Sanctions controls: the FCA's £37bn reality check for boards

The FCA has put a number on the UK's sanctions effort — £37bn of assets frozen as of last year — and used it to reset expectations for the firms doing the freezing (FCA). The regulator's latest review, drawing on proactive assessments of more than 150 firms since February 2022, finds genuine improvement in controls but a familiar set of failures: weak due diligence, poor alert management, gaps in transaction and name screening, and sloppy handling of frozen assets and licence conditions (FCA). Published the same day as a new Memorandum of Understanding with the Office of Trade Sanctions Implementation, the review signals that the FCA now expects firms to treat sanctions as a single, integrated discipline rather than a financial crime sub-function (FCA).

A widening perimeter

The most consequential line in the review is almost throwaway: reports still concentrate on Russia, but the FCA is seeing more activity tied to Libya, Iran and North Korea (FCA). That diversification matters because the typologies differ. Russia-related screening has been industrialised over four years; Iran and DPRK exposures tend to involve more complex ownership structures, dual-use goods and trade finance touchpoints where financial controls bleed into export compliance. The FCA itself notes that the range of controls used for trade sanctions is wider than for financial sanctions, and that firms find trade breaches harder to detect and prevent (FCA). Boards that have benchmarked their programmes against Russia-era playbooks should assume those benchmarks are now insufficient.

The OTSI MoU changes the intelligence picture

The new FCA–OTSI MoU, sitting alongside the existing OFSI arrangement, formalises intelligence sharing across the financial and trade sanctions regulators (FCA). For regulated firms, this closes a gap that compliance teams have quietly relied on: the assumption that a trade-side concern raised with a corporate client would not automatically surface in financial supervisory dialogue. It will now. Senior leaders should expect supervisors to arrive with a more complete picture of client behaviour across goods, services and payment flows, and should pressure-test whether their own internal lines — financial crime, trade finance, client onboarding, export controls advisory — share data with anything like the same fluency.

The cost of getting it wrong is operational, not just regulatory

The same week's news that small payment institution SB Remit entered administration after a voluntary undertaking restricting its activities is a reminder that the FCA is willing to constrain firms quickly when controls are inadequate, and that customers of payment firms have no FSCS protection to fall back on (FCA). Sanctions breaches sit in the same category of risk: a single material failure can trigger restrictions that strand customer funds, damage correspondent relationships and force a rapid wind-down. The FCA's decision to publish good and poor practice rather than enforcement statistics is deliberate — it is inviting firms to self-correct before supervisory tools are used.

For C-suites and boards, the practical implication is narrow and immediate. The sanctions function can no longer be governed as a financial-crime sub-committee item benchmarked against 2022 controls. It needs a refreshed mandate covering trade exposures, a tested data-sharing protocol with export-control advisers, and a board-level view of which jurisdictions — Iran and DPRK in particular — are now drawing supervisory attention. Firms that wait for the next thematic review to find out will be doing so on the regulator's timetable, not their own.