Issues Arising for Financial Institutions and Regulated Entities

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


The critical role of financial institutions in intermediating and facilitating global commerce means that they are under an unabating spotlight, from governments and the public alike, concerning their implementation and administration of sanctions regimes. Due to the global and often complex nature of their business and the fact that they have touch points with so many transactions and other movements of assets, financial institutions bear the brunt of navigating multiform, and at times conflicting, sanctions regimes and often on a real-time basis. Further, the unprecedented nature, scale and evolution of sanctions enacted in response to the war in Ukraine stretched financial institutions’ operational capabilities to their limits. This chapter considers some of the key practical issues for regulated financial institutions in managing sanctions risks and designing and implementing effective sanctions compliance programmes.

Compliance programme design and implementation

Financial institutions should seek to operate sanctions compliance programmes that incorporate guidance from key sanctions authorities, industry good practice and lessons learnt from publicly available records of historical enforcement actions. These programmes will include: written policies and procedures detailing internal rules and controls that are designed to prevent breaches of sanctions; mechanisms for escalating and reporting (internally and, as needed, externally) potentially restricted transactions or suspected breaches; mechanisms for horizon-scanning to monitor and identify new and emerging sanctions trends and developments; measures for auditing and testing the operational effectiveness of the compliance programme; and adequate record-keeping processes.

When designing or reviewing its compliance programme, the financial institution should ensure that its policies and procedures enable it to navigate all sanctions regimes that may potentially apply to its business. This means that the policies and procedures should enable the financial institution’s staff members to identify when a relevant sanctions regime might apply to a particular transaction or activity (i.e., when there is a territorial ‘nexus’ requiring compliance with a particular sanction regime) and assess and, as appropriate, mitigate the potential sanctions risk prior to engaging in the transaction or activity. In practice, the policies and procedures will need to provide sufficient guidance to allow staff members to establish whether a particular sanctions regime may apply to a contemplated transaction or activity due to the citizenship, residence rights or location or domicile of any parties involved in the transaction, including the staff members themselves or whether a particular transaction or activity may be caught by extraterritorial sanctions measures, such as the US secondary sanctions.[2] An effective sanctions compliance programme should also incorporate regular training to ensure the policies and procedures are implemented and applied consistently across the organisation.

In designing its compliance programme, a multinational financial institution may also face the onerous challenge of reconciling inconsistent and potentially conflicting sanctions regimes into global policies and procedures that can be applied consistently throughout the institution. Although the conflict between Russia and Ukraine saw an unprecedented coordination of sanctions responses between the United States, the United Kingdom, the European Union and other allies, major differences remain within their sanctions regimes. Applying the strictest requirement (i.e., ‘gold-plating’), even in circumstances where it may not apply as a matter of law, may be impractical and could expose the institution to increased regulatory and litigation risk. Therefore, the institution may choose, instead, to have higher-level global policies that are further implemented through more detailed country or regional policies and procedures for local operating business. At the same time, the institution should ensure that the local policies and procedures are not parochial and continue to enable an effective assessment of risks arising under all potentially applicable sanctions regimes.

The financial institution will also need to ensure that its programme is sufficiently flexible to help it navigate any blocking or counter-sanctions measures. For many years, financial institutions operating in the European Union and seeking to fully comply with US sanctions have had to navigate the Blocking Regulation, which counteracts certain extraterritorial US sanctions on Iran and Cuba.[3] Although EU Member State authorities have not actively enforced the Blocking Regulation, there have been cases of private parties whose rights have been affected by EU operators’ compliance with US extraterritorial sanctions bringing successful damages claims against those operators to recover loss resulting from this compliance.[4] Moreover, institutions that operate in, or have exposure to, China or Russia may also need to consider whether their transactions or business activities in those countries may be affected by Chinese or Russian counter-sanctions.[5] These conflicts of law issues will invariably require a fact-specific analysis and balancing of competing risks, and financial institutions’ policies and procedures should retain this flexibility.

Finally, financial institutions should consider how their sanctions compliance programme fits within their broader financial crime compliance programmes. Historically, in line with industry practice, large financial institutions would maintain separate sanctions compliance teams and anti-money laundering (AML) compliance teams (sitting within a wider financial crime compliance team) that generally would operate independently of each other. With key Russian oligarchs and politicians becoming subjects of asset freezing measures in the wake of the war in Ukraine, there has been an explosion in sanctions evasion and related money laundering typologies and a re-invigorated focus by government on the pursuit of ‘corrupt elites’ and their enablers.[6] Financial institutions may, therefore, consider whether a merger of sanctions and AML teams or other means for facilitating exchange of knowledge and expertise are needed to ensure a holistic assessment of financial crime and reputational risks emerging following the war in Ukraine. This is particularly the case in circumstances where effective AML controls ensure that financial institutions have good visibility on the operations of their customers and counterparties, which, in turn, assists with subsequent analyses of ownership or control for sanctions compliance purposes.

Risk assessment

Business risk assessment

A comprehensive business-wide risk assessment lies at the core of an effective and risk-based sanctions compliance programme and justifiable sanctions risk appetite. A financial institution should ensure that it refreshes its sanctions risk assessment on a regular basis (e.g., annually) as well as in response to external trends (e.g., the recent increase in virtual currencies and cryptoassets) and material regulatory developments. Changes to the institution’s risk profile (from either internal or external developments) should result in new or updated controls to mitigate any identified risks. While the assessment underpins and rationalises a financial institution’s general risk-based approach to sanctions compliance, the financial institution will need to ensure that it promptly implements, and complies with, any newly adopted sanctions measures such as new sanctions designations (which most institutions will do by ensuring that the data feeds they use for sanctions screening are updated and integrated on a real-time basis).

In designing and carrying out their business-wide risk assessments, financial institutions should have regard to relevant sanctions authority guidance. For example, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has included in its Economic Sanctions Enforcement Guidelines a ‘risk matrix’ that financial institutions can use in evaluating their compliance programmes.[7]

Although there is no ‘one-size-fits-all’ framework, a financial institution should consider whether it operates in, or has exposure to, jurisdictions that are subject to sanctions or are hotspots for sanctions evasion activities, or whether it provides products and services that inherently pose higher sanctions risks, such as trade finance, virtual currencies or cryptoassets, cross-border payments or correspondent banking. The institution should also assess the type of clients it services (domestic or international) and whether it interacts with its direct or indirect clients through intermediaries or agents. In this regard, the financial institution may want to pay particular attention to whether its clients are subject to the same sanctions regimes as the institution and consider the risk of its clients using the institution’s services to engage in or facilitate business activities with sanctioned parties or countries.

The financial institution’s risk assessment framework should also be updated to reflect the institution’s compliance requirements under novel sanctions tools deployed by governments. For example, the US, UK, EU and their allies’ measures to impose a cap on the price of seaborne Russian oil and petroleum products were unprecedented and continue to have significant ramifications for financial institutions, which are expected to assess their direct and indirect exposure to transactions in seaborne Russian oil and petroleum products and seek appropriate attestation from their clients or counterparties concerning the price of the traded oil and petroleum products. As appropriate, the risk assessment should consider existing and emerging risks posed by the financial institution’s exposure to blocking or counter-sanctions measures.

Customer risk assessment

A financial institution should also have appropriate processes to enable assessment of whether its clients or counterparties are the targets of sanctions. In addition to customer screening (see below), the financial institution should have policies and procedures to enable it to assess whether a customer who is not listed on any sanctions lists may nonetheless be a target of sanctions by operation of applicable law. The financial institution should be mindful of the fact that the ‘ownership and/or control’ rules vary between the major sanctioning jurisdictions and their application can lead to, at times, inconsistent and counter-intuitive outcomes.

OFAC applies the 50 Percent Rule, meaning that a non-listed legal entity will be treated as sanctioned if one or more listed persons directly or indirectly own a 50 per cent or greater interest in the legal entity.[8] OFAC guidance does not require an institution to consider whether, regardless of the ownership position, the listed person exercises control over the non-listed entity. In theory, therefore, the financial institution can, in each case, arrive at a bright-line assessment of whether the non-listed legal entity must be treated as sanctioned as a matter of US law. This assumes that the institution has access to, or an understanding of, the relevant ownership structures, which are likely to have been identified or obtained via an effective AML compliance programme.

In contrast to the US position, the assessment can become a veritable Gordian Knot under the UK and EU regimes. Under both EU and UK sanctions regimes, a non-listed legal entity will be subject to sanctions restrictions if owned 50 per cent or more or ‘controlled’ by a person listed on the EU or UK sanctions list.[9] As per EU and UK guidance, the assessment of ‘control’ requires consideration of whether, notwithstanding the formal ownership of and management arrangement for the non-listed legal entity, the listed person has de facto or informal direct or indirect control over the non-listed legal entity. Conducting this assessment becomes fraught with danger where the listed person transferred formal ownership or control of an entity to their family members or business associates around the time of their listing, which is a common fact pattern in the context of the post-2022 Russia sanctions.[10]

As both the UK and EU authorities look to ramp up enforcement of their sanctions regimes, in particular with the UK’s introduction of strict liability civil penalties for breaches of financial sanctions in June 2022, the stakes and potential consequences of getting the ‘ownership and control’ determination wrong continue to increase for financial institutions.[11] While the UK’s Office of Financial Sanctions Implementation (OFSI) has indicated that it will treat a financial institution’s reasonable and good faith (but incorrect) determination concerning ownership and control as a mitigating factor, it stopped short of confirming that this determination would immunise the financial institution from enforcement.[12] Therefore, when conducting ownership and control assessments, the financial institution may have to continue to balance the regulatory (and potential enforcement) risk against the risk of litigation from a customer or counterparty that may reasonably believe that it is not a target of sanctions.

In addition, a financial institution’s customer risk assessments should take account of the differences in the application of UK and EU ownership and control rules. While the EU guidance suggests that financial institutions must aggregate different listed persons’ holdings in a non-listed legal entity for the purposes of assessing whether it is more than 50 per cent owned (or controlled) by listed persons, OFSI, in contrast, would not aggregate different listed persons’ interests in a non-listed legal entity unless they hold their interests pursuant to a joint arrangement or one listed person controls the rights or interests of the other listed persons. Furthermore, from an EU perspective, where a non-listed legal entity is found to be owned or controlled by a listed person, the legal entity is only presumed to be subject to asset freezing measures. That presumption can be rebutted on a case-by-case basis by the legal entity concerned if it can be demonstrated that some or all of its assets are outside the control of the listed person or (as the case may be) that funds or economic resources made available to it would in fact not reach or benefit the listed person.[13]

In practice, these differences have led to an entity that is owned by the same UK and EU listed persons being treated as sanctioned for UK but not EU law purposes (or vice versa), as well as competent authorities in different EU Member States reaching diametrically opposite conclusions concerning the sanctions status of the same legal entity. This, in turn, makes it paramount that the financial institutions document their assessment of ownership and control matters and consider confirming those assessments with competent authorities where that is appropriate.

Internal controls

Sanctions screening controls

To mitigate the risk of dealing with sanctioned parties, most financial institutions will implement two main screening controls: customer screening and transaction screening. Customer screening is designed to identify relationships with sanctioned persons during onboarding or among the existing customer population, while transaction screening identifies whether transactions involve sanctioned persons or assets. While the financial institution will conduct transaction screening in real time, customer screening will take place on a periodic basis. A large and sophisticated financial institution will ordinarily have automated screening processes underpinned by detailed protocols for escalation and adjudication of potential matches.

In calibrating its screening processes, the financial institution will need to consider a number of important factors, including which sanctions lists it will screen, how ‘fuzzy’ to set the screening filters, which customer relationships or transactions to screen, and whether to screen against specific locations (e.g., cities or ports) within countries targeted with sanctions, such as jurisdictions subject to OFAC comprehensive sanctions. Financial institutions, particularly banks, may want to incorporate sanctions evasion typologies into their screening processes to the extent they are able to do so.

A financial institution will typically engage a vendor to supply it with relevant screening lists that are ingested by the financial institution’s screening systems. In practice, there will be a delay between the enactment of new sanctions and the updating of internal screening filters. This period of delay may expose the financial institution to the risk of engaging in prohibited transactions, including dissipation of funds liable to freezing. As a result, the financial institution may want to consider additional measures to mitigate its sanctions risks during this period, including proactively identifying relationships with newly listed persons.

The vendor may also supply a package that includes data concerning entities believed to be owned by one or more listed persons. However, the vendor’s assessment is likely to be based on publicly available information (which can be out of date) and, on its own, is unlikely to enable the financial institution to determine whether the non-listed entity may be controlled by one or more listed persons.

Moreover, financial institutions should consider reviewing the sanctions authorities’ press releases and notices announcing new listings because they may contain important indications concerning entities that are potentially owned or controlled by listed persons. For example, when the UK government imposed asset freezing sanctions on Roman Abramovich on 10 March 2022, the associated statement of reasons explained that Abramovich ‘exercises effective control of’ Evraz PLC.[14] However, Evraz PLC itself was not listed on the same day and, in fact, was only directly targeted on 5 May 2022. Similarly, when the UK government targeted Elvira Nabiullina, the Governor of the Central Bank of the Russian Federation, the associated press release stated that the ‘UK Government does not consider that Elvira Nabiullina owns or controls the Central Bank’.[15]

Controls relating to activity-based sanctions

A financial institution, depending on its business, should consider instituting and maintaining appropriate risk-based systems and controls to counter the risk of violating activity-based sanctions. While the above-mentioned sanctions screening processes enable a financial institution to identify and mitigate the risk of the institution dealing with a sanctioned person (including a non-listed legal entity owned or controlled by a listed person), it is more challenging to implement an effective screening process for activity-based or trade sanctions. This is because activity-based sanctions may only restrict the provision of specific services or goods to, or undertaking specific dealings with, certain or all persons associated with a sanctioned country. In turn, this means that controls relating to activity-based sanctions can be more difficult to automate and are also reliant on having a sufficient understanding of a client or counterparty’s business activities via the know-your-customer and customer due diligence process.

To successfully navigate these sanctions, a financial institution should, in the first instance, consider undertaking an assessment of its exposure to the risk of violating these sanctions. Once the financial institution has identified business areas that pose heightened exposure to activity-based sanctions, it can design and implement effective systems and controls to mitigate its risks. In this section, we consider some of the most impactful activity-based sanctions imposed following the commencement of the war in Ukraine and the potential risk mitigation measures.

Asset managers and other financial institutions that, on behalf of underlying clients, invest or trade in securities of issuers established in the European Union are likely to be aware of the EU prohibition on selling transferable securities denominated in any official currency of a Member State issued after 12 April 2022, or units in collective investment undertakings providing exposure to these securities, to any Russian or Belarusian nationals or residents, or legal entities incorporated in Russia or Belarus. In practice, financial institutions have sought to navigate these sanctions by undertaking enhanced due diligence on clients (fund investors) who have potential connections to Russia or Belarus and seeking appropriate contractual representations and warranties from financial institutions that introduce or distribute investments that they are not acting on behalf of the restricted Russian or Belarusian parties.

The US,[16] UK[17] and EU[18] bans on new investments relating to Russia have prompted financial institutions to increase scrutiny of the utilisation of any credit or equity financing that they might provide or arrange for non-Russian clients. To guard against the risk of funds being diverted to finance prohibited new investment activities in Russia, financial institutions may conduct enhanced due diligence on their clients’ operations in, or exposure to, Russia and insist on more onerous covenants that prevent the direct or indirect use of the proceeds of any financing in Russia in breach of applicable sanctions.

Finally, financial institutions continue to grapple with their trade sanctions obligations. Across the US, UK, EU and other sanctions regimes, trade sanctions typically prohibit not only the actual trade in the restricted goods with the sanctioned country, but also the provision of financing relating to that trade. In the United Kingdom, these trade sanctions are particularly onerous for financial institutions because they prohibit the provision of any financial services relating to the prohibited trade, including payment processing and money transmission services.[19] This also applies under US sanctions rules. US persons could be subject to penalties if they ‘facilitate’ sanctions violations. OFAC has interpreted the prohibition on ‘facilitation’ broadly: there is a prohibition on arranging, assisting, supporting or approving non-US persons’ dealings with sanctioned parties or countries, if those dealings would be unlawful if carried out by a US person.

To date, financial institutions have had limited operational ability to conduct effective and proportionate real-time screening of financial transactions to identify whether they relate to trade in restricted goods. Therefore, financial institutions have chosen to focus their resources on ensuring that these trade sanctions risks are adequately managed in high-risk business activities such as trade finance and other forms of working capital financing through detailed due diligence on clients, manual review and screening of underlying trade documentation, and re-screening of direct or indirect counterparties involved in the trade transaction at all key stages of the financing. Nevertheless, the explosion in the use of trade sanctions against Russia (particularly in the context of the oil price cap mechanism, discussed above), as well as increased focus on financial institutions’ measures to counter proliferation financing,[20] may require financial institutions to rethink their general onboarding and AML transaction monitoring processes to help them identify clients that present an increased exposure to trade sanctions risks proactively and at an earlier stage.

Correspondent banking relationships

A financial institution providing correspondent banking services (i.e., an arrangement where a financial institution (correspondent) provides payment and other services to another financial institution (respondent)) presents heightened sanctions as well as other financial crime risks to the correspondent because the correspondent is unable to conduct due diligence on the respondent’s clients whose transactions may be processed through the correspondent. The correspondent is in a position where it must rely on the respondent bank’s financial crime systems and controls even where the respondent may be subject to a different and potentially weaker regulatory regime.

In this context, non-US financial institutions should be aware of the risks of undertaking cross-border US dollar payments or other transactions that touch on the US financial system. Historically, OFAC has aggressively asserted US jurisdiction over cross-border payments that clear through US correspondent banks, even when the underlying transaction is between non-US clients of non-US financial institutions. In a stark example of its aggressive enforcement approach, in 2019 OFAC entered into a settlement with a UK bank that had provided US dollar funding to certain Sudanese banks in violation of the US–Sudan sanctions programme. Although the UK bank’s transactions with the Sudanese banks did not use the US financial system, US financial institutions, which were several layers removed from the prohibited activity, were ultimately the source of the US dollar funding made available to the Sudanese banks. Aside from risks in the correspondent banking sphere, the case illustrates that non-US financial institutions, when considering any potential transactions involving US sanctioned parties or countries, should be thorough in their analysis and conclusion of any US nexus to those transactions.

Given that sanctions violations relating to correspondent banking services have led to record-breaking OFAC settlement figures in the past, it is perhaps unsurprising that financial institutions globally continue to focus on their sanctions risks and controls relating to correspondent banking services. Due to the elevated risks, correspondents typically implement a suite of controls to monitor: the respondent institution’s transactions with a view to detecting any changes in the respondent institution’s risk profile; any unusual activity or transaction on the part of the respondent; or any potential deviations from the agreed terms of the arrangements governing the correspondent relationship, including the respondent’s adherence to the sanctions regimes applicable to the correspondent.[21] The monitoring techniques and tools will invariably depend on the risks associated with the correspondent banking relationship. Where the correspondent identifies concerns, it should investigate and follow up with the respondent institution by making requests for information on particular transactions or customers of the respondent bank.

Internal auditing and testing

Establishing internal auditing and testing processes ensures that the financial institution is aware of how well its sanctions compliance programme and sanctions screening processes are performing. Audits allow for an assessment of the effectiveness of internal structures to determine whether procedures need to be updated or recalibrated to account for weaknesses in existing compliance programmes, changes in the sanctions and adaptations in risk assessments.

To measure the effectiveness of internal controls in this way, financial institutions should commit to ensuring that the senior management is held accountable for carrying out internal auditing and testing with sufficient authority, skill, expertise and resources. Furthermore, financial institutions should ensure that auditing and testing assessments are objective and relevant to their size and sophistication.

In conducting internal audits, should any actual or suspected breaches or deficiencies be found, financial institutions should take prompt action to conduct a robust investigation, analyse root causes of any breaches or deficiencies, and adequately remediate any issues in keeping with the relevant regulatory requirements and expectations. Financial institutions should also consider self-reporting the suspected or actual breaches to relevant authorities.

Reporting obligations and information sharing

Under the US, UK, EU and other sanctions regimes, financial institutions are obliged to report to the relevant sanctions authorities if they hold or control blocked funds or assets in which a sanctioned person has an interest or if they reject transactions prohibited by sanctions. Moreover, financial institutions may be required, or expected to, self-report actual or suspected violations of applicable sanctions. There are common features to reporting under the US, EU and UK sanctions regimes, although the timing and information requirements for reports may vary depending on the regime. In designing their internal processes for escalation of true matches or suspected breaches of sanctions, financial institutions should be mindful of these reporting obligations and expectations.

Under US law, if a financial institution’s sanctions screening processes identify a true match, the financial institution, depending on the facts and the relevant sanctions programme, may be required to either block or reject the transaction and report this to OFAC.[22] Financial institutions are required to report to OFAC any blocked or rejected transactions within 10 days of the action.[23] In the event that a financial institution believes it has violated US sanctions laws and regulations, of which OFAC is unaware, proactive and voluntary disclosure of any potential violation can reduce potential penalties.

OFAC guidelines provide for voluntary self-disclosures (VSD), which are defined as a ‘self-initiated notification to OFAC of an apparent violation by a Subject Person that has committed, or otherwise participated in, an apparent violation of a statute, Executive Order, or regulation administered or enforced by OFAC, prior to or at the same time that OFAC, or any other federal, state, or local government agency or official, discovers the apparent violation’.[24] VSD should be timely, include sufficient detail to explain the circumstances surrounding the apparent violation, address corrective actions taken, including the existence and effectiveness of existing compliance programmes, and offer full cooperation with OFAC. However, financial institutions must bear in mind that OFAC is required by memoranda of understanding entered into with a number of state regulators to share information concerning sanctions violations with those regulators. In situations where a financial institution is potentially facing both regulatory and criminal liability, it must also consider disclosing to the National Security Division of the US Department of Justice (DOJ) as well as OFAC, and in what order to do so. DOJ prosecutors are required to consider non-criminal alternatives in determining whether to initiate criminal enforcement actions, but non-disclosure may cause further problems and increased penalties if sanctions violations are later determined.

In contrast, under UK law, financial institutions (and some other regulated entities) are typically required to report to OFSI as soon as practicable if they have reasonable cause to suspect that their customer or counterparty is a sanctioned person (providing details of any frozen assets) or that any person has committed a breach of financial sanctions.[25] The UK regime, therefore, requires financial institutions to self-report their own suspected breaches of sanctions to OFSI, and, in practice, OFSI places considerable emphasis on timely reporting of breaches.[26] More generally, OFSI also requires all persons holding or controlling funds or economic resources belonging to sanctioned persons to submit annual frozen assets reports to it.

Should the Economic Crime and Corporate Transparency Bill be enacted by the UK Parliament, financial institutions and other regulated business will obtain the ability to voluntarily share customer information with each other for the purposes of preventing, investigating and detecting economic crime, without risking the breach of client confidentiality obligations. These provisions could facilitate, among other things, the UK financial institutions’ sharing of intelligence to counter sanctions violations and circumvention.

EU sanctions regulations typically require any person (including a financial institution) to ‘immediately supply’ their competent authority with ‘any information which would facilitate compliance’ with EU sanctions, such as information concerning any frozen funds. In the context of the Russia sanctions regulations, the European Union has also clarified that these reporting obligations require reporting of suspected breaches of EU financial sanctions.[27] Similar to the United Kingdom, this obligation could be considered to require financial institutions to self-report their own breaches of sanctions.

Finally, when designing and executing sanctions reporting procedures, financial institutions should bear in mind that in certain cases they may be required to report suspected sanctions breaches, frozen assets or compliance programme weaknesses to their financial services regulator in addition to the sanctions enforcement authority[28] and there may also be other relevant reporting obligations (e.g., money laundering reporting obligations, such as suspicious activity reports). They should also consider whether and when they may be required to report issues to sanctions or financial services regulatory authorities in multiple jurisdictions. The new sanctions on Russia have heralded an unprecedented era of coordination between different countries.[29] Given the governments’ intense focus on enforcing this regime and stamping out its circumvention, there is every reason to expect this coordination to translate into ever-closer cooperation on investigation and enforcement of sanctions breaches. Financial institutions should be aware that navigating and resolving sanctions issues may increasingly require a global approach and should prepare for this accordingly.


[1] John Bedford is a partner, Andris Ivanovs is an associate and Navpreet Moonga is a special legal consultant at Dechert LLP.

[2] Under secondary sanctions, a non-US person faces the threat of US sanctions if they engage in a specified activity even where that activity has no US nexus.

[3] The Blocking Regulation prohibits EU persons from complying with certain US sanctions relating to Iran and Cuba. Council Regulation (EC) No. 2271/96 of 22 November 1996 protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom, Article 5.

[4] See, for example, Case C-124/20, Bank Melli Iran v. Telekom Deutschland GmbH.

[5] For example, the Decision of the Board of Directors of the Bank of Russia of 1 April 2022 prohibiting companies from ‘unfriendly states’ from buying any non-rouble currency in Russia, and the Chinese Anti-Foreign Sanctions Law, which gives the Chinese government powers to place sanctions on individuals involved in the development, decision-making and implementation of discriminatory restrictive measures by foreign governments against China.

[6] Home Office, ‘New plan puts UK at the forefront of fight against economic crime’ (30 March 2023),, accessed 11 May 2023.

[7] 31 C.F.R. Appendix A to Part 501, Annex.

[8] Office of Foreign Assets Control, ‘Revised Guidance on Entities Owned by Persons Whose Property and Interests in Property are Blocked’ (13 August 2014),, accessed 11 May 2023.

[9] Office of Financial Sanctions Implementation (OFSI), ‘UK Financial Sanctions: General guidance for financial sanctions under the Sanctions and Anti-Money Laundering Act 2018’ (August 2022),, pp. 17–19, accessed 11 May 2023. See also European Commission, ‘Commission opinion of 19.6.2020 on Article 2 of Council Regulation (EU) No. 269/2014’ (19 June 2020), C(2020) 4117 final.

[10] National Crime Agency, OFSI, Joint Money Laundering Intelligence Taskforce, National Economic Crime Centre, ‘Financial Sanctions Evasion Typologies: Russian Elites and Enablers’ (0697-NECC, July 2022).

[11] Giles Thomson, ‘New enforcement powers – a message from Giles Thomson, Director of OFSI’ (8 June 2022),, accessed 11 May 2023.

[12] OFSI, ‘OFSI enforcement and monetary penalties for breaches of financial sanctions’ (March 2023),, paragraphs 3.22–3.31, accessed 11 May 2023.

[13] European Commission, ‘Commission Consolidated FAQs on the implementation of Council Regulation No. 833/2014 and Council Regulation No. 269/2014’ (updated 10 May 2023),, accessed 11 May 2023.

[15] Foreign, Commonwealth & Development Office (FCDO), ‘Sanctions in response to Putin’s illegal annexation of Ukrainian regions’ (30 September 2022) ,, accessed 11 May 2023.

[16] Executive Order 14071.

[17] The Russia (Sanctions) (EU Exit) Regulations 2019, Regulation 18B.

[18] Council Regulation (EU) No. 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine, Article 3a.

[19] Export Control Joint Unit, FCDO, OFSI, ‘Russia sanctions: guidance’ (updated 24 April 2023),, accessed 11 May 2023.

[20] The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulations 18A and 19A.

[21] Financial Action Task Force, ‘Guidance on Correspondent Banking Services’ (October 2016), p. 14,, accessed 11 May 2023.

[22] There is a clear distinction between blocking and rejecting a transaction: to block a transaction, the financial institution must not process the transaction, and hold or freeze the funds; to reject the transaction, the financial institution will simply refuse to process the transaction. An example of a transaction that must be blocked is one in which the funds are designated for, or received from, a person or entity included on the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (the SDN List). By contrast, a transaction that may have to be rejected does not include any parties on the SDN List, and thus there is no property interest that is subject to blocking. Financial institutions must reject transactions to avoid facilitating prohibited trade; for example, financial institutions must refuse to process a transaction with a North Korean company as, pursuant to OFAC’s regulations concerning North Korea, all trade with North Korea is prohibited.

[23] 31 C.F.R. Part 501.

[24] 31 C.F.R. Appendix A to Part 501.

[25] HM Treasury, ‘Reporting information to OFSI – what to do’ (16 December 2022),, accessed 11 May 2023.

[26] OFSI, ‘OFSI enforcement and monetary penalties for breaches of financial sanctions’ (March 2023), paragraph 3.43,, accessed 11 May 2023.

[27] Council Regulation (EU) No. 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine, Article 8(1).

[28] See, for example, Financial Conduct Authority, ‘Financial sanctions’ (updated 21 February 2023),, accessed 11 May 2023.

[29] See, for example, OFSI, ‘OFAC-OFSI Enhanced Partnership’ (17 October 2022),, accessed 11 May 2023.

Unlock unlimited access to all Global Investigations Review content