HMRC has raised the reputational risk attached to sanctions and export control breaches. In Notice to Exporters 2026/15, HMRC publicly named Petrofac Facilities Management Limited after the company paid a £569,157 compound settlement for breaches of the UK Russia sanctions regime. The breaches occurred while PFML was divesting its Russian operations in 2022 and 2023, and HMRC said the case had been brought to its attention through a voluntary disclosure, with PFML fully cooperating with the investigation.
That is the part businesses need to pay attention to. This was not a prosecution. It was not a case where HMRC said the company had set out to breach sanctions. Compound settlements may be offered where a breach was inadvertent or caused by weaknesses in internal controls, and where the exporter voluntarily tells HMRC about the breach.
Until now, one of the practical attractions of a compound settlement was that it usually allowed a business to resolve an export control or trade sanctions breach without being publicly identified. HMRC’s decision to name PFML changes that calculation, and raises the risk. Voluntary disclosure, cooperation and settlement may still reduce the risk of prosecution and financial penalty, but they may no longer protect the business from public scrutiny.
Naming is now part of the enforcement outcome
The PFML case should be seen as part of a wider shift in UK sanctions enforcement. Regulators are no longer relying only on the fine itself to send a message. Publicity is becoming part of the penalty environment.
OFSI has already been operating in a more visible enforcement model. In June 2026, it fined Sabre Global Technologies Limited £1,000,920.59 for breaches of the Russia sanctions regime. The government said Sabre continued to provide services to Ural Airlines after potential breaches had been identified and tested alternative payment routes, conduct OFSI treated as circumvention.
The significance of Sabre is that it moved sanctions risk beyond the usual banking and legal sector examples. Sabre is a travel technology company. The alleged risk was not only money moving through an account, but continued access to systems and services. For many businesses, that is where sanctions exposure can be harder to spot. A platform, licence, software tool or booking system could still provide economic value to a sanctioned person or entity.
The fine may not be the main consequence
In January 2026, OFSI published a £160,000 penalty against Bank of Scotland for breaches of the Russia financial sanctions regime. The bank processed 24 payments linked to an account held by a designated person. The issue arose partly because the account had been opened using a UK passport containing a spelling variation of the customer’s name, which differed from the name on the sanctions list.
That case is a useful reminder that sanctions failures often come from operational gaps rather than deliberate evasion. Transliteration, spelling variants, weak matching logic, poor escalation routes and unclear ownership of sanctions alerts can all create real exposure. Public naming then turns what might otherwise look like a technical screening failure into a reputational event.
The Deutsche Bank case also demonstrates this. OFSI fined Deutsche Bank AG London Branch £165,000 after it processed two payments totalling £635,618.75 to Okko LLC, a Russian company wholly owned by JSC New Opportunities, a UK-designated person. OFSI noted that the bank relied partly on third-party ownership and control data, but the relevant screening did not generate an alert in relation to Okko or its ownership.
A sanctions control can fail because a list was not updated, a name variation was missed, a customer’s ownership structure changed, a third-party vendor lacked data, or a business unit treated a blocked payment as an administrative obstacle. Once enforcement is public, the issue becomes wider than the fine. Boards, customers, investors, banks, insurers and counterparties may all ask what went wrong.
Voluntary disclosure is still the best route for a positive outcome
For many organisations, reputational damage may be more worrying than the penalty itself. If a business believes a self-report could lead to being publicly named, it may be tempted to investigate quietly, remediate internally and hope the regulator never finds out.
That would be a risky conclusion. HMRC’s own compound settlement criteria still place voluntary disclosure at the centre of settlement eligibility. OFSI’s recent cases also show that voluntary disclosure can materially reduce penalties. In the Bank of Scotland case, for example, OFSI stated that the penalty would otherwise have been £320,000, before a 50% voluntary disclosure discount was applied.
The better conclusion is not “do not disclose”. It is that disclosure decisions now need to be more structured. Legal, compliance and senior management should assess the breach, the evidence, the likely regulatory response, the remediation plan and the communications risk together. A rushed or incomplete disclosure can create problems. A delayed disclosure can also undermine mitigation. Businesses need a clear internal process before a breach happens.
Why sanctions pressure is still increasing
The UK sanctions framework has also become more operationally demanding. From 28 January 2026, the UK Sanctions List became the single source for UK sanctions designations, and the OFSI Consolidated List is no longer updated. Businesses must ensure their systems use the UK Sanctions List and that any references to OFSI Group IDs are updated for new designated persons.
At the same time, OFSI and OFAC have published joint UK-US sanctions guidance comparing the two regimes. That guidance is useful because many businesses may face both UK and US exposure through currency, ownership and technology.
What businesses should do now to protect against a sanctions breach
Businesses should review their sanctions framework against the new enforcement reality. Policies and procedures should explain when sanctions issues must be escalated, who owns the decision, when legal advice is needed and when a voluntary disclosure should be considered. Screening systems should be tested against spelling variants, transliteration risk, ownership and control, customer-country exposure and third-party data limitations. Vendor assurance should be documented, especially where the business relies on external screening tools or embedded checks in finance, onboarding, procurement or sales systems.
Training also needs to move beyond generic sanctions awareness. Staff should understand that sanctions risk can arise through services, platforms, technical assistance, software access, payment workarounds, changes in bank details, indirect ownership and activity involving higher-risk jurisdictions.
