, it is a reminder that sanctions exposure often appears in the gaps between teams, systems and assumptions.
