UK steps up sanctions penalties with raft of fines and enforcement actions

The UK’s financial sanctions enforcement landscape has seen significant developments in recent weeks, as the Office of Financial Sanctions Implementation (OFSI) takes a more proactive approach to compliance monitoring and enforcement. With increasing scrutiny on financial and non-financial entities alike, the latest actions signal that the UK government is strongly committed to ensuring strict adherence to sanctions regulations.


OFSI issues disclosure notices to UK charities

On 14 March 2025, OFSI issued a “Disclosure” against three UK-registered and regulated charities (Sahara Hands, Peculiar Peoples’ Palace Ministries, and Impact Planet) for breaching Regulation 36(6) of the Counter Terrorism (International Sanctions) (EU Exit) Regulations 2019. The breach stemmed from the charities’ failure to respond to OFSI’s requests for information (RFI), which are critical for monitoring compliance and detecting financial offenses.

Under UK sanctions law, OFSI has the authority to request information from individuals or organisations if it believes they possess details relevant to the financial activities of designated persons. This includes establishing the nature and extent of funds, economic resources, or financial transactions involving sanctioned entities. The charities failed to provide the requested information despite multiple attempts by OFSI to contact them via email and post. This lack of response impeded OFSI’s ability to ensure compliance and prevent sanctions evasion.

While the breach was not deemed severe enough to warrant a monetary penalty, OFSI assessed it as moderately serious and opted to publish the disclosure notice as an enforcement measure. OFSI noted that all other charities contacted during the same information request process complied with their obligations. 


Law firms under scrutiny: Herbert Smith Freehills CIS LLP fined

In another major enforcement action, OFSI imposed a monetary penalty of £465,000 on Herbert Smith Freehills CIS LLP (HSF Moscow) for breaching UK financial sanctions related to Russia. This marks the first time OFSI has penalised a law firm for sanctions violations, underscoring the growing expectations for professional services firms to maintain rigorous compliance standards.

HSF Moscow, a subsidiary of the UK-based Herbert Smith Freehills LLP, made six payments amounting to nearly £4 million to sanctioned Russian banks during one week in May 2022, a few months after the Ukraine invasion. The transactions occurred during the firm’s expedited wind-down of its Moscow operations. OFSI found that these payments constituted a direct provision of funds to sanctioned entities.

The firm attributed the breach to human error, as local finance staff failed to adhere to internal screening processes during the rushed closure of the Moscow office. However, OFSI determined that the violations demonstrated a pattern of compliance failings. The penalty was initially higher but was reduced by 50% due to HSF London’s proactive self-reporting and cooperation with the regulator.

This case serves as a critical reminder to law firms and other professional services providers that they are expected to exercise the same level of due diligence in sanctions compliance as financial institutions.


Sanctions circumvention: Russian politician faces UK trial

Beyond regulatory fines, the UK is also seeing increased enforcement through criminal proceedings. Former Russian governor Dmitrii Ovsiannikov is currently on trial in the UK for allegedly circumventing financial sanctions and engaging in money laundering. The case revolves around a series of financial transactions carried out after Ovsiannikov was designated under UK sanctions in 2020. This is the first criminal trial for a breach of the Russian sanctions regime.

According to prosecutors, Ovsiannikov opened a UK bank account with Halifax in February 2023, into which his wife transferred approximately £76,000. He then allegedly attempted to purchase a luxury SUV worth £54,000 before the bank detected his sanctioned status and froze the account. Subsequently, his brother is accused of buying the car on his behalf and using further funds to pay school fees for Ovsiannikov’s children. The prosecution argues that these actions constitute sanctions circumvention and money laundering offenses, carrying potential prison sentences of up to 14 years.


A new era of enforcement

These recent enforcement actions signal a shift in the UK’s approach to financial sanctions. OFSI had previously declared 2024 a ‘year of enforcement,’ but 2025 appears to be living up to that expectation. The regulator has demonstrated its willingness to utilise its full range of enforcement tools, including:

  • Disclosure notices: As seen with the charity sector, where public naming and shaming serve as a deterrent.
  • Monetary penalties: Highlighted by the fine against HSF Moscow, demonstrating that even professional services firms are not immune to financial sanctions enforcement.
  • Criminal proceedings: The Ovsiannikov case underscores that sanctions breaches can lead to serious legal consequences beyond regulatory fines.


The UK government is taking a firm stance on sanctions enforcement, reflecting a broader strategy to ensure financial restrictions are effectively implemented and maintained. Businesses, financial institutions, and non-profits alike must be prepared for heightened regulatory expectations and should invest in robust compliance frameworks to avoid becoming the subject of enforcement action.

 

Your guide to navigating sanctions compliance

Step 1: Define the scope and objectives

  • Identify the jurisdictions and regulatory bodies relevant to your business (e.g., UK’s OFSI, US’s OFAC, EU sanctions).
  • Determine whether the audit will cover the entire business or specific departments.
  • Set clear objectives, such as identifying gaps, ensuring compliance, and mitigating risks.

Step 2: Review existing sanctions compliance policies

  • Examine the company’s written policies on sanctions compliance.
  • Ensure they align with UK, EU, and US regulations as applicable.
  • Assess whether policies are regularly updated in response to regulatory changes.

Step 3: Evaluate screening procedures

  • Check how the business screens customers, suppliers, and partners against sanctions lists.
  • Review the frequency of screening (e.g., onboarding, periodic rescreening, transaction monitoring).
  • Verify whether the screening software is up to date and effective.

Step 4: Assess risk-based approach

  • Identify high-risk customers, jurisdictions, and transactions.
  • Evaluate how the business categorises risk levels and applies enhanced due diligence (EDD) where needed.
  • Ensure there is a clear escalation process for potential matches.

Step 5: Review internal controls and record-keeping

  • Check whether there are clear procedures for flagging and handling potential sanctions matches.
  • Ensure that compliance decisions are documented and retained for regulatory scrutiny.
  • Verify record retention policies (e.g., at least 5-6 years as required in many jurisdictions).

Step 6: Assess employee training and awareness

  • Review the frequency and content of sanctions compliance training.
  • Ensure that employees understand how to identify and report potential breaches.
  • Assess whether key staff receive enhanced training for complex sanctions scenarios.

Step 7: Test compliance procedures

  • Conduct sample testing of customer and supplier due diligence checks.
  • Simulate a potential sanctions match to evaluate staff responses.
  • Identify whether any weaknesses exist in the escalation and reporting process.

Step 8: Evaluate reporting and escalation processes

  • Review how the business reports potential sanctions breaches to OFSI or other regulators.
  • Ensure there are clear steps for internal reporting, escalation, and legal consultation.
  • Assess past incidents and how they were handled to identify areas for improvement.

Step 9: Identify gaps and recommend improvements

  • Document any deficiencies or non-compliance issues found during the audit.
  • Provide recommendations for addressing gaps, such as system updates, policy changes, or enhanced training.
  • Set timelines for implementing improvements.

Step 10: Establish ongoing monitoring and review

  • Schedule regular audits (e.g., annually or semi-annually) to maintain compliance.
  • Monitor regulatory updates and adjust policies accordingly.
  • Assign responsibility for continuous sanctions compliance monitoring.

 


How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
