UK Sanctions Update: significant new OFSI enforcement powers to be introduced and notable recent sanctions cases

UK sanctions regulation remains a highly fluid area of law and enforcement practice. This update provides a summary of some notable recent developments, including significant (and in some cases novel) changes to the civil penalty enforcement landscape following the Office of Financial Sanctions Implementation's ("OFSI") public consultation - which will broadly make it easier for OFSI to punish smaller breaches and increase the amount it may impose for more significant breaches – as well as the implications of OFSI's new (and welcome) consultation on the vexed issue of ownership and control.

We also discuss learnings from the recent enforcement against Bank of Scotland for sanctions breaches and consider the case of Alliance Petrochemical v Mazzagatti & Anor, which provides a clear reaffirmation of the territorial limits of the foreign illegality defence under English law in the context of U.S. sanctions.

Now Reading

OFSI consultation response and updated guidance on civil enforcement

On 29 January 2026, OFSI published a response to its consultation on improving civil enforcement processes for financial sanctions. The response contained a number of proposed changes to civil enforcement of sanctions, which have since been implemented through an update to OFSI's guidance on 9 February 2026 (save for the proposed changes to statutory penalties, which will require primary legislation). Key changes include:

Improvements to case assessment guidance

In the consultation, OFSI proposed to improve public case assessment guidance by introducing new matrices on severity and conduct, and case outcomes, allowing for further transparency. The updated guidance now provides a clearer classification of breaches through a four-level seriousness model, and revises the various factors that affect severity.

Under the new framework, breaches will be classified as Lower Severity, Moderate Severity, Serious, or Most Serious.

"Lower Severity" typically captures technical or minor infractions with negligible impact and limited aggravating factors, where a warning or minor penalty may be appropriate. Lower Severity and Moderate Severity (see below) cases are likely to be dealt with via a private warning letter or by publishing information pertaining to a breach without imposing a monetary penalty.
"Moderate Severity" cases involve more substantial breaches, perhaps where there are some aggravating elements or a greater compliance lapse, but not rising to the level of a systemic or intentional violation.
"Serious" cases are characterised by clear and impactful breaches, often with significant harm, repeated failings, or elements of recklessness.
"Most Serious" cases represent the gravest category, typically involving very high monetary value; particularly poor, negligent or intentional conduct; or severe or lasting damage to the purposes of the sanctions regime.

This structure not only aligns OFSI’s approach more closely with that seen in analogous regulatory contexts, such as health and safety enforcement (which also classifies offences into one of four categories), but also offers businesses and practitioners clearer expectations regarding both process and potential outcomes.

Furthermore, the current discount for voluntary self-disclosure has been replaced with a voluntary disclosure and co-operation discount, for which the maximum discount will be 30% (which is more in line with the credits we see given for early guilty pleas in certain other criminal enforcement regimes), as opposed to the current 50%. This is intended to ensure fines are appropriately deterrent in effect, but a clear incentive for organisations to self-disclose and (in a change of emphasis) co-operate remains.

Settlement scheme

OFSI has also introduced a settlement scheme, allowing subjects of enforcement action to resolve monetary penalty cases through a time-limited negotiated settlement. Businesses will need to waive their rights to a ministerial review and to an appeal of the decision as a condition of the settlement. Settling the case allows for a penalty discount of 20%, and gives the subject of the penalty the opportunity to input into the penalty notice.

This is an interesting development, indicating a shift from a more conventional legal process to a more commercial and outcomes-focused mindset, which is in part a response to the complexities of the sanctions compliance landscape. It underlines that enforcement in this area remains an evolving concept, and it will be interesting to see how many businesses look to take their chances with this alternative process in coming years.

Early Account Scheme

OFSI has also introduced an Early Account Scheme, which enables subjects of enforcement action to provide OFSI with an early and comprehensive factual account of a case, supported by relevant materials and evidence. If OFSI subsequently decides to impose a monetary penalty, the subject will then be eligible for a penalty reduction of up to 20%. Alternatively, OFSI may take no further action and close the case, issue a private warning or public disclosure, or continue with its investigation.

The Early Account Scheme is distinct from the settlement scheme and the voluntary disclosure and co-operation discount. Subjects participating in the Early Account Scheme are simply providing a comprehensive, early account of the case with all relevant materials and evidence, and they may still choose to contest OFSI’s findings later on. In contrast, the settlement scheme requires a subject to agree not to contest OFSI’s findings (i.e. to effectively accept the outcome and forgo rights to review and appeal), while the voluntary disclosure and co-operation discount is awarded for proactively reporting and cooperating with OFSI—which usually involves acknowledging the existence of a breach—if not making a formal admission of liability.

All three discounts could theoretically apply cumulatively, reducing the penalty by a maximum of 70%.

Fixed penalties and revised guidance

Furthermore, following the consultation, OFSI has introduced fixed monetary penalties of £5,000 and £10,000 for certain offences. These will apply to the following types of offence:

Non-compliance with reporting obligations
Incomplete or otherwise non-compliant reporting on specific and general licences
Failing to respond in time to a Request for Information
Breaches of licences, including breaches involving funds / resources with a value of up to £10,000

Not all such offences will necessarily result in a fixed monetary penalty; the guidance sets out that many first-time or one-off offences can be dealt with via private enforcement action, and the party's conduct and severity of the breach will impact the decision to proceed to penalty stage. More serious offences or repeat offending are more likely to result in a penalty under the full monetary penalty process. Once again, the desire to streamline enforcement and make it easier for OFSI to punish breaches is clear.

Changes to statutory penalty maximums

In the consultation response, OFSI indicated that it will seek to increase penalty maximums from their current level – the higher of £1 million and 50% of the value of the breach – to the higher of £2 million and 100% of the value of the breach. OFSI notes in its consultation response that respondents expressed concerns that the change could lead to disproportionate fines, but emphasises that the value of any penalty is at OFSI's discretion, and notes the need for appropriate deterrent effect.

These changes underline the need for the utmost caution when dealing with UK sanctions compliance. When dealing with cross-border flows of money the nominal 'value' that can attach to a seemingly technical breach of rules can be significant, and this change (to allow the penalty to equate to 100% of that value) essentially doubles the penalty exposure in those circumstances. Coupled with the reduced self-disclosure discounts now available (see above), taking pragmatic and early legal advice is more vital than ever.

OFSI is required to keep the statutory maximum penalty under review, and this would be the first change since the introduction of the cap in 2017. This is the only change signalled in the consultation response that is not yet in effect, as it will require primary legislation to be passed to come into effect.

OFSI call for evidence on ownership and control requirements

On 16 February 2026, OFSI launched a call for evidence seeking views from industry on how UK financial sanctions regulations on ownership and control are applied in practice. This is in reaction to OFSI receiving regular correspondence from businesses saying that assessing the potential ownership and control of counterparties in connection with designated persons can be very difficult, particularly where there are complex fund or trust structures in place. This leads to additional costs and often makes it difficult to provide sufficient certainty before entering, continuing or terminating commercial relationships. Given the increased civil penalties now being proposed, providing clear guidance in this complex and uncertain area has become more critical than ever.

By way of a quick recap, in the UK an entity is typically considered to be owned or controlled directly or indirectly by a designated person in the following circumstances:

The designated person holds (directly or indirectly) more than 50% of the shares or voting rights in the entity;
The designated person has the right (directly or indirectly) to appoint or remove a majority of the board of directors of the entity; and/or
It is reasonable, having regard to all the circumstances, to expect that the designated person would (if they chose to) be able, in most cases or significant respects, by whatever means and whether directly or indirectly, to achieve the result that the affairs of the entity are conducted in accordance with that designated person's wishes.

While the first two tests are, at least in theory, easy to interpret (albeit applying them may depend at times on how much information you have access to and the quality of third-party screening), the third limb continues to cause uncertainty. OFSI has therefore called for evidence on how often "hypothetical control" (i.e. where the designated person has the ability to exercise control, whether or not they have in fact done so) is present in real financial sanctions cases, the impact this has on costs, legal risk and business decisions and whether other legal concepts and typologies of control are helpful in applying the ownership and control analysis.

While the call for evidence has only just been published, OFSI's response should be useful in clarifying the scope of the ownership and control test. This in turn should reduce some uncertainty for businesses when analysing the application of sanctions, particularly where screening has identified a potential link but the entity in question is not also officially designated.

Increased enforcement activity: Bank of Scotland fine

OFSI's new guidance comes amidst an increase in sanctions enforcement.

An indicative example is the recent £160,000 penalty imposed on Bank of Scotland by OFSI for breaches of the UK's sanctions regime, details of which were published on 26 January. Bank of Scotland was penalised due to having processed 24 payments, totalling £77,383, to and from an account held by a sanctioned individual at Halifax, a trading division of Bank of Scotland.

A notable feature of the breach is that it was caused by a transliteration error. The sanctioned individual opened the Halifax account using a UK passport with a spelling variation of their name, consisting of different characters in their first name and surname, and a missing middle name. These character changes are common equivalents in Russian to English translations. The bank's screening system failed to reconcile the spelling on the passport with that on their sanctions system, and so a match was not made.

The screening system did successfully identify the individual as a Politically Exposed Person ("PEP"), but during a human-led PEP review – during which the individual was also identified as a designated person - they were assessed, incorrectly, as having been removed from the UK sanctions list, and the matter was not escalated.

Lloyds Banking Group, Bank of Scotland's parent, subsequently formally reported the matter to OFSI approximately a month after the breaches on a voluntary basis. A significant discount was applied to the final fine imposed due to these mitigating actions. OFSI makes it explicit in its notice on the incident that, were it not for the voluntary disclosure, a penalty of £320,000 would have been imposed.

Key learnings

What can be learned from this enforcement case? On 23 February 2026, OFSI published Four key lessons from OFSI’s £160,000 Bank of Scotland penalty, which are:

(a) Lesson 1: Screening data and configuration really matter.

OFSI strongly encourages firms to utilise all information available to optimise their sanctions controls relative to risk. Firms should regularly assess whether their screening systems can cope with spelling and transliteration variants, and consider using enriched screening and commercial list providers alongside the UK Sanctions List where warranted by their risk profile.

(b) Lesson 2: Automation is not a safety net.

There are inherent risks with automated sanctions screening. Firms must have robust and explicit contingency procedures in place, and internal policies should give clear guidance to staff on when and how to escalate potential sanctions concerns, particularly in higher-risk areas such as those involving PEPs. Moreover, this case demonstrates that the greater the sanctions exposure, the higher the bar the regulator sets. In its notice, OFSI explicitly states that firms with greater sanctions exposure should be able to deal appropriately with the increased sanctions risk: "OFSI does consider it reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening".

(c) Lesson 3: Training must match today's sanctions landscape.

The sanctions landscape has changed significantly, and training must be kept up to date. All training content and associated materials should be regularly reviewed and updated to reflect current regulatory and geographic developments to ensure continued compliance.

(d) Lesson 4: Voluntary disclosure can shape the outcome.

This case shows that prompt, voluntary disclosure of a potential breach to OFSI is taken into account, and OFSI seeks to reward timely and complete voluntary disclosures through penalty discounts. Breaches should be reported as soon as practicable, even if all facts are not yet known, with follow-up as further information becomes available. Ultimately, BOS received the maximum possible penalty reduction from OFSI (currently, 50% - although, as discussed above, OFSI has now reduced that to 30%) due to their prompt voluntary reporting of the breach. Co-operation with the various regulators in this space is thus of paramount importance not only from a legal but also a bottom-line perspective. Whilst the subsequent reduction in the amount of the credit (from 50% to 30%) should not in itself materially alter that dynamic, it is nonetheless important for businesses to ensure that, when assessing how to deal with any suspected non-compliance, they are cognisant of the latest enforcement standards and guidance in this fast-moving area.

What does this tell us about the state of sanctions enforcement?

OFSI's enforcement activity sits alongside other regulatory bodies in the sector, such as HMRC, the Home Office, and the new Office of Trade Sanctions Implementation ("OTSI", whose activity focuses on trade sanctions). For further detail on OTSI, which published its first annual review in December last year, see our previous briefing.

OFSI has increased the rate at which it is imposing penalties in recent years, with 6 in 2025 compared to just one in 2020. This, coupled with the revised civil enforcement guidance and increasing array of regulators with civil and/or criminal powers in this area, shows that sanctions enforcement is a real and growing prospect. Enforcement is not simply limited to disclosure. As the Bank of Scotland case shows, significant penalties can be and are being imposed, and the recent guidance opens the door to even larger enforcement amounts. Financial institutions and other businesses with cross-border activities with potential sanctions exposure ought to be mindful of this increasing activity.

Alliance Petrochemical v Mazzagatti & Another – US sanctions and territoriality of foreign illegality defence claims

Separate to the increase in sanctions enforcement activity, a recent High Court case has clarified the UK courts' approach to foreign sanctions regimes, and whether they can be relied upon through a 'foreign illegality defence' despite their extraterritorial effect.

A 'foreign illegality defence' is a legal argument that a claim should not be enforced if it requires the court to give effect to an act that is unlawful under a foreign law. It has been much debated in recent years in the contexts of sanctions laws, as these give rise to complex questions of (often overlapping and/or conflicting) jurisdiction of overseas laws.

In Alliance Petrochemical v Mazzagatti & Another (see here), the High Court was considering a claim by Alliance Petrochemical ("API") to recover monies allegedly misappropriated by its former CEO and CFO following a transaction involving an Iranian entity. The defendants sought to rely on a foreign illegality defence, arguing that as API was controlled by a third party, Mr Jahanpour, a U.S. citizen, who allegedly caused API to breach US sanctions via the dealings with the Iranian entity, the claim was therefore founded on illegal conduct and was improper.

The High Court struck out that defence, on the basis that the foreign illegality defence was only available if the act in question is illegal under the governing law of the claim (here, English law) or the place where the act was performed (none of which were in the US). It therefore does not cover acts outside the territory of the state of the relevant law. The mere fact Mr Jahanpour was a U.S. citizen did not bring the case into the scope of the defence.

From a sanctions perspective, the case clarifies that UK courts will not enforce foreign laws with extraterritorial effect if the case lacks a sufficient connection to that foreign state. Foreign sanctions regimes will not be usable as a potential basis for a foreign illegality defence unless the claim has a sufficient territorial connection to the state from which those regimes emanate.

Read John Buttanshaw Profile