UK OFSI Enforcement Underscores Need for Effective Sanctions Screening and Controls

On 8 September 2025, the UK’s Office of Financial Sanctions Implementation (OFSI) published a Disclosure concerning breaches of Regulations 11 and 12 of the Counter-Terrorism (Sanctions) (EU Exit) Regulations 2019 (Regulations) by UK-registered and Financial Conduct Authority-regulated Vanquis Bank Limited (VBL).

This civil enforcement action from OFSI is the fifth of 2025 (and the second Disclosure notice of the year) and is a step up from the single enforcement action OFSI took in 2024. While indicative of action being taken by the enforcement authority, this instance offers another example of OFSI’s emphasis on encouraging organisations to establish effective, robust, and appropriate compliance procedures, systems, and controls to mitigate the risk of violations.

OFSI Sanctions Breach Case: UK Bank’s Failure to Freeze Designated Person’s Account

The Disclosure relates to VBL breaching the prohibition on making funds available to a designated person (DP), or dealing with funds a DP owns, holds, or controls. The breach came about because of an eight-day delay in restricting access to a DP’s account, during which time the DP was able to access funds, including withdrawing cash and processing a transaction.

OFSI had written to VBL advising that one of its (suspected) customers, without giving any details of the customer, would be designated and subject to an asset freeze the following day; pre-notification was provided given the terrorist financing risks and for the purpose of protecting national security. The DP was subsequently listed, and OFSI issued an e-alert of the addition to the Consolidated List, as is normal practice.

The following day, VBL’s screening system generated a potential match for the DP and this was placed within VBL’s internal queue for consideration. That same day, a little more than an hour after VBL’s screening system identified the potential match, the DP withdrew £200 from the account and, five days later, made a purchase of £8.99 from the DP’s VBL account.

It was not until eight days after the designation that VBL confirmed a positive match and imposed the necessary restrictions on the DP’s account. VBL subsequently self-reported the breaches to OFSI, 13 days after the designation.

Sanctions Screening Systems Failure

VBL confirmed reliance on two sanctions screening suppliers: one managed the sanctions lists and the other supplied automated screening against VBL’s customer data. VBL described managing a first- and second-line review whereby potential matches are identified and raised to VBL staff, who manually assess the information and restrict access to accounts the bank holds when a positive hit is confirmed. VBL considered itself a low sanctions risk, as its services were available to UK residents only.

VBL amended its automated screening processes following a number of alerts being incorrectly closed as duplicates in 2024. To remediate this issue, VBL reassigned alerts for manual screening and reallocated resources from the first-line review to undertake this remediation process.

In this instance, the designation was overlooked due to a lack of resources caused by the remediation process, despite the warning OFSI had sent to VBL. It is not clear from the Disclosure when — i.e., whether in 2024 or 2025 — the violation took place.

OFSI Enforcement Decision: Moderately Severe Breach Classification Without Financial Penalty

OFSI considered the breach to be “moderately severe” on its scale of seriousness for breach cases (less severe; moderately severe; and severe) and published the Disclosure.

Aggravating Factors in OFSI Sanctions Enforcement: Delayed Account Freezing and Compliance Failures

In reaching the Disclosure decision, OFSI considered the following to be aggravating factors:

  • The forewarning OFSI issued had not been heeded;
  • Funds were made available to a DP directly and a purchase was processed on the account;
  • A delay of eight days to freeze the account from the date of designation enabled the account to be used by the DP; and
  • As an FCA-regulated financial services firm, there is an expectation of significant awareness and understanding of sanctions risk, as well as having in place effective and sufficient financial crime systems and controls.

Sanctions Violation Mitigating Factors: Self-Reporting and Limited Financial Impact

OFSI also considered the following mitigating factors:

  • VBL voluntarily self-reported the breaches and was cooperative throughout the investigation;
  • Cash withdrawal occurred within 24 hours of the DP’s designation;
  • There was no evidence of VBL deliberately circumventing or facilitating; and
  • The breaches were of a comparatively low value and were isolated incidents, as opposed to forming a pattern of failures.

On balance, OFSI considered the time it took VBL to restrict access to be “inappropriate” and the failure to ensure effective and sufficient business continuity after the risk event identified in 2024 was something VBL should have had better control over.

The decision to issue a Disclosure was in recognition of the breaches and a finding that the Regulations had been violated.

Consistent with OFSI’s aims, the Disclosure has been used to identify lessons for the market, companies, and individuals, highlighting the need to:

  • Exercise vigilance where a notification is received from OFSI; and
  • Ensure systems and controls, including sanctions screening, are appropriate to the business’ risk level and that such systems and controls can respond quickly to sanctions developments.

OFSI Enforcement Trends 2025: Implications for Sanctions Compliance Programs

The Disclosure comes on the heels of recent proposals highlighted in OFSI’s July 2025 Consultation on key reform proposals, including capped discounts for voluntary self-disclosure; introducing a formal and discretionary settlement scheme for appropriate cases; and increasing statutory maximum penalties from £1 million or 50% of the breach’s value to a cap of £2 million and allowing penalties of up to 100% of the transaction value. The consultation is open until mid-October and represents the ambitious nature of OFSI’s efforts to tackle violations and circumvention.

It is notable that OFSI’s approach differs from that taken by HM Revenue & Customs (concerning export control sanctions violations) and the imposition of compound penalties, which may be significant in value, but come with no adverse publicity for the company or individual. HMRC does not publish names and details of those who have made voluntary disclosures. OFSI considers violations, however they have come to light, on a case-by-case basis. The published guidance, for example, provides that a private warning letter may be appropriate where there are no significant aggravating factors and the breach does not form part of a wider pattern of behaviour, while moderate cases may be dealt with via a publication without monetary penalty.

Complying with reporting obligations, responding to correspondence from OFSI, and engaging with requests for information remain a key focus for OFSI and may have, based on the enforcement activity to date, an impact on OFSI’s enforcement approach. Regular review and assessment of internal compliance systems and controls, including appropriate due diligence processes, is a vital piece of armour in organisations’ efforts to mitigate their risk and will be the first line of defence in any OFSI inquiry.