Overview
On September 8, 2025, HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”) published a disclosure notice against Vanquis Bank Limited (“VBL”), a UK financial services provider regulated by the Financial Conduct Authority, for breaches of the Counter-Terrorism (Sanctions) (EU Exit) Regulations 2019 (the “Counter-Terrorism Regulations”). The enforcement action represents the third use of OFSI’s enforcement disclosure powers and relates to a delay by VBL in restricting a UK designated person’s account, which allowed the designated person to withdraw funds and undertake a transaction on the account. Several useful indicators of OFSI’s enforcement approach and compliance expectations for businesses required to comply with UK sanctions can be discerned from the VBL case, which affected businesses should factor in to their UK sanctions compliance efforts. This enforcement action also serves as a reminder that OFSI’s enforcement efforts are not solely focused on Russia sanctions.
The Breach
The breach arose when VBL failed to promptly restrict a customer’s account following the customer’s designation under the UK’s counter-terrorism sanctions regime. OFSI had notified VBL on the day before the designation that a suspected customer of the bank would be designated for the purpose of an asset freeze the following day due to the terrorism financing risks associated with the case and the sanctions regime’s purpose of protecting national security.
On the day of designation, VBL’s customer was added to OFSI’s Consolidated List of Financial Sanctions Targets in the UK and details of the designation were publicized via an e-alert. At around 8.30am on the day following the designation, VBL’s screening system generated a potential match alert for the newly designated person, which was placed it into a queue for prioritisation. Eight days after the individual’s designation, VBL confirmed that the alert generated by its screening system was a positive match to the designated person and VBL restricted access to the individual’s account.
In the intervening period, VBL made funds directly available to the designated person as a result of the individual accessing their account on two occasions. First, withdrawing £200 in cash at approximately 9.43pm on the day following designation. Second, making a purchase of £8.99 using the account five days after the designation. VBL voluntarily reported these breaches to OFSI thirteen days after the individual’s designation.
VBL used two suppliers for their sanctions screening. One supplier provided the sanctions list, while the other supplier screened VBL’s customer data against the sanctions list and flagged potential matches to VBL. VBL staff were then responsible for conducting first and second line review within one day and, when a match is identified, restricting the person’s account.
Separately, VBL had identified a number of alerts in its automated screening system being closed as duplicates and reallocated significant resources from its first line referral team to review a large number of alerts manually as part of the remediation of that risk event. According to the enforcement disclosure notice, VBL failed to review the potential match for the designated person within one day because of the reallocation of personnel from the first line referral team to complete the remediation review. Consequently, the potential match was not reviewed by VBL’s first line referral team until eight days after the individual’s designation, despite OFSI forewarning VBL that a suspected customer was due to be designated. Following first line review, the potential match was escalated for second line review and access to the designated person’s account was restricted on the same day. OFSI considered the length of time VBL took to restrict access to the account as inappropriate. While the event leading to the redeployment of VBL’s first line referral personnel was not within its control, OFSI considered that VBL’s “failure to ensure business continuity was, and led to a period when the [designated person] had full access to the account and credit card.”
OFSI’s Assessment of the Case
When assessing the VBL case and determining the appropriate enforcement response, OFSI had regard to the case factors set out in the May 2, 2024, version of its Enforcement and Monetary Penalties Guidance.
OFSI identified a number of aggravating features to the case, as follows:
- Intent, knowledge, reasonable cause to suspect - VBL should have been especially vigilant to the designation because it was put on notice that a suspected customer was to be designated;
- Harm or risk of harm to the sanction regime’s objectives - VBL made funds directly available to a designated person, a purchase was processed on the designated person’s account, and the post-designation delay in restricting the account could have resulted in additional withdrawals or purchases being made; and
- Knowledge of sanctions and compliance systems – VBL was expected to have significant awareness and understanding of sanctions risks, as well as sufficient financial crime systems and controls to ensure funds are not made available to a designated person, because it is an FCA-regulated firm.
These factors were weighed against several mitigating factors. OFSI considered VBL’s voluntary self-disclosure and cooperation with OFSI’s investigation, the low value (i.e., £208.99) and isolated nature of the breaches, the timing of the breaches (i.e., the cash withdrawal occurred within one day of the designation), and the absence of evidence of deliberate circumvention.
OFSI’s Enforcement Decision
OFSI has the power to respond to breaches of UK financial sanctions with a range of civil enforcement responses. In the VBL case, OFSI assessed the nature and circumstances of the breach as “moderately severe” and determined that the publication of an enforcement disclosure notice was the appropriate and proportionate response in this case.
Key Takeaways
This VBL disclosure notice provides several important takeaways for firms required to comply with UK sanctions:
- Respond promptly to new designations. Firms must act without delay and ensure that they do not make funds available to designated persons, particularly (but not exclusively) if notified by OFSI that a person with which they are suspected to have business dealings may be designated in the near future.
- Assess and right size sanctions screening processes and resourcing. Sanctions compliance processes must be resilient to operational or technical disruption, with adequate staff capacity to ensure business continuity and prevent delays in responding to sanctions designations.
- Voluntary disclosure and cooperation remain critical. Prompt self-reporting and cooperation with OFSI can be mitigating factors in enforcement, even when breaches are found to be moderately severe.
- No breach is too small. Low-value or unintentional breaches can still result in enforcement action, particularly in the counter-terrorism context where access to any funds post-designation can present heightened sanctions and terrorist financing risks.
The disclosure notice against VBL underscores OFSI’s continued focus on ensuring robust sanctions compliance across the UK financial sector and beyond. While the sums involved were of low value, the case highlights a number of other factors that OFSI takes into consideration when calibrating its enforcement response to breaches of UK financial sanctions.
Affected firms should review the adequacy and ability of their sanctions compliance systems and controls to respond swiftly to changes in sanctions, ensure their sanctions screening process and business continuity arrangements are fit for purpose, and exercise particular care if alerted by OFSI that a suspected customer may be designated in the near future. For more information on these developments and their implications for companies, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Economic Sanctions team in London.
