FCA report flags sanctions control gaps across UK financial firms

LONDON, May 28, 2026 — The Financial Conduct Authority published a report on sanctions systems and controls across UK financial firms, setting out examples of good and poor practice after reviewing more than 150 supervised firms since February 2022. The findings are relevant to all firms authorized or registered by the FCA, with particular focus on money laundering reporting officers, nominated officers, financial crime compliance staff and bodies subject to Office for Professional Body Anti-Money Laundering Supervision oversight.

The review said firms’ controls for financial sanctions are generally more mature than those for trade sanctions, even as UK sanctions regimes have expanded in scope and complexity. The FCA said the most common root causes of reported suspected breaches were weaknesses in due diligence, alert management, transaction and name screening, asset freezing, and compliance with specific and general licenses.

The report described mixed standards of governance and oversight. Some firms had outdated or incomplete sanctions policies, relied heavily on group entities, vendors or other third parties without adequate local oversight, or failed to reflect risks beyond asset freezes, including sectoral and trade sanctions. Stronger firms maintained current governance documentation, tailored staff training, meaningful management information and internal or external audit assurance.

The FCA also highlighted weaknesses in risk assessments and customer due diligence, including incomplete assessments, weak treatment of trade sanctions and proliferation financing risks, inconsistent use of enhanced due diligence tools, and poor visibility into beneficial ownership and indirect exposure to sanctioned persons. For trade sanctions, firms often faced challenges because only partial transactional information was available.

Screening and alert management featured prominently in reported suspected breaches. The report cited deficiencies in list management, data feeds, calibration and testing of screening systems, and handling of alerts. In its screening tests, firms were generally effective at identifying exact name matches, but performance was weaker where names appeared in variant forms or involved non-Latin characters, titles or other formatting complications.

The FCA said breach reporting remains substantial compared with pre-2022 levels, although fewer suspected breaches were reported by supervised firms between 2023 and 2025. Most reports related to financial sanctions, with a comparatively small proportion tied to trade sanctions. In 2025, 35% of breaches reported that year related to earlier activity, down from 48% in 2024, while the average time between identification and reporting improved to 116 days from 120 days.

The regulator said it is working with firms where weaknesses were identified and will continue monitoring remediation. It also said firms should review their systems and controls to ensure compliance with both financial and trade sanctions and report suspicious activity to the appropriate authorities in a timely manner.