Deutsche Bank fined £165,000 for Russia sanctions breach, but the real lesson is not the size of the fine

OFSI has fined Deutsche Bank AG London Branch £165,000 for breaching the UK’s Russia sanctions regime after it processed two payments totalling £635,618.75 to Okko LLC, a Russian app developer wholly owned by JSC New Opportunities, a UK-designated person. The payments were made in June and July 2022 on behalf of a Deutsche Bank customer. Okko was not itself a customer of the bank; it was a customer of Deutsche Bank’s customer.

On the surface, this is another relatively modest OFSI penalty. But the Deutsche Bank case raises significant sanctions compliance questions. This was not about a simple name-screening failure. It was about ownership and control, third-party screening data, customer risk management and how far firms need to go when payments involve high-risk jurisdictions.

What happened

The penalty notice states that Okko had previously been owned by PJSC Sberbank, which was designated by the UK on 6 April 2022. Sberbank sold Okko and its assets to JSC New Opportunities in May 2022. JSC New Opportunities was then designated by the UK on 29 June 2022. From that point, Okko became subject to UK sanctions prohibitions by virtue of being owned or controlled by a designated person. 

Deutsche Bank processed Payment A on 29 June 2022, the same day JSC New Opportunities was designated. The value date was 30 June. Payment B was processed almost a month later, on 27 July 2022, with a value date of 28 July. OFSI accepted that the first payment happened in a narrow window around the designation, but considered the second payment much harder to justify, particularly because it went to the same party after the designation had been public for around a month. 

OFSI also noted an earlier April 2022 payment to Okko of more than £1.1m, but did not treat it as a breach because it occurred before the strict liability amendments to the Policing and Crime Act 2017 came into force on 15 June 2022. 

Strict liability matters

One of the most important points in the case is that the breaches occurred after the UK’s strict liability regime for financial sanctions penalties came into effect. OFSI did not need to prove that Deutsche Bank knew, suspected or had reasonable cause to suspect that it was breaching sanctions. It needed to be satisfied, on the balance of probabilities, that a breach had occurred. 

This shows why strict liability matters. The absence of intent, knowledge or actual suspicion may be treated as a mitigating factor, but it does not prevent OFSI from imposing a civil penalty where it is satisfied that a breach occurred. 

For firms, that means sanctions compliance needs to be designed around prevention, detection and evidence. The question is not simply whether staff meant to comply. It is whether the firm had controls that were appropriate to the risk and whether those controls worked in practice.

The third-party vendor point

Deutsche Bank screened the beneficiary, Okko, for both payments. No alert was generated because the third-party screening vendor’s lists did not include Okko’s ownership data at the time. OFSI acknowledged that third-party data providers can be valuable, especially where a firm has no direct relationship with the payment beneficiary. But it also made the core point clear: Deutsche Bank remained responsible for ensuring it complied with financial sanctions when processing payments. 

This is one of the sharpest lessons from the case. Screening vendors are part of a control framework, not a transfer of responsibility. If vendor data is incomplete, stale or unable to identify ownership and control links, the regulatory risk still sits with the firm.

That is especially important in Russia sanctions cases, where ownership information may be harder to verify. OFSI noted that Russian corporate registry information became less available in 2022, including through the suppression or concealment of information in national public registers. It also noted that there were open-source media articles in May 2022 indicating the transfer of Sberbank’s digital assets to JSC New Opportunities, but that this information had not been reflected in the third-party data used by Deutsche Bank. 

The lesson is not that firms must conduct open-source research on every customer’s customer. OFSI specifically said it did not consider Deutsche Bank to have a general legal requirement to do that. But where a customer is making payments to Russia-based beneficiaries in a high-risk period, firms need to understand the limits of their data, tools and customer controls. 

Knowing your customer’s sanctions controls

Another important part of the decision is OFSI’s discussion of the customer relationship. Deutsche Bank had engaged with the customer between March and May 2022 about Russian payment flows and sanctions compliance. But OFSI said those discussions did not uncover how the customer assessed ownership-related sanctions risk, including its reliance on a self-certification model. Deutsche Bank also did not update its onboarding questionnaire to explicitly reference Russia sanctions until later enhancements in 2024. 

This is where the practical lesson can be easily misunderstood. “Know your customer’s customer” is not a formal rule that applies across the board. OFSI accepted that Deutsche Bank did not have a general legal requirement to conduct due diligence on its customer’s customers. But OFSI still expected a better understanding of how the customer managed sanctions risk, particularly where transactions involved Russia-based beneficiaries. 

That distinction matters. Firms do not necessarily need to build a full KYCC programme. But they do need risk-based insight into how their customers manage sanctions exposure, especially when the customer’s business involves higher-risk jurisdictions, payment flows or sectors.

Is £165,000 enough?

The penalty has already prompted criticism that £165,000 is too small to be an effective deterrent for a global bank. That reaction is understandable. For a major financial institution, the number can look modest, particularly when compared with the scale of the organisation and the value of the payments involved.

But the compliance lesson should not be reduced to the fine amount.

First, the statutory maximum penalty in this case was £1m. OFSI set a baseline penalty of £300,000, then applied a 45% discount to reflect voluntary disclosure and settlement. The final number was therefore shaped by the breach value, OFSI’s seriousness assessment, the disclosure, the settlement and the available statutory framework. 

Second, OFSI assessed the case as “serious”, even after taking mitigating factors into account. It identified multiple aggravating factors, including that the payments were made directly to an entity wholly owned and controlled by a designated person, that the breach undermined the asset freeze, and that Russia sanctions were and remain a strategic priority for the UK. 

Third, public enforcement carries consequences beyond the penalty. For regulated firms, an OFSI penalty can trigger internal reviews, board scrutiny, remediation costs, supervisory attention, reputational damage, customer questions and future enforcement exposure. The commercial and operational cost of a sanctions failure is rarely limited to the cheque written to OFSI.

That said, the criticism is still relevant. If firms perceive sanctions penalties as a manageable cost of doing business, the deterrence effect is weakened. That makes the internal compliance message even more important: sanctions breaches should not be assessed only by the likely penalty. They should be assessed by legal risk, regulatory scrutiny, reputational exposure, disruption, remediation burden and senior accountability.

What the Deutsche Bank penalty tells us about sanctions controls 

OFSI’s notes on compliance set out three core lessons.

First, firms need sanctions screening systems and processes that are appropriate to their risk exposure. Third-party tools may be vital, but firms must understand their limitations and supplement them where appropriate, particularly where sanctions apply through ownership and control. 

Second, firms need strong sanctions onboarding procedures and regular risk-based customer reviews. This includes understanding how customers manage their own sanctions compliance risks, particularly for transactions involving owned or controlled entities and higher-risk jurisdictions. 

Third, voluntary disclosure needs to be prompt, complete and detailed. Deutsche Bank disclosed the breaches, but OFSI considered the disclosure incomplete and said the time between discovery and reporting should have allowed for a more comprehensive account of the facts. 

For firms, the checklist is clear:

  • test whether screening tools capture ownership and control risk, not only exact name matches
  • understand what third-party vendors do and do not cover
  • document where vendor data is supplemented by internal processes
  • review customers with Russia or other high-risk jurisdiction exposure more frequently
  • ask higher-risk customers how they assess sanctions ownership and control
  • update onboarding and review questionnaires when geopolitical risk changes
  • define what a complete voluntary disclosure should include before a breach occurs
  • train staff to escalate sanctions risks that sit outside standard name-screening alerts

The gap between screening and risk intelligence

The Deutsche Bank case shows how sanctions compliance can fail in the gaps between systems, people and judgement. The beneficiary was screened. The third-party tool did not generate an alert. The bank did not have a direct relationship with the beneficiary. But OFSI still found that a breach had occurred.

Automated screening is essential, but it is not enough. A firm also needs escalation routes, trained staff, risk-based reviews, vendor oversight, customer understanding and evidence that the programme has been updated as sanctions risk changes.

A £165,000 fine may not look dramatic. But OFSI’s decision is a reminder that sanctions compliance is moving further away from simple list-screening and closer to a broader question of risk intelligence. Firms need to know not only who they are dealing with, but how ownership, control, customer behaviour, payment flows and third-party data limitations can create exposure.

VinciWorks sanctions training

VinciWorks’ sanctions training helps staff understand financial sanctions, ownership and control, screening obligations, escalation routes and the practical risks that arise when dealing with high-risk jurisdictions. Our courses are regularly updated to reflect enforcement trends and regulatory expectations, helping organisations move beyond policies on paper and build a more defensible sanctions compliance programme.