Sanctions Enforcement

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


In this chapter, we provide an overview of recent significant changes to both the UK and US sanctions enforcement regimes. Although there has not been any UK sanctions enforcement action in recent years, we expect that Her Majesty’s Treasury’s (HMT) new enforcement powers will result in increased enforcement in the years to come. By way of comparison, we have set out several key US enforcement decisions from 2016 that highlight certain risk areas for companies and demonstrate how the US authorities deal with sanctions breaches. We have also set out points for companies to consider to ensure compliance with the sanctions regimes on both sides of the Atlantic. This chapter supplements and updates our previous chapter in this area: ‘Cross-border overview: Sanctions enforcement’, in which we provided an overview of the different UK and US sanctions regimes and the mechanics of sanctions enforcement more generally.

Changes to the UK sanctions regime

The Policing and Crime Act 2017 (the Act) came into force on 1 April 2017. The Act significantly changes the way in which the UK authorities will enforce the sanctions regime, and reflects the government’s intention to incorporate aspects of US sanctions enforcement, which allows the US Office of Foreign Asset Control (OFAC) to swiftly impose substantial financial penalties without recourse to the criminal courts.1

HMT now has the authority to find individuals and corporates liable for sanctions breaches if it is satisfied on a ‘balance of probabilities’ (the evidential test in civil proceedings) that a breach has occurred, and impose a substantial financial penalty. The new standard mirrors the ‘preponderance of the evidence’ standard for civil enforcement actions in the US.

The civil evidential test will make it easier for HMT to be satisfied that a sanctions breach has occurred as opposed to the previous regime whereby any breach would have required a criminal prosecution to the much higher criminal evidential standard, ‘beyond reasonable doubt.’ In addition, HMT is not required to prove the breach in court; it will, in this respect, be prosecutor, judge and jury. The more serious cases will all be referred for criminal prosecution. Nevertheless, we believe that the new evidential test and the ability of HMT to decide cases itself will result in a significant increase in sanctions enforcement by HMT.

The civil standard

HMT, through the Office of Financial Sanctions Implementation (OFSI), now has the power2 to impose a monetary penalty if it is satisfied, on the balance of probabilities, that (1) the person has breached a prohibition, or failed to comply with an obligation, that is imposed by or under financial sanctions legislation, and (2) the person knew, or had reasonable cause to suspect, that the person was in breach of the prohibition or had failed to comply with the obligation.

Whether someone had reasonable cause to suspect is an objective test. HMT will need to be satisfied that there were factual circumstances from which an honest and reasonable person should have inferred knowledge or formed the suspicion that the conduct amounted to a breach of sanctions.3 This is a low evidential threshold. HMT will also then have to consider whether it is in the public interest to take enforcement action.

The decision to impose a penalty rests with HMT. Appeal of the imposition of the penalty is first to a Minister of the Crown and then by appeal to the Upper Tribunal, which is part of the UK’s High Court. The High Court typically deals with civil litigation.

Options available to HMT

HMT, through OFSI, can now respond to a breach of financial sanctions in several ways, depending on the case. The steps it can take include:

  • issuing correspondence requiring details of how a party proposes to improve their compliance systems;
  • referring regulated professionals or bodies to their relevant professional body or regulator to improve their compliance with financial sanctions;
  • imposing a monetary penalty; and
  • referring the case to law enforcement agencies for criminal investigation and potential prosecution. 

Enforcement action

The Guidance issued by HMT on 3 April 2017 sets out how HMT will decide whether to act and what action it will take, and provides several examples of mitigating and aggravating features, including the following.


HMT will consider an offence to have been committed when a person intentionally participates in activities knowing that the object or effect (directly or indirectly) is to circumvent any of the prohibitions or facilitates the circumvention of any prohibitions or regulations. The Guidance states that ‘OFSI takes circumvention very seriously because it attacks the integrity of the financial system and damages public confidence in the foreign policy and national security objectives that the sanctions regimes support. We will normally impose a monetary penalty if the case is not prosecuted criminally.’4             

Knowledge and compliance standards in the sector and response to breaches

HMT will take account of the sector in which the breach occurred and judge the breach in that context. The Guidance notes, ‘when we consider a case, we believe it is reasonable and necessary to take account of the level of actual or expected knowledge and the extent of relevant ways of complying’. However, the Guidance also states that ‘we wish to encourage strong compliance cultures and will not seek to punish companies that simply fall below a high standard if that is the only distinguishing factor in a case. This is particularly true if the company has acted swiftly to remedy the cause of the breach.’5

Behaviour of the individuals involved

HMT will look at whether the breach was deliberate or whether there was a failure to take reasonable care. HMT will also consider whether there was a systems and control failure, or a misinterpretation of the law and whether the relevant person seemed to be unaware of their responsibilities. The Guidance makes clear that without knowing or having a reasonable cause to suspect a breach, there can be no offence.6

Professional adviser

Facilitation by those providing professional advice to others will be regarded as serious and aggravating.7


The Guidance states that ‘breaches of sanctions must be reported to OFSI’.8 There is no reference in the Act to such a requirement, however, HMT considers that voluntary reporting of a financial sanctions breach will be a mitigating factor and will ‘have a real effect on any subsequent decision to apply a penalty’9 and can reduce the penalty by 50 per cent, whereas failure to report will be an aggravating feature. Reporting must be timely, but the Guidance acknowledges that:

it is reasonable for you to take some time to assess the nature and extent of the breach, but this should not delay an effective response to the breach. [. . .] If you make early disclosure with partial information on the basis that you are still working out the facts and will make a further disclosure shortly, OFSI will be happy to support this approach.10

When the breach has been committed by corporate bodies or incorporated associations, and the breach can be attributed to an officer of that entity, HMT may impose a monetary penalty upon the individual and the body or association. The penalty can be imposed on any officer of the body who consented to or took part in any conduct resulting in a breach of financial sanctions or whose neglect caused a breach of financial sanctions. HMT will also consider imposing different penalties on the legal entity and the officers who run it.

Calculation of penalty

At the end of the assessment OFSI will categorise the breach as ‘serious’ or ‘most serious’. The latter category will attract a higher penalty. The Act sets out the permitted maximum for a monetary penalty at the greater of either £1 million or 50 per cent of the estimated value of the funds or economic resources to which the breach or failure relates. The Guidance sets out how HMT will calculate the financial penalty to be imposed.11

Criminal penalties

Part 8 of the Act increases the maximum term of imprisonment for offences created by UK statutory instruments that implement European financial sanctions. As a result, offences relating to EU financial sanctions will now be punishable with a maximum term of between four months and seven years. This is an increase from the previous maximum prison sentence of two years.

Deferred prosecution agreements

Breaches of financial sanctions are now included in the list of offences for which a deferred prosecution agreement can be considered.12

Serious crime prevention orders

A breach of financial sanctions has also been included in the list of offences in respect of which an SCPO can be made under the Serious Crime Act 2007.13 The Serious Crime Act 2007 allows a High Court judge to impose a serious crime prevention order (SCPO) on an individual or corporate entity if he, she or it has been involved in a serious crime. There is no requirement for the person or entity to have been convicted of a qualifying offence, only for the person or entity to have acted in such a way as to facilitate the commission of a serious offence (whether or not such an offence was committed), such as a breach of sanctions.

An SCPO could therefore be imposed on an entity that has assisted another person or entity to breach financial sanctions, even if there has been no offence committed. The terms of an SCPO could prohibit an entity from trading in a particular sector or with particular customers. The government has suggested that SCPOs may be used in cases where entities or individuals not subject to Financial Conduct Authority oversight require additional supervision to ensure that they continue to conduct their affairs in accordance with the law. We suspect this would result in the appointment of a monitor, in the same way that companies with compliance failures in the anti-corruption area have had monitors.

Temporary implementation of UN Security Council resolutions

There has been some concern that during the time it takes for the EU to implement new UN financial sanctions regimes, the UK may be exposed to ‘asset flight’ from UN listed persons and placed in breach of its international obligations. The Act provides HMT with the power to create a temporary financial sanctions regime implementing a UN mandated financial sanctions regime, without waiting for the EU to implement the same. The temporary measures will cease upon the EU implementation of the UN Security Council Resolution or, if earlier, after the end of a maximum period of 30 days starting from the adoption of the UN resolution.

Looking ahead

HMT’s new powers provide it with a greater number of options when considering how to deal with sanctions breaches. We anticipate an increased number of enforcement actions by HMT as it will be able to levy significant financial penalties without needing to prove its case to a criminal standard, or taking the matter to court.

Corporates that discover a sanctions breach will have to carefully consider how they deal with the matter as regards the enforcement authorities, given the new civil standard required to prove a breach and the financial incentives for ‘self-reporting’. In addition, the government has provided corporates with an incentive to self-report potential criminal financial breaches by including such breaches in the list of offences that qualify for a deferred prosecution agreement.

UK sanctions following the UK’s exit from the EU

The UK government has stated that it will introduce a Bill that will ensure that the UK continues to take part in sanctions ‘jointly’14 with the EU, following its exit from the European Union. It remains to be seen whether or not the UK will adopt the sanctions imposed by the European Union, but we consider this to be likely.

US sanctions

Aside from lifting of sanctions on particular countries, US sanctions implementation and enforcement has not undergone a sea change like the United Kingdom. OFAC administers and enforces most US economic sanctions, which implement UN measures or address US national security concerns, foreign policy goals, and economic interests. US sanctions generally restrict activities that take place in the United States or involve a ‘US person’.

The foreign subsidiaries of US companies are also restricted in certain cases, such as with respect to the sanctions for Cuba and Iran. Moreover, non-US persons and companies can face penalties under US sanctions law for ‘causing’ a violation by a US person.15 Non-US persons could also face sanctions for certain transactions seemingly unrelated to the United States, and be cut off from the US market, for engaging in certain activity involving Iran or Hezbollah that would fall into a category known as ‘secondary sanctions’ (ie, restrictions on access to the US market).16 For instance, if a non-US person conducted a significant transaction with an Iranian specially designated national (SDN), the United States could impose secondary sanctions on the non-US person.17

The following sections provide summaries of recent changes to US sanctions with a focus on applicability to non-US persons and companies.


Like the UK, the US lifted many of its sanctions on Iran pursuant to Implementation Day of the Joint Comprehensive Plan of Action (JCPOA) in January 2016.18 The vast majority of the sanctions measures lifted by the United States pertained to the activities of non-US companies.

Sanctions easing

The United States suspended most secondary sanctions on Iran, meaning it removed the threat of most secondary sanctions on non-US persons engaging in business involving Iran. Specifically, the United States suspended the risks of secondary sanctions on companies engaging in numerous sectors in Iran, including: financial and banking; insurance; energy and petrochemical; and shipping and shipbuilding. The United States also removed over 400 individuals and entities from the SDN List, thereby removing the threat of secondary sanctions on non-US companies engaging in transactions with these individuals and entities.19

In addition, the United States lifted most of the restrictions on doing business in Iran for the foreign subsidiaries of US companies. Under general licence H (GL H), companies owned or controlled by US persons and established or maintained outside the US are generally authorised to engage in transactions involving Iran that would otherwise be prohibited.20 However, GL H includes a number of restrictions on companies operating under the authorisation, including restrictions that US persons may not facilitate any transactions involving Iran except to the extent authorised by GL H. As a result, foreign subsidiaries of US companies operating under GL H could face potential liability for seeking approval from a US parent for a transaction involving Iran or clearing such transactions through a US financial institution.

Remaining restrictions

Beyond the limited relaxation of sanctions described above, it remains generally prohibited to export goods or services from the United States, or for US persons to export goods or services, to Iran directly or indirectly. Non-US persons are also broadly prohibited from re-exporting controlled US-origin goods and technology to Iran. Such transactions are permitted only if licensed or subject to an exemption.

Secondary sanctions also remain for non-US persons for transactions with over (1) 200 Iran-related persons on the SDN List, including the Islamic Revolutionary Guard Corps (IRGC) and its designated agents or affiliates, and (2) any other person who remains designated in connection with Iran’s nuclear programme, ballistic missile activities, or support for international terrorism.

There are also disclosure obligations applicable to US-listed public companies that engage in certain types of activities involving Iran.

Looking forward

Moving forward, we can expect to see changes to the sanctions regimes as the Trump administration develops its foreign policy priorities. The White House has committed to a review of its policy towards Iran, as President Trump repeatedly stated during his election campaign. Despite broad commitments during the campaign to renegotiate the JCPOA, the administration is likely to focus on additional designations of bad actors in Iran, while remaining compliant with the JCPOA. In February 2017, for example, OFAC designated 25 individuals and entities linked to Iran’s ballistic missile programme and support for international terrorism. Additional designations would not broadly prevent business in Iran, but non-US companies would need to monitor changes to the SDN List to avoid exposure to secondary sanctions for transacting with an SDN.

Changes to other US sanctions programmes

The United States continues to alter sanctions restrictions in response to changing foreign policy priorities. This trend will surely continue under the Trump administration as it reassesses policy choices made by its predecessors.

In July 2016, the US reaffirmed that Ukraine-related sanctions would remain in effect unless Russia fulfilled its obligations under the Minsk Protocol reached in February 2015. OFAC’s sanctions program currently consists of three types of sanctions: (1) blocking Ukraine and Russia-related individuals and entities on the SDN List; (2) sectoral sanctions on certain types of transactions with specific entities operating in particular sectors of the Russian economy, which are listed on the Sectoral Sanctions Identification List; and (3) prohibitions on new investment and on the export and import of goods, technology, or services to and from Crimea. While the Administration has yet to make major policy changes with respect to the Russia sanctions, President Trump has mentioned his desire for a deal with Russia and his intention to review the sanctions programme.

In October 2016, President Obama lifted sanctions on Myanmar by terminating the national emergency and revoking the Executive Orders that had formed the basis of most of the US sanctions.21 Similarly, in January 2017, OFAC issued a general licence suspending the OFAC-administered embargo on Sudan.22

Enforcement trends

UK enforcement trends

The last UK corporate criminal prosecution for sanctions breaches occurred in 2009 and 2010 when two corporate entities, Mabey & Johnson Ltd and the Weir Group Plc (both cases in which one of the authors was involved), pleaded guilty to breaching UN sanctions as they applied to the Iraq oil-for-food programme. Further, in 2011 two individuals pleaded guilty to breaching UN sanctions as they related to Iraq. However, the enforcement activity of HMT is likely to increase following the Policing and Crime Act 2017 coming into force.

US enforcement trends

Enforcement of US sanctions remains generally consistent. While the new administration will bring policy and rule changes, sanctions enforcement tends to remain steady across White House transitions, and is based on whatever regulations were in place at the time of the transaction in question. The number of enforcement actions leading to civil penalties has trended down slightly in the past several years. In 2016, OFAC issued only nine civil enforcement penalties, while in 2015 there were 15, 2014 had 23, and 2013 had 27.23 As of March 2017, OFAC has announced five civil penalties, three of which were issued before 20 January, when President Obama left office.

In the past, the highest penalties have been levied against financial institutions. The largest fine, by OFAC, US$963 million, was issued against BNP Paribas in 2014 as part of an US$8.9 billion penalty from multiple US agencies.24 Recent enforcement actions, however, indicate that OFAC will be aggressive on enforcement across sectors, with high fines being issued against manufacturing and other exporting companies.

Recent enforcement actions

Recent enforcement actions against Zhongxing Telecommunications Equipment Corporation, National Oilwell Varco, and Halliburton Atlantic Limited demonstrate some of the recent trends in OFAC enforcement actions and penalties, as well as how OFAC enforcement could touch on UK and EU entities. OFAC will levy high penalties on non-financial institutions, especially when the sanctions violations are wilful and senior leadership has knowledge of the violations. The first two fines described here were particularly high because OFAC found that the companies deliberately concealed the prohibited activity from the US government.

Zhongxing Telecommunications Equipment Corporation

In March 2017, Chinese telecommunications equipment manufacturer Zhongxing Telecommunications Equipment Corporation (ZTE) agreed to a combined civil penalty of US$1.19 billion to several agencies for sanctions and export control violations.25 Of the total settlement amount, ZTE agreed to pay a penalty of US$100,871,266 to OFAC to settle potential civil liability for violations of the Iranian Transactions and Sanctions Regulations.26 This was the largest penalty ever levied by OFAC against a non-financial institution.

ZTE allegedly conspired to build telecommunications networks in Iran, in violation of US sanctions and made shipments of controlled US-origin telecommunications equipment to Iran and North Korea, in violation of US export controls. OFAC found that these violations were egregious, that ZTE did not self-disclose, and that ZTE wilfully and recklessly disregarded US sanction laws and senior executives knew of this activity. OFAC also found that ZTE had a long-term pattern of conduct designed to mislead the US government.27 

National Oilwell Varco, Inc

In November 2016, Houston-based oil and gas company National Oilwell Varco, Inc (NOV) agreed to a US$5,976,028 civil penalty for violations of the Cuba Assets Control Regulations, the Iranian Transactions and Sanctions Regulations, and the Sudanese Sanctions Regulations.28

OFAC found that NOV’s Canadian subsidiary, Dreco Energy Services, made four commission payments to a UK entity for the sale and exportation of goods to Iran. These transactions had a total value of US$2,630,091. NOV was also found to have illegally exported goods from the United States to Iran, Cuba and Sudan, for a value totalling US$15,955,471.

OFAC found the violations to be egregious. NOV executives ‘wilfully blinded’ themselves by allowing deliberate non-identification of Iran in the transactions and they found that NOV senior management knew or had reason to know the activity involved Iran. OFAC also found that NOV did not have an adequate compliance programme.

Halliburton Atlantic Limited

In February 2016, Halliburton Atlantic Limited and Halliburton Overseas Limited settled potential civil liability for violations of the Cuba Assets Control Regulations, for US$304,706.29 OFAC found that subsidiaries of Halliburton had provided goods and services worth US$1,189,752 to support oil and gas exploration and drilling in an Angolan concession.

A state-owned Cuban company held a 5 per cent interest in an oil and gas production consortium and a corresponding interest in the concession. Because of this, OFAC found that Halliburton was dealing in property in which Cuba had an interest. The Halliburton case demonstrates the risks for companies not pre-emptively implementing policies and procedures to screen customers and partners even before discovering any sort of red flag that might indicate a sanctions risk.

How to account for UK, EU and US compliance risks

We set out in our previous chapter a number of sources to assist in developing a compliance programme for financial sanctions. Much of the guidance currently available for EU compliance programmes is drawn from the financial services sector, where firms have for many years been required to proactively assess and respond to their sanctions risks, including through screening customers and counterparties. The importance of firms, including those outside the financial services sector, adopting measures of this type has increased with the implementation of the 2017 Act.

Similarly, potential liability for violations by both financial institutions and industry remains high in the US, where the government recently imposed the highest ever penalty – US$1.19 billion – for sanctions and export control violations on a non-financial institution. In addition, there are several areas where it is easy to fall foul of the differing standards and approaches applied between the UK and EU, and the US.

It is important that companies consider:

  • Conducting a risk assessment: do you have any business lines, customers or operations that are exposed to greater financial sanctions risks? Have you considered both the UK/EU and US nexus that could implicate sanctions restrictions?
  • Establishing policies and procedures: how should sales teams and other employees monitor and elevate sanctions risks? UK/EU and US authorities encourage, and are likely to consider as mitigating circumstances for any potential violation, appropriate written policies and procedures for sanctions compliance. Written policies and procedures should be accompanied by training to ensure they are understood and properly implemented across the company.
  • Monitoring: take account of potential sanctions risks that may arise – and adapt policies and procedures – when new regimes are brought into force as a result of global events. Quickly assess any impact these changes may have on business. While there are often common approaches adopted by the US and the UK and EU in these situations, the form and applicability of the laws in place will be different.
  • Assessing legal exposure: while many companies that operate in the UK and EU may consider that they do not have exposure to US sanctions enforcement risk, it is important to consider the position and involvement of US companies and/or US employees, managers and directors in transactions that have potential US sanctions exposure, as well as US service providers, including banks. The same applies to US companies that might need to consider the position of their UK and EU group companies or UK and EU national employees.
  • Having appropriate customer identification processes in place: while the financial services sector has for many years been accustomed to applying customer identification standards, or ‘know your customer’ processes, that include screening for sanctions risks, many outside that sector have not. Consider what level of screening may be appropriate in light of the risk assessment and what sources are needed to screen customers and other business counterparts. The lists of individuals and entities subject to US and UK/EU financial sanctions are constantly being updated and amended and therefore static lists can quickly fall out of date.


  1. HM Treasury, Budget 2015, 18 March 2015, p. 33:
  2. Section 146 of the Policing and Crime Act 2017.
  3. HMT Guidance paragraph 3.4.
  4. HMT Guidance paragraph 3.17.
  5. HMT Guidance paragraph 3.22.
  6. HMT Guidance paragraph 3.24.
  7. HMT Guidance paragraph 3.27
  8. HMT Guidance paragraph 3.29.
  9. HMT Guidance paragraph 3.31.
  10. HMT Guidance paragraph 3.34.
  11. HMT Guidance paragraph 4.
  12. Section 150 of the Policing and Crime Act 2017.
  13. Section 151 of the Policing and Crime Act 2017.
  14. Stated by the UK’s Foreign Secretary in a parliamentary debate on 6 April 2017.
  15. See, e.g., 50 USC. section 1705(a).
  16. See, e.g., 31 C.FR. Part 561. OFAC uses secondary sanctions to target dealings by non-U.S. companies with particular Iran and Hezbollah-related entities and sectors. Under so called secondary sanctions authorities, the United States has the authority to restrict non-US companies from doing business in the United States for engaging in specified conduct, even without a US nexus to the activities in question. These measures are used as a mechanism to deter activity by non-US companies that may not have a US nexus.
  17. SDNs are individuals and companies designated by OFAC or the State Department whose assets are blocked. US persons are generally prohibited from engaging in a transaction in which an SDN has any interest.
  18. US Department of the Treasury, Guidance Relating to the Lifting of Certain US Sanctions Pursuant to the Joint Comprehensive Plan of Action on Implementation Day (16 January 2016),
  19. US Department of the Treasury, JCPOA-related Designation Removals, JCPOA Designation Updates, Foreign Sanctions Evaders Removals, NS-ISA List Removals; 13599 List Changes (Jan. 16, 2016),
  20. US Department of the Treasury, General License H (16 January 2016),
  21. US Department of the Treasury, Termination of Emergency with Respect to the Actions and Policies of the Government of Burma (7 October 2016), available at
  22. US Department of the Treasury, General License Authorizing Transactions Involving Sudan, 31 C.F.R. Section 538.540, available at
  23. US Department of the Treasury, Civil Penalties and Enforcement Information, Resource Center (accessed 21 March 2017),
  24. US Department of Treasury, Treasury Reaches Largest Ever Sanctions-Related Settlement with BNP Paribas SA for $963 Million (20 June 2014), at; US Department of Justice, BNP Paribas Sentenced for Conspiring to Violate the International Emergency Economic Powers Act and the Trading with the Enemy Act (1 May 2015), at
  25. US Department of Commerce, Secretary of Commerce Wilbur L. Ross, Jr. Announces $1.19 Billion Penalty for Chinese Company’s Export Control Violations to Iran and North Korea (7 March 2017),
  26. US Department of the Treasury, Enforcement Information for March 7, 2017 (7 March 2017),
  27. For a longer discussion of the ZTE case, see David Mortlock and Nikki Cronin, ZTE Penalized $1.9 Billion for Sanctions and Export Control Violations, a Record Fine Against a Non-Financial Institution (Willkie Farr & Gallagher LLP, 17 March 2017), at
  28. US Department of the Treasury, Enforcement Information for November 14, 2016 (14 November 2016),
  29. US Department of the Treasury, Enforcement Information for 25 February 2016 (25 February 2016),


Unlock unlimited access to all Global Investigations Review content